The European Union’s General Data Protection Regulation (“GDPR”) attempts to protect the rights of member states’ citizens by enacting a regulatory scheme for processing personal data. The GDPR is notable both for the strength of the protection it offers and for the reach of said protection. The GDPR requires entities outside of the European Union (“EU”) who process the personal data of EU citizens to have protections similar to those of the GDPR in place. Foreign persons, companies, and governments who process said data must be aware of, and abide by, the GDPR’s provisions. The purpose of this paper is to analyze weaknesses in the U.S. system of privacy and data protection law by comparing the adequacy decision made for Japan to the Schrems II case recently decided in the EU. This note begins with a discussion of the history of data protection law in the EU and its importance to Europe before moving on to a description of the GDPR and its adequacy requirements. Then, this paper will parse the relevant considerations discussed in the Adequacy Decision for Japan and drawing comparisons to the U.S.’ data protection measure under the EU-US Privacy Shield.