From 23 January 2019, cross-border flows of personal data from EU to Japan may be justified under the new adequacy decision of the European Commission.

The adequacy decision of the European Commission, which allows justifying personal data transfer from the European Economic Area (EEA) to Japan, came into force on 23 January 2019.

Cross-border flows of personal data, i.e. to countries outside the EEA (third countries) are set out in the General Data Protection Regulation (GDPR). The GDPR establishes, among other solutions, that a transfer of personal data to a third country may take place where the Commission has decided that the third country ensures an adequate level of protection. In this case, a transfer will not require a specific authorization.

Adequacy criterion does not require the third country's data protection system to be identical to the one of the European Union (EU). The goal is not to mirror point by point the European legislation, but to establish  a «standard of essential equivalence», which involves a comprehensive assessment of this country's data protection framework, in particular of the protection guarantees applicable to personal data and of the relevant oversight and redress mechanisms available, as detailed in the Working document on Adequacy Referential from the Article 29 Working Party.

Despite the EU has adopted adequacy decisions for another countries, including Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States (EU-U.S. Privacy Shield), this is the first time that the EU and a third-country agree to recognize a reciprocal adequacy protection level. Furthermore, the EU-Japan adequacy decision is the first one adopted since the GDPR became applicable by 25 May 2018.

On the EU side, this adequacy finding was decided based on a set of additional safeguards that Japan will apply to the data of European citizens, for example, the Japanese definition of «sensitive data» will be extended, the exercise of individual rights will be facilitated, and the further transfer of Europeans' data from Japan to another third country will be subject to a higher level of protection. Japan will also establish a system of handling and resolution of potential complaints from European citizens as regards access to their data by Japanese law enforcement and national security authorities, under the supervision of the Japanese data protection authority.

In case of failure of the adequacy decision by Japan, an EU citizen may lodge a complaint to the Japanese data protection authority to obtain redress via a binding decision and/or file a civil action  to obtain damages or injunction with a Japanese court.

Although adequacy decisions have no time limitation, they are periodically reviewed by the Commission. The first review of the EU-Japan adequacy decision should take place at the end of two years and then at least every four years.

Together with the EU-Japan Economic Partnership Agreement to be entered into force in February 2019, this adequacy decision will allow creating the world's largest area of safe data flows.