Law in the Internet Society

RisakoSuzukiFirstEssay 4 - 27 Jan 2022 - Main.RisakoSuzuki
Line: 1 to 1
 
META TOPICPARENT name="FirstEssay"
Changed:
<
<
Whether it is reasonable and effective to set regulations on personal data from country to country
>
>
Whether it is reasonable and effective to set regulations on personal data from country to country
 1. Introduction
Changed:
<
<
There is no border relating to services provided through the Internet. Amazon sells various products on its website and people around the world can purchase them. Facebook provides various information-sharing tools which are popular all over the world. When traveling, anyone can easily book restaurants, hotels, or airplanes in other countries. Through these services, Amazon, Facebook, and many other companies gather the personal data of people living in foreign countries. However, regulations on gathering and treating personal data are set from country to country. Is it possible to effectively protect personal data by such country-specific regulations?
>
>
There is no border relating to services provided through the Internet. Amazon sells various products on its website and people around the world can purchase them. Facebook provides various information-sharing tools which are popular all over the world. When traveling, anyone can easily book restaurants, hotels, or airplanes in other countries. Through these services, Amazon, Facebook, and many other companies gather the personal data of people living in foreign countries. However, regulations on gathering and treating personal data are set from country to country. Is it possible to effectively protect personal data by such country-specific regulations?
 
Changed:
<
<
2. Take the Act on the Protection of Personal Information (Japanese personal data protection law) as an example
>
>
2. Japanese personal data protection law
 
Changed:
<
<
Before studying in Columbia Law School as an LL.M. student, I worked as a lawyer in Japan and supported some international platformers’ businesses and often research regulations on personal data by Act on the Protection of Personal Information (the “Act”). Through such experiences, I felt that some provisions of the Act on the Protection of Personal Information are unreasonable and not effective. The followings are examples.
>
>
Before studying in Columbia Law School as an LL.M. student, I worked as a lawyer in Japan and supported some international platformers’ businesses and often researched regulations on personal data by Act on the Protection of Personal Information (the “Japanese Act”). Through such experiences, I felt that the Japanese Act are unreasonable and not effective in the situation of the extraterritorial application.
 
Changed:
<
<
(i) Extraterritorial application of the Act
>
>
According to the Japanese Act and its guidelines, if a company in a foreign country (here means a country other than Japan) provides products or services to residents in Japan and gathers personal data through such business, the Japanese Act applies to the company.
 
Changed:
<
<
According to the Act and its guidelines, if a company in a foreign country (here means a country other than Japan) provides products or services to residents in Japan and gathers personal data through such business, the Act applies to the company. Then, the foreign company. as a general rule, needs to: - specify and publicize the purpose of use of personal data; - obtain consent from customers and keep records of the date and name of the recipient if the company provides customers’ personal data to a third party; - take necessary and appropriate measures to protect personal data provided for in guidelines; and - publicize procedures to respond to customers’ requests to disclose, revise, stop using personal data held by the company.
>
>
However, if a foreign company does not comply with the Japanese Act, the possibility that the Japanese company takes a certain administrative action against such a company must be very low. To take administrative action, an investigation on the compliance status (e.g. what kind of measures to protect personal data are taken) is necessary. As large companies such as Amazon and Facebook have Japanese subsidiaries, it might be possible for public offices to investigate their parent or group companies through such subsidiaries. However, as for companies having no subsidiary or branch in Japan, it is almost impossible to conduct the necessary investigation. Sadly, there are not many human resources in Japanese public offices who can read and communicate in English and other languages.
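Review bot: the first sentence of this new paragraph, "the possibility that the Japanese company takes a certain administrative action against such a company must be very low", names a company as the actor, while the sentences that follow describe investigations by Japanese public offices. The subject should be the Japanese authority, otherwise the enforcement argument of the paragraph does not follow.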
 
Changed:
<
<
If an extraterritorial application provision like the above is provided for in many other countries’ personal data protection laws, theoretically, a company hoping to provide services or products worldwide needs to take measures necessary for complying with all such laws. To do so, the company must research the regulations of each country by using law firms of each country, which means significant waste of money, time, and resources. Researching and complying with any country’s law is impossible and ridiculous.
>
>
Thus, I think foreign companies have little incentive to make effort to comply with other countries’ regulations.
 
Changed:
<
<
In addition, if a foreign company does not comply with the Act, the possibility that the Japanese company takes a certain administrative action against such company must be very low. To take administrative action, an investigation on the compliance status (e.g. what kind of measures to protect personal data are taken) is necessary. As large companies such as Amazon and Facebook have Japanese subsidiaries, it might be possible for public offices to investigate their parent or group companies through such subsidiaries. However, as for companies having no subsidiary or branch in Japan, it is almost impossible to conduct the necessary investigation. Sadly, there are not many human resources in Japanese public offices who can read and communicate in English and other languages.
>
>
3. How other countries deal with this problem
 
Changed:
<
<
Thus, I think foreign companies have little incentive to make effort to comply with other countries’ regulations.
>
>
(i) GDPR Same as the Japanese Act, Article 3.2 of the GDPR provides that it applies to a controller or processor not established in the EU, where the processing activities are related to:
 
Changed:
<
<
(ii) Provision of personal data to a third party in a foreign country
>
>
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
 
Changed:
<
<
Under the Act, if a company gathering personal data from its customers provides such data to a third party, the company must obtain prior consent from customers (“Ordinary Third-Party Provision Consent”). In addition, if the company provides personal data to a third party “in a foreign country,” the company must obtain consent from customers regarding “the provision of personal data to a third party in a foreign country” separately from the Ordinary Third-Party Provision Consent (“Foreign Third-Party Provision Consent”). However, if the third party is a company in the EU or U.K., Foreign Third-Party Provision Consent is unnecessary. That is because the EU and U.K. establish “a personal information protection system recognized to have equivalent standards to that in Japan in regard to the protection of an individual's rights and interests” (i.e. GDPR) (Article 24 of the Act). However, from the viewpoint of personal data protection, I feel it is unreasonable to ease regulations on some companies only because of their location without considering whether such companies actually take necessary and appropriate measures to protect personal data.
>
>
(b) the monitoring of their behavior as far as their behavior takes place within the Union.
 
Changed:
<
<
3. Conclusion
>
>
However, differently from the Japanese Act, in addition to Article 3.2, Article 27 of GDPR provides as follows:
 
Changed:
<
<
Even if each country sets the personal data protection regulations applicable to foreign companies, such regulations seem to be unreasonable, not effective, not enforceable, and meaningless. To protect customers’ personal data from companies providing services or products around the world via the Internet like Amazon or Facebook, it is better to create international rules regulating the treatment of personal data rather than relying on regulations by each country’s government.
>
>
1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.
 
Added:
>
>
3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored, are.
 
Changed:
<
<
It would improve the next draft to leave the Japanese example for the moment and learn about other countries' approach to the issues you raise, of establishing jurisdiction and assuring compliance. Howe does GDPR work? What about CCPA in California? What does the currently-pending Indian legislation do about making sure that foreign entities collecting personal information have Indian patties who will respond to its court orders? The advantage of studying here is that you can learn to think globally. Because there is mathematically exactly zero chance of international agreements given the differences among the world's dominant societies, it would be well to learn to understand the actual state of global play.
>
>
4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
 
Added:
>
>
Thus, under GDPR, foreign companies are required to prepare a representative, which allows the EU to effectively conduct an investigation on the compliance status and take administrative actions.
 
Added:
>
>
(ii) India
 
Added:
>
>
Regulations in India strengthen the feasibility and effectiveness of investigation and administrative actions on foreign companies. They require entities that are not established in India but offer goods or services to consumers in India to have a company incorporated in India, as well as to appoint an Indian resident as a nodal person of contact to ensure compliance with applicable laws (https://practiceguides.chambers.com/practice-guides/data-protection-privacy-2021/india/trends-and-developments).
 
Changed:
<
<

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:
>
>
3. Conclusion
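Review bot: the new heading "3. Conclusion" reuses the number that this revision already gives to "3. How other countries deal with this problem", so the essay now has two sections numbered 3. Renumber the conclusion to 4.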
 
Changed:
<
<
>
>
Even if each country sets the personal data protection regulations applicable to foreign companies, such regulations seem to be unreasonable, not effective, not enforceable, and meaningless if it does not require a certain contact person who can cooperate with an investigation by the country’s authority. Thus, Japanese Law should be amended by reference to GDPR or Indian regulation to Japanese people.
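Review bot: the last sentence of this new conclusion paragraph, "Thus, Japanese Law should be amended by reference to GDPR or Indian regulation to Japanese people.", ends with a fragment ("to Japanese people") that attaches to nothing. State what the amendment should require (the preceding sentence points to a contact person who can cooperate with an investigation) or drop the fragment. In the sentence before it, "if it does not require" should agree with the plural "such regulations".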
 
Deleted:
<
<
Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.
 \ No newline at end of file
Added:
>
>
In addition, if the rigidity of regulation differs from country to country, people in some countries may be appropriately protected but people in other countries may not, which is unreasonable and unequal. Thus, to protect all customers’ personal data from companies providing services or products around the world via the Internet like Amazon or Facebook, it is better to create international rules regulating the treatment of personal data rather than relying on regulations by each country’s government.
 \ No newline at end of file

Revision 4r4 - 27 Jan 2022 - 07:29:11 - RisakoSuzuki
Revision 3r3 - 05 Dec 2021 - 22:52:17 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.