GDPR (General Data Protection Regulation)
Last updated: 2026-03-10
What Is GDPR
GDPR (General Data Protection Regulation) is the EU regulation governing the processing of personal data. Adopted in 2016 and applicable since May 25, 2018, it is regarded as one of the world's strictest data protection laws.
GDPR's distinguishing feature is its broad territorial scope. It applies not only to organizations established in the EU but also to organizations outside the EU that offer goods or services to individuals in the EU or monitor the behavior of individuals in the EU. This means Japanese companies are also subject to GDPR when they process the personal data of people in the EU in either of those ways.
Penalties for the most serious violations can reach up to 4% of worldwide annual turnover or 20 million euros, whichever is higher (a lower tier of 2% or 10 million euros applies to less serious infringements). Notable cases include Meta (formerly Facebook) being fined 1.2 billion euros in 2023 over transfers of EU user data to the United States, and Amazon being fined 746 million euros in 2021.
GDPR Basic Principles and Data Subject Rights
GDPR establishes seven basic principles for personal data processing.
- Lawfulness, Fairness, and Transparency: Data processing requires a legal basis and must be transparent to data subjects
- Purpose Limitation: Data should only be collected for specified, legitimate purposes and not used beyond those purposes
- Data Minimization: Only the minimum data necessary for the purpose should be collected
- Accuracy: Data must be kept accurate and up to date
- Storage Limitation: Data should not be retained beyond the period necessary for the purpose
- Integrity and Confidentiality: Data must be protected with appropriate security measures
- Accountability: Organizations must be able to demonstrate compliance with the above principles
Data subjects (individuals) are guaranteed rights including the following.
- Right of Access: The right to know how your data is being processed
- Right to Rectification: The right to request correction of inaccurate data
- Right to Erasure (Right to Be Forgotten): The right to request deletion of data under certain conditions
- Right to Data Portability: The right to receive your data in a machine-readable format and transfer it to another service
- Right to Object: The right to object to specific data processing including profiling
Cookie Consent Banners and GDPR
The cookie consent banners displayed when visiting EU websites come from the ePrivacy Directive, which requires consent before storing information on or reading information from a user's device (cookies, but also localStorage and similar mechanisms), combined with GDPR, which defines what counts as valid consent.
Consent must be freely given, specific, informed and unambiguous, and must be given by a clear affirmative action before any tracking cookie is set. Key points include:
- Opt-in Approach: Enabling tracking cookies by default and having users opt out is not permitted, and neither are pre-ticked boxes or "continued browsing means consent". Cookies may only be set after the user actively consents
- Freedom of Consent: Designs that make only the "Accept All" button prominent while making rejection difficult (dark patterns) have been treated by supervisory authorities as invalid consent; rejecting must take no more effort than accepting
- Withdrawal of Consent: Users can withdraw consent at any time, and withdrawing must be as easy as giving consent. Withdrawal also means the cookies set under that consent are no longer used and should be removed
- Essential Cookie Exception: Cookies strictly necessary for a service the user has requested (session management, shopping cart, load balancing, the cookie that stores the consent decision itself, etc.) can be set without consent. Analytics and advertising cookies never fall under this exception
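The rules above are usually enforced with a single chokepoint through which every cookie (and every tracking script) must pass. The following JavaScript is an added example written for this page, not code from any consent-management product: the default state is "no consent", only the strictly necessary category bypasses the gate, every non-essential category that the user did not explicitly grant is recorded as refused, withdrawal deletes the cookies set under the previous decision, and a missing or malformed consent record is treated as no consent rather than as consent. The in-memory MemoryJar stands in for document.cookie so the code runs outside a browser; cookie names, categories and values are made up for illustration.

```javascript
// Added example (not from the original page): a minimal consent gate that
// enforces opt-in, per-category consent, easy withdrawal and a consent record.
// Assumptions: MemoryJar stands in for document.cookie; the cookie names and
// categories below are illustrative, not taken from any real site.

const ESSENTIAL = "essential"; // strictly necessary: may be set without consent
const CATEGORIES = [ESSENTIAL, "analytics", "marketing"];
const CONSENT_COOKIE = "cookie_consent"; // itself strictly necessary

class ConsentManager {
  constructor(jar, now = () => new Date()) {
    this.jar = jar;            // object with get(name), set(name, value), remove(name), names()
    this.now = now;            // injectable clock, so the consent timestamp is testable
    this.registry = new Map(); // cookie name -> category, used to clean up on withdrawal
    this.state = null;         // null means "no decision recorded" and therefore no consent
  }

  // No record, or a record that does not grant the category, means no consent.
  hasConsent(category) {
    if (category === ESSENTIAL) return true;
    return Boolean(this.state && this.state.granted[category] === true);
  }

  // Record an explicit decision. Every non-essential category defaults to false,
  // so a category the user never saw can never be silently granted.
  record(choices) {
    const granted = {};
    for (const c of CATEGORIES) {
      if (c !== ESSENTIAL) granted[c] = choices[c] === true;
    }
    this.state = { granted, timestamp: this.now().toISOString(), version: 1 };
    this.jar.set(CONSENT_COOKIE, JSON.stringify(this.state)); // the record itself is essential
    return this.state;
  }

  // Withdrawal is one call: it records "nothing granted" and removes every
  // non-essential cookie that was set under the earlier decision.
  withdraw() {
    this.record({});
    for (const [name, category] of this.registry) {
      if (category !== ESSENTIAL) {
        this.jar.remove(name);
        this.registry.delete(name); // deleting the current entry during Map iteration is safe
      }
    }
    return this.state;
  }

  // The single chokepoint for setting cookies. Returns false (and sets nothing)
  // when the category has not been opted in to; throws on unknown categories
  // so that an unclassified cookie cannot slip through as "essential".
  setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (!this.hasConsent(category)) return false;
    this.jar.set(name, value);
    this.registry.set(name, category);
    return true;
  }

  // Restore a stored decision on page load. Anything absent, unparsable or
  // missing the expected shape is treated as no consent, never as consent.
  load() {
    const raw = this.jar.get(CONSENT_COOKIE);
    if (!raw) return null;
    try {
      const parsed = JSON.parse(raw);
      this.state = parsed && typeof parsed.granted === "object" && parsed.granted !== null ? parsed : null;
    } catch {
      this.state = null;
    }
    return this.state;
  }
}

// In-memory stand-in for document.cookie (constructed for this example).
class MemoryJar {
  constructor() { this.store = new Map(); }
  get(name) { return this.store.has(name) ? this.store.get(name) : null; }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

// Lifecycle walk-through: first visit, consent to analytics only, then withdrawal.
function demo() {
  const jar = new MemoryJar();
  const cm = new ConsentManager(jar);
  const beforeConsent = cm.setCookie("_ga", "GA1.2.123", "analytics"); // false: not yet opted in
  const essential = cm.setCookie("sessionid", "abc123", ESSENTIAL);    // true: strictly necessary
  cm.record({ analytics: true });                                      // marketing is recorded as refused
  const afterConsent = cm.setCookie("_ga", "GA1.2.123", "analytics"); // true
  const marketing = cm.setCookie("_fbp", "fb.1.123", "marketing");     // false
  cm.withdraw();                                                       // removes _ga, keeps sessionid
  return { beforeConsent, essential, afterConsent, marketing, remaining: jar.names() };
}
```

The same gate should wrap the loading of third-party tags (analytics and advertising scripts set their own cookies once they run), and a server-side check on the consent cookie should refuse to emit tracking Set-Cookie headers when it is absent, since client-side JavaScript can be bypassed.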
Under Japan's Act on the Protection of Personal Information (APPI), cookies on their own usually do not qualify as personal information. The amendment that took effect in April 2022 introduced the category of "personally referable information" for such data: when a provider passes it to a third party who will combine it with other data to identify an individual, the provider must first confirm that the recipient has obtained the individual's consent.
Impact on Japanese Companies and Response
GDPR has "extraterritorial application" provisions that apply to companies outside the EU, making it relevant to Japanese companies as well.
When GDPR Applies
- When offering products or services to people in the EU. Mere accessibility of a website from the EU is not enough; what matters is evidence of targeting, such as offering an EU language or currency, accepting orders in that language, or mentioning EU customers
- When tracking the behavior of EU residents (analytics, ad targeting, etc.)
- When having a branch or office within the EU
Japan's Adequacy Decision
Japan obtained an "adequacy decision" from the EU in January 2019, meaning personal data can be transferred from the EU to Japan without additional safeguards such as standard contractual clauses. This signifies that the EU recognizes Japan's Act on the Protection of Personal Information as providing an essentially equivalent level of protection to GDPR. However, data received under the adequacy decision must be handled in accordance with the "supplementary rules" issued by Japan's Personal Information Protection Commission, which impose stricter handling than the APPI alone (for example on sensitive data and onward transfers).
Practical Response Points
- Privacy Policy Preparation: Create a privacy policy with high transparency that meets GDPR requirements
- Cookie Consent Management: Display GDPR-compliant cookie consent banners for access from the EU
- Responding to Data Subject Rights: Establish systems to handle requests for access rights, erasure rights, etc.
- Practicing Data Minimization: Minimize collected data and clearly define retention periods
To learn more about this topic, see Global Privacy Laws: Comparing GDPR, CCPA, and Japan's APPI.
Common Misconceptions
- GDPR doesn't apply to Japanese companies
- GDPR applies to Japanese companies that offer goods or services to people in the EU or monitor their behavior. Mere accessibility from the EU does not by itself trigger GDPR, but a globally operated web service that targets EU users, or that runs analytics and ad targeting on EU visitors, does fall within its scope.
- Displaying a cookie consent banner means GDPR compliance
- Simply displaying a banner is insufficient. You must not set tracking cookies before user consent (opt-in approach), make rejection as easy as acceptance, and maintain consent records, among other substantive requirements.
GDPR vs. Japan's Act on the Protection of Personal Information
GDPR (EU)
Covers a broad range of data including cookies. Opt-in consent is the default. Penalties up to 4% of global revenue. Guarantees the right to be forgotten and data portability.
Act on the Protection of Personal Information (Japan)
Covers information that can identify individuals. Cookies alone are generally not covered (regulated as personal-related information). Maximum corporate penalty of 100 million yen. Rights expanded in the 2022 amendment but not as broad as GDPR.