Japan and China: New Data Protection and Transfer Laws Imminent in Asia Pacific

Kate Chan, KrolLDiscovery, Legaltech News

Editor’s note: this article originally appeared in Legaltech News.

The global ediscovery community is abuzz about data protection. 2018 will usher in new data protection and transfer laws in the European Union (EU), but many ediscovery professionals are less informed about similar changes in Asia that have recently taken effect.

Japan: Land of the Rising Sun

Japan’s Act on the Protection of Personal Information (APPI) stands as one of Asia’s oldest data protection laws and has remained unchanged since it went into effect in the early 2000s. The decision to enact Japanese amendments to the APPI was most likely influenced by three factors: a significant increase in the volume of data being created, a rise in data breaches and illegal sale of private information and a pressure to update policies in light of the EU’s work on the General Data Protection Regulation (GDPR).

A word of warning: The APPI amendments went into full effect on May 30, 2017 and Japanese authorities expect companies to make immediate changes. Below are some key provisions of the APPI amendments in Japan.

1. Creation of the Personal Information Protection Commission: The amended APPI went into partial effect in 2016, creating the Personal Information Protection Commission (PPC) as a central, independent regulatory authority with enforcement powers.

2. Two new classifications: Two information classifications will determine whether data can be transferred and if the owner of that information can give consent to its transfer: sensitive information and anonymized information. Sensitive information (information about a person’s race, creed, social status, medical records, criminal history, etc.) receives enhanced regulatory protection, with the person’s consent required before such data can be transmitted. Anonymized information (personal information where there is no possibility of identifying the person) can be transmitted with restrictions but without the express consent of the individual.

3. “Opt-in” is now “opt-out”: The current rules require the user’s permission before personal data can be transferred. Under the amendments, companies can share data without permission if they disclose certain information to the user beforehand, such as the nature and purpose of the personal data being provided, and the way the data is being provided. The company transferring the information must also give the user the option to opt out of the transfer before it occurs. Businesses must disclose to the PPC if they will continue to default to an “opt-out” policy, or change the process transferring information to a third party. The PPC will make these changes known to the public.

4. International data transfer policy: For the first time, the APPI will address international information sharing. Any company transferring personal records outside Japan’s borders will need the user’s permission and opting out will not be an option unless the foreign jurisdiction has similar privacy standards.

5. Sanctions for noncompliance: The PPC is enacting a two-tiered criminal penalty measure into the APPI and its guidelines. A negligent violation will bring about an enforcement notice ordering the company to either correct the issue or halt data transfer operations. Failure to comply may result in imprisonment up to six months or a fine up to JPY 300,000. Intentionally stealing or providing personal information for a dishonest purpose may result in a direct penalty of up to one year in prison or a fine up to JPY 500,000.

China: The Red Dragon

In early June 2017, the People’s Republic of China implemented its controversial Cybersecurity Law. The government is becoming more involved with data protection and strengthening enforcement. Up until now, its current rules have not been clearly defined or regularly enforced, so it is important to keep up with developments or risk getting caught off guard.

Unlike Japan’s focus on protecting data, China turns its attention to the network operators managing data. Below are some key facets to its new policy.

1. Data stored in mainland China: The new law insists that Chinese citizens’ “personal information” and “important data” be stored on servers within its borders. Any companies claiming an exception that is “truly necessary” must undergo a security assessment before information can be released. This will affect the majority of foreign companies that operate in China; in particular, those that use their global infrastructure and IT resources to operate their business in China, as the original data collected, including business data and customer data, within China will typically be stored directly in the data centers or servers physically located overseas. For example, many global companies are still using email servers located outside China for their China operations.

2. Law applies to network product and service providers: The majority of the new law’s provisions apply to “Critical Information Infrastructure Operators” (CIIO) possessing data critical to China’s security. Industries predominantly targeted in this new definition include financial, transportation, health care, utilities and telecommunications.

3. Stronger data protection provisions: Supplementing existing data privacy guidelines in China, network operators must first obtain their clients’ consent before collecting and disclosing personal information, including the reason for the disclosure, and take measures to ensure the security of personal information. Companies need to ensure that an appropriate framework is established for collecting and using data, demonstrating that any data collected has a proper purpose and that its use can be explained in detail. Companies should also ensure appropriate security and protection measures are in place to safeguard the data as well as incident response procedures for responding and reporting any breach.

4. Security examinations: All network providers must pass a “network security examination.” This includes specific requirements that network operators must follow when purchasing new network systems.

5. Severe consequences for noncompliance: While specific penalties are unknown at this time, cancellation of a business license is part of the current regulations. Additionally, the new regulations require CIIO’s to establish violation reporting mechanisms, suggesting that China is taking the new law very seriously.

In instances where there are concerns with removing data from China, or the company premises themselves, a mobile solution may be the answer. Over the past couple of years, mobile technology has become incredibly powerful, facilitating processing, filtering and analysis onsite. Onsite mobile solutions can also be used in tandem with traditional processing by acting as a cost-effective method of segregating and filtering out personal information, sensitive company data or privileged documents early on and prevent unwanted disclosure. When conducting ediscovery or internal investigations in China, companies must review and clear any state secrecy or data privacy concerns, and redact sensitive information prior to sharing it out of the country. This, in turn, reduces the risks and costs associated with over-collection by culling irrelevant data and focusing on what is relevant or responsive.

As legal and technology professionals in law firms and corporations prepare for the data protection implications of the EU GDPR, do not disregard important changes afoot in Asia. Most importantly, seek guidance from local, in-country experts, prepared to help you collect, host and transport data in investigations, litigation or regulatory matters around the world.