Asset management firms—both in Japan and abroad—may need to take quick action to comply with the amended Act.
On September 9, 2015, the amendments to the Act on the Protection of Personal Information (PIPA) were promulgated, and they became effective on May 30, 2017. This LawFlash summarizes the parts of these amendments that are most relevant to registered financial instruments business operators (FIBOs) in Japan, their head offices, and affiliates in other jurisdictions.
Entities Subject to the PIPA
The PIPA applies to so-called “business operators handling personal information” (BOHPIs), which, under the PIPA prior to the amendments (Former PIPA), excluded businesses whose databases contained only a limited amount of personal information on any single day during the preceding six-month period (that is, an amount based on which it would not be possible to identify more than five thousand individuals).
This “small business operator exclusion” is no longer available under the PIPA following the effective date of the amendments (Amended PIPA). This means that businesses that maintain personal information databases for business use are subject to the Amended PIPA regardless of how many individuals are identifiable based on the information contained in these databases.
Applicability outside Japan
The Former PIPA was applicable only to conduct that occurred in Japan. However, under Article 75 of the Amended PIPA, major parts of the Amended PIPA will apply to conduct that occurs outside Japan where a business has acquired personal information in connection with supplying a good or service to a person in Japan and then utilizes such personal information in a foreign country. For example, if a business sells products or supplies services to a person in Japan directly or through a Japanese office or branch, the Amended PIPA applies to the handling of that person’s personal information or anonymously processed information even if it occurs at the foreign headquarters of the business located outside Japan.
Transfers of Personal Information to and from Third Parties
Under the Amended PIPA, if a BOHPI provides personal data to third parties outside Japan, it must—in addition to the other third-party rules that originally exist—obtain advance consent from the subject(s) of the personal information confirming that the subject(s) consent to such personal information being provided to a third party in a foreign country.
However, certain exceptions to this consent requirement apply when
- the receiving third party is in a foreign country prescribed by the rules of the Personal Information Protection Commission as having equivalent standards to those required in Japan in regard to the protection of an individual's rights and interests, or
- the receiving third party has established a system conforming to standards prescribed by the rules of the Personal Information Protection Commission as a necessary system in order to continuously take measures equivalent to the measures that should be taken by a BOHPI.
Unfortunately, however, because the Personal Information Protection Commission has not so far designated any countries that are recognized as having such equivalent standards, the first exception above is not currently available in practice.
When the BOHPI provides personal data to a third party, the BOHPI must keep a record pursuant to the rules of the Personal Information Protection Commission on the date of the personal data provision, the name of the third party, and other matters prescribed by the rules (subject to certain exceptions). These records must be maintained for the period prescribed by the Ordinance for Enforcement of the Amended PIPA, which is generally three years.
Article 26, Paragraph 1 of the Amended PIPA contains a new requirement (subject to certain exceptions) that a BOHPI receiving personal data from a third party must confirm the name and address of the third party and, if the third party is a corporation, the name of the third party’s representative, as well as the circumstances under which the personal data was acquired by that third party (subject to certain exceptions). The BOHPI must then create and maintain records of matters related to such confirmation and other matters prescribed by the rules of the Personal Information Protection Commission (subject to certain exceptions). These records must be maintained for the period prescribed by the Ordinance for Enforcement of the Amended PIPA, which is generally three years.
Penalties for Noncompliance
The Amended PIPA provides for criminal and civil penalties for disclosure or misuse of personal information covered by its provisions. Where a BOHPI (if a BOHPI is a corporation, officers, representatives, or administrator of the BOHPI) or an employee or a person who used to be in such status transfers such information to a third party for payment or other personal benefit to the individual or another, that individual will be subject to imprisonment with labor (penal servitude) for a period of one year or less and a fine not exceeding ¥500,000.
In addition, a BOHPI that violates an order issued by the Personal Information Protection Commission under the Amended PIPA may be sentenced to penal servitude of not more than six months or a fine not exceeding ¥300,000.
Impact on Foreign Asset Managers and FIBOs Generally
Larger FIBOs have for some time been taking steps to address their obligations under the Amended PIPA and ensure compliance with its provisions—both in Japan and abroad. In particular, obtaining customer consent to share information covered by PIPA with foreign parent organizations and affiliates has been a major challenge given the delicate relationships local FIBOs have with major Japanese investors, as well as the difficulty of seeking post-facto consent to sharing.
Compounding the problem is the relatively low recognition of the new obligations under the Amended PIPA among the typically small offices of many foreign-capitalized FIBOs in Japan. Many client relationship management (CRM) databases are networked and freely accessible by head offices and affiliates outside Japan in circumstances where evidence of specific client consent to such sharing may be difficult to demonstrate. Under the Amended PIPA, it may be possible to make arrangements whereby affiliates could meet the standards for sharing prescribed by the rules of the Personal Information Protection Commission, but in many instances these arrangements may not yet have been implemented. Compliance officers in Japan and abroad should carefully review whether their current systems meet the new requirements and, if necessary, take action to limit access to data covered by PIPA until relevant consents are secured or compliance sharing procedures implemented.
What Asset Management Firms Should Do
Asset management firms outside Japan that are only now becoming aware of the Amended PIPA and that have or seek Japanese investors should do the following as soon as possible:
- Review databases to determine the extent of Japanese investor personal information held
- If there are any employees located in Japan, the types of employee information held by the firms should be reviewed and appropriate information security and consent procedures should be put in place with respect to such employee personal information
- Review and update the Personal Information Policies (typically included in Japan Compliance Manuals maintained locally) of Japanese affiliates to ensure that they are in compliance with the Amended PIPA
- Amend “client intake processes” for Japanese investors (including contacts as well as clients) to include express consents to the sharing of personal information amongst affiliated firms (including parent companies)
- Prevent access by affiliates to Japanese investor information until relevant consents are obtained if the current system does not meet the standards prescribed by the rules of the Personal Information Protection Commission
- Put in place written compliance policies and transparent systems sufficient to demonstrate compliance with the Amended PIPA in regulatory inspections