GDPR Overview
The General Data Protection Regulation (GDPR), effective May 2018, protects the personal data of EU residents. Key features:
- Fines up to €20 million or 4% of global annual revenue (whichever is higher)
- Extraterritorial application: applies to non-EU companies offering goods/services to EU residents or monitoring their behavior
- Enhanced individual rights (right to erasure, portability, access, etc.)
EU-Japan Mutual Adequacy Decision (2019)
In January 2019, the European Commission and Japan's Personal Information Protection Commission (PPC) granted mutual adequacy decisions:
- EU side: Japan's APPI provides protection equivalent to the GDPR
- Japan side: EU data protection qualifies as a safe third country
Result: Japanese companies can receive personal data from the EU without Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
Supplementary Rules
Japanese companies receiving EEA resident data must comply with supplementary rules providing GDPR-equivalent protections, including expanded sensitive data categories and restrictions on onward transfers to non-EEA countries.
When Japanese Companies Are Subject to GDPR (Article 3)
- Companies with an establishment in the EU
- Companies offering goods/services to EU residents (including free services)
- Companies monitoring the behavior of EU residents (analytics, behavioral advertising)
Key GDPR Compliance Requirements
| Obligation | Details |
|---|---|
| Privacy policy | Disclose processing purposes, legal bases, retention periods |
| Consent | Explicit, freely given consent |
| Individual rights | Respond to access/deletion/portability requests |
| DPO designation | Required for large-scale processing |
| EU representative | Required for non-EU companies subject to GDPR |
| Data breach notification | Within 72 hours to supervisory authority |
2022 APPI Amendment: Cross-Border Transfer Rules
The amended APPI (effective April 2022) requires, when transferring personal data to foreign third parties, one of the following:
1. Individual consent (with disclosure of the destination country's data protection framework), or
2. The recipient has established an equivalent protection framework, or
3. The destination country has received an adequacy decision (EU, UK, etc.)
Summary
Japanese companies serving EU customers face GDPR extraterritorial application. While the mutual adequacy decision simplifies data flows, compliance with supplementary rules and the 2022 APPI cross-border transfer rules remains separately required.