EU Decision Introduces New Protection Framework on EU–Japan Data Transfers

January 24, 2019

The European Union (EU) has adopted an adequacy framework for the transfer of personal data between Japan and the European Union. This framework is a mutual arrangement that applies to both sides as of January 23, 2019.

Below is a brief summary of the new framework:

  • Whenever personal data is transferred from the EU to Japan, the same guarantees as those under EU law (e.g., an individual’s right to request access to his/her personal data) will continue to apply.
  • Note that the framework contains specific rules on the transfer of sensitive data (Art. 9 of the European General Data Protection Regulation, or GDPR. This includes health data). Under Japanese data protection law, these data sets are called “special care-required personal information" as defined in Article 2(3) of the APPI. That provision refers to "personal information comprising a principal's race, creed, social status, medical history, criminal record, fact of having suffered damage by a crime, or other descriptions etc. prescribed by Cabinet Order as those of which the handling requires special care so as not to cause unfair discrimination, prejudice or other disadvantages to the principal." For any of these data sets, including a trade-union membership (Art. 9, GDPR), specific consent requirements and exceptions apply.
  • This framework will only impact direct data flows from the EU to Japan. For EU personal data transferred to the United States first under the Privacy Shield and then passed on to Japan, an onward transfer agreement may be needed.
  • In Japan, the independent data protection authority (PPC) can investigate the processing of personal data by Japanese business operators and, if it finds irregularities, can issue binding decisions.
  • Because of Brexit, it remains to be seen whether and to what extent the new framework will apply to UK-Japan data transfers.
  • For EU-Japan-US data transfers, EU data must NOT be further transferred to individuals or entities abroad who do not guarantee an adequate level of protection, unless consent of EU individuals is obtained for such a transfer. A valid Privacy Shield certification in the United States may guarantee an adequate level of protection.
  • A joint review will be carried out after two years to assess the functioning of the framework.

We will continue to monitor this decision and keep you posted on further developments.


If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:

Motonori Araki

Washington, DC
Dr. Axel Spies