Compliance with the General Data Protection Regulation (GDPR), which governs the handling of the personal information of EU residents, is now required. More and more Japanese companies are voicing doubts and concerns about how exactly they are to comply with the GDPR, or whether they even need to be in GDPR compliance in the first place. We asked NRI's Shintaro Kobayashi, an expert on the use and application of personal data, about whether any steps must be taken when the regulation comes into effect on May 25.
Attitudes Regarding Personal Information in the EU Differ from Those in Japan
――What were the events leading up to the adoption of the GDPR?
In the late 2000s, the spread of social media, smartphones, and other technologies made it possible to collect what’s known as big data, so now you had personal data being used to do things like analyze your car’s driving information, or your tweets on Twitter—that is, used in ways that weren’t envisioned under conventional systems for protecting personal information. As a result, attitudes towards the protection of personal information began to shift, toward an emphasis on individuals being able to control their own information as they saw fit. In light of this trend, the EU announced a draft of the GDPR in 2012. After deliberations among the 28 member nations, the EU adopted it in 2016, and the regulation is supposed to come into effect in May 2018.
――How is the GDPR different from Japan’s Act on the Protection of Personal Information?
Japan’s Act on the Protection of Personal Information was designed principally around the obligation of business operators to protect people’s personal information, and above all it tends to encourage an emphasis on security control measures. For this reason, right after the Act on the Protection of Personal Information took effect in 2005, it produced an overreaction where people now felt compelled to protect such information, and suddenly you could no longer create school contact lists or community association directories, for instance.
By contrast, the GDPR is strongly imbued with the notion that protecting personal information is about protecting human rights, and the way it’s arranged is to first prescribe the rights of individuals, followed by the duties that business operators have to discharge. In handling personal information, business operators are required themselves to think up and act on the necessary measures for respecting the rights of individuals. Some representative examples of individuals’ rights would be the right to be forgotten*1 and the right to data portability*2, which act as a check on big data-related business.
Companies Must Be Cautious About Cross-Border Data Transfers and the Varying Scope of Protection
――Does the GDPR apply in cases where the personal information of EU residents is to be handled in Japan?
Yes, it does. This is rooted in the idea that personal information and human rights are a set pair, and if personal information is transferred somewhere, the human rights accompanying it must also be safeguarded. When the EU first asserted this point, its validity was questioned, but restrictions on the transfer of personal information beyond national borders are becoming a worldwide trend. This is because the spread of the internet has enabled the free transfer of personal information across borders, and so all countries face a greater need to protect the information of their citizens.
――What do Japanese companies have to be careful with when exchanging information on a global scale?
In Japan, if a specific individual can’t be identified by certain information, it isn’t considered to be personal information, but in the EU, even data that’s linked to “things”—like with IoT—will be more subject to protection the more closely it’s connected to an individual. It should be noted that the maximum fines for violations are higher, and that there are certain individual rights as well as duties owed by business operators that aren’t prescribed under Japan’s Act on the Protection of Personal Information.
Fortunately, the revised Act on the Protection of Personal Information, which was enacted in 2016, was created with the GDPR in mind. And Japan’s Personal Information Protection Committee held negotiations with EU authorities, the result being that if the guidelines formulated by the Committee are followed, it’s permissible for personal information to be transferred from the EU to Japan. This likely means that the burden placed on individual companies will be considerably lessened. However, that doesn’t mean companies can rest easy. It’s important for companies to take comprehensive measures in handling such information, keeping in mind any differences in the scope of personal information that’s protected, and the rights of individuals that must be respected.
――What do companies need to consider specifically?
First of all, you must refer to the aforementioned guidelines in transferring any personal information to Japan. And when it comes to deleting data or handling requests for saved data to be provided, for example, you need to have internal rules in place and to apply them so that you can accommodate the rights of individuals. You also need a means of fulfilling your accountability according to the risks involved, for instance by appointing data protection officers, or making privacy impact assessments. Another thing would be to have a system that enables you to notify the authorities within 72 hours if any information is leaked.
It’s not simply a matter of everybody uniformly abiding by a certain rule, so your company needs to comprehend what sort of data will be exchanged between it and the EU. And in light of the purport of the GDPR, every company needs to fully consider to what extent it will be managing personal information, what level of risk it’s willing to accept, and what kind of risk it can deal with.
An Awareness That We’re Moving Towards a Global Infrastructure in the Digital Age
――Are Japanese companies embracing GDPR compliance?
It varies from company to company, and in particular it seems that certain companies have been slow in responding, such as EC websites that do one-off transactions with the EU, companies that have no local bases there, and SMEs. Companies that handle personal information for their inbound travel business that receives EU residents must also take heed.
However, just because a company is slow in complying with the GDPR, that doesn’t mean we recommend making a token effort just to get something in place. There are still a number of EU member nations that haven’t made rules for enforcing the GDPR yet, so the best thing would probably be to think carefully about the matters we discussed earlier as you identify and enact the necessary measures based on your company’s particular global strategy.
Some may feel that the GDPR is too strict, but mechanisms for protecting personal information on a global scale are a fundamental requirement for the digital age. If you think in those terms, GDPR compliance isn’t some transitory thing, but rather an activity to be undertaken assiduously for the long haul. I think this activity would certainly contribute to the prosperity of any given company.
*1 The right to request that your personal data be deleted. It has gained attention for being something of a novel concept and having a sentimental naming, and is difficult for companies to accommodate. Google and other search services are leading the way in compliance with this right.
*2 The right to request that a company provide one’s personal data in a machine-readable format, so that such data is easily portable. This right prevents large IT companies from storing personal data in “silos”, for example, and was established to enable individuals to exercise their freedom of choice as well as to promote a more competitive market environment.
Nomura Research Institute, Ltd.
Corporate Communications Department