Data protection legislation in Europe is about to undergo a major overhaul, with the current legal regime predating the advent of Facebook, Twitter and other social media platforms. The recent revelations regarding third-party harvesting of certain social media users’ personal information for allegedly improper and undisclosed purposes have highlighted both the significant value attached to personal information and the need for additional regulation and transparency around its use.
The European General Data Protection Regulation (“GDPR”) comes into force on 25 May 2018 and will apply to all businesses that offer goods and services for sale in the EU, or process the personal information of EU residents – even if those businesses are located outside of the EU. Given this extra-territorial reach, there will be a clear impact on the Japanese funds industry, where EU resident investors are involved.
GDPR affords EU citizens new rights in respect of their personal data, including the right to access, the right to amend incorrect or out-of-date information, and the right of erasure, more commonly known as “the right to be forgotten”. EU citizens will have the right to be told in a clear and transparent manner why their personal information is being collected, for what purpose and by whom, immediately upon their data’s collection by a third party. In addition, GDPR sets out requirements for processes and systems to be designed to protect personal data and the rights of data subjects.
Fines for breaching GDPR are significant – up to €20m or 4% of global turnover, whichever is greater. Accordingly, Japanese entities doing business in the EU or processing EU citizens’ personal data will need to carefully assess their business processes to ensure that they embed GDPR compliance within their strategies. Fund managers should take action to determine whether or not the scope of GDPR extends to a particular fund or service provider they deal with, and a robust compliance and monitoring programme should then be implemented to manage ongoing adherence to the legislation.
In Japan, the Act on the Protection of Personal Information (the “Act”) provides obligations for business operators who deal with personal information. For example, the Act includes a general prohibition on disclosure of personal information without the consent of the data subject (with exceptions under certain circumstances). Prior to 30 May 2017, the Act was applicable only to business operators who are in possession of the personal information of 5,000 or more individuals. However, as a result of an amendment effective as of that date, the Act is now applicable to any business operator using a personal information database for their business.
Given the transnational nature of the funds industry, it is essential for industry players to be aware that, under both GDPR and the Japanese legislation, there is strict regulation around transfers of data out of the European Economic Area (“EEA”) and Japan, respectively. Under GDPR, transfers to third countries are prohibited unless to a country deemed by the EU Commission as having standards of data protection equivalent to those of the EU (namely Jersey, Guernsey and the Isle of Man, among a small number of others), or under strict contractual controls prescribed by the EU legislation.
As regards transfers of personal data to a third country from Japan, the Act allows three types of legitimate transfers of personal information to a third party in a foreign country:
A recent development in EU-Japan data privacy relations saw the publication of a joint statement, in mid-2017, by the European Commission and the Japanese government on international transfers of personal data. The statement detailed that the EU and Japan will continue their cooperation and aim by early 2018 to recognise each other as having adequate levels of personal data protection. If this does occur, it would mean that transfers of personal data between the EU and Japan could take place without the need for additional measures such as standard contractual clauses or binding corporate rules.
As a provider of fund administration services, with a presence in Japan as well as various non-EU jurisdictions, Moore is observing the dialogue with interest and believes that mutual recognition of equivalency will be an important step in facilitating the transnational development of the Japanese funds industry.
While Moore is headquartered in Jersey, which is outside of the EU, Jersey is also introducing legislation designed to mirror GDPR in May 2018 – as are the Cayman Islands (in 2019), whose unit trust structure is extremely popular in the Japanese market.
During 2017, Moore’s parent company, First Names Group, formed a GDPR project team comprising four work streams: Legal; Compliance; Information Security; and Data Mapping and Analysis. This project team is overseen by the Group’s Information Security Committee. The project team has been working over the last nine months to determine the impact of this legislation on our business and to develop an approach to ensure compliance. The result of this planning and preparatory work is that we have developed what we believe to be a robust but proportionate approach to GDPR compliance, which is modelled on the UK ICO “12 Steps” guidance paper issued in May 2017.
With support from external advisors, we completed a readiness assessment exercise in September 2017, which has validated our approach and confirmed that we are in good shape and on the right track to be in compliance when GDPR comes into effect on 25 May 2018.
We look forward to supporting our clients across the globe as we move towards a new regulatory environment in which the privacy of investors’ personal data will be placed at the forefront of our service.