While countries around the world are enacting data barriers, the Japanese government has kept their data borders relatively free from constraints. Other countries create data barriers based on the rationale that it will mitigate privacy and cybersecurity concerns.[1] Governments such as Russia and China restrict where data can be stored or processed, a concept known as “data localization.”[2]
In contrast, Japan has made an effort to secure the free flow of data across borders.[3] With recent amendments to Japan’s Act on the Protection of Personal Information taking full effect on May 2017, the Japanese government has looked to provide stronger regulations for data protection domestically and has pushed to centralize rules on cross border data transfers internationally.[4]
Japan believes that by being committed to international procedures, such those set out by the Asia-Pacific Economic Cooperation (APEC), it can promote an open and secure information and communication technology (ICT) market that will benefit all countries.[5] Moreover, there is also less incentive for Japan to enact data localization laws due to Japanese consumer habits, the conservative environment, and the open opposition against forced localization measures from Japan’s technology industry. In essence, Japan creates great openness and pushes for data movement across borders – but also creates great barriers in other ways.
Potential Barriers: The Act on the Protection of Personal Information
In effort to promote an international standard of data transfer, Japan has made recent amendments to its data protection policies through additional procedures and restrictions. Extensive reforms were made to Japan’s Act on the Protection of Personal Information (APPI) by the National Diet in 2015. First, the amended APPI took partial effect on January 2016, establishing a new Personal Information Protection Commission (PPC) – a centralized data protection authority with enforcement powers backed by penal sanctions.[6]
In addition to new regulatory guidelines issued by the PPC, the amendments added and defined two new concepts known as “sensitive personal information” and “anonymized information.” While obtaining sensitive information (e.g., race, social status, medical history) requires consent from the data subjects, anonymized information can be disclosed to a third party without consent.[7] “Anonymized information” refers to any information about individuals from which all personal information – including any sensitive information – has been removed permanently. As the Commission published rules for disclosure, including the standards of anonymization, these rules can be considered Japan’s approach to data processes and cross-border data transfers.
However, one of the most significant amendments to APPI is the addition of cross-border transfer restrictions. On top of the general requirements for disclosure or joint use of data, the amended APPI prescribes three types of legitimate transfers of personal information to a third party in a foreign country: (1) transfers with prior consent from individuals, (2) transfers to a third party in a foreign country having a data protection system which is equivalent to the system required under the APPI, (3) transfers to a country that is designated by the Committee as providing an adequate level of protection.[8] The Committee has yet to designate any countries as providing an acceptable level of data protection. These new restrictions seem comparable to data localization laws such as EU’s General Data Protection Regulation (GDPR), which generally bans the transfer of personal data outside of its member states apart from a few trusted nations that are deemed to have adequate levels of data protection.[9]
Arguably, Japan passed these restrictions to encourage other countries to enter international cybersecurity related commitments and efforts that could work towards a unification of data protection rules and standards across nations. Director Yoshikazu Okamoto of the PPC Secretariat reiterated Japan’s commitment to the Asia-Pacific Economic Cooperation’s Cross Border Privacy Rules (CBPR) system, and noted that certification of compliance to the CBPR system is a good way for companies to establish the requisite systemic protections to transfer personal information internationally.[10]
Further, Japan’s Ministry of Economy, Trade and Industry (METI) is committed to popularizing the Cross Border Privacy Rules system, which aims to appropriately protect personal information in cross-border transfers.[11] Under this system, independent accountability agents are recognized to examine and certify the rules and frameworks of companies and other entities that concern personal information protection in cross-border transfers.[12] Currently, only Japan, Canada, Mexico, and the United States participate.
Although there is relatively little name recognition for the program, a report from the Information Integrity Solutions has shown that the CBPR process helped considerably in a company’s application for binding corporate rules in the EU.[13] Additionally, with recent changes to Japan’s APPI, companies are reported to consider that those with CBPRs will be qualified under the PPC for providing acceptable levels of data protection.[14] These growing sentiments are positively supporting Japan’s goal to secure the freedom of cross-border data transfers and to unify the regulations of data protection policies across countries.[15]
Potential Barriers: Culture and Customs
Some countries erect barriers to cross-border data flow that are the equivalent of “data protectionism” meant to keep foreign competitors out of domestic markets. However, in the Japanese market, protectionist policies already exist in various forms, which creates a challenging environment for foreign competitors. For instance, Japan has maintained the most protected auto market in the industrialized world. Japanese automakers control 96% of the domestic automotive component market.[16]
In part this is because Japan is a very bureaucratic country, with a dense network of regulations and procedures, with many of these restrictions designed to be entry barriers against newcomers.[17] In addition, traditional financial conglomerates – known as Keiretsu – still dominate Japanese industries. Although the old structure is gradually breaking down, it is still difficult to do any commerce across the boundaries of these Keiretsu.[18] As an example, Japan’s taxi association does not want Uber to come to Japan and have been blocking expansion.[19] Further, Japanese consumer habits generally favor the purchase of locally made products over imported brands.[20] Hence, taking all these existing barriers into account, the Japanese government has low incentives to expressly enact data localization laws for protectionist reasons.
Conclusion
In order to maintain national security and protect domestic markets, most countries see these data localization policies as a simple solution to the challenges of the modern global economy. While some countries enact blanket bans on data transfers or sector specific rules, Japan aims to develop effective procedures for international data transfers. Through the recent amended APPI, the centralized Commission and guidelines continues to fortify Japan’s cybersecurity capabilities. Japan also implemented new restrictions on data transfer policies for the sake of pushing their international goal of unifying data protection rules across countries.
However, since protectionism already runs very deep in its economic and political systems, the Tokyo government has less incentive to enact data localization laws as “data protectionism” compared to other countries. These complications against data localization policies will continue to play a huge force in the future discourse of Japanese governmental policies on cybersecurity and data privacy.
Endnotes
[1] Nigel Cory, “Cross-Border Data Flows: Where Are the Barriers, and What Do They Cost?,” Information Technology & Innovation Foundation, May 1, 2017.
[2] “Security for the 21st Century Economy: Borders Hold Less Meaning – and That’s a Good Thing – Information Technology Industry Council,” accessed July 31, 2017
[3] “Japan’s First Certification of a Business under the APEC CBPR System(METI),” accessed July 31, 2017.
[4] Hogan Lovells-Harriet Pearson et al., “Changes in Japan Privacy Law to Take Effect in Mid-2017; Key Regulator Provides Compliance Insights | Lexology,” accessed July 31, 2017.
[5] “Japan’s First Certification of a Business under the APEC CBPR System(METI).”
[6] Pearson et al., “Changes in Japan Privacy Law to Take Effect in Mid-2017; Key Regulator Provides Compliance Insights | Lexology.”
[7] “Definitions in Japan – DLA Piper Global Data Protection Laws of the World,” accessed July 31, 2017.
[8] “Transfer in Japan – DLA Piper Global Data Protection Laws of the World,” accessed August 1, 2017.
[9] “Commission Decisions on the Adequacy of the Protection of Personal Data in Third Countries – European Commission,” accessed August 1, 2017.
[10] Pearson et al., “Changes in Japan Privacy Law to Take Effect in Mid-2017; Key Regulator Provides Compliance Insights | Lexology.”
[11] “Japan’s First Certification of a Business under the APEC CBPR System(METI).”
[12] “Cross Border Privacy Rules System,” accessed August 1, 2017.
[13] “Report Explores CBPR Benefits,” accessed August 1, 2017.
[14] “APEC Examines CBPR Program, Japan Now Fully on Board,” accessed August 1, 2017.
[15] “Japan, EU Launching High-Level Talks on Safe Data Transfers,” Nikkei Asian Review, accessed July 31, 2017.
[16] “Japan Automotive Smart Keys Market 2015-2020 – Projected to Reach $1.3 Billion by the End of 2020 – Research and Markets,” March 15, 2016.
[17] “Japan Market Entry: Why Is It Difficult? How to Succeed,” JapanStrategy, accessed August 1, 2017.
[18] Ibid.
[19] “What Companies Get Wrong When Entering the Japan Market,” accessed August 1, 2017.
[20] “Bikkuri! Surprising Facts about Japanese Consumers,” AP GLOBAL TALENT, May 3, 2016.