Introduction

On 12 June 2020 the Diet promulgated the Amendment Act of the Act on the Protection of Personal Information, which will come into force by June 2022.(1) Many of the act's provisions have been delegated to subordinate regulations, including:

  • the Cabinet Order to Enforce the Act on the Protection of Personal Information; and
  • the Personal Information Protection Commission's (PPC's) Enforcement Rule for the Act on the Protection of Personal Information.

In December 2020 further proposed amendments to these regulations were published.(2) This article outlines the new matters to be disclosed by businesses.(3)

Measures taken for safety management

Article 8(j) of the proposed amendment to the Cabinet Order to Enforce the Act on the Protection of Personal Information introduces "measures taken for safety management of retained personal data" as an additional matter that businesses must disclose to the public.

While neither Article 20 of the Act on the Protection of Personal Information nor the proposed cabinet order amendment contains specific provisions regarding these measures, the PPC's Enforcement Rule for the Act on the Protection of Personal Information indicates that businesses must assess their individual situation with reference to the following:

  • internal controls, including the establishment and periodic review of:
    • rules on handling personal data; and
    • people responsible for handling personal data and their duties (eg, regarding the acquisition, use, disclosure and disposal of personal data);
  • organisational structure, including:
    • the appointment of a person responsible for handling personal data and the definition of their position and duties; and
    • the implementation of a reporting and liaison system to be used where data breaches occur;
  • periodic self-inspections and audits by other departments and external bodies;
  • officer and employee education, ensuring that:
    • training is conducted regularly; and
    • confidentiality clauses are included in employment rules and employees are made aware of such clauses;
  • measures to prevent unauthorised access to personal data; and
  • understanding of the external environment (ie, a system to protect personal information in foreign countries in which such information is handled).

The obligation to disclose measures implemented for safety management is subject to an exception where the disclosure itself would hinder the safety management of the personal data (ie, where publishing the detail of a control would help an attacker defeat it). The PPC rule cites the following as examples of matters that fall within the exception:

  • disposal methods for equipment that contains personal data;
  • theft prevention measures;
  • physical entry and exit control methods for personal data control areas;
  • scope of access control and authentication methods; and
  • unauthorised access prevention measures.

Specification of personal data usage

It was previously thought that the proposed cabinet order amendment would require businesses to publicly disclose their "measures of processing retained personal data". However, the proposed cabinet order amendment contains no such obligation. Instead, it indicates that businesses must clearly specify the purpose of using the collected personal data. The PPC rule suggests that this is preferable due to:

  • concerns about trade secret leakage if businesses had to disclose their measures of processing retained personal data; and
  • the importance of making data subjects aware that their personal data is being processed where such processing may not be easily assumed from the specified usage purpose.

The PPC rule provides the following examples of how to correctly explain the purpose of using personal data. In each case the "good" explanation names the data that is collected, the analysis performed on it and what the result is used for, whereas the "bad" explanation states only a generic purpose.

Example 1
  • Data use purpose: information such as browsing history and purchase history is analysed to distribute ads according to data subjects' preferences.
  • Good explanation: "Information such as browsing history and purchasing history acquired will be analysed and used for advertisements relating to new products and services according to your tastes."
  • Bad explanation: "We will use it for advertising distribution."

Example 2
  • Data use purpose: information such as online history (which data subjects may not assume is collected) is analysed and used for recruitment purposes, in addition to information acquired from resumes and interviews.
  • Good explanation: "In addition to the resume and information obtained in the interview, online history and other information will be analysed and the results will be used for recruiting activities."
  • Bad explanation: "The acquired information will be used for recruiting activities."

Example 3
  • Data use purpose: information such as online history is compiled and scored, and the score is provided to a third party, which the data subject would not otherwise anticipate.
  • Good explanation: "Acquired online history and other information will be analysed and scored. The score will be provided to a third party."
  • Bad explanation: "The acquired information will be provided to a third party."

Effect on business practices

The introduction of the new matters to be disclosed directly requires businesses to review their privacy policies. Depending on the guidelines, which are due to be published from June 2021 onwards, businesses may have to disclose the measures they take for safety management and also revise their descriptions of personal data usage purposes so that the data collected, the analysis performed and the use of the result are each stated. This is particularly relevant for businesses that conduct profiling using behavioural targeting.

Endnotes

(1) For further information please see "Amendment Bill of the Act on the Protection of Personal Information".

(2) The amendments will be promulgated between mid-February and early April 2021. Their enforcement date will be specified by a Cabinet Order and announced on the PPC website.

(3) This is the second article in a series on the proposed amendments to the Act on the Protection of Personal Information. For the first article in the series, please see "Data protection regulation amendments: data breach reporting and notification obligations".