On Tuesday this week, the EU and Japan successfully concluded their talks on reciprocal adequacy.
What does this mean?
Generally speaking, it means that the two nations recognise each other’s data protection systems as “equivalent”, and therefore agree that data can flow between them as of the implementation date later this year.
The announcement also has a particular impact on GDPR practicalities. The agreement means that Japan will join the short list of non-EU nations that are confirmed as having an “adequate level of [data privacy] protection” under Article 45, and therefore is one of the few suitable and permitted locations for EU personal data to be transferred to.
Other adequate states are Andorra, Argentina, Canada (only in situations where PIPEDA is also applicable), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework, which is obviously being hotly debated currently).
In its press release, the European Commission described the agreement as creating the “world’s largest area of safe transfers of data” as the privacy of 535 million consumers will be protected under this agreement.
But let’s look at this a different way.
Of the Forbes Global 2000, 615 are headquartered in either the EU or Japan. A further 110 are based in other adequate states, 67 are based in South Korea who are also in talks to join the list, and 346 are based in countries that while not deemed adequate, have robust data protection laws (Australia, Singapore, Hong Kong and most recently China). Not to mention the 82 based in California, which has just passed its Consumer Privacy Act.
That leaves only 780 of the biggest companies in the world who are not headquartered in countries or states that take data privacy seriously. Most of whom operate internationally and within the countries mentioned above and will therefore have to respect the local laws. That doesn’t leave many for whom data privacy is not a boardroom issue.
The point here is that while the addition of 127 million Japanese consumers to the global data protection community is of course a good thing for business and consumers alike, it’s actually not the biggest takeaway from this announcement.
The tide is turning. Or perhaps has turned. Data privacy laws are the norm. National governments are eager to show that their levels of protection reach the highest necessary standard in order to preserve their relevance on the world stage.
Meanwhile, countries without robust legislation are now very much the exception, often singled out for not respecting the emphasis that society now places on the privacy of personal data.
That is what these laws signify after all. Legislation is more than a framework of rules to abide by. It is a reflection of current ethical values. On that basis, there are not many governments who will be comfortable remaining on the outside much longer. It will likely be a very different, even more positive, picture in 12 months’ time.