An increasing number of multi-national Japanese companies are seeking to improve the way they handle data across their groups. In particular, Japanese businesses are frequently looking to extract value from data relating to employees, customers and suppliers.

By sharing such data effectively across group companies, it is possible to reduce costs and improve business efficiency and quality. However, if such data identifies living individuals it is likely to constitute "personal data", which is heavily regulated in Europe.

In this newsletter we look at the regulatory data protection requirements which Japanese companies should consider when transferring personal data to, from, or within Europe. The points discussed below are not exhaustive, but represent some of the most important issues.

What regulations govern data protection in the EU?

In Europe, an extensive data protection regime was implemented by the 1995 EU Data Protection Directive (the "EU Directive"). The EU Directive is not directly enforceable in each EU member country, but was instead implemented in each member country by way of national implementing legislation.

As a result, there are some differences between the local laws in each country, but as a general rule they impose obligations on data controllers in relation to their processing of personal data. More stringent rules apply to the processing of sensitive personal data (e.g. personal data which relates to health, crime, race, religion etc.).

Although there are a number of potential exemptions, these data protection obligations are likely to apply to any Japanese group which has subsidiaries or offices in Europe, or which uses equipment (e.g. servers) or suppliers (e.g. cloud computing providers) located in Europe to process personal data.

Although the precise requirements may vary between EU countries, we consider below the most important general requirements.

Processing must be fair and lawful

Japanese companies must ensure that any data processing project is fair and lawful. In order to ensure fairness, two key requirements must be satisfied:

  • affected individuals must be informed of the processing by a "fair processing notice"; and
  • one of a number of prescribed conditions must be satisfied (e.g. the affected individuals have consented to the processing or the processing is necessary for the company's "legitimate interests").

The nature of the fair processing notice and the precise condition(s) which may be satisfied by a Japanese company looking to process personal data in Europe will depend on the type of data and the purposes for processing.

Restrictions on data transfers outside of Europe

One of the most problematic aspects of the EU Directive is the restriction imposed on transferring personal data to recipients in certain countries outside the European Economic Area ("EEA"). The EEA currently comprises all member states of the European Union plus Iceland, Liechtenstein and Norway.

The EU Directive includes a prohibition on the transfer of personal data outside of the EEA unless one or more prescribed conditions are satisfied. The most relevant conditions for Japanese companies are likely to be:

  • the affected individuals have consented to the transfer;
  • the country to which the personal data is being transferred offers an adequate level of protection to such data; or
  • other contractual safeguards are put in place to ensure protection of personal data.

This is an area which receives considerable attention and where the level of scrutiny by data protection authorities is relatively high compared with other aspects of compliance. The most suitable method of ensuring compliance with this restriction will depend on the jurisdictions involved and the nature of the data being transferred.

Ensuring security and supplier management

The EU Directive requires data controllers to implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure or access.

Such protective measures must be "state of the art", although data controllers are allowed to take a risk-based approach and balance the effectiveness of security measures against their cost.

Japanese companies will therefore need to consider the nature of the data being protected and how much harm would be caused by a breach, together with the state of technological development and the costs of different security measures.

If Japanese companies use certain group companies or third party suppliers to process personal data on their behalf in Europe, additional contractual requirements will apply to such data processing. It is also important that data controllers are confident that any sub-processors will process personal data securely.

Rights of affected individuals

If Japanese companies process personal data in Europe, affected individuals will automatically have a number of legally enforceable rights. In certain circumstances, these include rights:

  • to access the personal data being processed;
  • to have data corrected, erased or blocked;
  • to object to processing of data; and
  • to receive compensation if damage has been suffered.

Japanese companies operating in Europe should therefore have appropriate processes in place to ensure such rights are protected and properly addressed.

Registration requirements

Data controllers are required by the EU Directive to register with the national supervisory authority in each relevant European country prior to processing any personal data.

The precise registration requirements vary from state to state, with some jurisdictions (such as the UK) simply requiring data controllers to notify the national authority, and other jurisdictions (such as France) requiring data controllers to obtain prior permission from the national authority in certain circumstances.

When things go wrong

Failure to comply with applicable European data protection laws can expose Japanese companies to a range of liabilities. These include regulatory investigation, claims for compensation from affected individuals, reputational damage and – in the most serious cases – criminal fines or imprisonment.

Conclusion

The European data protection regime is intended to ensure that individuals' personal data is processed fairly, lawfully, transparently and safely. At the same time, European authorities understand the need for international companies to share data across their group.

The EU Directive therefore provides a number of options for group companies which wish to share personal data legally. We have identified in this newsletter a number of steps which can help ensure such data processing is lawful, including:

  • ensuring individuals are fully informed of the data processing;
  • obtaining individuals' consent, if required;
  • entering into data transfer agreements;
  • establishing appropriate security safeguards; and
  • liaising with local regulators as required.

Additional data protection requirements will apply to Japanese companies looking to process data in Europe, but these will depend on the facts of each project. However, by seeking advice from Herbert Smith Freehills' experienced data protection specialists at the outset of any data project, Japanese companies should be able to structure arrangements so as to comply with European data protection laws.