Introduction

Collecting and processing personal data is central to the global business operations of multinational Japanese companies. The European Union's ("EU") data protection regime, which applies to the operations of many multinational Japanese companies, has been in place for over 15 years and still represents the international benchmark for data protection regulation (see our February 2011 newsletter for an overview of the regime).

On 25 January 2012, the European Commission released its long-awaited proposals to revise the EU Data Protection Directive (the "Directive"). The draft law takes the form of a Regulation (see the text here) which, if adopted substantially in its current form, would represent a comprehensive revision and strengthening of what is already generally considered to be the most stringent data protection regime in the world.

Key Aspects of the Regulation Proposals

One Set of Rules

Currently it is not always clear which - or how many - of the Member States' data protection laws apply to a Japanese organisation operating in multiple jurisdictions across the EU. By proposing a Regulation - and therefore one set of directly applicable rules throughout the EU - it is to be hoped that problems caused by the current lack of harmonisation under the Directive can be avoided. This should be a real improvement for Japanese businesses grappling with different standards, regulators and bureaucratic hurdles in various EU jurisdictions.  

Single Regulator - "One Stop Shop"

The Regulation also provides that an organisation with multiple presences across the EU will only have to deal with (and comply with the directions of) one of the EU data protection "supervisory authorities". This will be determined by the location of the organisation's "main establishment" (based on where the main decisions about the data processing are taken or, failing that, where the main processing activities take place in the EU). This might well encourage Japanese businesses to locate their EU headquarters in the traditionally more pragmatic data protection jurisdictions (e.g. the UK).  

Wider Concept of Personal Data

"Personal data" currently means any information relating to a natural person who is identified or can be identified, directly or indirectly. The proposals broaden this by referring to "means reasonably likely to be used by the data controller" or anyone. This suggests that if anyone anywhere was "reasonably likely" to use means that would identify an individual from a set of information, then the information would be personal data even if the particular organisation holding it had no prospect of identifying the individual. This appears to leave little scope for effective anonymisation of data. The Regulation also mentions location data and online identifiers as new means of identifying individuals.  

International Data Transfers

In practice, the restrictions imposed by the Directive on personal data flows to "third countries" outside the EEA which are not considered to ensure an adequate level of data protection (which currently includes Japan), cause the greatest compliance challenges for international businesses. They also add complexity to international outsourcings and cloud computing operations.

The Regulation does not fundamentally alter the existing framework but it affirms and extends slightly the current options. Binding Corporate Rules (sets of regulator-approved intra-group compliance rules; "BCRs") appear to be the transfer mechanism of choice; a supervisory authority will now be obliged to approve a set of BCRs provided that they meet the requirements set out in the Regulation (which reflect the current rules).

In theory, BCRs should be easier to obtain. However, in practice whether the relevant supervisory authority will be as cooperative as envisaged is less certain. The Regulation confirms that BCRs will be available for data processors as well as data controllers. Data transfer agreements using the Commission-approved "model clauses" continue to be an alternative compliance route for many multinational Japanese companies.

Longer Arm Jurisdiction – A Key Concern to Japanese Companies

The Regulation will also apply to the processing of EU residents' personal data by an organisation which is not established in the EU (e.g. in Japan) but is either: (a) offering goods or services to such individuals; or (b) monitoring their behaviour (which could include behavioural advertising). This may displease some of the larger Japan-based suppliers of internet and IT services (e.g. internet shopping malls and cloud computing providers) since these "non-established" data controllers would be required to comply with the Regulation in respect of their processing of EU residents' data, and to appoint a representative in the EU.

Data Security Breaches - Duty to Report in 24 hours

As expected, the draft Regulation requires data controllers across all sectors to notify their supervisory authority of data security breaches involving personal data (currently only public telecommunication services providers have to do so). There is no minimum threshold proposed. The supervisory authority must be notified without undue delay - and within 24 hours, if feasible - after the organisation becomes aware of any data breach. There are also measures requiring organisations to notify the individuals affected by the breach where it is likely to adversely affect the protection of their privacy.

Consent

Relying on consent from individuals as a legitimising ground for processing their personal data is rarely an attractive option. In future it will become even more challenging to rely on consent because the Regulation requires consent to be "explicit" and either to be by way of a statement or a clear affirmative action of the individual. The Regulation also casts doubt over an organisation's ability to obtain an "omnibus consent" (e.g. collecting a consent to data processing which is part of the same statement obtaining consent to terms and conditions of sale).  

The Right to Be Forgotten

This is a strengthening of the existing right of individuals to require deletion of their data. It is openly targeted at the online sphere, with the activities of younger people in mind. Where an organisation (a "data controller") which is processing an individual's data has made those data public (which includes via a social networking site), the data controller will be required to take all reasonable steps to inform third parties processing the published data of the request to delete it. Where the data controller has authorised a third party to publish the personal data, the data controller shall be considered responsible for the publication. The obligations are likely to increase costs and potential liability for social networking service providers (among others).

Greater Internal Governance Burden

The end of the registration ("notification") requirement for data controllers with national Data Protection Authorities will be welcome and is estimated to save €130 million. However, it has been replaced by an obligation on organisations to adopt internal policies and compliance measures, as well as implementing measures to ensure the verification of the effectiveness of such policies and measures, to be carried out by independent auditors "if proportionate". In addition, there is a further internal documentation requirement, an obligation to keep records of any security breaches and a duty to appoint data protection officers for all organisations in the public sector and larger ones in the private sector.

Also proposed is an obligation to conduct a privacy "impact assessment" in relation to any processing activity which presents specific privacy risks (e.g. involving health data).

Data Processors

Data processors (e.g. providers of outsourced payroll services) process personal data on behalf of their customers ("data controllers"). Under the current law, a data controller is liable for the processing carried out for it by its data processor, whereas data processors are not regulated under the law. This will change under the proposals, as some obligations of the Regulation will apply directly to data processors, in particular in relation to security.

The proposed law makes it explicit that a data processor which exceeds its data controller's instructions becomes fully liable as a data controller in its own right. More measures are prescribed for the already mandatory data processing agreements defining the relationship between a data controller and a data processor and these look set to become more important, complex documents in future.

Conclusions

The European Commission's proposals represent a comprehensive reform of the existing EU data protection regime. As well as the Regulation, the Commission is proposing a new directive on protecting personal data in the area of law enforcement and related judicial activities (see the text here).

The Commission estimates that the Regulation should save businesses €2.3 billion a year. However, such cost savings may well be cancelled out by the increased investment required to meet new internal accountability and governance requirements, underpinned by fines of up to 2% of annual worldwide turnover. Changes such as the Regulation's greater jurisdictional reach and the "right to be forgotten" are likely to cause particular concern to key players in the global digital economy, such as the internet services and social media giants.

Whether all the proposals will be reflected in the final Regulation remains to be seen. The text must first be approved by both the Council and the European Parliament and so the earliest date for the new law coming into force is likely to be late 2014.