Major regulatory changes in data governance recently went into effect in Japan and China that are likely to impact organizations doing business in these Asian markets. While the regulations are long-awaited, their implementation follows on the heels of the global WannaCry ransomware scare and coincides with companies’ preparations for the European General Data Protection Regulation (GDPR). Both countries’ changes warrant reviews of company policies and procedures, but they are also quite different: Japan’s straightforward amendments focus on consumer information and data protection, while China turned a controversial focus to network operators managing data.
Japan’s Amended Act
In Japan, the Act on the Protection of Personal Information (APPI) provides the primary governance on data privacy. While the APPI dates back to 2003, the recent amendments passed in 2015 and went into effect on May 30, 2017.
Under the amendments, data is now broken down into sensitive information and anonymously processed information when determining the consent required for transfer. Sensitive information, which includes personal identifiers such as demographic or medical information, is subject to additional protections and release requirements. Anonymized information may be transferred according to regulatory restrictions without special consent. Other key changes include greater responsibilities for smaller data enterprises, opt-out consents, and record-keeping requirements.
To process international data transfers, businesses will need to obtain consent unless the foreign jurisdiction has similar privacy protections. Businesses already operating in Japan and transferring data across borders with existing reasonable measures to support cross-border data transfers are a step ahead in achieving compliance with the Act. For example, compliance with the APEC Cross Border Privacy Rules system is a good way to establish compliance with the Act’s data transfer requirements.
The amendments also established a Personal Information Protection Commission, which came into being on January 1, 2016 and consolidated data oversight. The Commission serves as the country’s data protection authority with newly minted enforcement powers. Previous oversight was spread across several different agencies, including national ministries regulating different business sectors and a limited-purpose commission. Notably, the Commission is authorized to enforce criminal penalties of fines or imprisonment even for negligent violations of the Act.
These new rules add definitions, outline government involvement, and strengthen enforcement mechanisms in a similar vein as we’ve seen in Europe through the GDPR.
China’s Cybersecurity Law
On June 1, 2017, China’s Cybersecurity Law took effect, pushing forward in the face of widespread calls for delays and changes from interest groups worldwide. At a glance, the law addresses policy reform in cybersecurity as well as data privacy governance, a welcome action given the country’s vulnerabilities, particularly in intellectual property and software piracy. Still, the breadth of the law and the lack of certain details are at the forefront of global data discussions. The law has been characterized as intrusive and vague, and foreign companies operating in China have received little guidance on fulfilling its criteria.
The law applies to network operators, critical information infrastructure operators, electronic information distribution service providers, and software download service providers. Most Chinese businesses using computer infrastructure, as well as multinational businesses with operations and data in China, fall within the scope of the law. Essentially, the law gives the Chinese government direct control over Internet-centered companies operating within its borders. Some of the provisions include:
- Requirements that companies store personal data of Chinese citizens and ‘important’ business data in data centers located in China
- Businesses that handle network access and domain registration services for users, handle fixed-line or mobile phone network access, or provide users with information publication or instant messaging services must require users to provide real identity information when signing agreements with users or confirming provision of services
- If companies violate the Law’s provisions, individuals have the right to request deletion of their personal information
- Unlike other data protection laws, China’s Cybersecurity Law specifies security controls and activities that different covered organizations must put in place. These include having a security program, intrusion detection and prevention systems, backup and recovery, network log monitoring, encryption, and similar measures.
Of note, the Cyberspace Administration of China, the Chinese internet regulator, did delay laws relating to cross-border data transfer, now expected in 2018.
The law may present a competitive edge to Chinese companies, while foreign companies face unfavorable choices such as opening the security of their businesses or products to Chinese inspection, separating their local Chinese systems from their global IT portfolio, spending more to make these types of changes, or pulling out of the market entirely. The law’s ambiguity also raises concerns that foreign competitors to Chinese companies may be targeted or blocked and their intellectual property put at risk, making them reluctant to bring innovation into the market.
The recent data headlines from Asia tell a tale of two countries. While the new rules, their implementation, and the enforcement mechanisms in Japan were clearly outlined and calmly received, the global Internet-based technology market is scrambling to decipher the implications for its business, today and in the future, of the desirable but problematic Chinese market. Businesses operating in one or both of these markets should conduct a thorough evaluation of their privacy, security, and data management practices while also incorporating these data demands into their business outlook and strategic planning. We will continue to monitor regulatory updates in both countries.