The General Data Protection Regulation (GDPR) that has gone into effect in the EU cannot simply be swept aside as a new rule for a distant region. It is a historic regulation governing the protection of personal information.
The regulation basically returns various rights relating to personal information to individuals, who are the rightful owners of that information. This may seem only natural, but up until now companies have been using personal information obtained through free search services and other means as they saw fit. The regulation put the brakes on such action.
In an information leak from Facebook Inc. that surfaced as a global problem this spring, it emerged that users' "likes" had been analyzed and used to strategically target them with political ads and other information. Such actions constitute a clear violation of terms.
What makes the GDPR groundbreaking is the fact that even companies in Japan and other countries that are not operating in Europe could be subject to the regulation, regardless of their size. There is no room for them to remain indifferent about it.
Companies that collect personal information must explain what they use it for in easily understandable terms, and obtain users' consent to do so. If there are any data breaches or abuse affecting this private information, they must report this within 72 hours. Furthermore, administrators who are asked to delete private information provided in the past must complete the erasure of the information promptly, including backups.
The greatest feature of the regulation is probably the hefty financial penalties it imposes for violations. Violators are subject to a fine of up to 20 million euros (about 2.6 billion yen), or 4 percent of their annual worldwide turnover of the preceding financial year, whichever is greater.
Even if companies have no intention of doing business in the EU, they must be careful. For example, if users of a free game delivered online from Japan are in the EU, then the same level of information management as European companies is required of the Japanese company.
Yet while there was a two-year awareness period before the regulation came into effect, Japanese companies have been slow to respond. Even if the party involved is a small company or a local body, it must quickly act in light of the fact that world ideas on personal information are undergoing a great change.
In the global economy, regulations that are introduced in main markets first can end up becoming global standards. This new regulation raises the question of whether it is all right for companies in another country to be swallowed by a large wave from overseas.