Scroll Top


European Commission: the European Union and Japan have successfully concluded their talks on mutual adequacy and agreed to recognize each other’s data protection systems as “equivalent”.

Milan, 20 July 2018 – On 17 July 2018, the European Commission announced that the European Union and Japan, in connection with the Economic Partnership Agreement (EPA), have successfully concluded their talks on mutual adequacy and agreed to recognize each other’s data protection systems as “equivalent”. In the future, data will therefore be allowed to flow safely between the EU – where the General Data Protection Regulation (GDPR) has entered into force on 25 May 2018 – and Japan.

Each party will now start its internal procedures for the adoption of the adequacy decision. For the EU, this involves obtaining an opinion from the European Data Protection Board (which, from 25 May 2018, has replaced the Article 29 Working Party) and the approval from a committee composed of representatives of the EU Member States.

Once this procedure is completed, the Commission will adopt the adequacy decision on Japan.

Before the Commission formally adopts the above-mentioned adequacy decision – most likely by the autumn of this year –, Japan has committed itself to implementing the following additional guarantees:

(i) a set of rules that provide EU individuals whose personal data are transferred to Japan with additional guarantees that will bridge some gaps between the two data protection systems. These additional guarantees will strengthen, for example, the protection of sensitive data, the conditions under which EU data may be further transferred from Japan to another third country, and the exercise of individual rights to access and rectification. These rules will be binding on Japanese companies that import data from the EU and enforceable by the Japanese independent data protection authority and courts;

(ii) a complaint-handling mechanism to investigate and resolve complaints from EU citizens regarding access to their data by Japanese public authorities. This mechanism will be managed and supervised by the Japanese independent data protection authority.