On the 23rd of January, the European Commission adopted the adequacy decision with Japan. This means that Japan has a level of personal data protection equivalent to that under the General Data Protection Regulation (GDPR). An equivalent level of data protection does not mean a level equal to that under the GDPR. The basic principle is that the standards used by the relevant country ensure a sufficient level of protection of personal data.
An example of the differences between the GDPR and the APPI (the Japanese data protection law; the abbreviation stands for Act on the Protection of Personal Information) is that Japan has a different interpretation of anonymised data. Under the APPI, pseudonymisation is part of anonymisation. To bridge a number of differences in legislation, additional rules have been adopted. In addition, the adequacy decision with Japan does not apply, for example, to academic institutes insofar as they process personal data for the benefit of academic studies. The same is true for religious and political organisations when personal data are processed for religious and political activities.
In this blog I will explain what third countries are and what exactly a transfer of personal data and an adequacy decision entail. I will also explain what other options you have as an organisation to ensure that the transfer of personal data outside the European Economic Area (all European countries and Liechtenstein, Norway and Iceland, hereinafter EEA) takes place with sufficient safeguards.
When organisations wish to transfer personal data outside the EEA, they must ensure that proper agreements are made to ensure the protection of personal data. This can be done with extra contractual agreements or binding corporate rules. In addition, the transfer of personal data with sufficient guarantees is possible when a country has an adequacy decision.
The next country to be added to the list of adequacy decisions is probably South Korea.
Transferring personal data sounds rather abstract. The transfer of personal data actually means 'all provisions of data to parties outside the EEA'. This may involve sending data from employees to the parent company in India, using an online marketing tool from an external party that has the database or back-up in the United States, or selling personal data to customers outside the EEA.
The European Commission has published on its website a list of countries for which it has adopted an adequacy decision. These countries are: Andorra, Argentina, Canada (private parties only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and United States-based companies that are members of the Privacy Shield. At the moment, the Privacy Shield is under discussion. The European Parliament has ruled that the Privacy Shield does not offer sufficient guarantees for the protection of personal data as required under the GDPR. It is therefore advisable to consider a contract as an alternative when you work with a company based in the United States.
If you as an organisation provide personal data to a country with an adequacy decision, the normal requirements under the GDPR apply. The adequacy decision ensures that no extra measures have to be taken between the parties to ensure the protection of personal data.
Do you have questions about this blog, about Binding Corporate Rules or additional contractual agreements that have to be made between parties? Please contact us!