The European Commission is negotiating a deal with Japan’s data protection agency on personal data transfers. The deal may leave Japanese companies vulnerable to new, stricter EU rules set to come into force next year.

However, many have questioned whether Japan’s Personal Information Protection Commission can establish rules strict enough to satisfy the EU and the General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018. There are 2,500 Japanese companies operating in the EU that are at risk from a failure to comply with the GDPR.