On 25 May 2018, the EU's General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) will take effect.
For many website owners in Japan, this post might be the first occasion to hear about the new European regulation.
a) What’s it all about?
The European Union has been moving for some years toward strengthening the digital data protection rights of its citizens and residents. Recent high-profile cases of private data mishandling have no doubt increased the resolve of regulators in this area.
The GDPR boils down to seven key principles.
Lawful, fair and transparent processing
When personal data is collected, it must be clear as to why that data is being collected and how the data will be used.
Purpose limitation
Organizations should be clear about the specific purpose for which they are acquiring personal data.
Data minimization
Organizations must be sure that they are only storing the minimum amount of data required for each purpose.
Data accuracy
Personally identifiable information must remain accurate, valid and fit for purpose.
Data storage limitations
Personal data must not be kept in a form that identifies individuals for longer than is necessary for the purpose it was collected for. In practice this means defined retention periods, and controls over where the collected data is stored and moved to while it is held.
Data security
Organizations should evaluate how well they are enforcing security policies, utilizing access controls, verifying the identity of those accessing the data and protecting against malicious data access.
Data processing accountability
Organizations should be able to demonstrate compliance through an audit trail and an identifiable process for responding to requests from users to access, edit or delete their personal data.
b) What kinds of data are impacted?
The GDPR broadly defines personal data, as “Any information relating to a living, identified or identifiable natural person.”
This specifically includes:
– Names
– Addresses
– Telephone numbers
– Email addresses
– Location data
– Online identifiers
Location data is any information that has any kind of geographic position attached to it. This is classed as personal because it could be used to identify where an individual lives, works, and sleeps, or to find out social, religious or cultural identities.
Online identifiers refer to digital information such as IP addresses, cookie strings or mobile device IDs. An IP address, even a dynamic one, counts as personal data whenever it can reasonably be linked back to an individual, for example by combining it with an ISP's connection records, so web server access logs are already within scope.
c) Do I REALLY need to worry about this?
Depending on your circumstances, as a website owner, the answer could be:
a) “YES”,
b) “PROBABLY NO”
c) “PROBABLY NO – BUT MAYBE YOU SHOULD ANYWAY”
The first point to make clear is that the GDPR is intended to apply to any organization which collects, processes or stores personal data of people in the EU, regardless of where the organization handling the data is located. So any organization based in Japan whose activities relate to the “offering of goods and services to data subjects in the EU” needs to assess its liability and compliance strategy.
“What does ‘offering of goods and services to data subjects in the EU’ actually mean?”
Article 3 of the GDPR governs its territorial scope, and Recital 23 explains how “offering goods or services” to people in the EU is to be read.
The following seem to be clear cases where GDPR compliance liability would apply.
You have a website which:
– Is in a European language
– Offers European currency options
– Has a European TLD (mywebsite.eu, mywebsite.fr, mywebsite.nl etc)
– Has AdWords campaigns geographically targeted at European countries
– Mentions European customers, European delivery or European services
Simply having a website on the global internet that visitors from Europe randomly access would seem to NOT fall within the scope of GDPR compliance.
The Court of Justice of the European Union (CJEU) has considered when an activity is “directed at” EU Member States in other contexts. A similar requirement can be found in Article 15 of Regulation 44/2001, known as the Brussels Regulation, which deals with contract disputes involving more than one country. In that context, a joint declaration by the EU Council and the Commission states that “the mere fact that an Internet site is accessible is not sufficient for Article 15 to be applicable, although a factor will be that this Internet site solicits the conclusion of distance contracts and that a contract has actually been concluded at a distance.”
The next obvious question is:
“OK. But how likely is it that EU authorities will enforce EU regulations beyond their borders?”
This is where it gets a bit murky, since we don’t have a lot of precedent yet about how the rules will be enforced. However, Article 50 (International cooperation for the protection of personal data) states:
“In relation to third countries and international organisations, the [European] Commission and supervisory authorities shall take appropriate steps to: (a) develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;”
So, while international enforcement mechanisms at the moment might be still evolving, it is clearly an area of enforcement litigation that could develop over time. There is a non-trivial risk of litigation against non-EU organizations both now and in the future.
The final point worth noting is that the Japanese government has itself also been moving in the direction of stricter regulation and enforcement of personal data protection. The amended Act on the Protection of Personal Information (APPI), in force since May 2017, creates a privacy protection framework similar in outline to the EU's. So there is already a legislative necessity for organizations based in Japan to meet certain privacy protection standards. Reviewing GDPR compliance might therefore be a good opportunity to assess how fully Japanese organizations are meeting the existing local regulatory requirements.
d) What (if anything) do I need to do about this?
The potential costs of not doing anything are worth noting.
Under the GDPR (Article 83), national supervisory authorities may impose administrative fines of up to €20 million or 4% of worldwide annual turnover for the prior financial year, whichever is greater.
Organizations that want to meet their GDPR obligations need to consider the following:
1. Create and make publicly available a GDPR compliance policy. Many organizations will already have a Privacy Policy web page. GDPR compliance could be an additional section to it, a separate page or a downloadable document link. The GDPR section needs to deal with each of the seven principles mentioned above.
A typical GDPR Compliance Table of Contents might include:
Who we are
What personal data we collect and why we collect it
– Blog comments
– Digital media uploads
– Contact form information
– Cookies
– Embedded content from other websites
– Analytics
– User account data you provide
Who we share your data with
Who can see my personal information
How long we retain your data
How we protect your data and what data breach procedures we have in place
What rights you have over your data
* Note to current clients: If you’d like help developing your GDPR compliance statement, feel free to contact us.
2. Get an explicit “opt-in” from users who submit personal data. This could be as simple as a check-box on a contact form acknowledging “I have read and agree to the GDPR compliance and privacy policy”. The box must be unticked by default (Recital 32 rules out pre-ticked boxes and silence as consent), the form should be rejected server-side if it is not ticked, and you should record when consent was given and which version of the policy it referred to, so that you can demonstrate it later.
3. Have processes in place which give users the opportunity to:
i) request a digital copy of any personal data being held about them
ii) edit the data if it is invalid
iii) request deletion of all personal data.
The latest version of WordPress (4.9.6 at the time of this post) has some inbuilt tools for dealing with requests for user data and data deletion.
e) Are there any exceptions to the GDPR rules?
Generally speaking, the EU regulation supports the rights of the data subject (the user). However, “legitimate interests” is one of the lawful bases for processing under Article 6(1)(f), and in some circumstances an organization can rely on it to process, or to go on holding, data that the user has not consented to or has asked to be erased. It is not a way out of the principles above: processing on this basis still has to be fair, minimal, secure and accounted for.
It is a three part test. You will need to:
– identify a legitimate interest;
– show that the processing is necessary to achieve it; and
– balance it against the individual’s interests, rights and freedoms.
A practical example of the “legitimate interest” test would be the issue of website backups. There is a compelling argument that website owners need to retain complete database records for a period of weeks or even months in order to maintain effective security and stability of their systems. In most cases, such backups are digitally compressed, encrypted and access to them is strictly locked down. This could be relied upon to hold data in backups for a limited time after a data subject's “right of erasure” request has been honoured in the live system.
– The website owner has a legitimate interest in keeping the data (for system backup purposes only)
– There are no practical alternatives to keeping the data (i.e. it is necessary)
– On balance, these interests weigh greater than the individual's right to “be forgotten” from data backups.
Two caveats: the record must still be deleted from the live database, and if a backup containing it is ever restored, the erasure has to be re-applied rather than the data quietly coming back. To claim a “legitimate interest”, organizations should state the reasons, and the backup retention period, in their GDPR compliance policy. If the processing is something that data subjects would not reasonably expect, or if it would cause unjustified harm, their interests are likely to override a legitimate interest claim.
AUG 2020 UPDATE: WebsitePolicies.com (Attorney Drafted Legal Agreements) have provided me with a link to Sample Privacy Policy Template. Check it out.
Other Resources:
Wikipedia
SEQ Legal – Free Privacy Documents
Termly – Legal Templates
Termageddon – Managed Service
Article 3 – Recital 23 (Offering Goods or Services in EU)
* Disclaimer: Tokyo Web Designs is not a law company. We are not qualified to offer a legal opinion and this article should not be regarded as such. All of the information contained herein is a result of researching layman’s articles across the internet. For proper legal advice you should consult a recognized legal practitioner.