The European Union and Japan on Wednesday launched the “world’s largest areas of safe data flows” after finalising common rules to protect personal information, the EU said.
Firms can transfer data now that the executive European Commission finds that Japanese law offers “a comparable level of protection of personal data,” the commission said.
“This adequacy decision creates the world’s largest area of safe data flows,” EU justice commissioner Vera Jourova said, referring to an area of more than 600 million people.
“Europeans’ data will benefit from high privacy standards when their data is transferred to Japan,” the Czech commissioner said.
“Our companies will also benefit from a privileged access to a 127 million consumers’ market,” she added.
Jourova said the arrangement “will serve as an example for future partnerships” on data flows and set global standards.
The two sides cleared the final hurdle by agreeing on supplementary rules.
These cover “the protection of sensitive data, the exercise of individual rights and the conditions under which EU data can be further transferred from Japan to another third country,” the commission said.
Japan’s independent data protection authority (PPC) and courts can enforce these rules covering Japanese firms that import data from EU.
Tokyo gave Brussels assurances that any use of personal data for law enforcement and national security purposes would be “limited to what is necessary and proportionate.”
Access by public authorities for these reasons would be “subject to independent oversight and effective redress mechanisms,” the EU executive said.
The two sides agreed to a mechanism to investigate and resolve complaints from Europeans over data access that Japan’s independent data protection authority will run and supervise.
The decision complements the EU-Japan Economic Partnership Agreement, which takes effect next month to become the world’s biggest trade deal.
EU citizens come under the General Data Protection Regulation that took effect in May last year.
The EU has billed the GDPR as the biggest shake-up of data privacy regulations since the birth of the web, saying it sets new standards in the wake of the Facebook data harvesting scandal.
The law establishes the key principle that individuals must explicitly grant permission for their data to be used and gives consumers the “right to know” who is processing their information and what it will be used for.