In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your efforts. In this installment, Kensaku Takase of Baker McKenzie compares the Japanese Act on the Protection of Personal Information with the principles expressed by the GDPR.
On July 6, the European Commission and the Japanese government published a joint statement on international transfers of personal data. The statement mentions that the EU and Japan will continue their cooperation and aim by early 2018 to recognize each other as having adequate levels of personal data protection. If this does indeed occur, it would mean there would be compliant transfers of personal data between the EU and Japan without the need for instruments such as standard contractual clauses, binding corporate rules or privacy certifications.
The EU Commission has an existing "white list" of countries it has recognized in the past as having an adequate level of personal data protection to the EU. However, Japan was not one of those recognized countries.
Japan's reformed privacy law came into full force May 30, 2017. Along with a significant number of changes, the new law also introduced a similar white-list concept. The mutual recognition will add Japan to EU's white list and make the EU Japan's first "white listed" jurisdiction.
Even so, there remains a large number of differences between the privacy laws of the EU and Japan. However, particularly with Japan's recent reforms, the significance of the differences is less. In particular, the establishment of the Personal Information Protection Commission in Japan, which is dedicated to the establishment and enforcement of privacy regulations, significantly enhances Japan's privacy law system.
Japanese Act on Protection of Personal Information | GDPR | |
---|---|---|
Purpose | To protect the rights and interests of individuals while ensuring due consideration for the usefulness of personal information by basic principles for the proper handling of personal information. | To enable the free movement of personal data within the Union while protecting fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data. |
Material Scope | Applies to the use of a personal information for business. The APPI has a very broad and open concept of data processing. | Applies to the processing of personal data wholly or partly by automated means, within the scope of Union law. |
Territorial Scope | The APPI does not have express provisions dealing with jurisdiction and territoriality. | Applies to processing that takes place in the Union or by a processor who has an establishment in the Union within the context of activities in the Union or to processing activities that are related to the offering of goods and services to (or behavioral monitoring of) data subjects in the Union. |
Personal Data | “Personal Information” means the following two categories of information. 1. Information about a living individual which can identify a specific individual by the description contained in the information, such as name, date of birth or other description (including voice or behavior information), including information which can easily be combined with other information so as to enable the identification of that individual; and 2. Information that contains Personal Identifier Codes. “Personal Identifier Codes” means either (a) letters, numbers, marks or other codes for use with computers converted from a person’s bodily information which may identify the person, or (b) letters, numbers, marks or other codes on cards or other documents which are unique to the user or purchaser, and may identify the person. Apart from “Personal Information”, “Personal Data” is separately defined to cover information stored in a business operator’s database. Personal Data is defined as Personal Information constituting the business operator’s “Personal Information Database”. A “Personal Information Database” in turn is defined as: (i) an assembly of information systematically arranged in such a way that specific personal information can be retrieved by a computer; or (ii) an assembly of information in accordance with certain rules, and that has a table of contents, index or other means to facilitate the retrieval. Accordingly, once “Personal Information” is stored into a “Personal Information Database”, such Personal Information becomes “Personal Data” under the APPI. There are some provisions in the APPI that specifically deal with Personal Data. | Personal data means any information relating to an identified or identifiable natural person. |
Sensitive Personal | Personal Information that needs special care (“Sensitive Data”) is defined to include race, religion, social status medical history, criminal history and the fact that the person suffered damages by a crime. | Special categories of data that are considered particularly sensitive are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. |
Data Controller | There is no concept of a “Data Controller” under Japanese law. However, the APPI uses the term “business operator,” which essentially refers to the entity responsible for the proper handling of all “Personal Information.” This is similar to the concept of data controller under EU law. | Means the natural or legal person, public authority, agency or other body, which, alone or jointly with others, determines the purposes and means of the processing of personal data. |
Data Processor | There is no concept of a “Data Processor” under Japanese law. As such, handling of personal data under the APPI should pertain to how a “business operator” treats and manages the personal information or personal data in its possession. | Means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. |
Purpose Limitation | A business operator handling personal information shall not handle personal information beyond the scope necessary for achieving the purpose of use unless the business operator has obtained prior consent of data subjects. Purpose of use must promptly be notified to data subjects or publicly announced once a business operator acquires Personal Information, unless the purpose of use has already publicly announced. | Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. |
Accuracy | A business operator handling personal information must endeavor to keep the content of personal data accurate and up to date, within the scope necessary for achieving the purpose of use. | Personal data should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay. Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. |
Accountability | Japan does not recognize the concept of a data processor. Accountability lies with the business operator, which is similar to a data controller under EU law. | The controller shall be responsible for and be able to demonstrate compliance with the principles of the processing of personal data under the GDPR. The controller and the processor shall designate a data protection officer where processing requires regular and systematic monitoring of data subjects on a large scale or the core activities of the controller or the processor consist of processing on a large scale of special (sensitive) categories of data or personal data relating to criminal convictions and offenses. |
Access and Correction | The data subject may request the business operator to disclose, correct, add or delete the retained personal data. | The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and to access the personal data and information about the processing, including what categories of data are processed, the recipients of the data, and rights to erasure and rectification of the personal data, the right to lodge a complaint with a DPA, the source of the data, whether the data was subject to automated profiling (and if so, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject). |
Transfer of Personal Data to Another country | The APPI provides that Personal Data may not be transferred to a foreign country unless: (i) the data subject has given specific advance consent to the transfer of the data subject’s Personal Data to the entity in a foreign country; (ii) the country in which the recipient is located has a legal system that is deemed equivalent to the Japanese personal data protection system, designated by the Japanese data protection authority; or (iii) the recipient undertakes adequate precautionary measures for the protection of Personal Data, as specified by the Japanese data protection authority. | Personal data may only be transferred to third countries where the EU has considered the laws to provide adequate protection or where protected by binding corporate rules, approved model clauses, binding agreements combined with an approved code of conduct or approved certification. |
photo credit: BWJones Japanese flag via photopin (license)