On 23 January 2019, the EU Commission adopted a decision confirming the adequacy of Japanese data protection laws for the purpose of transferring personal data from the EU to Japan in compliance with the international data transfer restrictions set out in Chapter V of the GDPR. Continue reading
Tag: adequacy decision
On 17 July 2018, the EU Commission (“Commission”) and Japan concluded the negotiations on a reciprocal finding of an adequate level of data protection by both sides.
Under the General Data Protection Regulation (“GDPR”) which became effective across Europe on 25 May 2018, an adequacy decision adopted by the Commission is one of the ways which allows personal data to be transferred outside the European Economic Area (“EEA”). An adequacy decision is adopted if the Commission, after its assessment of the level of protection in the recipient jurisdiction, decides that the recipient jurisdiction ensures an adequate level of protection to the personal data of EU data subjects.
This is the first time the Commission and a third country have agreed on reciprocal recognition in respect of data protection adequacy. The other countries or territories which have been assessed by the Commission as having an adequate level of protection of personal data are all based on the Commission’s unilateral decisions (e.g. New Zealand, Canada and Switzerland). Reciprocal recognition means that not only can personal data be transferred from the EEA to Japan in compliance with the GDPR, it can also be transferred from Japan to the EU in compliance with the Japanese law.
The post below was first published on our Employment blog
Last week the UK Government released its negotiating position paper on international transfers of personal data within the EEA (The Exchange and Protection of Personal Data). Once the UK leaves the EEA it will no longer be subject to the General Data Protection Regulation (the “GDPR”) and would no longer form part of the EU “safe data” zone throughout which personal data may be freely transferred. The GDPR will however continue to apply to UK businesses who provide goods or services to individuals in the EEA.
In line with previous declarations, the position paper outlines the Government’s desire to maintain the “frictionless” movement of data to and from other countries within the EEA. It cites the economic benefits for the UK and EU as well as cooperation in respect of law enforcement matters (such as serious crime and terrorism).
The position paper sets out the Government’s preferred outcome in three key areas:
- An EU adequacy decision in relation to the UK’s post-Brexit data protection legislation;
- The continued input of the UK data regulator (the Information Commissioner’s Office (the “ICO”)) in the EU’s regulatory dialogue; and
- Interim arrangements, from the point of Brexit to the time when more permanent measures have been put in place, to maintain stability and consistency. Continue reading
On 18 July 2017 the House of Lords European Union Committee (the “Committee“) published a report covering the impact of Brexit on four aspects of the EU Data Protection Package:
- the General Data Protection Regulation (the “GDPR“) which will become directly applicable in all EU member states with effect from 25 May 2018. A Data Protection Bill is expected to be introduced by Parliament after the summer recess.
- the Police and Criminal Justice Directive (the “PJC“) which EU member states must transpose into national law by 6 May 2018;
- the EU-US Privacy Shield which enables personal data transfers from the EU to the US for commercial purposes and replaced the previous Safe Harbour international transfer mechanism to the US; and
- the EU-US Umbrella Agreement which establishes a common framework for the protection of personal data transferred between the EU and the US for criminal law enforcement purposes.