Rohan Massey, a partner at Ropes & Gray in London, and David Poloquin, an associate at Ropes & Gray in Boston. Courtesy photos. Rohan Massey, a partner at Ropes & Gray in London, and David Peloquin, an associate at Ropes & Gray in Boston. Courtesy photos.

Now that Japan has secured an adequacy decision under the European Union's General Data Protection Regulation, opening a channel of free-flowing data between the two jurisdictions, several other countries are expected to follow suit. But the U.S. is not among them.

The European Commission announced in late January that Japan had successfully negotiated the first adequacy decision under the GDPR. The agreement between Japan and the EU created the “world's largest area of safe data flows,” according to a statement from European Commissioner Věra Jourová.

“Europeans' data will benefit from high privacy standards when their data is transferred to Japan. Our companies will also benefit from a privileged access to a 127 million consumers' market,” Jourová added. “Investing in privacy pays off; this arrangement will serve as an example for future partnerships in this key area and help set global standards.”

Under the GDPR, EU member countries are not allowed to transfer personal data to countries that are outside the EU and lack adequate data protection. To secure an adequacy decision under the GDPR, Japan made data protection assurances to the EU and agreed to implement new rules to bring its data protection system in line with the European regulations. Japan also created a framework for handling data-related complaints from Europeans.

Rohan Massey, a London-based partner at Ropes & Gray who leads the firm's privacy and cybersecurity practice, said in an interview Tuesday that South Korea is negotiating an adequacy decision with the EU while India and Mexico have shown interest in doing the same. He expected that Brazil, which passed sweeping data protection legislation last year, also would seek an adequacy decision.

“All these major economic areas are taking an omnibus approach to data protection,” Massey said. But he noted that the U.S. hasn't hopped aboard that data protection train and “is still focused very much sectorally on how it regulates data protection.”

“The U.S. has been very commercially driven in its approach,” he added.

As more countries pass comprehensive data protection laws, the U.S. has continued to follow a segmented approach with specific agencies regulating certain types of data and some states passing their own privacy laws, such as the California Consumer Privacy Act.  

A federal data privacy law would open the door for a U.S.-EU adequacy decision under the GDPR. But such a law appears to be a tough sell at the moment.

“The U.S. will not have an adequacy decision until it has a nationwide privacy law, so we're not really in the ballpark to have that kind of [adequacy] decision,” said David Peloquin, an associate at Ropes & Gray in Boston who specializes in clinical research and health data privacy. “The bottom line is we're nowhere close to an adequacy decision in the U.S.” 

Many of Peloquin's clients are medical researchers and are unable to participate in the Privacy Shield data transfer network that allows certain stateside companies under the jurisdiction of the Federal Trade Commission or Department of Transportation to transfer data between the EU and U.S.

U.S.-based organizations that are ineligible for Privacy Shield certification, including Peloquin's nonprofit clients, typically have to rely on standard contractual clauses to transfer data with the EU, according to Peloquin. He said many of his clients are unable to comply with certain terms found in those contracts.

“The problem with that is that the terms of those contracts require that you, for example, agree to jurisdiction of the European court,” he said. “It has really stalled some important research because we're unable to get data transferred from Europe to the U.S.”  

In the past day alone, Peloquin said he's heard from two major university clients who were dealing with EU-related data transfer headaches. He's been considering certain potential solutions, including bespoke contracts that must receive approval from EU data protection authorities. But that route “takes a lot time, like months and months,” he said.

“We have this fundamental problem that we're all trying to work around,” he added.  

Read More:

Just How Much Will the EU Impact US Tech, Privacy?

An American In-House Counsel in London: GDPR From Across the Pond

Potential FTC Facebook Fine Could Signal Stricter US Enforcement of Tech's Privacy Policies