Whether it is reasonable and effective to set regulations on personal data from country to country

1. Introduction

There is no border relating to services provided through the Internet. Amazon sells various products on its website and people around the world can purchase them. Facebook provides various information-sharing tools which are popular all over the world. When traveling, anyone can easily book restaurants, hotels, or airplanes in other countries. Through these services, Amazon, Facebook, and many other companies gather the personal data of people living in foreign countries. However, regulations on gathering and treating personal data are set from country to country. Is it possible to effectively protect personal data by such country-specific regulations?

2. Japanese personal data protection law

Before studying at Columbia Law School as an LL.M. student, I worked as a lawyer in Japan, supported some international platformers’ businesses, and often researched regulations on personal data under the Act on the Protection of Personal Information (the “Japanese Act”). Through these experiences, I felt that the Japanese Act is unreasonable and not effective in the situation of extraterritorial application.

According to the Japanese Act and its guidelines, if a company in a foreign country (here meaning a country other than Japan) provides products or services to residents in Japan and gathers personal data through such business, the Japanese Act applies to the company.

However, if a foreign company does not comply with the Japanese Act, the possibility that the Japanese company takes a certain administrative action against such a company must be very low. To take administrative action, an investigation on the compliance status (e.g. what kind of measures to protect personal data are taken) is necessary. As large companies such as Amazon and Facebook have Japanese subsidiaries, it might be possible for public offices to investigate their parent or group companies through such subsidiaries. However, as for companies having no subsidiary or branch in Japan, it is almost impossible to conduct the necessary investigation. Sadly, there are not many human resources in Japanese public offices who can read and communicate in English and other languages.

Thus, I think foreign companies have little incentive to make an effort to comply with other countries’ regulations.

3. How other countries deal with this problem

(i) GDPR

Like the Japanese Act, Article 3.2 of the GDPR provides that it applies to a controller or processor not established in the EU, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behavior as far as their behavior takes place within the Union.

However, unlike the Japanese Act, the GDPR also provides, in Article 27, as follows:

1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.

3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored, are.

4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

Thus, under GDPR, foreign companies are required to prepare a representative, which allows the EU to effectively conduct an investigation on the compliance status and take administrative actions.

(ii) India

Regulations in India strengthen the feasibility and effectiveness of investigation and administrative actions on foreign companies. They require entities that are not established in India but offer goods or services to consumers in India to have a company incorporated in India, as well as to appoint an Indian resident as a nodal person of contact to ensure compliance with applicable laws (https://practiceguides.chambers.com/practice-guides/data-protection-privacy-2021/india/trends-and-developments).

4. Conclusion

Even if each country sets personal data protection regulations applicable to foreign companies, such regulations seem to be unreasonable, not effective, not enforceable, and meaningless if they do not require a certain contact person who can cooperate with an investigation by the country’s authority. Thus, Japanese law should be amended by reference to the GDPR or Indian regulation for Japanese people.

In addition, if the rigidity of regulation differs from country to country, people in some countries may be appropriately protected but people in other countries may not, which is unreasonable and unequal. Thus, to protect all customers’ personal data from companies providing services or products around the world via the Internet like Amazon or Facebook, it is better to create international rules regulating the treatment of personal data rather than relying on regulations by each country’s government.