Almost half a year has passed since the General Data Protection Regulation (GDPR) came into force in the European Union.
While no large fines have been issued so far, we believe this is simply the calm before the storm.
The data protection authorities in the EU are currently focused on preparing guidance on various issues regarding the interpretation of the GDPR. Once this is done, they can direct their resources to enforcement.
Those businesses in Japan that offer goods or services to the EU market, or that monitor the activities of EU consumers should make sure they understand the data mapping involved, namely, what personal data is being handled and how. They should also carry out data impact assessments to check for high-risk behaviour.
It is the data mapping and data impact assessment documents that EU authorities are most likely to ask for if there is an investigation. Not providing these immediately on request is likely to result in an instant fine.
If necessary, GDPR-compliant client privacy notices or consumer-facing privacy notices should be put in place.
One aspect that is starting to take shape between Japan and the EU relates to transfers of EU data subjects’ personal data to Japan.
The default position is that such transfers are prohibited. However, there are a number of ways that this can be done in a GDPR-compliant manner.
Japan’s amendments to its own privacy laws that came into full effect in May 2017 introduced a similar obligation to execute a specific agreement to allow processing of personal data collected in Japan to take place outside Japan.
The Japanese government has since been in discussions with the European Commission to see if Japan and the EU can recognise each other’s privacy laws as equivalent. If equivalent, then free transfers of personal data between the two jurisdictions would be possible without the need to execute a specific agreement.
In July, Japan and the EU posted a press release stating that they would recognise each other’s privacy laws as equivalent.
Since Japan lacks some features of the GDPR, it will need to implement additional safeguards to protect EU citizens’ personal data.
The safeguards, outlined in a set of supplementary rules published this month by Japan’s Personal Information Protection Commission, will go into effect at the same time as the adequacy decision. The main safeguards are outlined below.
The Japanese definition of “special care-required personal information”—which includes, for instance, information on race and medical records—when applied to data transferred from the EU under the adequacy decision, will include a data subject’s sex life, sexual orientation and trade union membership.
Rights of Data Users
Under Japanese law, data users have a right to obtain disclosure, correction or deletion of their personal data except when the data is kept for no more than one year. This exception will not apply to EU data transferred under the adequacy decision.
Right of Usage
Under Japanese law, data processors receiving the transfer of personal data have a duty to confirm how the data was acquired and to keep records of the transfer. This obligation will now mean, when applied to data transferred from the EU under the adequacy decision (either directly or through another data controller), that the right of usage of the data will be limited to the right of usage about which the data users were originally notified.
Cross-border Transfer of Personal Data
Where a business operator intends to transfer personal data received from the EU under the adequacy decision to a third party located outside Japan (and outside the EU) on the basis of the data subject’s consent, it must inform the data subject about the ultimate data recipient, so that the data subject can make an informed decision as to whether or not to consent to the transfer.
Where a Japanese business operator receives EU personal data that it intends to transfer to a third party, the data subject needs to be provided information on the ultimate data recipient. This is to allow the data subject to make an informed decision about whether they wish to allow their data to be transferred.
The definition of anonymously processed data is modified for personal data received from the EU. Under the adequacy decision, the relationship between the data and the data subject cannot be restored.
Since the EU’s adequacy decision is expected in October, businesses in Japan will soon be able to benefit from this new adequacy arrangement.
Meanwhile, a number of legal proceedings are underway which will further define the scope of the GDPR.