Cross-border data transfers. Japan-EU versus Japan-US

Thursday November 2nd, 2017

The Japanese law on personal data protection (APPI, the Act on the Protection of Personal Information), in force since 30th May 2017 with the amendments approved in December 2017, allows data to be transferred from Japan to third countries only if it is ensured that the receiving party provides “adequate” standards of data protection.

The GDPR’s importance is also highlighted by the fact that the European Union is the only jurisdiction engaged in talks with Japan on adequacy standards, and that Japan is not willing to open talks with other countries, not even with the USA.

Japan does not intend to issue a general declaration asserting that US data protection standards are adequate; for this reason, companies that want to transfer data from Japan to the US will have to rely on the cross-border privacy rules developed by the Asia-Pacific Economic Cooperation (APEC).

This is possible because the United States, the first non-Asian country to adhere to the APEC Cross-Border Privacy Rules (“CBPR”) System, has participated in it since 2012. For this reason, companies can voluntarily comply with the CBPR System and transfer data to APEC members without any additional restrictions or guarantees regarding the protection and privacy of the transferred data.

The CBPR System is characterized by four elements:

  1. self-assessment;
  2. compliance verification;
  3. recognition / acceptance;
  4. dispute resolution and enforcement.

The APEC Privacy Framework is formally recognized by Canada, Japan, Mexico, South Korea and the US, and it could be adopted by all 21 APEC members.

Companies that transfer data from Japan without express consent, or without CBPR certification, will be subject to enforcement action by the Japanese Personal Information Protection Commission (PIPC) if the PIPC receives a complaint.

Regulation (EU) 2016/679 (GDPR), which has been the legislative basis for many other countries, is the differentiator that puts the EU and the US on two different levels with regard to cross-border transfers to and from Japan. Indeed, the EU and Japan are negotiating on adequacy, while Japan does not intend to start negotiations of this kind with the US.

Since July, Japan and the EU have been engaged in talks aimed at mutually recognizing the adequacy of their respective privacy and data protection regimes. In many respects, Japan’s APPI is modelled on the GDPR, which will fully apply from May 2018.

The objective of the two delegations is to reach an agreement in principle on mutual recognition of adequacy standards by the end of 2018.






(translated by Matilde Bobbio)



About Stefano Tresoldi

Degree in Administrative Science from the UNITO Law Department, with more than 20 years as a consultant in the IT field. From 2011 to 2015, consultant for regulatory-driven transformation projects related to the "Online Civil Trial" (PCT), including privacy and security compliance. In 2014-2015, consultant for an innovative digital project on the new legal regulation for "Messa alla prova" (L. 67 del 28.04.14) and for "Volontaria Giurisdizione". In 1995 Stefano founded STL, an IT consulting company. As owner, his main occupations were company management, new business discovery, public relations and partnership building; in more than 20 years at STL he also acquired interdisciplinary skills in many areas: stakeholder management and engagement, leadership, strategic thinking, problem solving, decision making, public speaking and presentations. Since 2002 he has worked as a consultant.
