Whether it is reasonable and effective to set regulations on personal data from country to country

1. Introduction

There is no border relating to services provided through the Internet. Amazon sells various products on its website and people around the world can purchase them. Facebook provides various information-sharing tools which are popular all over the world. When traveling, anyone can easily book restaurants, hotels, or airplanes in other countries. Through these services, Amazon, Facebook, and many other companies gather the personal data of people living in foreign countries. However, regulations on gathering and treating personal data are set from country to country. Is it possible to effectively protect personal data by such country-specific regulations?

2. Take the Act on the Protection of Personal Information (Japanese personal data protection law) as an example

Before studying at Columbia Law School as an LL.M. student, I worked as a lawyer in Japan, supported some international platformers’ businesses, and often researched regulations on personal data under the Act on the Protection of Personal Information (the “Act”). Through such experiences, I felt that some provisions of the Act are unreasonable and not effective. The following are examples.

(i) Extraterritorial application of the Act

According to the Act and its guidelines, if a company in a foreign country (here meaning a country other than Japan) provides products or services to residents in Japan and gathers personal data through such business, the Act applies to the company. Then, the foreign company, as a general rule, needs to:

- specify and publicize the purpose of use of personal data;
- obtain consent from customers and keep records of the date and name of the recipient if the company provides customers’ personal data to a third party;
- take necessary and appropriate measures to protect personal data provided for in guidelines; and
- publicize procedures to respond to customers’ requests to disclose, revise, or stop using personal data held by the company.

If an extraterritorial application provision like the above is provided for in many other countries’ personal data protection laws, theoretically, a company hoping to provide services or products worldwide needs to take measures necessary for complying with all such laws. To do so, the company must research the regulations of each country by using law firms of each country, which means a significant waste of money, time, and resources. Researching and complying with every country’s law is impossible and ridiculous.

In addition, if a foreign company does not comply with the Act, the possibility that the Japanese company takes a certain administrative action against such a company must be very low. To take administrative action, an investigation on the compliance status (e.g., what kind of measures to protect personal data are taken) is necessary. As large companies such as Amazon and Facebook have Japanese subsidiaries, it might be possible for public offices to investigate their parent or group companies through such subsidiaries. However, as for companies having no subsidiary or branch in Japan, it is almost impossible to conduct the necessary investigation. Sadly, there are not many human resources in Japanese public offices who can read and communicate in English and other languages.

Thus, I think foreign companies have little incentive to make an effort to comply with other countries’ regulations.

(ii) Provision of personal data to a third party in a foreign country

Under the Act, if a company gathering personal data from its customers provides such data to a third party, the company must obtain prior consent from customers (“Ordinary Third-Party Provision Consent”). In addition, if the company provides personal data to a third party “in a foreign country,” the company must obtain consent from customers regarding “the provision of personal data to a third party in a foreign country” separately from the Ordinary Third-Party Provision Consent (“Foreign Third-Party Provision Consent”). However, if the third party is a company in the EU or U.K., Foreign Third-Party Provision Consent is unnecessary. That is because the EU and U.K. establish “a personal information protection system recognized to have equivalent standards to that in Japan in regard to the protection of an individual's rights and interests” (i.e. GDPR) (Article 24 of the Act). However, from the viewpoint of personal data protection, I feel it is unreasonable to ease regulations on some companies only because of their location without considering whether such companies actually take necessary and appropriate measures to protect personal data.

3. Conclusion

Even if each country sets the personal data protection regulations applicable to foreign companies, such regulations seem to be unreasonable, not effective, not enforceable, and meaningless. To protect customers’ personal data from companies providing services or products around the world via the Internet like Amazon or Facebook, it is better to create international rules regulating the treatment of personal data rather than relying on regulations by each country’s government.

It would improve the next draft to leave the Japanese example for the moment and learn about other countries' approach to the issues you raise, of establishing jurisdiction and assuring compliance. How does GDPR work? What about CCPA in California? What does the currently-pending Indian legislation do about making sure that foreign entities collecting personal information have Indian parties who will respond to its court orders? The advantage of studying here is that you can learn to think globally. Because there is mathematically exactly zero chance of international agreements given the differences among the world's dominant societies, it would be well to learn to understand the actual state of global play.
