Japanese Latest Privacy Framework Shares Key Characteristics with EU’s Upcoming Data Protection Law

by Dhiram Shah


As technology advances, it is more and more obvious that information networks, communication, and the economy are becoming increasingly interconnected and globalized, spreading across several countries. This means an increase in the volume and in the variety of personal data that is processed on a daily basis as well as in the transnational transactions that put this data to use. As strong economies like the EU and Japan rush to adopt data protection legislation, it is important to remember that these will not only be adopted internally but will regulate cross-border data transfers as well.

Japan and EU Set to Whitelist Each Other
The Japanese Act on Protection of Personal Information that restructured the previous regime came into force on May 30, 2017 – about a year earlier than the date the new EU General Data Protection Regulation (GDPR) is set to come into force, on May 25, 2018. According to a comparative overview of the two instruments, there is a lot they share – which is why it is projected that when the GDPR comes into force, both jurisdictions will whitelist each other, meaning that they will consider each other as providing a similar and mutually adequate level of protection. Both have the aim of enabling the useful flow of data while safeguarding individuals’ privacy, while they also introduce similar rules for cross-border data transfers. Yet, there are also a few differences in how they approach certain issues.

GDPR Offers Broader Protection in Sensitive Personal Data and Accountability
Arguably, some of the GDPR requirements are more clearly delineated and they arguably increase accountability for misuse of personal data that is processed. For example, Japan’s APPI introduces the concept of “business operator”, similar to the concept of “data controller” in the GDPR. “Data controller” refers to the entity that decides the purposes and means of processing of personal data. However, the APPI does not have a concept similar to the GDPR’s “data processor” – meaning the entity that processes data on behalf of the data controller. This in effect limits accountability only to the data controller, while data processors can be held liable too under the GDPR. Furthermore, the meaning of “sensitive personal data” is somewhat more limited under the APPI, as the GDPR does not only include race, religion, health status and criminal background when using this term, but also biometric data, such as height or weight, DNA, fingerprints, or even a person’s voice.

Businesses Need to Pay Attention to Cross-Border Data Transfers
Adapting to these new rules does not come cheap for businesses – it is estimated that companies on Fortune 500 will invest a total of $7.8 billion (€6.3 billion) or $16 million (€13 million) each to make sure that they comply with the GDPR. If they are found to not be up to par, they will face fines of up to €20 million or 4% of their annual profits, whichever is higher. By contrast, Japan’s APPI does not include administrative fines or civil damages provisions, but general criminal sanctions that are not necessarily privacy-focused, including crimes that could incur a 500,000 yen (€3,700) fine. Companies preparing for the GDPR are also expected to hire several privacy-related employees and professionals who deal with compliance issues – just the number of Data Protection Officers that have to be hired around the globe is estimated at roughly 75,000 – which raises the costs even further.

So in order to avoid these hefty fines and not let all that financial investment be compromised, businesses and organisations handling personal data need to also take account of any transnational dealings with other companies – even with those located in jurisdictions that are expected to be whitelisted, such as Japan.

Leave a comment