Data Flows Between Japan and the EU: Navigating the GDPR Adequacy Decision After its First Review

TL;DR
- The EU’s first review (April 2023) confirmed Japan’s GDPR adequacy decision, so EU-to-Japan transfers still need no SCCs or BCRs.
- APPI amendments (2022) absorbed key “Supplementary Rules,” but those rules still apply to gaps—especially sensitive-data scope and onward transfers.
- Companies receiving EU data in Japan must follow both the updated APPI and the Supplementary Rules and be ready for stricter PPC enforcement urged by the EU.
Table of Contents
- Background: The 2019 Adequacy Decision and Japan's "Supplementary Rules"
- The First Review (2021-2023): Process and Outcome
- Key Findings and Developments from the Review
- Implications for US and International Businesses
- Conclusion
For international businesses operating between Japan and the European Union/European Economic Area (EU/EEA), the free flow of personal data is often crucial. A key mechanism enabling this flow is the "adequacy decision" under Article 45 of the EU's General Data Protection Regulation (GDPR). In January 2019, Japan became one of a select group of countries granted an adequacy decision by the European Commission, signifying that its data protection framework offers a level of protection essentially equivalent to that provided by the GDPR. This landmark mutual recognition created the world's largest area of safe and free data flows at the time.
However, adequacy decisions are not permanent; the GDPR mandates periodic reviews. The first review of Japan's adequacy status concluded in early 2023. Understanding the outcome of this review and the ongoing requirements is essential for businesses relying on this framework for EU-Japan data transfers.
Background: The 2019 Adequacy Decision and Japan's "Supplementary Rules"
Japan's journey towards adequacy involved significant updates to its domestic data protection law, the Act on the Protection of Personal Information (APPI - 個人情報保護法, Kojin Jōhō Hogohō), particularly the major amendments in 2015 (effective 2017). Following intensive dialogue between the European Commission and Japan's Personal Information Protection Commission (PPC - 個人情報保護委員会, Kojin Jōhō Hogo Iinkai), the mutual adequacy findings were announced.
A unique feature of Japan's adequacy decision was the establishment of "Supplementary Rules" (補完的ルール, hokanteki rūru) by the PPC. These rules apply specifically and only to personal data transferred from the EU/EEA to Japan based on the adequacy decision. They were designed to bridge certain gaps between the APPI (as it existed in 2019) and GDPR requirements. Key original Supplementary Rules included:
- Expanded Sensitive Data: Treating data concerning sex life, sexual orientation, and trade union membership with the same protections as "special care-required personal information" (yō-hairyo kojin jōhō) under the APPI.
- No Time Limit for Access Rights: Removing the previous six-month holding period limitation for data subjects to exercise access and other rights regarding "retained personal data" (hoyū kojin dēta).
- Purpose Limitation for Onward Transfers: Reinforcing that data received under adequacy cannot be used for purposes beyond those initially specified by the EU data controller.
- Restrictions on Re-transfer Mechanisms: Prohibiting the use of certain frameworks like the APEC Cross-Border Privacy Rules (CBPR) system for onward transfers of EU data received under adequacy from Japan to third countries.
- Stricter Anonymization Standards: Setting higher standards for data to qualify as "anonymously processed information" (tokumei kakō jōhō) if derived from EU data.
Compliance with both the main APPI provisions and these specific Supplementary Rules became mandatory for Japanese businesses handling EU personal data received via the adequacy framework.
The First Review (2021-2023): Process and Outcome
GDPR Article 45(3) requires the European Commission to review adequacy decisions periodically, at least every four years, to ensure the third country still provides an equivalent level of protection.
The first review process for Japan began in January 2021. It involved detailed information exchange between the Commission and the PPC, assessing developments in Japan's legal framework and its practical application. The European Data Protection Board (EDPB) also provided input.
In April 2023, the European Commission published its report on the first review (Report COM(2023) 275 final), concluding that Japan continues to ensure an adequate level of data protection. Consequently, the adequacy decision remains in effect, allowing personal data to continue flowing freely from the EU/EEA to Japan without requiring additional safeguards like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
Key Findings and Developments from the Review
The Commission's positive assessment was significantly influenced by Japan's substantial amendments to the APPI in 2020 and 2021 (fully effective April 2022), which occurred after the initial adequacy decision. The review highlighted several key areas:
- Strengthened APPI: The Commission positively evaluated the convergence brought by the APPI amendments, including:
  - Elimination of the 6-Month Rule: The statutory removal of the six-month threshold for data to be considered "retained personal data" subject to data subject rights directly incorporated one of the original Supplementary Rules into the main law.
  - Enhanced Data Subject Rights: Introduction of the right to request disclosure of records in digital format, expanded rights to request cessation of use or erasure under broader conditions, and rights concerning third-party transfer records.
  - Mandatory Breach Notification: New obligations to report significant data breaches to the PPC and notify affected individuals.
  - Regulation of Pseudonymized Data: Introduction of rules for "pseudonymously processed information" (kamei kakō jōhō).
  - Expanded Extraterritorial Scope: Clearer rules on the APPI's application to businesses outside Japan handling Japanese residents' data.
  - Increased PPC Powers: Strengthened enforcement capabilities for the PPC, including significantly higher potential penalties for violations.
  - Cross-Border Transfer Rules: Refinements to rules governing transfers of personal data from Japan to third countries, including stricter requirements for consent and assessing the data protection environment in the destination country.
- Continued Role of Supplementary Rules: While some gaps were closed by the APPI amendments, the Supplementary Rules remain necessary to address remaining differences, particularly regarding the definition of sensitive data. The rules were updated by the PPC to align with the new APPI structure and terminology, including adding provisions related to pseudonymously processed information derived from EU data.
- Government Access Safeguards: A critical element of any adequacy review, especially post-Schrems II, is the assessment of safeguards against disproportionate access to personal data by public authorities for law enforcement and national security purposes. The Commission reviewed Japan's legal framework governing such access and the available oversight and redress mechanisms (including the role of the PPC and judicial review) and concluded they provide sufficient guarantees against excessive surveillance.
- PPC Enforcement Approach: The Commission report noted that the PPC's primary enforcement tool is administrative guidance (gyōsei shidō, 行政指導) and recommendations, rather than formal orders or monetary penalties. While acknowledging Japan's different administrative culture, the Commission encouraged the PPC to make greater use of its formal enforcement powers where appropriate to ensure effectiveness and deter non-compliance.
- EDPB Input: The EDPB issued a statement generally welcoming the review's outcome but emphasizing the need for ongoing monitoring by the Commission, particularly concerning the practical application of rules on onward transfers and the handling of complaints from EU data subjects channeled through the PPC.
Implications for US and International Businesses
The continuation of Japan's adequacy status has several practical implications:
- Simplified Data Transfers: Businesses can continue transferring personal data from the EU/EEA to their operations or partners in Japan without implementing SCCs, BCRs, or relying on other transfer mechanisms under GDPR Chapter V. This significantly reduces compliance complexity and costs.
- Mandatory Compliance with Supplementary Rules: It is crucial for businesses in Japan receiving EU data via adequacy to understand and implement the Supplementary Rules in addition to the standard APPI requirements. This includes treating specific data categories as sensitive and adhering to stricter rules for onward transfers and anonymization/pseudonymization. Failure to comply with these specific rules constitutes a violation of the APPI for the data received under adequacy.
- Onward Transfer Restrictions: The limitation on using mechanisms like APEC CBPRs for onward transfers of EU data from Japan to other third countries remains. Businesses needing to make such onward transfers must ensure they have a valid basis under either Japan's APPI cross-border rules (e.g., data subject consent, ensuring equivalent protection in the third country via contract, adequacy finding by PPC for the third country) or potentially GDPR rules if they are also subject to GDPR.
- UK-Japan Data Flows: The UK government also reviewed and confirmed its own adequacy decision for Japan following Brexit, ensuring that data flows between the UK and Japan remain similarly streamlined.
- Potential Enforcement Evolution: While a major shift is not immediate, the EU's encouragement for more robust formal enforcement by Japan's PPC suggests that businesses should be prepared for potentially stricter oversight or a gradual increase in formal sanctions over time, although administrative guidance is likely to remain the primary tool in the near term.
Conclusion
The successful first review of Japan's GDPR adequacy decision is positive news for international commerce, reaffirming the strong data protection alignment between the EU and Japan and ensuring the continued free flow of personal data. Japan's significant efforts in amending its APPI post-2019 were instrumental in achieving this outcome. For businesses operating across these regions, the key takeaway is the continued need for diligent compliance with both the evolved APPI framework and the specific Supplementary Rules governing EU data received under the adequacy finding. As global data protection laws continue to develop, ongoing attention to future reviews and regulatory guidance will remain essential.
- PPC – EU Adequacy Supplementary Rules (Japanese)
- European Commission Report on the First Review of Japan’s Adequacy Decision (2023)