Earlier this year, the European Commission, the executive arm of the European Union, recognized Japan’s data protection regime as adequate under the European General Data Protection Regulation (GDPR). Japan is now treated as part of the European Economic Area (EEA) under the GDPR, and data may be transferred from the EEA to Japan without any additional safeguards or agreements. This is the first adequacy decision since the GDPR took effect, and it will likely provide a road map for other countries or territories seeking EU approval going forward.
At the same time that Japan’s adequacy determination was being finalized, the California attorney general began hosting seven public forums across the state to allow public comment during the California Consumer Privacy Act (CCPA) pre-rulemaking process. The CCPA, enacted July 28, 2018, and effective Jan. 1, 2020, is modeled on the GDPR, imposing new data protection requirements on certain companies and granting new rights to California residents.
Even before the CCPA was signed into law, the bill sparked speculation about whether California could apply under the GDPR for adequacy. While California has not yet expressed an intention to apply, the state has a history of forging its own path in the absence of federal action. And notably, industry stakeholders at the CCPA public forums requested that the potential CCPA regulations contain a safe harbor provision for GDPR-compliant businesses. In addition, legislation introduced this year to amend the CCPA to more closely align with the GDPR framework—coupled with last year’s stalled efforts to create a California data protection agency—indicates that some state legislators may have a broader vision of the relationship between the two privacy regimes.
But could a single state secure a GDPR adequacy determination even though the United States has not obtained a full adequacy decision? This post considers whether California could apply (based on the factors considered in the recent Japanese adequacy decision) and, importantly, whether any legal barriers exist under the GDPR.