The Japanese Diet passed amendments to the Personal Information Protection Act on September 3, 2015, which will become effective within the next two years. While further details will be revealed in upcoming implementing regulations, several major changes, which are summarized below, are clear from the text of the statute. Companies doing business in Japan should take a close look at their privacy policies and personal data procedures in preparation for these changes.

More leeway to disclose anonymous data

“Anonymized” personal data – stripped of personal identifiers such as names and dates of birth – may now be transferred to third parties, including companies who would use the data for marketing purposes, without the subject’s consent. The disclosure must still be reported to the “Personal Information Protection Committee” (discussed further below), and must also be publicly announced. This is one of the few “pro-business” changes in the amendment, and will allow companies to use and sell “big data” about their customers, which was previously a gray area in Japanese data privacy law.

Sensitive information

New restrictions will be imposed on particularly sensitive information, including race, medical history and criminal history. This data cannot be collected without the subject’s prior consent, except in certain emergency circumstances. It is also subject to more severe restrictions on disclosure to third parties; simply referring to such disclosure in a privacy policy will not suffice.

New regulators

The government will establish a “Personal Information Protection Committee” (“Committee”) in January 2016. Any disclosure of personal data to third parties, or change to the proposed use of personal data, will require a report to the Committee, and the report will become public information (most likely on the Internet). The Committee will also have the authority to investigate data collection and protection practices, including on-site inspections.

New restrictions on exporting data

Personal information databases cannot be transferred to a party outside of Japan unless the recipient has adequate data protections in place, or its country has been recognized as having adequate privacy laws (the Committee will have the power to determine what is adequate). Businesses outside of Japan that collect personal data in the course of supplying goods and services to Japan will also be subject to the Act’s provisions. While Japanese regulators will not have jurisdiction outside Japan, they will have a mandate to share information with regulators in other countries as necessary to enforce the Act.

Criminal liability

Theft or transfer of a personal information database for improper gain will now be a crime, and both companies and their employees (including former employees) may be charged. The maximum penalty is one year in prison or a fine of 500,000 yen.

Extension of scope

The definition of “personal information” now includes biometric data and identifying numbers (such as passport and membership numbers). Businesses handling the information of no more than 5,000 individuals were previously exempt from the Act, but the Act will now cover all businesses that handle personal data.

These amendments have been enacted alongside the introduction of a new personal identification number, popularly called “My Number.” Starting in October, all Japanese residents will be given an identification number, which will be used for tax, pension, health care and other official purposes from 2016 onward. “My Number” has itself been controversial in Japan, and businesses should note that many Japanese consumers are still very sensitive to the subject of data privacy.