
In 2015, Japan passed its Act on the Protection of Personal Information (APPI). This data protection legislation established the Personal Information Protection Commission (PPC). The PPC works with government ministries to set guidelines on how to handle personal information, data breaches, data transfers to foreign countries, and data anonymization.

Specific guidelines also regulate how personal genetic data, credit information, and healthcare records are to be protected.


Data cannot be transferred to third parties unless the person concerned consents, but there are exceptions, including those to protect public health. Data transfers can proceed if notification has been provided and no response has been received during an opt-out period.


An initial exemption for businesses that handle the data of fewer than 5,000 people was repealed in 2017.


The APPI can apply when foreign businesses acquire the personal data of Japanese citizens in order to provide goods and services in Japan.




This summer, China implemented the Personal Information Protection Law (PIPL), its own version of the GDPR. The law requires that companies that store personal information have a good purpose for holding the data. The personal data that can be retained is restricted to what is necessary for the stated aims of the data collection.


The Personal Information Protection Law also has measures to ensure that personal data transferred outside of China is protected.


Companies storing personal data must conduct regular self-reviews to guarantee that personal data is properly protected.


Data subjects must explicitly agree to have their health, financial, and location data processed. The PIPL also has provisions which allow consumers to reject targeted online ads.


While the law allows companies to conduct their own audits, a regulator can order an audit if complaints are made.




The Hamburg Commissioner for Data Protection issued a press release yesterday which noted that it has warned the city government about its use of the on-demand version of Zoom. The Commissioner believes that Zoom does not comply with the provisions of the General Data Protection Regulation. Data is transferred by Zoom to the United States, which has been judged to have inadequate privacy safeguards. (See the post on the Schrems II decision in the Tip of the Night for July 22, 2020.) The Commissioner determined that Zoom was not following the rules set by the European Data Protection Committee for the transfer of data to the United States.


The Commissioner issued a formal warning to the Hamburg Senate under Article 58(2) of the GDPR that processing operations in Zoom were likely to infringe the GDPR.


The on-demand version of Zoom is in effect a one-way webinar in which the participants cannot interact with the hosts as they would in a normal Zoom session. On-demand webinars are stored in the cloud, and are available to webinar registrants later on.


The Commissioner specifically recommended the use of a different video conferencing program.



Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea