We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
09 April 2021
Development of provisions for service and service by publication
Introduction of pseudonymised information
Introduction of individual-related information
Strengthening of data subject rights
On 12 June 2020 the Diet promulgated the Amendment Act of the Act on the Protection of Personal Information, which will come into force by June 2022.(1) Many of the act's provisions have been delegated to subordinate regulations, including:
Following a 2014 amendment, most of the Act on the Protection of Personal Information's provisions apply to businesses outside Japan. However, foreign businesses remain outside the scope of the provisions relating to reporting and on-site inspections. Article 75 of the amendment act ensures that all of the provisions of the Act on the Protection of Personal Information will apply to foreign businesses without limitation. According to the PPC, this amendment aims to remove the previous exceptions for foreign businesses and clarify that non-compliance may lead to penalties.
Articles 58-2 to 58-5 of the amendment act establish provisions concerning service and service by publication, one of which must be made prior to taking any administrative actions, including:
While the amendment act does not relate solely to foreign businesses, it is understood that the main purpose of this amendment is to avoid practical problems when implementing administrative actions against foreign businesses.
Article 27 of the proposed PPC rule amendment specifies which documents require the implementation of administrative actions. Further, Article 28 of the proposed PPC rule amendment holds that:
The amendment act introduces the concept of pseudonymised information to:
Article 2(9) of the amendment act provides that 'pseudonymised information' refers to information relating to an individual obtained by processing personal information from which it is impossible to identify a specific individual unless such information is collated with other information.
The proposed cabinet order amendment adds provisions to supplement the amendment act's definition of terms such as 'pseudonymised information database'. Further, the proposed PPC rule amendment establishes:
The amendment act introduces the concept of 'individual-related information', which refers to information concerning a living individual that is expected to be used as personal data after being transferred to a third party and does not fall under the categories of:
Article 26-2(1) of the amendment act states that a typical example of such data is online history which is unconnected to a data subject's name, location or cookies. This article also provides that businesses must check whether a data subject's consent has been obtained prior to transferring any individual-related information to a third party. Several of the amendment act's requirements concerning the provision of personal data to a third party and the related obligations to prepare and retain records will also apply directly or mutatis mutandis to the provision of individual-related information to a third party.
Prior to the publication of the proposed cabinet order and PPC rule amendments, the PPC stated that when acquiring data subjects' consent, businesses should provide them with sufficient information to ensure that they have substantial opportunity to be fully informed. Further, businesses should obtain data subjects' express consent only after the data subjects have a full understanding of such information. Businesses should closely analyse the contents of the proposed revisions to the guidelines, which are due to be published from June 2021 onwards, as these are expected to clarify the scope and details of the regulations on individual-related information.
Disclosure request methods
Under Article 28(1) of the amendment act, data subjects may request that businesses disclose any retained personal data through the means prescribed in the PPC rule. Article 18-6 of the proposed PPC rule establishes that data subjects may make such requests:
Disclosure of confirmation records regarding provision of personal data to third parties
Under Articles 25 and 26 of the Act on the Protection of Personal Information, businesses must confirm certain matters and keep records when:
Article 28(5) of the amendment act provides that data subjects may request the disclosure of such records. Article 9 of the proposed cabinet order amendment prescribes four exclusions where a business operator may refuse to disclose this information, including where such disclosure is likely to result in harm to the life, body or property of the data subject or a third party.
The proposed cabinet order and PPC rule amendments include matters which could require business operators to reconsider their existing practical treatment of personal data and the scope and content of their privacy policies. Companies should examine how the proposed cabinet order and PPC rule amendments may affect their business and consider whether any additional measures are required. Businesses will likely have to seek guidance from legal professionals to comply with the new legally binding reporting obligations and ensure that all necessary reports and notices are made when appropriate.
Further, a foreign company which exchanges personal data with a Japanese company will have to provide the Japanese company with the information necessary for it to comply with the equivalent laws and regulations in the foreign company's country. Although the PPC already conducts investigations into foreign companies, it may now carry out more investigations due to the revisions to the regulations regarding service. While high penalties (as in the EU General Data Protection Regulation) and private lawsuits (as in the California Consumer Privacy Act) are uncommon in Japan, awareness of individuals' rights regarding personal information is steadily increasing. Foreign companies which conduct business in Japan will need a sound understanding of the provisions of the amendment act and the proposed cabinet order and PPC rule amendments to ensure that they and their Japanese business partners comply with Japanese data protection regulations.
For further information on this topic please contact Oki Mori, Keiji Tonomura, Emi Fujisaki or Naoki Fukumoto at Nagashima Ohno & Tsunematsu by telephone (+81 3 6889 7000) or email (email@example.com, firstname.lastname@example.org, email@example.com or firstname.lastname@example.org). The Nagashima Ohno & Tsunematsu website can be accessed at www.noandt.com.
(1) For further information please see "Amendment Bill of the Act on the Protection of Personal Information".
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.