The Japanese government has amended the Act on the Protection of Personal Information (APPI) establishing a new Personal Information Protection Commission as of 1st January 2016. The new law includes some restrictions concerning overseas transfers of personal data, and imposes restrictions on the processing of sensitive information. The amendment was due to be passed in the Summer but was delayed because of a data breach incident involving pension records.

The amended APPI expands the definition of “personal information” to include a person’s bodily information, such as fingerprint data and face recognition data. Numeric codes associated with an individual will also be covered by the new definition, such as passport numbers and driver’s license numbers. A new government authority will be established, which will be called the “Personal Information Protection Committee” (the “Committee”). The Committee will have the authority to exercise certain functions, such as the ability to request data controllers to submit reports, conduct onsite inspections and issue administrative orders. How large and structured this Committee will be is still uncertain.

The amended APPI creates obligations on business operators when anonymizing personal data to be transferred to third parties. For example, a business operator must create the anonymized data pursuant to the regulations of the Committee, and ensure that the original pre-anonymized data may not be recreated. Under the previous APPI, there were no specific definitions concerning sensitive data such as race, religion or medical history.

Under the amended APPI, business operators are prohibited from obtaining such sensitive data without the data subject’s consent. It is likely that other restrictions will also be imposed on sensitive data. Under the amended APPI, a business operator which receives personal data which has been transferred to them will need to confirm how the personal data was obtained, and retain for a certain period, a record of when the personal data was received. Under the amended APPI, individuals who are involved in the handling of personal data which has been subject to misuse or which has been stolen for unjust profit will be subject to a criminal penalty. Under the previous APPI, a business operator may transfer personal data to third parties without the data subject’s consent if the data subject opts-out from doing so. Under the amended APPI, a prior notification to the Committee is necessary in order to use this opt-out arrangement.

The amended APPI provides that personal data may be transferred to a foreign country only when the country has a legal system that is deemed equivalent to the Japanese personal data protection system, or to a third party which undertakes adequate precautionary measures for the protection of personal data, as specified by the Committee. The effective date of the amended APPI has not yet been fixed, however, the law will take effect two years from its date of publication.