For the first time, the European Union (EU) has recognized a country within the Asia-Pacific Economic Cooperation (APEC) forum—Japan—as an equal in terms of privacy, opening a channel of free-flowing data between the two jurisdictions.
Reaffirming their commitment to shared values in the field of privacy—and to strengthen their cooperation in shaping global standards for personal data protection—the EU and Japan have reached an agreement to create the world’s largest area of safe data transfers.
This “mutual adequacy arrangement” was announced in a joint statement from Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality, and Haruhi Kumazawa, Commissioner of the Personal Information Protection Commission of Japan. Under the terms of the agreement, the EU and Japan now recognize the equivalency of the other’s personal data protection system. For Japan, this means the European Union’s personal data protection rules are now equivalent to the Japanese Act on the Protection of Personal Information (APPI). The European Commission has reached a similar decision regarding Japanese data protection law.
How will the Adequacy Decision affect companies doing business in the cloud?
As of January 23, 2019, Japanese businesses can transfer personal data from Japan to the EU without having to put in place any additional data safeguards or restrictions. With the rising popularity of cloud computing services, this decision allows Japanese businesses to more easily use services located in the EU, and vice versa. Businesses based in the EU can now transfer personal data to Japan without needing additional measures or safeguards, which typically would be required under Article 46 of the General Data Protection Regulation (GDPR).
Why is this agreement so monumental?
This is the first time the EU has recognized a country within the Asia-Pacific Economic Cooperation (APEC) forum as an equal in terms of privacy.
The data privacy decision was paired with the EU-Japan Economic Partnership Agreement, which was signed on the same day. The coupling of these agreements demonstrates the critical connection between the free flow of data and the trading of goods and services between the EU and Japan. As stated by the EU Commission, “With this agreement, the EU and Japan affirm that, in the digital era, promoting high privacy standards and facilitating international trade go hand in hand.”
Several other large markets are expected to follow suit, including South Korea and Brazil. Japan will join Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection of personal data.
Adequacy decisions are required under the European Union’s General Data Protection Regulation, which prohibits EU members from transferring personal data outside the EU to countries that lack adequate data protection.
Does the United States have a European Union Adequacy decision?
The US currently lacks an EU adequacy agreement. Companies like Cisco and AppDynamics are able to transfer data outside the EU by complying with the EU-US Privacy Shield framework, the Swiss-US Privacy Shield, and standard contractual clauses (also commonly referred to as EU model clauses).
AppDynamics SaaS is available in Europe, Australia, and the US. What is the practical impact of a Japanese customer purchasing AppD SaaS provisioned to our European AWS site in Frankfurt?
With the adequacy decision in place, a Japanese business can now purchase AppDynamics SaaS, have its controller provisioned to Frankfurt, and require no additional measures or safeguards to allow the transfer of data to Frankfurt. This allows Japanese businesses first access to the latest AppDynamics features available on SaaS via Cognition Engine, which brings real-time insights to mission-critical application and business performance. Cognition Engine uses machine learning to go beyond problem detection to root-cause identification.