Updates for the Amendment of Japan's Act on the Protection of Personal Information
On 5 June 2020, the Japanese Diet approved a bill to partially amend the Act on the Protection of Personal Information (the “APPI”) and the amended APPI will come into effect on 1 April 2022. Please see our previous article: here for the overview of the amendment.
As discussed in our previous article, the amendment includes, among other things, strengthening the rights of data subjects, increasing the Privacy Information Handling Operator (the “PIH Operator”)’s obligations and strengthening the sanction, etc. In response to the amendment of the APPI, the Cabinet Order to Enforce the APPI and Enforcement Rules for the APPI were also updated. In addition, the Personal Information Protection Commission (the “PPC”) has issued several guidelines regarding the interpretation of the updated APPI. This series of changes in the Cabinet Order, the Enforcement Rules, and guidelines (collectively, the “New Guidelines”) clarifies the details of the regulations under the amended APPI. It is important for business operators to understand the New Guidelines as well as the amended APPI itself to make sure what is necessary for them to be in compliance with the amended APPI.
Data Breach Report
Under the amended APPI, a report to the PPC and notification to affected data subjects are mandatory in specific cases, and the New Regulations clarify the details of such obligation.
PIH Operators need to submit a report to the PPC if any of the following data breach incidents (including leakage, loss or destruction of personal information) occurs or is likely to have occurred:
- data breach containing special care-required personal information;
- data breach that is likely to harm the individuals’ property;
- data breach that is caused by malicious actions (for example, in the case of ransomware attack); or
- data breach that involves over 1,000 data subjects.
Reports to the PPC must be submitted twice. A PIH Operator shall, when it becomes aware of data breach incidents, immediately (ideally within 3-5 days) report the incident to the PPC. Thereafter, in addition to the first report, the PIH Operator shall file a second report within 30 days (or 60 days depending on the type of data breach) from the day of recognizing the data breach.
In addition to the data breach report to the PPC, a PIH Operator shall notify the incidents to each data subject promptly. If it is impossible to reach out to data subjects for any reason, then the PIH Operator must take alternative measures. Unlike the reports to the PPC, there is no specific time limit for notifying data subjects. The amended APPI requires business operators to notify the personal data breach to data subjects immediately according to the circumstances. Therefore, business operators need to judge the timing of notification on a case-by-case basis. For example, the official APPI guidelines state that if the details of the personal data breach are still unclear and there is a risk that providing notification based on this insufficient information will confuse the data subjects, then the business operator does not need to provide notification of that information to data subjects.
Consent of Data Subjects for Transfer of Personally Referable Information
The amended APPI defines information which is related to personal matters but that does not fall under the definition of personal information as Personally Referable Information (“PRI”). The New Guidelines reveal that PRI may include, but is not limited to, purchase history, location data, and web browsing history collected through cookies.The amended APPI stipulates that prior consent from data subjects is necessary to transfer PRI to third party if it is reasonably expected that the receiving party will identify a specific individual and use the received PRI as personal information by way of referencing such PRI with any information that the receiving party already has in its possession. If prior consent from data subjects is required, a PIH Operator who transfers PRI to a third party must confirm that the receiving party has obtained the relevant consent.
In addition to confirming the existence of a prior consent, a PIH Operator must prepare and keep records of the following information:
- the fact that the PIH Operator has confirmed the existence of consent of the data subject;
- the date of the transfer;
- the name and address (or the name of the representative) of the receiving party;
- the content of the transferred PRI.
Pseudonymously Processed Information
The amended APPI introduces the concept of Pseudonymously Processed Information, which is the information that is processed so that such information is (i) not able to be used to identify a specific individual but (ii) is able to be de-crypted with reference to other information. The example of Pseudonymously Processed Information includes, but is not limited to, information in which names, addresses, and other similar information are replaced with a random string of characters. The purpose of introducing this new concept is to expediate the use of data within a company, as opposed to Anonymously Processed Information which is intended for sharing with third parties. Consequently, it is generally prohibited to transfer Pseudonymously Processed Information to any third party. If a PIH Operator wants to transfer Pseudonymously Processed Information to a third party, it must satisfy specific requirements which mirror those required for transferring personal information to third parties.
Extraterritorial Application and Cross-Border Data Transfers
The amended APPI further stipulates that if a PIH Operator transfers personal data to third parties based offshore by way of a data subject’s consent, the PIH Operator is required to provide to data subjects the following information regarding the protection of such transferred personal data:
- the name of the foreign country to which the personal data is transferred;
- an outline of the data protection system in that foreign country; and
- the measures the receiving party will take to protect the transferred information (for example, whether or not the receiving party takes measures that are stipulated in OECD's Privacy Principles).
With respect to 2 the New Guidelines states that the following matters should be taken into account to decide the details of information to be provided with the data subjects:
- whether the country has legislation or regulations regarding the protection of personal information;
- whether the country has obtained an adequacy decision under the GDPR or is a member of Cross-Border Privacy Rules, or any other data protection frameworks;
- whether the data protection laws and regulations in the country accord with the OECD's Privacy Principles; and
- other data privacy related rules that would have a serious impact on the data subject’s interest.
Recently, the PPC disclosed a report explaining the data protection systems for 31 countries and regions (as shown in below chart) on its website. It is advisable for PIH Operators who are planning to transfer personal data to any of these countries to refer to the PPC’s list and accompanying outlines and prepare explanatory language in accordance with the report.
List of the 31 Countries
| 1 | United Arab Emirates (Federation) |
| 2 | United Arab Emirates (Abu Dhabi Global Market) |
| 3 | United Arab Emirates (Dubai Healthcare City) |
| 4 | United Arab Emirates (Dubai International Finance Centre) |
| 5 | India |
| 6 | Indonesia |
| 7 | Ukraine |
| 8 | Australia |
| 9 | Canada |
| 10 | Republic of Korea |
| 11 | Cambodia |
| 12 | Singapore |
| 13 | Switzerland |
| 14 | Thailand |
| 15 | Taiwan |
| 16 | China |
| 17 | Turkey |
| 18 | New Zealand |
| 19 | Philippines |
| 20 | Brazil |
| 21 | United States of America (Federation) |
| 22 | United States of America (Illinois) |
| 23 | United States of America (California) |
| 24 | United States of America (New York) |
| 25 | Vietnam |
| 26 | Hong Kong |
| 27 | Malaysia |
| 28 | Myanmar |
| 29 | Mexico |
| 30 | Lao People’s Democratic Republic |
| 31 | Russian Federation |
The PPC announced that it would issue an additional report explaining the data protection systems for the following countries within 2022: Israel, Qatar, Costa Rica, Tunisia, Panama, Peru, South Africa, Morocco and Mongolia.
In addition, if a PIH Operator transfers personal data based on grounds other than the data subjects’ consent (for example, transferring personal data to a contractor for the entrustment of processing of personal data), the PIH Operator is required to take the following measures to ensure that the receiving party of such data continuously takes proper measures to process the data in a manner equivalent to the requirements of the APPI:
- regularly confirm (i) the implementation status of the data protection measures by the receiving party, and (ii) whether there are any changes in data protection system in the recipient’s country that would affect the data protection measures which the receiving party would take, and
- if there is a problem in the receiving party’s data protection measures, implement a measure to deal with such problems, and if it is difficult for the receiving party to continuously take data protection measures, stop transferring personal data to the receiving party.
Disclosure
Under the current APPI, PIH Operators are required to disclose several information regarding personal data such as the name of the PIH Operator, the purpose of using personal data and contact information for complaints against the handling of personal data, etc. Under the amendments APPI, in addition to these items, it is required to disclose measures taken by the PIH Operator for the management of personal data.
Sanctions
As discussed in our previous article, the sanctions under the APPI were extremely light compared to those in the GDPR and data privacy regulations in other countries. The amended APPI toughens the penalties for non-compliance and for violation of a PPC order, and the maximum fine has been significantly raised from JPY500,000 and JPY300,000 to JPY100 million. The details of the penalties are as follows:
| Imprisonment | Fine | ||||
| Failure to comply with the orders by the PPC | Representatives, officers, or employees of a company (collectively “Officers and the Like”) | 1 year or less | JPY1 million or less | ||
| Companies | - | JPY100 million or less | |||
| Unfair provision of Personal information database | Officers and the Like | 1 year or less | JPY500,000 or less | ||
| Companies | - | JPY100 million or less | |||
| False reports to the PPC
| Officers and the Like | - | JPY500,000 million or less | ||
| Companies | - | JPY500,000 million or less | |||
The change in penalties took place on 12 December 2020, in anticipation of the other APPI changes discussed above.
What should businesses do?
To prepare for the enforcement of the amended APPI, businesses should consider taking the following steps:
- Establish internal procedures in case of data breach (filing a report to the PPC and notify the data breach to data subjects).
- Confirm whether to transfer personal data to foreign countries, and if so, make sure that the cross-border data transfer is in compliance with the amended APPI.
- Ensure implementation of adequate data security measures, and establish rules to disclose information regarding same.
- Establish rules to handles data subjects’ exercise of their rights (such as deletion request).
- Confirm whether to transfer PRI to third parties and, if so, ensure that such transfer complies with the amended APPI.
