Pixel-Map-Japan

Okaerinasai, or welcome back, to this article series on conducting discovery in Japan. Part I of this series discussed how the 2015 amendments to the U.S. Federal Rules of Civil Procedure have affected document and data collections and discovery in Japan. The second part of this series explores the current data privacy landscape in Japan and addresses key logistical and cultural issues that practitioners should consider when seeking or conducting discovery in Japan.

Privacy & Data Protection

Japan's Act on the Protection of Personal Information (APPI), one of Asia's oldest data protection regulations, was implemented in 2003 “to protect an individual's right and interests while considering the utility of personal information.” The APPI was intended to (1) provide an overall vision and policy regarding the proper handling and protection of personal information, (2) clarify the responsibilities and obligations of the central and local governments in the protection of personal information, and (3) ensure that the proper application of personal information contributes to the creation of new industries, the realization of a vibrant economic society, and an enriched quality of life for the people of Japan.

In 2015, Japan amended the APPI to better address the exponential increase in the volume and variety of data being created by organizations, as well as the steady rise in data breaches relating to the unauthorized bartering of private information. These amendments, which went into full effect on May 30, 2017, (1) better define what constitutes “personal information” and “special care-required personal information”; (2) lay out obligations of business operators handling personal information; (3) introduce new measures relating to cross-border transfers of personal information; and (4) establish the Personal Information Protection Commission.

The amended APPI also responds to the European Union's impending General Data Protection Regulation (GDPR), which will take effect on May 25, 2018. Under the GDPR, EU citizens' data can be transferred outside the European Economic Area (EEA), which includes the European Union, Norway, Iceland and Liechtenstein, if the receiving country's level of protection has been deemed “adequate” by the European Commission. If the receiving jurisdiction has not been deemed adequate under the GDPR, EU citizens' data can be transferred outside the EEA only if the transferring entity has provided appropriate safeguards provided for in the GDPR, including binding corporate rules, model contractual clauses, and non-standard contractual clauses, or the transfer fits within a specific derogation under the GDPR.

The amendments to Japan's APPI have brought Japan's data protection framework into much closer alignment with the EU's privacy landscape, and it is expected that Japan will be granted adequacy determination by the European Commission sometime in 2018. Though there has not been any U.S. case law dealing with Japan's APPI so far, Japanese and foreign entities should strongly consider it when dealing with data that may contain personal information.

Japanese Business Culture

Japanese business culture values concepts such as tradition, hierarchy, cooperation, patience and trust. Long-term relationships are the most trusted, and it takes time to build these relationships. These concepts extend into all aspects of Japanese life, including the daily business culture.

Japan's corporate environment differs from the West in many respects, from how business cards are exchanged to where people sit in business meetings or stand in elevators. Unsurprisingly, these differences extend into how technology is used in the corporate setting. Company-owned devices, for example, are typically not used for personal reasons in Japan, and collecting data from company-owned devices can present a host of technological challenges.

Another example is that in Japan, documents are most often saved to shared sites and not on employee computers, and paper documents are stored in central filing areas, not within employee-specific locations. Moreover, because many Japanese companies still rely on hard copy documents, digitizing these documents can be burdensome and time-consuming. Often, data cannot be removed from on-site locations, and vendors need to handle—or contract with—onsite scanning or copying resources.

It would be impossible to appreciate every nuance of the Japanese culture and corporate environment, but it behooves foreign legal practitioners to learn as much as they can and to lean on appropriate resources as necessary.

Four Practical Considerations

Once you understand the legal, business and cultural aspects of conducting discovery in Japan or seeking documents and data from Japan, you should keep in mind a few key practical considerations that will help you in your efforts.

Do engage the right vendor: The importance of finding the right technology vendor cannot be overstated. Ideally, your vendor should have a local presence in Japan; native fluency in the Japanese language; proven technological expertise in Japanese data architecture, programs and systems; and an established mastery of the cultural, legal and regulatory environment in Japan. You should also seek to secure a vendor that has the industry-specific experience, such as pharmaceutical, financial services, automotive or electronics, most related to your matter.

Don't expect the vendor to do everything: As you may imagine, conducting discovery in Japan is not a “set it and forget it” endeavor. Building and maintaining trust in your chosen vendor(s) is important, but legal practitioners must stay closely involved in the major (and oftentimes daily) decisions relating to the vendors' activities, which usually involve and affect every stage of the EDRM lifecycle. Though technology vendors can provide invaluable insight into the discovery process, legal practitioners should ultimately be driving decisions relating to discovery. These decisions may relate, for example, to defensible data collection, the use of analytics or technology assisted review, scope of responsiveness, timing of document productions, and ongoing preservation and hardware decommissioning decisions.

Practitioners also have a duty to promptly and properly inform data vendors of the duty to preserve client data, and to monitor vendor compliance. Practitioners must also review and adjust privacy and data protection agreements with vendors to ensure compliance with the recent APPI amendments discussed above.

Do devise the right workflow: Will the review take place in Japan or the U.S.? Will you need to use Japanese language reviewers, Japanese-to-English translations, or both? If you are going with translations, will machine translations suffice or will you need to secure human translations? Will translators be needed for on-site collections? Where will the data be hosted? What happens moving forward, as new data and documents are created? These are just a few of the nuanced issues that you will need to think through when constructing the right workflow for your matter. Given the complexities and differences in legal systems, language, technology and culture discussed in this article series, a general rule here is “measure twice (or three times) and cut once.”

Don't expect the work to flow perfectly: Regardless of the prior paragraph, don't expect everything to go according to plan. You will most likely run into some snags in your workflow, no matter how perfect it is. Conducting discovery in Japan or any foreign jurisdiction can be daunting, and preparation, resiliency and maneuverability are keys to success. Therefore, you should plan judiciously, anticipate hiccups, be flexible, have the right team in place, and learn from your missteps. And, most importantly, ganbatte!

Michael C. Zogby is a partner in the Products Liability & Mass Tort department at Drinker Biddle & Reath LLP, and he is co-lead of the firm's Pharma and Life Sciences Industry Group. Yodi S. Hailemariam is a senior associate in the firm's Information Governance and E-Discovery practice group.