With the changing political regime in India, Japan's interest in India is increasing due to a variety of reasons including India's big and growing market and its resources, especially human resources. The economic and commercial relations between Japan and India have accelerated since the signing and implementation of the India-Japan Comprehensive Economic Partnership Agreement (CEPA) in August 2011.
When Prime Minister Narendra Modi visited Japan in October 2018, an "India-Japan Digital Partnership" (I-JDP) was launched, furthering existing areas of cooperation as well as new initiatives within the scope of cooperation in science and technology/Information Communication Technology, focusing more on "Digital ICT Technologies". This is going to raise several queries around data privacy compliance, as India is yet to get its Data Privacy Law.
Japan's APPI and the Indian Data Privacy Bill - Background:
Japan's data privacy regulations first came into effect in 2005 and the last amended version came into effect on 30 May 2017. Along with a significant number of changes, the new law also introduced the adequacy list concept similar to the European Union's (EU) General Data Protection Regulation (GDPR) for the compliant transfer of personal data between the EU and Japan. The mutual recognition of levels of data protection provided by the APPI will make the EU the first jurisdiction to be added to Japan's adequacy list and will add Japan to the EU's adequacy list.
Presently in India, there are no specific Data Privacy Laws. Only the Information Technology Act, 2000 (the Act) contains specific provisions intended to protect electronic data (including non-electronic records or information that have been, are currently, or are intended to be processed electronically). In Justice K. S. Puttaswamy (Retd.) vs. Union of India [Writ Petition Number 494/2012], a Constitution Bench of nine judges of the Supreme Court of India held that privacy is a fundamental right, which is entrenched in Article 21 (Right to Life & Liberty) of the Constitution. A committee of experts was then appointed by the Indian government, presided over by former Supreme Court Justice Srikrishna.
The committee was named after the presiding judge as the Justice Srikrishna Committee. The Justice Srikrishna Committee submitted a comprehensive Personal Data Protection Bill in July 2018 which is yet to be presented in Parliament. The draft Bill combines three different approaches:
(a) an omnibus approach for the regulation of processing of personal data carried out by private entities, in order to ensure the autonomy of individuals;
(b) an American-style laissez-faire approach to balance out and allow the free (albeit regulated) flow of information; and
(c) an approach influenced by the Chinese Cyber Security Law (2017), which privileges the interests of the collective over the interests of the individual.
Japan's APPI versus India's PDPB:
Japan's reformed privacy law, the Act on the Protection of Personal Information (APPI), came into full force on May 30, 2017. The new Japanese law also introduced a concept similar to the EU's GDPR, giving adequacy status to countries whose data privacy laws have provisions similar to the APPI's for safeguarding the personal data of Japanese individuals. Considering the Indian Personal Data Protection Bill (PDPB) is yet to be presented before the Parliament, changes in some provisions can be expected. The comparative table below sets out the similarities and differences between the two laws:
Parameters | Personal Data Protection Bill (PDPB), India | Act on the Protection of Personal Information (APPI), Japan |
Name of Act | Personal Data Protection Bill (PDPB) | Act on the Protection of Personal Information Amendment (APPI Amendment) |
Date of Implementation | Not yet enacted | 30 May, 2017 |
Definition of Personal Data | Any data which leads to the identification of a natural person (Data Principal) | Information about a living person that would allow identification of the person as an individual (Data Subject). |
Definition of Sensitive Personal Data | Information that includes passwords, financial data, biometric and genetic data, caste, religious or political beliefs. | Information such as the data subject's race, beliefs, social status, medical history, criminal record, and whether the data subject has been a victim of crime. |
Who Does It Apply To? | Has an extraterritorial reach and any company (government and private entities) processing the personal data of Indian data principals would have to comply with the new law. | All business operators that handle the personal data of individuals in Japan. This refers both to companies that offer goods and services in Japan and are located within the country and those with offices outside it. |
Data Controller | Data Controller is termed as 'Data fiduciary' and is the same as a data controller in EU GDPR, where the defining characteristic is that it is the person or legal entity determining the purpose and means of processing. | 'Business operator' is an entity responsible for the proper handling of all 'Personal Information'. This is similar to the concept of data controller under EU GDPR. |
Data Processor | Any person, including the State, a company, any juristic entity or any individual who processes personal data on behalf of a data fiduciary, but does not include an employee of the data fiduciary; | No concept of Data Processor. As such, handling of personal data under the APPI should pertain to how a "business operator" treats and manages the personal information or personal data in its possession. |
Data Subject Rights | PDPB grants Indian data principals the right to confirm, access and correct their data as well as the right to be forgotten and to data portability. | The data subject may request the business operator to disclose, correct, add or delete the retained personal data. |
Obligation of Data Controller | The Data Fiduciary has the following obligations: (i) processing personal data in a fair and reasonable manner, (ii) notifying the data principal of the nature and purposes of data collection, and their rights, among others, and (iii) collecting only as much data as is needed for a specified purpose, and storing it no longer than necessary. | There are no obligations on the business operator with regard to registering or notifying the Personal Information Protection Commission (PPC). However, if the Handling Operator provides the Personal Information to third parties without obtaining the prior consent of the principals, it is required to notify the PPC. |
Cross-Border Data Transfer | The Indian government would grant GDPR-style adequacy status to countries it believes have an adequate level of data protection, similar to that existent in India. Cross-border data transfers would also be permissible if standard contractual clauses, as defined by the Data Protection Authority, would be applied. The bill in its current form does not clarify whether additional data principal consent would be required in either of these two cases. | Data transfers outside of Japan can only take place if the overseas recipients are located in countries that have an adequate level of data protection equal to Japan's, contractual agreements that ensure compliance with data protection standards in Japan have been signed with the overseas recipients, or the data subject whose personal information is to be transferred has given prior consent for such transfers. |
Practical Implications and Considerations:
Japan has already been added to the white-list of adequacy for the EU's GDPR. The Indian Data Privacy Bill is also aimed at getting recognized for the EU's GDPR adequacy standard. Also, as per the Indian PDPB, countries recognized by India for adequacy will be able to ensure the mutual and smooth transfer of personal data between companies in Japan and India. However, the infrastructure, consent of data subjects and other compliance-related activities will have to be put in place. Gap assessments of internal functions (human resources, administration, finance) will have to be conducted within the parameters of the obligations of the Data Fiduciaries. Our data protection and technology law desk helps navigate through privacy impact assessments of processes and/or techniques/applications needed for safeguarding the personal data of the data subjects.
Disclaimer – The views expressed in this article are the personal views of the authors and are purely informative in nature.