Collecting and processing personal data relating to customers and employees is central to the global business operations of multinational Japanese companies. The European Union's ("EU") data protection regime, which has been in place for over 15 years, still represents the international benchmark for data protection standards and, increasingly, is being vigorously enforced by the data protection authorities of EU Member States ("DPAs").
In this newsletter we look at:
- the EU data protection regime;
- key obligations and rights;
- restrictions on transferring data outside the European Economic Area ("EEA");
- sanctions for non-compliance;
- proposed regulatory reforms; and
- recommendations for Japanese companies.
Overview of the EU data protection regime
The EU Data Protection Directive (Directive 95/46/EC; the "Directive") introduced in 1995 an extensive data protection regime for the EU. This imposed broad obligations on those who collect and control the use of personal data ("Data Controllers") and conferred broad rights on individuals about whom data is collected ("Data Subjects").
The Directive applies to Data Controllers established in EU Member States and also to those established outside the EU if they use equipment located in a Member State for the purposes of processing personal data. Depending on the circumstances, the EU subsidiaries of a multinational Japanese company and/or the Japan-based parent company may therefore be potentially subject to the Directive.
The Directive aims to protect the rights and freedoms of Data Subjects by laying down guidelines determining when processing of their personal data is lawful. The regime focuses mainly on processing by automated means (e.g. a computer database) but it can also extend to processing by non-automated means (e.g. information held in a traditional paper filing system).
Key obligations and rights
Under the Directive, Data Controllers must ensure that personal data are:
- processed fairly and lawfully;
- collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
- adequate, relevant and not excessive in relation to the purposes for which the data were collected and/or further processed;
- accurate and, where necessary, kept up to date; and
- kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.
Additional obligations apply when 'sensitive' personal data are being processed, such as data relating to race, political opinions, physical or mental health or condition, sexual life, religious beliefs, and criminal records.
Data Controllers are generally required to register with the relevant DPAs (e.g. the Information Commissioner in the UK) prior to processing any personal data, and must implement certain technical and organisational security measures in relation to the processing of such personal data.
The Directive confers certain rights on Data Subjects in relation to their personal data, the most important of which are rights of access to their data and rights of rectification, blocking, erasure and destruction of their data.
Restrictions on transferring data outside the EEA
Principle 8 of the Directive provides that personal data may not be transferred to a country outside the EEA (i.e. the EU plus Iceland, Liechtenstein and Norway) unless that country ensures an 'adequate level of protection' for the rights and freedoms of Data Subjects regarding the processing of their personal data.
Currently, the only circumstances in which Principle 8 will be automatically satisfied are where data are transferred to:
- European Commission 'White List' countries: currently comprising Switzerland, Argentina, Canada, the Isle of Man, Guernsey, Jersey, Andorra, the Faeroe Islands and Israel; and
- US Safe Harbor companies: companies in the US which have formally signed up to the "safe harbor principles" agreed between the European Commission and the US Government (excluding US companies in the financial services sector).
Any Japanese company subject to the Directive that wishes to transfer personal data from the EEA to Japan or another non-EEA/non-White List country (or non-Safe Harbor US company) must therefore ensure it satisfies Principle 8, typically by:
- Consent: obtaining valid consent to the transfer from the Data Subject;
- Standard terms: arranging for the relevant entities in the Japanese company group to enter into contracts with each other containing standard data transfer contractual terms approved by the European Commission; or
- Binding Corporate Rules ("BCRs"): implementing legally enforceable, internal corporate rules on data transfers and data processing standards approved by each of the relevant DPAs. BCRs are generally more attractive for larger multinational Japanese groups with complex data interchanges.
Transferring data outside the EEA may also require the transferring entity to amend any notifications it has made to the relevant DPAs.
Sanctions for non-compliance
Any company which fails to comply with its legal obligations under the Directive will be exposed to potential sanctions including fines, information notices (requiring information disclosure), enforcement notices (requiring remedial measures) and other sanctions provided for by national law, including administrative or criminal penalties. Data transfers which breach the Directive may be blocked or suspended.
In addition, any Data Subject who has suffered damage as a result of non-compliance may seek compensation from the company for that damage.
Japanese companies should note that DPAs are taking an increasingly tough stance against breaches and the majority are empowered to impose fines for serious contraventions.
Proposed regulatory reforms
Recognising that the Directive is showing its age in an era of social networking, behavioural advertising and Cloud Computing, in November 2010 the European Commission published its strategy for modernising the EU data privacy regime. The Commission acknowledged that rapid technological developments and globalisation have profoundly changed the world and brought new challenges to the protection of personal data and identified several key objectives for reform, including:
- strengthening individuals' rights in light of the impact of new technologies;
- improving harmonisation of protection within the EU;
- revising data protection rules in the area of police and judicial cooperation in criminal matters;
- promoting high standards of data protection worldwide; and
- strengthening and clarifying the roles of the national DPAs.
If adopted, some of the recommendations are likely to make data privacy compliance more onerous for businesses. On a more positive note, the Commission also recommended improving and streamlining the current procedures and rules for international data transfers, including clarifying and harmonising the requirements for valid consent and providing more visibility and clarity for finding that non-EEA countries meet the 'White List' adequacy requirements.
Whilst not all of these reforms may be incorporated into the final legislation, the key point for Japanese companies is that European data privacy will become a more complex and onerous area of compliance in future. Specific proposals for amending the Directive are expected in the second half of 2011.
Recommendations for Japanese companies
Ensuring compliance with the EU data protection regime is a complex and potentially daunting task.
It is therefore crucial for Japanese companies and their EU subsidiaries that collect, process and/or transfer personal data relating to EU customers and employees to ensure that they fully understand (seeking legal advice as necessary): (i) how the Directive applies to their business; and (ii) what specific legal obligations they must satisfy.
Specific measures which Japanese companies subject to the Directive may need to implement include:
- putting in place appropriate customer terms and conditions, data protection policies and staff training programmes to satisfy applicable legal obligations and allow the lawful transfer of personal data outside of the EEA; and
- registering EU subsidiaries as Data Controllers with the relevant DPA in each applicable Member State.