In the not-too-distant future, the amount of data that an autonomous vehicle generates, processes, transfers and stores will be significant.
Original equipment manufacturers (OEMs), suppliers and service providers in the automotive industry are carefully considering data protection laws as part of the design process to ensure 'privacy by design', not least to avoid fines, or worse, product recalls.
To understand the implications of autonomous driving under more than 70 data protection regimes around the world, our clients have been reaching out to us to learn more about Japan’s data protection laws.
Here is a summary of answers to the key queries our clients have raised.
What is the main Japanese data protection law regarding autonomous driving?
The Act on the Protection of Personal Information (APPI). The latest amendment came into force on 30 May 2017 and another amendment is scheduled to take effect by June 2022.
Who does the APPI apply to?
The APPI applies to all business operators that handle the personal information of individuals in Japan. 'Personal information' means information about a natural person that would allow identification of that person. The information can be standalone or comprised with other information that will enable the identification of the person.
Why is the APPI applicable to autonomous driving?
Autonomous driving is likely to encompass the processing of the following personal information (among others):
- the identity of the user;
- the location of the user and, if applicable, passengers as well as pedestrians and drivers of other vehicles around the self-driving vehicle;
- pedestrians' and other drivers’ faces;
- biometric data (of the user and potentially passengers); and
- depending on the technology used, the height, weight, blood pressure, heart rate, disabilities, diseases and other physical conditions of the user.
Automotive OEMs are familiar with some of these as modern vehicles (that are not strictly related to autonomous driving) collect personal information in, for example, the vehicle's navigational system and other maintenance records.
Considerations when collecting personal information
If someone collects personal information, they must (with a few exceptions):
- tell the data subject, ie the individual, the purpose of collecting/processing; or
- publish the purpose.
Most market participants will publish the purpose on their website.
Can personal information be shared with affiliated contractors in Japan?
Yes, but generally the data subject’s consent is required. There are exemptions, which need to be carefully drafted into the 'purpose of use' statement.
Can personal information be exported outside Japan (eg for the purpose of research and development)?
The general principle is that the data subject’s consent is required, but there are exemptions.
To the EU and UK
Export of personal information to business operators subject to the EU general data protection regulation (GDPR) is unconditionally exempted from the data export restrictions set out in the APPI. The list of carved-out countries (which currently includes the UK) is reviewed and renewed at least every four years.
To other regions
Export is permitted if the criteria set out by the relevant authority (the Personal Information Protection Commission of Japan) is adhered to, namely:
- adopting (substantively) the same standards as the APPI; or
- being certified within an international data protection framework (eg Asia-Pacific Economic Cooperation's cross-border privacy rules system).
What about privacy and other relevant laws?
As a separate issue, the risk of claims for damages under Japanese tort laws for breaches of privacy rights should not be ignored. We recommend that clients set up a privacy plan for the collection, use, sharing and storage of information about vehicle owners, occupants and pedestrians collected by a self-driving car.
Japan does not yet have any specific cybersecurity laws that would apply to autonomous driving systems.
Where do we go from here?
Like many other legislators, Japanese regulators have in many respects been adopting a wait-and-see approach. We suspect that the universal relevance of and issues around autonomous driving will eventually lead to some form of unified global regulation for the industry.
