While the island may have an historical reputation for isolationism, Japan is unquestionably a world economic power. It is the third largest economy in the world, by raw gross domestic product, and generates more than six percent of the world’s economic activity.
However, to maintain that status, Japan understands that it needs to modernize its treatment of personal data.
Thus, Japan in 2015 passed a new Personal Information Protection Act (PIPA), which put into place a new Personal Information Protection Committee to regulate the collection and use of personal data and created strict rules surrounding the transfer of the personal data of Japanese citizens outside of Japan.
Unlike many countries, where violation of privacy law simply means a hefty fine, in Japan the mishandling of personal data can lead to a year in prison.
Further, like the EU’s General Data Protection Regulation, which comes into force in May of 2018, Japan’s new law ostensibly covers any organization that collects Japanese citizen data. Can Japan put an American citizen in jail for misusing personal data? That’s hard to say. The law, however, expressly instructs Japanese regulators to work with their counterparts in other countries to extend their enforcement power.
In general, you probably don’t want to chance it.
So, the first thing to understand is that Japan’s new PIPA comes into full force May 30, 2017, just a couple short months away. At that time, the definition of “sensitive” information expands greatly. As with the EU, for instance, IP addresses are now considered personal information. “Vocalizations,” i.e., speech recordings, are now personal information. Any kind of health ID or customer identification number is now personal information.
Further, for those kinds of data, you cannot move that data outside of Japan unless Japan has declared your country “adequate,” which hasn’t happened for any country yet, or you have the express permission of the data subject in question. That’s “opt-in” consent, not “opt-out” consent. A pre-checked box is not consent by the definition of Japan’s data protection law.
There is one other way to move data out of Japan, however: participation in the APEC Privacy Framework’s Cross Border Privacy Rules program. APEC is the Asia-Pacific Economic Cooperation, and the CBPRs program is a relatively new effort to allow for data transfer among all 21 countries in APEC (which include Canada, Mexico, Russia, China, the U.S., Japan and other world powers on the Pacific Rim). At the moment, the program is still relatively new, and only a few countries fully participate, but Japan is one of them, so it may be worth your organization’s while if you’re doing significant business with the Japanese.
Nor should it be a surprise that Japan was among the first to get fully involved. The country is clearly making strides toward solidifying its place in the global data economy. Just recently, Japanese officials met with members of the European Commission, looking to be declared “adequate” by EU data protection standards. This would allow the free flow of personal data between the two massive economies.
Right now, just a handful of countries — specifically not including the United States — have been declared adequate by the EU, enabling a much more efficient way to transfer EU citizen data across borders. Should Japan be added to this list, that would be a significant advantage in the world economy for Japanese companies.
Japan may, indeed, be hoping that adequacy with EU will eventually be seen as similarly attractive to foreign companies.
Until that day comes, however, companies doing business with Japanese citizens need to immediately get a good understanding of their data holdings. Do you know which data is the personal information of Japanese citizens? Can you tell what consent is attached to that data? Do you know where that data lives?
In the short term, some organizations may choose to find a Japanese data center and keep Japanese citizen data there. Others may choose to contact all of their Japanese customers and obtain new express consent for however their processing that data. Others may choose to be much more selective about how they do business in Japan at all.
Regardless, if your company is doing business in Japan now, it is of the utmost importance that you get those questions answered. If not, someone might find themselves spending a year in jail.