Photo by Allison Bettin
You’d be hard-pressed to find a Westerner who’d deem Japan unsafe … except, perhaps, in the realm of data privacy. In a June seminar, lawyers from German-based ARQIS Foreign Law Office in Tokyo, in a foreign law joint enterprise with TMI Associates, discussed the intricacies of Japan’s data protection laws, with emphasis on their differences with European Union regulations.
Data privacy is a highly relevant topic in today’s global economy, where companies are facing the challenges of collecting, transferring, and storing personal data in multiple countries, all with varying laws. Despite Japan’s reputation of being a stickler for rules, the seminar heard the existing rules, including the Act on Protection of Personal Information (APPI), and related regulations are quite lax compared with the EU legal framework.
“From an EU perspective, Japan is one of those countries where data protection is almost non-existent or not secure,” says Ulrich Kirchhoff of ARQIS. “While the EU tries to make the data protection regulations stricter, Japan tries to make them less strict, so it goes exactly the opposite direction.”
Although the APPI is expected to be amended next year — with changes taking effect expected in 2017 — seminar participants pointed out that the current Japanese law is little more than a set of conduct guidelines advising businesses on how to handle personal data. Should a company violate a provision of the APPI, it would more than likely receive a government recommendation or order, but rarely face penal sanctions.
“This is [a] scolding from the government to the businesses, that’s it,” says Masafumi Oshino of TMI Associates. “If the business doesn’t obey the instructions or scolding, then the business [would] be subject to penal sanctions. So if they’re scolded and they just obey, everything is fine as far as APPI is concerned.”
Another issue relating to data privacy might be what legal recourse would a person have in Japan if their sensitive private information, like of their bank account, was leaked? The legal experts said if the victim was able to prove in a civil lawsuit that either material or immaterial damages occurred then the offending company would be ordered to pay damage compensation. Oshino points out that sometimes it might be more efficient to take on the company directly, as it would be concerned about public reputation, especially on social media. “If the reputation [is threatened] on the Internet, then the company will react to distinguish the bad reputation,” he says. In some cases, damages will be paid out of court directly to the person in order to settle the claim.
Another key point of the GCCIJ seminar was to discuss how multinational companies are able to comply with the myriad of national data privacy laws worldwide. It seems there is no simple answer.
“If you have a transfer of data from one jurisdiction to another jurisdiction, which law applies?” asks Dr Tobias Schiebe of ARQIS. “For such transactions, in a lot of cases, both or several laws apply. If you transfer data collected in Japan to Germany and the data is processed in Germany, then the German Data Protection Act, in principle, applies. But also for the act of collection and transfer of data in Japan, the Japanese laws and regulations apply.”
Several guests at the seminar shared that in order to navigate the jumble of laws, many German firms oblige their Japanese subsidiaries to follow the EU/German law. “If you follow the stricter law, which in most cases would be the European/German law, then that would generally also imply that you cover most of the requirements and obligations under the Japanese law,” says Schiebe. He states that some Japanese guidelines can also be quite detailed, so it is best to cover all bases and seek advice regarding the compliance of their company regulations and practice with Japanese law.
“It seems that the law amendment that is expected to come into effect in 2017 makes it even easier for companies at least to transfer certain data,” says Kirchhoff. “It needs to be seen how this will be implemented.”