General Data Protection Regulation (GDPR)
Europe traditionally has had a strong commitment to human rights and privacy; this is no less true when it comes to data.
In 2018, the EU enacted a data privacy regulation called the General Data Protection Regulation, or GDPR. The GDPR regulates and protects personal data in the European Economic Area (EEA), which comprises the 27 EU member states together with the EFTA members Iceland, Liechtenstein, and Norway. The regulation also protects the personal data of EU citizens abroad.
Built on the solid European philosophy of human rights protection, the GDPR, in principle, prohibits the transfer of personal data from within the EU to outside the EU. Exceptions to allow personal data flow beyond the EU apply if and only when the destination country has a high level of data protection that meets EU privacy standards.
To transfer EU citizens’ data, or personal data collected within the EEA, across borders, the destination country must meet the “Sufficiency Certification” criteria. This certification assesses whether the level of privacy protection provided by the destination country’s personal data regulations is, at minimum, equivalent to that in the EU.
Japan has received certification of the GDPR Sufficiency Criteria.
In addition to Japan, Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Jersey, Israel, the Isle of Man, New Zealand, South Korea, Switzerland, the United Kingdom, and Uruguay have also received sufficiency certification.
The EU supports the Data Free Flow with Trust, or DFFT, reasoning that an international convergence of data protection rules to the GDPR will ensure secure data distribution.
In terms of data access and privacy-protecting philosophy, the US and the EU differ significantly; as discussed above, the EU views privacy as a fundamental right, while the US values the free distribution of data as a hallmark of transparency and freedom.
This fundamental discrepancy between the two jurisdictions restricted the fluid flow of data and created hurdles that disrupted economic and human activity. As a solution, the two sides created a special framework in 2016 called the Privacy Shield to aid data transfers.
Since there is no comprehensive privacy protection law in the U.S., the Privacy Shield provided that the U.S. Department of Commerce and the Federal Trade Commission would monitor U.S. companies receiving personal information transferred from the EU. Furthermore, the Shield appointed an ombudsman to provide independent oversight.
However, in July 2020, an EU court ruling invalidated the Privacy Shield.
Knowing that the breakdown of the Privacy Shield would significantly impact businesses, the U.S. and the EU immediately started working on a new framework for data transfers between them.
As a result, in March 2022, the U.S. and EU agreed in principle on a new framework for data transfers called the Trans-Atlantic Data Privacy Framework.
This new framework includes the following:
– new rules limiting access to transferred data by US intelligence authorities to that which is necessary and appropriate for national security and establishing safeguards to enforce this
– a multi-tiered remedies system, including a Data Protection Review Court, to investigate and resolve complaints by EU citizens regarding access to their data by US intelligence authorities
– imposing strong obligations on companies processing data transferred from the EU, including a requirement to self-certify compliance with EU regulations through the U.S. Department of Commerce.
In October 2022, the U.S. issued a Presidential Decree to implement this basic agreement. In response, in December, the European Commission initiated proceedings for a U.S. sufficiency certification under the GDPR. A formal decision on the newest framework is expected to take approximately six months.
Once the parties agree, the framework will enable free and secure data transfer between EU and U.S. companies.