On 25 May 2018, the European General Data Protection Regulation (GDPR) will enter into force, creating for the first time a unified legal system on data privacy for the European Union’s (EU’s) 28 member countries. The effect will be much broader though, since the GDPR will apply to all firms providing services or selling goods in the EU or to EU residents.
The GDPR distinguishes between data controllers and data processors. Under Japan’s Act on the Protection of Personal Information (APPI), data processors are not specifically identified. The APPI, significantly revised with effect on 1 April 2017, now has stricter obligations to monitor and control subcontractors. Thus, for example, if the subcontractor is outside Japan, a contract needs to be put in place to ensure compliance or, alternatively, international agreements such as the APEC Privacy Framework should be used.
The GDPR applies wherever the processing takes place as long as the data processor is in the EU or the data concerns EU residents. In certain circumstances, data controllers or processors located outside the EU may have to appoint a representative in the EU.
In both systems, transfers of personal data to third parties are restricted but there are important differences. In Japan, the principle is that the consent of users should be obtained in advance. In the EU, consent is a possibility but only as an exception and, even then, subject to the condition that the transfer should be necessary. The main principle is either a decision by the EU Commission that specific countries provide an adequate level of protection, or a system of contracts to ensure appropriate safeguards. The EU and Japan have been discussing, but have not yet agreed to recognise, each other’s system.
There are a number of other differences, such as in the EU, transfers of data within groups can be handled through a set of binding corporate rules which create specific rights for third-party users. These rules are validated by any one of the 28 EU privacy authorities. This system does not exist in Japan, where group entities are treated as third parties.
The EU and US have an arrangement called a Privacy Shield that allows transfers to certain US entities, again a system that does not exist in Japan.
For transfers with outside parties, standard contractual clauses including mandatory principles stipulated in the GDPR make it possible to transfer data back and forth without individual consents.
For international data transfers, the EU system is more structured than the Japanese one at present, but this may change over time as the Japanese system evolves.
Another characteristic of the GDPR, widely reported in the press, is of course the level of fines which for major breaches may reach €20mn, or 4% of worldwide turnover, whichever is higher. The APPI’s maximum fines are a meagre ¥500,000. The main risk in Japan concerns reputation, with violators named and shamed in the press.
Right to be forgotten
A less well reported feature of the EU regulation concerns the rules of profiling. Monitoring the behaviour of persons in the EU falls fully within the GDPR, and that data is protected the same way. Further, EU residents have “the right not to be subject to a decision based solely on automated processing, including profiling”. Human intervention can be demanded and objections may be raised regarding an automated decision. The consequences of this new rule may be quite broad.
Also already largely reported is the right to be forgotten, or the right to obtain erasure of negative personal information. The EU Commission hopes that the market to new entrants will be further opened through application of the right to data portability, namely, the right to receive data in a structured and commonly used format, and the right to ask for transmission of data to another controller. A new right to restrict data processing can also be used when there are issues with the processing. None of these rights exist in Japan.
The GDPR is in fact only half of the intended regulation. There has been a delay in an accompanying e-privacy regulation, which deals with the protection of communication by and among operators. It includes rules on cookies and spam, and probably will not go into effect before mid-2019 or the end of that year.
For firms operating in both Japan and the EU, ensuring compatibility with both systems never has been easy, but is even less so under the new system.