Japan started the dialogue with the EU Commission in April 2016 to realize free cross-border personal data flows and after thorough discussion, the mutual adequacy certification agreement between the EU and Japan was concluded and became effective in January 2019. While the adequacy agreement is a welcome event, this article examines if the policy which the Japanese government pursued is defensible.
This article focuses on the difficulty in comparing the (General Data Protection Regulation) GDPR with data protection law in a third country especially where its tradition and language are greatly different from the EU. It explains this difficulty in terms of the institutional aspect (the creation of an independent organ), the substantive adequacy of data protection law (rights of data subjects and obligations of data controllers) and the adequacy of enforcement of data protection law (administrative, civil and criminal enforcement).
It is understandable that the EU takes an adequacy approach for the data protection of their residents, but the time and effort involved in the assessment could be significant. The article suggests that an international agreement or convention could be a preferable option by drawing on the experience of Council of Europe Convention 108 and similar models when we narrow down the issues of data protection to the problem of crossborder data flows in the private sector.
Global Privacy Law Review