New reciprocal adequacy decision allows free flow of personal data between Japan and the EEA

On 17 July 2018, the EU Commission (“Commission”) and Japan concluded the negotiations on a reciprocal finding of an adequate level of data protection by both sides.

Under the General Data Protection Regulation (“GDPR”) which became effective across Europe on 25 May 2018, an adequacy decision adopted by the Commission is one of the ways which allows personal data to be transferred outside the European Economic Area (“EEA”). An adequacy decision is adopted if the Commission, after its assessment of the level of protection in the recipient jurisdiction, decides that the recipient jurisdiction ensures an adequate level of protection to the personal data of EU data subjects.

This is the first time the Commission and a third country have agreed on reciprocal recognition in respect of data protection adequacy. The other countries or territories which have been assessed by the Commission as having an adequate level of protection of personal data are all based on the Commission’s unilateral decisions (e.g. New Zealand, Canada and Switzerland). Reciprocal recognition means that not only can personal data be transferred from the EEA to Japan in compliance with the GDPR, it can also be transferred from Japan to the EU in compliance with the Japanese law.

Continue reading

UK Government Position Paper on International Transfers of Data – Key Points

The post below was first published on our Employment blog

Last week the UK Government released its negotiating position paper on international transfers of personal data within the EEA (The Exchange and Protection of Personal Data). Once the UK leaves the EEA it will no longer be subject to the General Data Protection Regulation (the “GDPR”) and would no longer form part of the EU “safe data” zone throughout which personal data may be freely transferred. The GDPR will however continue to apply to UK businesses who provide goods or services to individuals in the EEA.

In line with previous declarations, the position paper outlines the Government’s desire to maintain the “frictionless” movement of data to and from other countries within the EEA. It cites the economic benefits for the UK and EU as well as cooperation in respect of law enforcement matters (such as serious crime and terrorism).

The position paper sets out the Government’s preferred outcome in three key areas:

  • An EU adequacy decision in relation to the UK’s post-Brexit data protection legislation;
  • The continued input of the UK data regulator (the Information Commissioner’s Office (the “ICO”)) in the EU’s regulatory dialogue; and
  • Interim arrangements, from the point of Brexit to the time when more permanent measures  have been put in place, to maintain stability and consistency. Continue reading

House of Lords EU Committee Report on Brexit and the EU Data Protection Package

On 18 July 2017 the House of Lords European Union Committee (the “Committee“) published a report covering the impact of Brexit on four aspects of the EU Data Protection Package:

  • the General Data Protection Regulation (the “GDPR“) which will become directly applicable in all EU member states with effect from 25 May 2018. A Data Protection Bill is expected to be introduced by Parliament after the summer recess.
  • the Police and Criminal Justice Directive (the “PJC“) which EU member states must transpose into national law by 6 May 2018;
  • the EU-US Privacy Shield which enables personal data transfers from the EU to the US for commercial purposes and replaced the previous Safe Harbour international transfer mechanism to the US; and
  • the EU-US Umbrella Agreement which establishes a common framework for the protection of personal data transferred between the EU and the US for criminal law enforcement purposes.

Continue reading