GDPR from a Japanese Lens: What US Companies Need to Know About its Core Principles and Differences from EU Directives

The European Union's General Data Protection Regulation (GDPR) came into effect on May 25, 2018, marking a watershed moment for data protection law globally. It established a comprehensive and harmonized framework for the processing of personal data, aiming to provide a high level of protection for individuals' rights and freedoms. This regulation replaced the earlier EU Data Protection Directive 95/46/EC, introducing significant changes in scope, obligations, individual rights, and enforcement. Understanding these shifts is crucial for organizations worldwide, including those in Japan and the United States, that process data related to EU individuals. This article examines the core principles of GDPR, highlighting key distinctions from its predecessor, the Data Protection Directive.

From a Directive to a Regulation: A Fundamental Overhaul

The most fundamental difference between GDPR and its forerunner lies in their legal nature and how they apply across the European Union.

The Pre-GDPR Era: The EU Data Protection Directive 95/46/EC

The Data Protection Directive 95/46/EC, adopted in 1995, served as the EU's primary data protection instrument for over two decades. As a "Directive," it set out goals and principles that all EU member states were required to achieve. However, it left the specific methods of implementation to the national authorities of each member state. This meant that member states had to transpose the Directive's provisions into their own national laws. While this approach allowed for some flexibility to accommodate national legal traditions, it inevitably led to variations and inconsistencies in data protection laws across the EU. For businesses operating in multiple EU countries, this fragmentation created complexity and legal uncertainty, as they had to navigate differing national rules for data collection and use.

The GDPR: A Directly Applicable and Uniform "Regulation"

In contrast, the GDPR is a "Regulation," which means it has direct legal effect and is immediately binding in its entirety across all EU member states (and EEA countries) without the need for national implementing legislation. This was a deliberate choice to create a single, unified data protection law for the entire EU, thereby enhancing legal certainty and ensuring a consistent and high level of protection for individuals. The recitals of the GDPR explicitly state that a key objective was to ensure that "the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States" (Recital 10) and to remove "differences in levels of protection of the rights and freedoms of individuals ... which may prevent the free flow of personal data throughout the Union" (Recital 9).

While GDPR aims for maximum harmonization, it does permit member states to introduce specific national laws in certain limited areas, provided these do not undermine the Regulation's overall objectives. Examples where member states can legislate further include defining the age of consent for children's personal data in relation to information society services (Article 8(1) of GDPR), setting specific conditions for the processing of genetic data, biometric data, or data concerning health (Article 9(4) of GDPR), and derogations for purposes such as national security, defense, public security, and law enforcement (Article 23 of GDPR).

This shift from a Directive to a directly applicable Regulation is arguably the most significant structural change, streamlining the data protection landscape within the EU and creating a more predictable legal environment for businesses.

Key Changes and Strengthened Obligations under GDPR

The GDPR introduced a host of changes that significantly strengthened the data protection regime compared to the 1995 Directive. These include more robust obligations for organizations that process personal data (controllers and processors), new and enhanced rights for individuals (data subjects), and substantially increased penalties for non-compliance.

A. Enhanced Principles and Obligations for Data Controllers and Processors

The GDPR places greater responsibility and accountability on organizations for their data processing activities.

1. Transparency and Accountability (透明性の原則/説明責任 - tōmeisei no gensoku / setsumei sekinin)
The principle of transparency is given much greater prominence under GDPR. Article 5(1)(a) mandates that personal data shall be processed "lawfully, fairly and in a transparent manner in relation to the data subject." This goes beyond the Directive's requirement for "fair and lawful" processing, which was primarily interpreted as ensuring data subjects were not deceived or misled about the purposes of data processing. GDPR (Chapter III, Section 1, titled "Transparency and modalities") lays down detailed requirements for providing clear, concise, intelligible, and easily accessible information to data subjects about how their data is processed, often suggesting the use of plain language and even standardized icons.

Crucially, GDPR introduces a strong accountability principle (Article 5(2)). Data controllers are not only responsible for complying with the data protection principles but must also be able to demonstrate such compliance. This requires proactive measures, such as maintaining comprehensive records of processing activities, implementing data protection policies, and conducting regular reviews and audits.

2. Data Protection Impact Assessments (DPIAs - データ保護影響評価 - dēta hogo eikyō hyōka)
Under Article 35(1) of GDPR, a Data Protection Impact Assessment (DPIA) is mandatory for any processing operation that is "likely to result in a high risk to the rights and freedoms of natural persons," particularly when new technologies are involved. A DPIA is a systematic process for identifying, assessing, and mitigating data protection risks associated with a specific project or processing activity. It is considered an essential element of a "data protection by design and by default" approach. While the 1995 Directive implicitly required consideration of risks, GDPR formalizes the DPIA as a specific obligation in high-risk scenarios, requiring organizations to proactively evaluate and address potential privacy harms before commencing such processing.

3. Data Protection Officers (DPOs - データ保護オフィサー - dēta hogo ofisā)
The 1995 Directive (Article 17(1)) required controllers to implement appropriate technical and organizational measures to ensure data security, which often implied the need for designated personnel with data protection responsibilities. GDPR, under Article 37(1), makes the designation of a Data Protection Officer (DPO) mandatory for certain controllers and processors. This includes public authorities, organizations whose core activities involve large-scale, regular, and systematic monitoring of individuals, or organizations that process sensitive personal data (special categories of data) or data relating to criminal convictions on a large scale.

The DPO must possess expert knowledge of data protection law and practices and is tasked with a range of responsibilities, including informing and advising the organization and its employees of their GDPR obligations, monitoring compliance, providing advice on DPIAs, acting as a contact point for data subjects, and cooperating with supervisory authorities (as outlined in Article 39 of GDPR). The introduction of the mandatory DPO role has led to increased demand for data protection professionals across Europe.

4. Mandatory Data Breach Notification (データ侵害通知 - dēta shingai tsūchi)
Prior to GDPR, data breach notification requirements varied across the EU. The ePrivacy Directive imposed obligations on public electronic communications service providers, and many member states had their own national laws with differing thresholds and procedures for notifying breaches to authorities and affected individuals. GDPR harmonizes and strengthens these obligations for all data controllers.

  • Notification to the Supervisory Authority (Article 33 of GDPR): In the event of a personal data breach, the controller must notify the competent supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware of it," unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
  • Communication to the Data Subject (Article 34 of GDPR): When the personal data breach is "likely to result in a high risk to the rights and freedoms of natural persons," the controller must communicate the personal data breach to the data subject without undue delay.

A "personal data breach" is defined in Article 4(12) of GDPR as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." This definition is comprehensive and covers a wide range of security incidents impacting personal data. The concept is broadly analogous to what is often termed "personal information leakage" (個人情報漏えい - kojin jōhō rōei) in the Japanese context.

B. New and Enhanced Rights for Data Subjects

GDPR significantly empowers individuals by codifying existing rights and introducing new ones, giving them greater control over their personal data.

1. Right to Erasure ('Right to be Forgotten' - 消去の権利/忘れられる権利 - shōkyo no kenri / wasurerareru kenri)
Article 17(1) of GDPR establishes the data subject's right to obtain from the controller the erasure of personal data concerning them without undue delay under certain conditions. These grounds include situations where the data is no longer necessary for the purposes for which it was collected, the data subject withdraws consent (where consent was the legal basis for processing), the data subject objects to the processing and there are no overriding legitimate grounds, or the personal data has been unlawfully processed. This right codifies and expands upon principles that had emerged from European case law, providing a stronger basis for individuals to request the deletion of their data.

2. Right to Data Portability (データポータビリティの権利 - dēta pōtabiriti no kenri)
A novel right introduced by GDPR is the right to data portability, found in Article 20. This gives data subjects the right to receive the personal data concerning them, which they have provided to a controller, in a "structured, commonly used and machine-readable format." Furthermore, they have the right to transmit that data to another controller without hindrance from the original controller. This right applies when the legal basis for processing is consent or the performance of a contract, and when the processing is carried out by automated means. A commonly cited example is the ability for a user to migrate their personal data from one social networking service to another. This right is intended to foster competition and give individuals greater control over their data when moving between service providers.

Other important rights include the right of access, right to rectification, right to restrict processing, and the right to object to processing, many of which were present in the Directive but are clarified or strengthened under GDPR.

Significantly Strengthened Penalties for Non-Compliance

One of the most widely discussed and impactful features of GDPR is its significantly enhanced enforcement regime, particularly the potential for substantial administrative fines for non-compliance. Article 83 of GDPR outlines two tiers of fines, depending on the nature and severity of the infringement:

  • For certain violations (e.g., obligations of the controller and processor related to technical and organizational measures, DPO designation, certification), fines can be up to €10 million, or in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(4) of GDPR).
  • For more severe infringements (e.g., violations of basic principles for processing, including conditions for consent; data subjects' rights; rules on international data transfers), fines can be up to €20 million, or in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5) of GDPR).

These potentially massive fines underscore the seriousness with which the EU views data protection and serve as a powerful incentive for organizations worldwide to take their GDPR compliance obligations seriously. The calculation based on worldwide annual turnover means that even very large multinational corporations face the prospect of penalties running into billions of euros. Supervisory authorities are required to ensure that fines imposed are effective, proportionate, and dissuasive, taking into account various factors such as the nature, gravity, and duration of the infringement, any intent or negligence, actions taken to mitigate damage, and previous infringements.

The "Japanese Lens": Considering GDPR from a Different Perspective

While GDPR is an EU regulation, its principles and impact are felt globally. From a "Japanese lens," several observations can be made:

  • Emphasis on Harmonization: The GDPR's shift from a Directive (allowing national variations) to a directly applicable Regulation aimed at creating a single, harmonized law is a significant step. By comparison, Japan's Act on the Protection of Personal Information (APPI) is a single national law that applies uniformly within Japan. Japan also engages in efforts to align its data protection framework with international standards, notably achieving an adequacy decision from the EU, which facilitates data flows.
  • Principles of Data Protection: Core GDPR principles like lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality, and particularly accountability, resonate with evolving global best practices. While Japanese data protection culture may have historically emphasized different nuances, the global trend, influenced by regulations like GDPR, is towards more explicit articulation and operationalization of these principles.
  • Role of Supervisory Authorities: The GDPR establishes strong, independent Data Protection Authorities (DPAs) in each member state with extensive investigative and corrective powers. Japan's Personal Information Protection Commission (PPC), established as a centralized and independent authority, shares some functional similarities in its oversight role, though its specific powers and enforcement approach are defined by Japanese law.
  • Individual Rights: The robust set of data subject rights under GDPR, including the right to erasure and data portability, represents a strong emphasis on individual control over personal data. Comparing these with the rights available under Japan's APPI can highlight different philosophical approaches or stages of development in data subject empowerment.

The intense global scrutiny and discussion surrounding GDPR have undoubtedly influenced data protection thinking in Japan, contributing to ongoing reviews and refinements of its own legal framework to ensure it remains robust and facilitates international data exchange in a trusted manner.

Conclusion: GDPR's Enduring Influence on Global Data Protection

The General Data Protection Regulation represents a significant evolution from the EU's previous Data Protection Directive, establishing a more stringent, unified, and far-reaching data protection regime. Its direct applicability across all member states, the strengthening of obligations for data controllers and processors, the introduction of new and enhanced rights for data subjects, and the imposition of formidable penalties for non-compliance have collectively set a new global benchmark. Organizations around the world, regardless of their location, that process personal data of individuals in the EU or offer them goods or services, must engage seriously with GDPR's requirements. Its principles are increasingly influencing data protection laws and business practices beyond the EU's borders, underscoring a global trend towards more robust protection of personal information in the digital age.