TOKYO -- Japan and the European Union agreed in substance on Thursday to allow the movement of personal information between their jurisdictions as soon as this fall, as Tokyo works to update rules for how Japanese corporations manage user data to meet the EU's new privacy law.
Vera Jourova, the European justice commissioner, told reporters here that she had made progress on reconciling protection standards in her meeting with Haruhi Kumazawa, an official on Japan's Personal Information Protection Commission.
Having an agreed-on framework in place would ease the administrative burden on Japanese companies seeking to comply with the new law, for which even big corporations remain woefully unprepared.
The EU's General Data Protection Regulation, which went into force this month, tightly restricts the movement of European personal data out of the bloc. The rules allow transfers only to jurisdictions that meet EU privacy standards. Switzerland and 10 other places have been approved so far, but Japan is not on that list.
Companies in unapproved countries must ask users for permission to move their information outside the EU, or they must enter into data transfer contracts modeled after ones prepared by European authorities.
Japan put a new data protection law into effect last May and plans to add further guidelines for safeguarding European data. Labor union membership, for example, will be treated as personal information requiring special care. Jourova also said the EU wants to check Japan's restrictions on government access to personal data.
The GDPR also requires companies to put in place safeguards on EU nationals' information even when it remains within the bloc. Businesses must have a system to quickly alert authorities in the event of a data leak.
Jourova said the EU will first monitor compliance by organizations that process large volumes of data or handle sensitive information, such as medical care providers and insurers.
Fines for violating the GDPR amount to 4% of yearly global sales or a maximum of 20 million euros ($23.3 million), whichever is higher. Even some EU member countries are behind on bringing their domestic regulations in line with GDPR standards.