Japanese executives play risky game of 'wait and see' on EU data compliance

Japan Map

10 September 2017. By Sachiko Sakamaki.

As Japan's data-protection agency scrambles to negotiate a deal with the European Commission on personal-data transfers, Japanese companies are watching and waiting. That may leave them vulnerable to new, stricter EU rules set to come into force next year.

Japanese and EU leaders agreed in July to seek simultaneous, mutual findings of an adequate level of privacy protection by early next year. That news, announced alongside the Japan-EU economic partnership agreement, was welcomed by the 2,500 Japanese companies operating in the EU.

But some experts question whether Japan's Personal Information Protection Commission can come up with rules strict enough to satisfy the EU, whose General Data Protection Regulation (GDPR) comes into effect on May 25, 2018.

Many companies are counting on an agreement, said an official at the powerful Japanese business lobby Keidanren. If it doesn't come through, they could be left non-compliant with the GDPR — and with too little time to get into shape.

Recent months have brought a boom in seminars on the GDPR in Japan. The events, hosted by law firms, accountancies and IT-related companies, are often fully booked and have enlightened specialists working mostly in companies' legal, compliance and IT departments.

But such awareness hasn't permeated the executive suites of Japanese corporations, data specialists say. That top-level attention is necessary to ensure the handling of personal data by sales, human resources and other departments is examined and adjusted.

Many Japanese companies operating in the EU will also need to appoint an independent data protection officer, but there is no evidence of such appointments in reports on shareholder meetings held in recent months, says Hiroshi Miyashita, associate professor of law at Chuo University.

Top corporate leaders don't seem aware of the risks associated with GDPR violations, Miyashita says.

To operate safely under the GDPR, he thinks, many Japanese companies should seek binding corporate rules, or BCRs, on data protection and transfer authorized by European data-protection authorities, because many companies transfer personal data globally.

Action and inaction

Rakuten, an e-commerce conglomerate, became Japan's first company to win BCR accreditation on data protection and transfer last December. Internet Initiative Japan, a network-solution provider, filed its BCR application to the UK Information Commissioner's Office last October and is awaiting approval. IIJ provides cloud services to some 1,600 companies, including hundreds of businesses operating in Europe.

The companies that do realize the severity of the risks surrounding the GDPR are still a minority in Japan, says Hirotaka Kamata, the deputy manager of IIJ's business risk consulting department.

Kamata says some companies haven't even started taking the first steps to examine which departments handle what kind of personal data, a process called data mapping. Companies should also look at the contracts they have with outsourcing companies that handle their personal data, he says.

Shimpei Ogawa, general manager of IIJ's business risk consulting department, says more companies will likely start taking action later this year and early next year to make themselves compliant with the GDPR.

But it may take one Japanese company getting punished with a hefty fine for GDPR violations for all Japanese companies to become fully aware of the risks.

Privacy report