While Capitol Hill is inundated with proposed privacy legislations from the Data Breach Prevention and Compensation Act (DBPCA), the CLOUD Act and the ENCRYPT Act, organizations the world over are trying to understand how to get their own regulations deemed adequate enough to ensure the flow of business in the EU, now that GDPR is a reality.
To that end, Japan has been negotiating with the European Commission on an adequacy decision that will allow for the free transfer of data outside of the EU/EEA into Japan. In September, the Commission launched the procedural steps it would take in the adoption of its adequacy decision, which includes safeguards that Japan will apply to any personal data transferred from the EU and vice versa.
Věra Jourová, commissioner for Justice, Consumers and Gender Equality, said in a Sept. 5 press release: “We are creating the world’s largest area of safe data flows. Personal data will be able to travel safely between the EU and Japan to the benefit of both our citizens and our economies. Our partnership will promote global standards for data protection and set an example for future partnerships in this key area.”
So what are the implications of this adequacy agreement and what does the future hold for other countries when it comes to complying with GDPR? We talked with K&L Gates partners Ignasi Guardans and Claude Etienne Armingaud, advisers for EU policy and regulatory matters to understand the key points of great importance and how the decision will impact businesses around the globe.
Why Does the EU-Japan Adequacy Agreement Matter?
Of most importance is the understanding that this agreement is not a data transfer agreement. Rather, it’s an adequacy decision approved by the European Commission after assessing the privacy protection in Japan.
“Japan’s request for the recognition of its national data protection regulatory framework illustrates one of the anticipated effects of the European General Data Protection Regulation which entered into force on 25 May 2018,” Guardans said. The regulations put compliance mandates on not only EU-based companies but also on those companies that process personal data of individuals residing within the EU. “Consequently, non-EU companies that were previously impervious to EU data protection are now facing major investments for compliance, sometimes for limited benefits with regard to their market shares in the EU.”
As a result, Japan’s request comes as no surprise. It was anticipated that to continue to do business within Europe, countries would start drafting or adapting their national regulations. The United States has jumped on board with its proposed Consumer Data Protection Act put forth by Oregon Sen. Ron Wyden. Countries outside the EU are not only starting to implement substantially similar standards but also planning to seek recognition that such national standards were compatible with GDPR.
Until the EU-Japan decision, Armingaud said, “the use of the adequacy decision system had been very limited – only 12 countries over a period of 23 years sought such approval, and for the most part smaller countries (e.g. Faroe Island) or for a limited scope (i.e. subject to Safe Habor/Privacy Shield in the U.S. or for commercial entities complying with Canada’s PIPEDA).”
Japan may be the first country to apply for the adequacy decision under GDPR, but others, such as South Korea, are expected to follow suit.
How Will This Adequacy Decision Impact Businesses?
After a country obtains an adequacy decision, the free flow of personal data between them will be facilitated so that neither party is required to obtain the consent of the individuals concerned, nor is any bilateral agreement required between two commercial entities—a mandate that oftentimes may prove cumbersome to negotiate, Guardans said.
“The impact of businesses should be largely positive in both the data importing and the data exporting countries and cause a privileged access to the relevant markets,” he said. “Conversely, while GDPR’s initial goal was to limit the costs of compliance caused by discrepancies in the different Member States, many companies have found the legal, operational and technological implementation of GDPR to be prohibitively expensive.”
An adequacy decision creates a one-size-fits-all mechanism that helps to defray compliance implementation costs, Guardans said. It reportedly will serve not only for local but also for international aspects of conducting business, including all 28 EU Member States.
What Must Global Organizations Do Now to Prepare for Compliance?
Some companies, such as Microsoft, have elected to prepare for the expected changes in privacy standards worldwide by unilaterally applying GDPR across their organizations. “Other companies decided to stop their service offering toward Europe after 25 May 2018, or reorganize such offering by segregating their user bases,” Armingaud said.
In all likelihood, though, organizations will find there is really no way to avoid either GDPR compliance or its derivatives. Nations are moving in the direction of implementing similar standards, and hoping to avoid compliance could create negative consequences. It’s best to adopt a “when in Rome” mentality and start the process now.
To move toward compliance, Armingaud said, “impacted or willing companies first need to audit their infrastructure and organization in order to gain a 360-visibility over their data processing operation. From that data mapping exercise, they will then be able to assess, and document, the changes required to close the gap with regulatory requirements, whether they be set forth by GDPR or the upcoming non-EU national standards. No more, no less, as long as it is adequate.”