What is GDPR? Explaining the differences from the Privacy Act and the measures companies should take.

Published August 25, 2023

GDPR is the EU's law on the protection of personal information, and even companies outside the EU may be subject to it when doing business with EU companies, with possible sanctions for non-compliance. The following is a brief overview of the GDPR.


What is GDPR?

The General Data Protection Regulation (GDPR) is a law enacted in April 2016 to regulate the protection of personal data within the European Union (EU). The GDPR is not limited to names and addresses: it also covers privacy-related data such as cookie information and IP addresses collected through website browsing, and its regulations are stricter than Japan's Personal Information Protection Law, with a wider scope of application.

Japanese companies may be subject to the GDPR when doing business with EU companies, so legal and compliance staff in particular need to understand the details of the GDPR and how it differs from Japan's Personal Information Protection Law so that they can play a central role in ensuring compliance with the GDPR.

Scope of Personal Information under GDPR

The GDPR defines "personal data" as information that may be used to identify an individual, and provides specific examples of personal information that is subject to protection.

Examples include an individual's name, address, telephone number, identification number (passport, driver's license, etc.), e-mail address, credit card information, GPS data, IP address, etc. It can be said that anything you can imagine when you hear the term "personal information" is broadly covered, including digital data.

Scope of companies covered by GDPR

Next, we will explain the scope of companies to which the GDPR applies.

Companies with subsidiaries or branches in the EU

The GDPR always applies to companies with subsidiaries or branches in the EU that handle personal data, even if their headquarters are in Japan. Regardless of whether the processing takes place in the EU or not, it is subject to the GDPR.

Companies that provide goods or services within the EU

The GDPR applies to companies that provide goods or services to users in the EU, even if they do not have subsidiaries, branches, or other locations in the EU. This applies, for example, when a European user registers his/her ID and e-mail address through the company's e-commerce site and purchases a product.

Companies that are entrusted by EU companies to process personal data

GDPR applies to companies and organizations that handle personal data on behalf of companies that have subsidiaries or branches in the EU.

When understanding and analyzing user behavior within the EU

Even companies that do not have subsidiaries or branches in the EU and do not provide goods or services to users in the EU are subject to the GDPR regulations if they understand and analyze user behavior in the EU. Be careful if your company's website is heavily accessed from the EU and obtains personal data such as names and cookie information. This includes targeted advertising and recommendations.

Differences between GDPR and Japan's Personal Information Protection Law

The law regarding the protection of personal information in Japan is the Personal Information Protection Law. This section provides an overview of the Act in terms of the definition of personal information, scope of protection, and penalties, comparing the differences with the GDPR.

What is the Personal Information Protection Law in Japan?

Japan's Personal Information Protection Law, enacted in 2003 and fully enforced in 2005, is a law that applies to Japanese companies, sole proprietors, and other businesses that handle personal information. The law has been revised every few years, and recently the regulations regarding cookie information have been tightened.

The law is intended to protect the rights and interests of individuals while taking into account the usefulness of personal information in improving services and operational efficiency in fields such as government and business. It applies to all businesses and organizations that handle personal information, as well as to national administrative agencies, independent administrative corporations, and local public entities.

What is the difference between GDPR and Japan's Personal Information Protection Law?

  • Definition of personal information (scope of protection)
    • GDPR
      Any information that can be used to identify an individual, such as name and address (including IP addresses, cookies, etc.)
    • Personal Data Protection Law
      Information that can identify a specific individual by name, date of birth, address, photograph, etc.
  • Scope of application
    • GDPR
      All organizations that handle personal data within the EU
    • Personal Data Protection Law
      Businesses that handle personal data in Japan
  • Penalties
    • GDPR
      Up to 10 million euros or up to 2% of the annual global turnover of the previous fiscal year, whichever is higher
      Up to 20 million euros or up to 4% of the annual global turnover of the previous fiscal year, whichever is higher
    • Personal Information Protection Law
      In the case of a corporation: A fine of up to 100 million yen
      In the case of an individual: imprisonment for not more than one year or a fine of not more than 1,000,000 yen

Both the definition of personal information and the scope of application under the GDPR are broader. The penalties in particular show the difference: while the maximum fine under Japan's Personal Information Protection Law is 100 million yen, GDPR fines can reach billions of yen.

Responsibilities of Companies under the GDPR

The GDPR details the responsibilities of companies acting as controllers of personal data, clarifying both how personal data must be protected and the obligations placed on businesses. The responsibilities of companies with respect to personal data include the following:

Responsibility to put in place systems and personnel systems for handling personal data in line with the GDPR

The GDPR stipulates that the controller, i.e. the company, must take and improve appropriate measures, both technically and organizationally.

In the handling of personal data, responsibilities include pseudonymizing and encrypting data, establishing highly confidential systems, and appointing a person within the organization responsible for monitoring compliance with the GDPR.

Responsibility for keeping records of personal data handling

Covered companies are required to keep records of their personal data handling activities on a case-by-case basis. These records should include the name and contact information of the controller, the purpose of the personal data handling, the type of personal data, and the information of the acquirer to whom the data was disclosed.

Responsibility for responding in the event of a personal data breach or information leak

In the event of a personal data breach or information leakage at a covered company, the company is required to respond promptly by notifying the prescribed authorities within 72 hours; if notification is delayed, the reason for the delay must also be given. The individuals whose personal data has been breached must also be notified if there is a potential risk to them.

Companies doing business in the EU should be aware of and take measures to comply with the GDPR!

In many cases, Japanese companies have personal data handling manuals that are compliant with domestic personal data protection laws, but are not compliant with GDPR.

Companies that are already doing business in the EU, or plan to do so in the future, must be aware of the possibility that the GDPR applies to them. The risk is that they may suddenly find themselves subject to penalties and large fines, or be asked to cease doing business with EU companies. To avoid these risks, companies need to take immediate steps to address the GDPR.

If you do business with EU companies, or if your company's website is frequently accessed from within the EU, you are likely to already be subject to the GDPR.

A lawyer explains GDPR

The FRONTEO Legal Link Portal (FLLP), a media site operated by FRONTEO, features up-and-coming lawyers from Japan and abroad explaining legal topics that are useful in business settings, and new videos are being added all the time. If you are interested in learning more about GDPR or are concerned about how to handle personal information, please check out FLLP's videos.

More than 600 instructional videos on legal IP supervised by top lawyers and experts are available free of charge!

Register as a member of "FLLP" (free of charge) https://lp.fronteo.com/FLLP_LP
