The GSMA welcomes the announcement by the European Commission that Japan and the European Union will formally recognise each other’s data protection systems as providing an equivalent level of protection for consumers in both markets. Sitting alongside the broader EU-Japan Economic Partnership Agreement, this mutual adequacy arrangement will pave the way for creating the world’s largest zone—encompassing 37 per cent of global trade by value—in which personal data is allowed to flow freely and consumers’ privacy is protected to a similar high standard.
To realise the full potential of digital, data needs to move across national boundaries without restrictions. The recent effort by some countries to localise data—to require that certain types remain in country, or be stored on local servers—hinders free data flows and hurts both economic growth and foreign investment, without making the data itself any more secure. This new agreement, therefore, sends a strong signal that it is possible to both allow data to flow freely and protect consumers’ personal data.
A finding of adequacy is the most straightforward path for free movement of personal data between the EU and other countries. Both parties establish a comprehensive framework for all movements of personal data across respective borders and without the need for prior approvals or other formalities.
To achieve a preliminary finding of adequacy under the GDPR, Japan agreed to expand its definition of sensitive data, facilitate the rights of EU citizens to access local courts for any privacy infringements, and ensure higher levels of protection for onward transfer of EU subjects’ personal data from Japan to third countries.
The EU and Japan expect to ratify the process of finding each other’s data protection systems as “adequate” before the end of 2018. As the European Commission looks to extend adequacy findings to other countries, the GSMA is encouraged that such efforts reaffirm commitments to the free flow of data globally. The European Commission is currently engaged in ongoing adequacy talks with South Korea, which is likely to become the next country to receive a designation of adequacy.
While adequacy findings are the most straightforward path for enabling the free flow of personal data between the EU and other countries, they take a long time to establish and are consequently limited in number. The GSMA therefore encourages governments to support regional accountability-based mechanisms, such as the voluntary Cross-Border Privacy Rules system for the 21 member economies in the Asia-Pacific Economic Cooperation (APEC), as well as the EU’s Binding Corporate Rules (BCR). These regional frameworks are based on internationally accepted data protection principles and drive greater alignment of privacy standards across the region concerned. They ensure that the consumer remains protected, and that the organisation transferring the data remains accountable for the subsequent use of the data with the result that personal data can flow more freely across the region.