GDPR Update: The EU – Japan Data Protection Deal Agreed

GDPR Update: The EU – Japan Data Protection Deal Agreed

Alongside the signing of a new trade deal between the EU Commission and the Japanese government, the Commission and Japan’s data protection authority have agreed to recognise each other’s personal data protection systems as ‘equivalent’.

This agreement reaffirms the parties’ commitment to shared values concerning the protection of personal data, and to strengthen their cooperation and demonstrate their leadership, in shaping global standards based on a high level of protection of personal data.[1]

This agreement confirmed the mutual understanding of measures based on the Japanese Act on the Protection of Personal Information (APPI) and the role of the independent personal data protection authority, the Personal Information Protection Commission (PPC), and measures based on the EU General Data Protection Regulation (GDPR) and its governance structure.

This mutual adequacy finding is the first reciprocal recognition of data protection equivalency between the EU and a third country. In a joint statement between the parties it was stated that “the mutual adequacy finding will create the world’s largest area of safe data transfers based on a high level of protection of personal data.”

The PPC have agreed to implement additional safeguards in order to bring about similar protections for EU citizens as they enjoy under the GDPR. These include introducing stricter rules for handling EU citizen’s sensitive personal information. Creating a complaints procedure for EU citizen’s regarding how their personal data is accessed by the Japanese government authorities.

BM Data Services

Blaser Mills Law recently launched a regulatory consultancy business called BM Data Services. The consultancy acts as a Data Protection Officer (DPO) for businesses that must appoint a DPO under GDPR and the business either needs to or wants to outsource this responsibility. BM Data Services can also act as an EU Representative for non-EU businesses that are required to appoint a representative in the EU under Article 27 GDPR. For more information about BM Data Services, please email

Note, BM Data Services, is a separate business and only provides GDPR services by qualified GDPR practitioners. It does not offer legal services and is not regulated by the Solicitors Regulation Authority.


[1] Joint Statement by Haruhi Kumazawa, Commissioner of the Personal Information Protection Commission of Japan and Věra Jourová, Commissioner for Justice, Consumers and Gender Equality of the European Commission, Tokyo, 17 July 2018,