Multinationals Struggle to Adapt to Japan’s New Privacy Law


By Brian Yap

Multinational corporations doing business in Japan have been struggling to comply with the consent requirements for transferring data abroad under the country’s newly amended privacy law, privacy attorneys told Bloomberg BNA.

The recently amended Protection of Personal Information Act (PIPA), which took effect May 30, stipulates that any cross-border transfer of personal data requires explicit consent from those whose data is being transferred. Personal data kept in Japan that can be accessed by an overseas subsidiary or affiliate is also subject to the mandatory consent rule.

Companies that fail to get consent to transfer data won’t face a fine, but there are other significant incentives for companies to comply. Getting consent can lower the risk of being sued or of facing an administrative investigation by the country’s new privacy regulator, the Personal Information Protection Commission (PIPC). The amended act doesn’t include a specific penalty for companies that fail to get consent. PIPA allows individuals to sue for violations of the law and gives the PIPC the power to investigate alleged violations of the law.

Although Japanese companies have been quick to respond to the new compliance requirements, foreign companies are struggling to do so partly due to the sheer size of their global workforces, Yumiko Ohta, a corporate transactions and employment law partner at Orrick Tokyo Law Offices, told Bloomberg BNA.

“Unlike their Japanese counterparts, multinationals are in much higher need of transferring such information to their head office and their subsidiaries as well as affiliates abroad,” Ohta said. Foreign-based multinationals have traditionally adopted a centralized approach to handling information from their overseas branches, she said.

Ohta and other attorneys contacted by Bloomberg BNA declined to name particular foreign-based multinationals that may be struggling with the law.

Many U.S.-based multinationals, such as Apple Inc., Intel Corp., Merck & Co. Inc., Nike Inc., AFLAC Inc., and Eli Lilly & Co., generate significant business revenue from their operations in Japan, according to Bloomberg data. For example, Apple took in nearly $17 billion from its Japanese operations in fiscal year 2016.

Fumiaki Matsuoka, data protection and general corporate law of counsel at Atsumi & Sakai in Tokyo, told Bloomberg BNA that the government considered compliance burdens on foreign companies when the original PIPA was enacted in 2005. The amended PIPA process didn’t include the same level of contemplation of such issues, he said.

Exemptions

The original PIPA permitted cross-border transfers so long as an opt-out system was in place that gave individuals notice of and the opportunity to terminate a transfer, or if the transfer was carried out through a certified third-party service in Japan.

Japan amended PIPA, in part, to bring it in line with the European Union’s new privacy regime, the General Data Protection Regulation (GDPR) set to take effect May 25, 2018. The GDPR includes stronger consent provisions now echoed in PIPA.

The implementing rules for the amended PIPA, which were issued by the PIPC, include exemptions from the consent requirement.

Cross-border data transfers from a Japanese branch of a foreign company to its head office are considered under the amended PIPA to be an internal transfer and don’t need additional consent. But if the transfer is to an entity in the same corporate group that is considered a separate corporate entity, the company must have internal privacy policies that govern such transfers.

Under the rules, additional consent isn’t needed if an overseas company receiving data is located in a country deemed to have privacy protections equivalent to the Japanese law. A foreign country that has an international privacy certification, such as those under the Asia Pacific Economic Cooperation’s Cross Border Privacy Rules system, may also be eligible to receive data without more formal consent.

The PIPC is authorized to create a list of privacy-approved countries but hasn’t released such a list. Without that guidance, companies are left to interpret the privacy adequacy of countries outside Japan.

The generally vague language of the exemptions makes it difficult for multinationals to rely on them, Ohta said. For the time being, the best practice for multinationals seeking to transfer data outside Japan is to obtain explicit consent from each individual concerned, she said.

PIPC has announced that it intends to review privacy equivalency between PIPA and the EU’s privacy regime, but that the review won’t be completed until the first half of next year.

Iwao Toriumi, a senior manager at the International Bankers Association of Japan (IBA) in Tokyo, told Bloomberg BNA that companies may cite equivalency of privacy protections in contracts with third parties overseas that they intend to transfer data to, but the extensive scope of the amended PIPA and another country’s privacy regime make such a direct equivalency comparison difficult, if not impossible, for companies to verify.

Companies aren’t required to get approval from the PIPC for such contracts, but the regulator has the power to conduct on-site inspections that include review of contracts, Toriumi, who was formerly an economist with the Cabinet Office, said.

One area of particular regulatory confusion involves identifying the physical location, and therefore attendant controlling privacy law, of data servers used by the parties to a transfer agreement, he said.

To contact the reporter on this story: Brian Yap in Tokyo at correspondent.bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

The full text of the amended PIPA is available, in English, at https://www.ppc.go.jp/files/pdf/280222_amendedlaw.pdf.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
