On 12 June 2020 the Diet promulgated the Amendment Act of the Act on the Protection of Personal Information, which will come into force by June 2022.(1) Many of the act's provisions have been delegated to subordinate regulations, including:
- the Cabinet Order to Enforce the Act on the Protection of Personal Information; and
- the Personal Information Protection Commission's (PPC's) Enforcement Rule for the Act on the Protection of Personal Information.
In December 2020 further proposed amendments to these regulations were published.(2) This article outlines the new provisions and information categories that the amendments introduce.(3)
Development of provisions for service and service by publication
Following a 2014 amendment, most of the Act on the Protection of Personal Information's provisions apply to businesses outside Japan. However, foreign businesses remain outside the scope of the provisions relating to reporting and on-site inspections. Article 75 of the amendment act ensures that all of the provisions of the Act on the Protection of Personal Information will apply to foreign businesses without limitation. According to the PPC, this amendment aims to remove the previous exceptions for foreign businesses and clarify that non-compliance may lead to penalties.
Articles 58-2 to 58-5 of the amendment act establish provisions concerning service and service by publication, one of which must be made prior to taking any administrative actions, including:
- requesting a report;
- requiring the submission of materials; or
- issuing a recommendation or order.
While the amendment act does not relate solely to foreign businesses, it is understood that the main purpose of this amendment is to avoid practical problems when implementing administrative actions against foreign businesses.
Article 27 of the proposed PPC rule amendment specifies which documents require the implementation of administrative actions. Further, Article 28 of the proposed PPC rule amendment holds that:
- service by publication will, in principle, entail publication in an official gazette or a newspaper; and
- service outside Japan may include notice of the fact that service by publication has been made in Japan, instead of by publication in an official gazette or a newspaper in the foreign country.
Introduction of pseudonymised information
The amendment act introduces the concept of pseudonymised information to:
- encourage businesses to analyse data; and
- promote innovation by exempting businesses from complying with data subjects' requests for the provision or cessation of use of their data where such data has been processed to remove any personal information.
Article 2(9) of the amendment act provides that 'pseudonymised information' refers to information relating to an individual obtained by processing personal information from which it is impossible to identify a specific individual unless such information is collated with other information.
The proposed cabinet order amendment adds provisions to supplement the amendment act's definition of terms such as 'pseudonymised information database'. Further, the proposed PPC rule amendment establishes:
- processing standards for creating pseudonymised information; and
- safety management measures for preventing leakage of information about the processing methods used to generate the pseudonymised information.
Introduction of individual-related information
The amendment act introduces the concept of 'individual-related information', which refers to information concerning a living individual that is expected to be used as personal data after being transferred to a third party and does not fall under the categories of:
- personal information;
- pseudonymised information; or
- anonymously processed information.
Article 26-2(1) of the amendment act states that a typical example of such data is online history which is unconnected to a data subject's name, location or cookies. This article also provides that businesses must check whether a data subject's consent has been obtained prior to transferring any individual-related information to a third party. Several of the amendment act's requirements concerning the provision of personal data to a third party and the related obligations to prepare and retain records will also apply directly or mutatis mutandis to the provision of individual-related information to a third party.
Prior to the publication of the proposed cabinet order and PPC rule amendments, the PPC stated that when acquiring data subjects' consent, businesses should provide them with sufficient information to ensure that they have substantial opportunity to be fully informed. Further, businesses should obtain data subjects' express consent only after the data subjects have a full understanding of such information. Businesses should closely analyse the contents of the proposed revisions to the guidelines, which are due to be published from June 2021 onwards, as these are expected to clarify the scope and details of the regulations on individual-related information.
Strengthening of data subject rights
Disclosure request methods
Under Article 28(1) of the amendment act, data subjects may request that businesses disclose any retained personal data through the means prescribed in the PPC rule. Article 18-6 of the proposed PPC rule establishes that data subjects may make such requests:
- electronically;
- in writing; or
- by other methods specified by the business.
Disclosure of confirmation records regarding provision of personal data to third parties
Under Articles 25 and 26 of the Act on the Protection of Personal Information, businesses must confirm certain matters and keep records when:
- providing personal data to a third party; and
- receiving personal data from a third party.
Article 28(5) of the amendment act provides that data subjects may request the disclosure of such records. Article 9 of the proposed cabinet order amendment prescribes four exclusions where a business operator may refuse to disclose this information, including where such disclosure is likely to result in harm to the life, body or property of the data subject or a third party.
The proposed cabinet order and PPC rule amendments include matters which could require business operators to reconsider their existing practical treatment of personal data and the scope and content of their privacy policies. Companies should examine how the proposed cabinet order and PPC rule amendments may affect their business and consider whether any additional measures are required. Businesses will likely have to seek guidance from legal professionals to comply with the new legally binding reporting obligations and ensure that all necessary reports and notices are made when appropriate.
Further, a foreign company which exchanges personal data with a Japanese company will have to provide the Japanese company with the information necessary for it to comply with the equivalent laws and regulations in the foreign company's country. Although the PPC already conducts investigations into foreign companies, it may now carry out more investigations due to the revisions to the regulations regarding service. While high penalties (as in the EU General Data Protection Regulation) and private lawsuits (as in the California Consumer Privacy Act) are uncommon in Japan, awareness of individuals' rights regarding personal information is steadily increasing. Foreign companies which conduct business in Japan will need a sound understanding of the provisions of the amendment act and the proposed cabinet order and PPC rule amendments to ensure that they and their Japanese business partners comply with Japanese data protection regulations.
Endnotes
(1) For further information please see "Amendment Bill of the Act on the Protection of Personal Information".
(2) The amendments will be promulgated between mid-February and early April 2021. Their enforcement date will be specified by a Cabinet Order and announced on the PPC website.
(3) This is the final article in a series on the proposed amendments to the Act on the Protection of Personal Information. For earlier articles in the series, please see:
