Summary

  • UK will maintain its adequacy status in Japan even after it withdraws from the European Union.
  • Japan recognises that the UK has relevant legislation in place to maintain its adequacy assessment.

The Personal Information Protection Commission ("PPC") in Japan has announced that, with respect to the transfer of personal data between Japan and the UK, the UK will maintain its adequacy status even after it withdraws from the European Union ("EU").

Background

The UK withdrew from the EU on 31 January 2020 and has entered into a transition period until 31 December 2020, during which time it will remain subject to EU rules including the General Data Protection Regulation ("GDPR").

Currently, European Economic Area member states, which includes those member states within the EU but does not include the UK, are included in Japan's white list of countries which Japan recognises as having an adequate level of personal data protection. This recognition enables personal data to be transferred out of Japan and into white-listed countries without the requirement for any further safeguards to be in place.

The PPC's Announcement

The PPC's announcement on 28 January 2020 confirms that the UK will continue to maintain its adequacy status in Japan now that it has withdrawn from the EU because it has the relevant legislation in place to maintain its adequacy assessment. The PPC also confirms that this will apply to the UK even after the transition period.

This is a welcome indication that countries outside of the EU recognise the ability of the UK's data protection laws to enforce international data protection requirements and that cross-border data transfer with the UK can continue after the transition period.

This announcement follows the recent adoption by the European Commission of its adequacy decision in favour of Japan on 23 January 2020.

As we noted in our 2020 data protection predictions blog, we expect the discussions around the UK's adequacy decision to be one of the key developments in the year to come for data protection. Despite the GDPR being enacted into UK law, it remains to be seen whether the EU will recognise the UK as providing adequate levels of data protection following the transition period. In this regard, the European Data Protection Supervisor ("EDPS"), Wojciech Wiewiórowski, noted that the UK is "13th in the row" for an adequacy decision. Even though the EDPS does not participate directly in adequacy decisions, his comments may indicate a general reluctance to let the UK skip the queue in terms of an adequacy decision.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.