The Amendment to the Act on the Protection of Personal Information of Japan that was promulgated in June 2020 (the “Amended APPI” or “APPI”) will take effect on April 1, 2022.
The following is an overview of what needs to be considered by business operators handling personal information in order to comply with the Amended APPI, such as reviewing their privacy policies, internal policies on personal information protection and the measures taken to protect personal information. As all business operators need to comply with the APPI regardless of the amount of personal information they hold, virtually every business that hires employees in Japan or otherwise handles a list of individuals residing in Japan for its business in Japan is required to make certain preparations for the coming into effect of the Amended APPI.
The APPI is also applicable to foreign business operators (even those with no base/entity in Japan) who acquire personal data in relation to the supply of goods or services to individuals in Japan, even if they handle such personal data in a country outside Japan. For example, the APPI is applicable to foreign data processors who handle the personal data of Japanese users received through a service provided to such Japanese users by a Japanese business operator, since such handling of personal data is related to the provision of goods or services to Japanese users. After the Amended APPI comes into force, all of the regulations thereunder will be applicable to such business operators outside Japan.
Please note that the Article numbers of the APPI indicated herein are those of the Amended APPI coming into effect this April, unless specifically noted otherwise.
Disclosure of Information
While the currently in-effect APPI (the “Current APPI”) requires that business operators either disclose, or without delay respond to any inquiries made by a data subject with respect to, matters such as the name of the business operator and the purposes of use of the retained personal data, the Amended APPI adds further items that need to be made available to data subjects: the address and the name of the representative of the business operator, more detailed information on the purposes of use of the retained personal data, and the security measures implemented by the business operator in handling personal data (except for matters which, if made known to the data subjects, may hinder those security measures). These regulations are added in order for the data subjects to be able to understand how their personal information is being handled.
For such purposes, business operators must provide such information on their website, or in their privacy policies, etc., or otherwise be prepared to respond to any inquiries on the above points in a prompt manner. According to the General Guidelines, a business operator may set forth its basic policies about its security measures on its website, and promptly provide additional relevant details when requested by the data subjects. It is to be noted that a mere statement as a disclosure or response that “the company is taking security measures in line with the General Guidelines” will not be deemed a sufficient disclosure or response.
According to the General Guidelines, the matters that may be made available to the data subjects as measures taken by the business operator for the secure handling of retained personal data are as set forth below (each system or measure to be implemented is followed by examples of such systems and measures):

Systems / Measures to be Implemented: Examples of Such Systems and Measures

- Drafting basic policies on the handling of personal data in line with the relevant laws and regulations and guidelines

Rules for Handling Personal Data:
- Implementation of internal rules on the collection, use, transfer and deletion of personal data, the methods thereof and the persons in charge and their duties; and periodic re-evaluation of the same

Organizational Security Measures:
- Appointment of persons in charge and definition of their duties
- Implementation of reporting lines for when any data breach is detected
- Methods of periodic verification and audits

Personnel Security Measures:
- Educating employees via periodic training
- Ensuring awareness of confidentiality obligations

Physical Security Measures:
- Zoning of areas handling personal data
- Measures for the prevention of theft
- Deletion and destruction of personal data

Technical Security Measures:
- Measures for the prevention of unauthorized access

Understanding the External Environment (*1)(*2):
- Taking security measures in light of the personal data regulations of the relevant foreign country if personal data is handled in a foreign country
Further, with respect to the purposes of use of personal information which the business operator must disclose or notify to the data subject under the Current APPI, the latest General Guidelines make it clear that a business operator must make information available on how the personal information will be processed and on whether the personal information obtained will be used to analyze the behavior or interests of the data subject, so that the data subject will be able to predict or imagine how their information will be handled. Some of the examples given are as follows:

Example of Purpose of Use Not Sufficiently Identified: “Information obtained will be used to distribute advertisements.”
Example of Purpose of Use Identified: “Information obtained will be used to distribute advertisements with respect to new products and services relevant to the likes and tendencies derived by analyzing information such as the viewing and purchase history obtained.”

Example of Purpose of Use Not Sufficiently Identified: “Information obtained will be transferred to third parties.”
Example of Purpose of Use Identified: “Information such as behavior history obtained will be analyzed and the results will be scored, and such scores will be provided to third parties.”
(*1) This is necessary if personal data will be handled in a foreign country, such as by foreign branches or by employees working abroad remotely and handling personal data of the business operator, or if personal data is stored on a server located in a foreign country.
(*2) Even if personal data is provided to cloud services operated by foreign companies, the transfer of personal data to such a foreign company will not be deemed a transfer to a third party outside Japan if the cloud service provider does not have access to the personal data. However, it is necessary to make available the name of the country in which such service provider is located as well as the country in which the server storing the personal data is located, the personal data regulations of such foreign countries and the measures taken by the service provider.
The Rights of Data Subjects to Request Disclosure and Suspension of Use, Etc.
While data subjects have certain rights under the Current APPI, such as the right to request the disclosure or correction of retained personal data, or the right to request that the utilization, disclosure and transfer of retained personal data be stopped, the Amended APPI reinforces such rights. Under the Current APPI, business operators are not required to honor such requests if they do not hold the personal data for more than six (6) months, but this exemption will no longer apply under the Amended APPI, and business operators will need to comply with such requests regardless of the retention period of the retained personal data.
Under the Amended APPI, it will be necessary to accommodate data subjects so that they are able to select the method in which their data will be disclosed from amongst written form, digital records (such as by attaching the digital record and sending the same via email) or other methods designated by the business operator. As such, business operators may provide the available methods of disclosure in their privacy policies.
Under the Current APPI, which was amended in 2017, when transferring personal data to third parties both the transferor and the transferee are required to keep records of the transfer (the “Record-Keeping Obligations”)(*3). These records are expected to be useful when a data breach occurs, as they make it possible to trace the route of the data leakage. Such records will also be subject to the rights of data subjects to request disclosure after the Amended APPI comes into effect. Therefore, business operators need to be ready to disclose such records promptly when requested by data subjects, by confirming the internal flow under which such requests are processed.
While the Current APPI allows data subjects to request a business operator to delete, or cease the utilization or transfer to third parties of retained personal data only when those actions are being performed in violation of the APPI(*4), after the Amended APPI takes effect, data subjects may request that their retained personal data be deleted when the business operator no longer needs to use the same. Data subjects may also ask the business operator to delete or stop using their retained personal data if a data breach occurs or there is a possibility that the rights of the data subject may be infringed. Since it is possible that such requests will increase due to the expansion of data subjects’ rights, it will be necessary for business operators to consider how and the extent to which such requests will be processed or honored internally.
(*3) For details on the Record-Keeping Obligations, please see Section 7 of our separate Newsletter regarding an overview of the APPI as a whole (the “Comprehensive Newsletter”):
(*4) Pursuant to Article 30 of the Current APPI, a data subject may request that a business operator (i) cease utilization of, or delete, retained personal data that is used in violation of Article 16 (Restriction Due to a Utilization Purpose) or obtained in violation of Article 17 (Proper Acquisition); or (ii) cease the transfer of retained personal data to third parties when such data is transferred in violation of Article 23.1 (Restriction on Third-Party Provision) or Article 24 (Restriction on Provision to a Third Party in a Foreign Country) (all articles referred to in this sentence are those of the Current APPI).
Reporting and Notice of Data Breaches
Although the guidelines recommend reporting with regard to certain types of personal data breaches or loss of data, the Current APPI does not obligate business operators to report data breaches to the Personal Information Protection Commission (the “PPC”) or data subjects.
Under the Amended APPI, however, business operators will be under the obligation to promptly report certain types of data breaches to the PPC and to notify the affected data subjects. The data breaches that must be reported or notified are those set forth by the Enforcement Rules as posing a great risk of violating the rights and interests of the data subjects, such as those involving special care-required personal information(*5) (which basically means sensitive personal data such as that regarding one’s race, medical history and criminal record), those which may cause damage to one’s property, those that may have been caused for illicit or abusive purposes, and those involving the divulgence of personal data of more than 1,000 data subjects.
Although the timing in which business operators will need to report or notify depends on the individual case, the General Guidelines provide a rough threshold: a preliminary report made within 3-5 days after the day on which any department within the business operator notices the incident is treated as meeting the requirement of a “prompt” report, and a final report must be provided within 30 days (60 days for cases that may have been caused for illicit or abusive purposes).
As such, business operators must be prepared to be able to provide such reporting and notices within such timeframes by reviewing their internal process for handling data breach incidents and training employees so that they may act in accordance with their internal policies.
(*5) For more details on special care-required personal information, please see Section 6 of the Comprehensive Newsletter.
Provision of Personal Data to Third Parties Located Outside Japan
Under the amendment which came into effect in 2017 (the Current APPI), business operators who transfer personal data to third parties outside Japan are basically under the obligation to obtain consent from the data subjects after informing them of the fact that the third-party transferee is located in a foreign country, unless certain exceptions(*6) apply. This is also true when the third parties receive such personal data within the scope of entrustment, business transfer or joint use, although business operators may transfer personal data to domestic third parties within Japan without the data subjects’ consent if the transfer is within the scope of entrustment, business transfer or joint use. However, certain transfers are exempted from this obligation, such as transfers to recipients who are obligated, by way of contracts with the disclosing party or policies put in place among group companies, to comply with rules equivalent or comparable to those under the APPI and who have put in place the necessary systems for taking appropriate measures with respect to personal information on a continuous basis (“Appropriate Measures”). Transfers to countries belonging to the EU/EEA or to the United Kingdom are also exempted, as such countries have been approved as having personal information protection systems in place at the same level as Japan.
The Amended APPI will further impose the following obligations on business operators providing personal data to third parties located outside Japan.
Business operators must provide certain relevant information, such as: (i) the name of the country to which personal data will be transferred; (ii) information on the data privacy regulations of such foreign country; and (iii) the security measures implemented by the third-party transferee, when obtaining consent from the data subject. The purpose of this regulation is to enable data subjects to determine whether or not to give consent after knowing the extent of protection his/her personal information may be afforded in the country to which such personal information will be transferred. Information on the privacy regulations of major countries is provided on the PPC website.
If personal data is transferred not by way of obtaining the consent of the data subject but on the basis of Appropriate Measures, the transferor business operator must put in place the necessary measures, such as periodically confirming that the third-party transferee is taking Appropriate Measures on a continuous basis. It is also necessary for the transferor to confirm any changes to the data privacy regulations of the foreign country which may affect the Appropriate Measures to be taken by the third-party transferee, and, when any issues arise in the implementation of the Appropriate Measures, to take the necessary measures to resolve them, such as requesting corrective measures from the third-party transferee or suspending the provision of personal data. Further, it is necessary to provide the data subject with information on the measures taken when so requested by the data subject.
Although business operators transferring personal data to domestic third parties in Japan within the scope of entrustment, business transfer or joint use are exempt from the Record-Keeping Obligations, business operators transferring personal data outside Japan within the scope of entrustment, business transfer or joint use on the basis of the data subject’s consent (i.e., to countries other than those in the EU/EEA or the UK, and without implementing the Appropriate Measures) must comply with the Record-Keeping Obligations under the APPI, and such records will be subject to the rights of data subjects to request disclosure after the Amended APPI comes into effect.
(*6) For example, pursuant to the laws or regulations or as necessary to protect life, limb and property.
Personally Referable Information
Under the Amended APPI, Personally Referable Information (“PRI”) is defined as information relating to a living individual that does not fall under the definitions of Personal Information, Pseudonymized Information, or Anonymized Information as defined in the APPI. Information related to individuals such as (i) browsing history collected by cookie data, etc., (ii) age, gender or family structure associated with personal email address, (iii) service use history, (iv) location data, (v) information which indicates personal interests, that cannot identify an individual (i.e., items that do not fall under the definition of Personal Information) are generally considered to fall under the definition of PRI. Please note that the APPI defines Personal Information as “information about a living individual which can identify the specific individual by name, date of birth or other description contained in such information (including such information as will allow easy reference to other information and will thereby enable the identification of the specific individual).” Thus, Personal Information includes any and all information so long as such information is linked to information which enables the identification of the specific individual. As a result, for example, browsing history linked to registration information such as names would constitute Personal Information, but not PRI.
Under the Current APPI, a business operator may transfer non-personal data (i.e., PRI under the Amended APPI) to a third party even if the business operator is aware that such data will become personal data in the hands of the transferee. However, after the Amended APPI takes effect, a business operator transferring PRI while knowing or assuming that the PRI will become personal data on the part of the transferee must first confirm that the transferee has obtained consent from the data subjects before disclosing the PRI(*7). In addition, the transferor and the transferee must keep internal records of such transfer and retain such records for a certain period of time.
In addition, if the transferee is a third party located outside Japan, the transferor must confirm that the following information has been provided to the data subjects: (i) the name of the country to which the PRI will be transferred; (ii) information regarding the personal data regulations of the country to which the PRI will be transferred; and (iii) the measures taken by the transferee in such country to protect personal information, unless a certain exemption applies.
For those business operators that intend to obtain PRI from a third party to be used as personal data, it will be necessary to obtain the consent of the data subject that the PRI will be received by the business operator as personal data in an explicit manner, such as by having the data subject click on the check box giving consent. It will also be necessary to review the business operator’s privacy policies to check if they properly disclose the purposes of use of the PRI obtained as personal data, and it is recommended that such purposes of use be indicated to the data subjects when obtaining their consent. Such business operator will also be subject to the obligation to keep internal records of the transfer and to retain such records for a certain period of time.
(*7) It is possible for the transferor to obtain consent from the data subject on the transferee’s behalf if the same level of protection is afforded to the rights and interests of the data subject.
The amendment to the APPI in 2017 (the Current APPI) introduced the concept of “Anonymized Information” (tokumeikakojoho)(*8), and the Amended APPI will further introduce the concept of “Pseudonymized Information” (kameikakojoho), in furtherance of promoting innovation through the use of data.
While business operators have been required to abide by strict standards to anonymize personal information into “Anonymized Information,” personal information can instead be processed into “Pseudonymized Information” by meeting less stringent standards, so long as the data is processed by deleting any reference to names, etc. so that it is not possible to identify an individual without reference to other information. Roughly speaking, in order to qualify as Anonymized Information, personal data must be anonymized to the extent that it cannot be restored as personal information, whereas Pseudonymized Information can become personally identifiable by collating it with other information so as to identify an individual.
Pseudonymized Information may be used for purposes outside of the purposes for which the personal information was initially obtained, although it can only be used on an internal basis within the organization and may not be provided to third parties. Pseudonymized Information will also not be subject to the reporting and notification requirements, even in the case of data breach incidents, and also will not be subject to a request for disclosure or suspension of use by the data subjects, although it will also be necessary to take internal security measures for the methods of processing the names or other identifiers which were deleted (the “Deleted Information”).
Please note that, while Pseudonymized Information is usually Personal Information (as defined in the APPI), if a business operator who receives Pseudonymized Information within the scope of entrustment, joint use, etc. does not have the Deleted Information, such Pseudonymized Information may be non-Personal Information. Business operators who use Pseudonymized Information that is also Personal Information for purposes of use not already indicated in their privacy policies are under certain obligations, such as the need to disclose such additional purposes of use. Further, when handling Pseudonymized Information, business operators are under certain obligations such as the need to implement security measures for the Deleted Information and the prohibition on identifying data subjects.
(*8) For details on Anonymized Information, please see Section 12 of the Comprehensive Newsletter.
Reinforcement of Opt-out Regulations
The Current APPI regulates the use of opt-out methods(*9) by business operators by requiring registration with the PPC in order to use this method, which is considered quite burdensome to business operators. The Amended APPI reinforces such regulations: in addition to special care-required personal information, which already may not be transferred by an opt-out method under the Current APPI, personal data obtained by fraudulent means and personal data that was itself obtained from third parties by way of an opt-out mechanism may no longer be transferred to third parties by an opt-out method, i.e., without obtaining the prior consent of the data subject.
(*9) Under an opt-out method, business operators may transfer personal data to third parties without obtaining the prior consent of the data subject by abiding by certain restrictions such as suspending the transfer to third parties when so requested by the data subject.
Penalties and Jurisdictional Reach
The APPI is applicable to all entities that use personal data for their business in Japan, and most of the regulations under the APPI are also applicable to businesses outside Japan if they collect personal information from data subjects in Japan and use the personal data in relation to the sale of products or the provision of services to such data subjects. However, under the Current APPI, some provisions relating to the supervisory powers of the PPC, such as requiring reports, conducting on-site inspections or ordering certain actions, do not apply to such foreign businesses.
However, under the Amended APPI, all of the provisions of the APPI will be applicable to such foreign businesses.
For example, the PPC will be empowered to: (i) order business operators to submit necessary information to the PPC; (ii) perform on-site inspections; (iii) provide instructions and advice; (iv) hand down a corrective order if a foreign business violates the APPI; and (v) make a public announcement if such orders are not complied with.
In addition, the Amended APPI expands the scope of applicability of the APPI to foreign businesses. Under the Amended APPI, the APPI applies not only to businesses outside Japan who collect personal information directly from data subjects in Japan, but also to those who collect personal information from data subjects in Japan indirectly. Thus, for example, the APPI is applicable to a foreign data processor who handles personal data of Japanese users received through a service provided to Japanese users and operated by a Japanese business operator.
The penalties for breach have been raised considerably, and the maximum fine for corporations has increased to JPY 100,000,000(*10), up from JPY 500,000 under the Current APPI.
(*10) Note that this amendment has been in force from December 2020.
Other items not covered in this letter
The above is an overview of the Amended APPI; however, there are additional amendments not covered in this letter. Please refer to the Comprehensive Newsletter for an overview of the entire APPI. In addition, more specific details should be confirmed by referring to the Amended APPI and its guidelines, and by consulting legal advisors on the issues that need to be considered for each company/case.