An increasing number of multi-national Japanese companies are seeking to improve the way they handle data across their groups. In particular, Japanese businesses are frequently looking to extract value from data relating to employees, customers and suppliers.
By sharing such data effectively across group companies, it is possible to reduce costs and improve business efficiency and quality. However, if such data identifies living individuals, it is likely to constitute "personal data", which is heavily regulated in Europe.
In this newsletter we look at the regulatory data protection requirements which Japanese companies should consider when transferring personal data to, from, or within Europe. The points discussed below are not exhaustive, but represent some of the most important issues.
What regulations govern data protection in the EU?
In Europe, an extensive data protection regime was implemented by the 1995 EU Data Protection Directive (the "EU Directive"). The EU Directive is not directly enforceable in each EU member country, but was instead implemented in each member country by way of national implementing legislation.
As a result, there are some differences between the local laws in each country, but as a general rule they impose obligations on data controllers in relation to their processing of personal data. More stringent rules apply to the processing of sensitive personal data (e.g. personal data which relate to health, crime, race, religion etc.).
Although there are a number of potential exemptions, these data protection obligations are likely to apply to any Japanese group which has subsidiaries or offices in Europe, or which uses equipment (e.g. servers) or suppliers (e.g. cloud computing providers) located in Europe to process personal data.
Although the precise requirements may vary between EU countries, we consider below the most important general requirements.
Processing must be fair and lawful
Japanese companies must ensure that any data processing project is fair and lawful. In order to ensure fairness, two key requirements must be satisfied:
- affected individuals must be informed of the processing by a "fair processing notice"; and
- one of a number of prescribed conditions must be satisfied (e.g. the affected individuals have consented to the processing or the processing is necessary for the company's "legitimate interests").
The nature of the fair processing notice and the precise condition(s) which may be satisfied by a Japanese company looking to process personal data in Europe will depend on the type of data and the purposes for processing.
Restrictions on data transfers outside of Europe
One of the most problematic aspects of the EU Directive is the restriction imposed on transferring personal data to recipients in certain countries outside the European Economic Area ("EEA"). The EEA currently comprises all member states of the European Union plus Iceland, Liechtenstein and Norway.
The EU Directive includes a prohibition on the transfer of personal data outside of the EEA unless one or more prescribed conditions are satisfied. The most relevant conditions for Japanese companies are likely to be:
- the affected individuals have consented to the transfer;
- the country to which the personal data is being transferred offers an adequate level of protection to such data; or
- other contractual safeguards are put in place to ensure protection of personal data.
This is an area which receives considerable attention and where the level of scrutiny by data protection authorities is relatively high compared with other aspects of compliance. The most suitable method of ensuring compliance with this restriction will depend on the jurisdictions involved and the nature of the data being transferred.
Ensuring security and supplier management
The EU Directive requires data controllers to implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure or access.
Such protective measures must be "state of the art", although data controllers are allowed to take a risk-based approach and balance the effectiveness of security measures against their cost.
Japanese companies will therefore need to consider the nature of the data being protected and how much harm would be caused by a breach, together with the state of technological development and the costs of different security measures.
If Japanese companies use certain group companies or third party suppliers to process personal data on their behalf in Europe, additional contractual requirements will apply to such data processing. It is also important that data controllers are confident that any sub-processors will process personal data securely.
Rights of affected individuals
If Japanese companies process personal data in Europe, affected individuals will automatically have a number of legally enforceable rights. In certain circumstances, these include rights:
- to access the personal data being processed;
- to have data corrected, erased or blocked;
- to object to processing of data; and
- to receive compensation if damage has been suffered.
Japanese companies operating in Europe should therefore have appropriate processes in place to ensure such rights are protected and properly addressed.
Data controllers are required by the EU Directive to register with the national supervisory authority in each relevant European country prior to processing any personal data.
The precise registration requirements vary from state to state, with some jurisdictions (such as the UK) simply requiring data controllers to notify the national authority, and other jurisdictions (such as France) requiring data controllers to obtain prior permission from the national authority in certain circumstances.
When things go wrong
Failure to comply with applicable European data protection laws can expose Japanese companies to a range of liabilities. These include regulatory investigation, claims for compensation from affected individuals, reputational damage and – in the most serious cases – criminal fines or imprisonment.
The European data protection regime is intended to ensure that individuals' personal data is processed fairly, lawfully, transparently and safely. At the same time, European authorities understand the need for international companies to share data across their group.
The EU Directive therefore provides a number of options for group companies which wish to share personal data legally. We have identified in this newsletter a number of steps which can help ensure such data processing is lawful, including:
- ensuring individuals are fully informed of the data processing;
- obtaining individuals' consent, if required;
- entering into data transfer agreements;
- establishing appropriate security safeguards; and
- liaising with local regulators as required.
Additional data protection requirements will apply to Japanese companies looking to process data in Europe, but these will depend on the facts of each project. However, by seeking advice from Herbert Smith Freehills' experienced data protection specialists at the outset of any data project, Japanese companies should be able to structure arrangements so as to comply with European data protection laws.