The amended Act on the Protection of Personal Information1 (the "Amended APPI") was published on 9 September 2015 and at that time it was further announced that the Amended APPI would come into force within two years from the date of its publication, though a specific date was not mentioned. For a discussion of the primary changes adopted by the Amended APPI please click here to view the following newsletter from DLA Piper.
Since publication of the Amended APPI, the necessary preparations have been made for its enforcement. On 20 December 2016 it was finally announced that the Japanese Cabinet set an enforcement date for the Amended APPI of 30 May 2017. As groundwork for the enforcement of the Amended APPI the government has prepared (i) the amended basic policy of the protection of personal information as decided by the Japanese Cabinet on 28 October 2016, (ii) the amended cabinet order2, (iii) the enforcement rules3 of the Amended APPI as published on 5 October 2016 and (iv) the guidelines of the Amended APPI. The guidelines of the Amended APPI, which were published on 30 November 2016, contain guidance regarding: general rules, offshore transfer of personal data, book-keeping and verification obligations when transferring personal data to a third party, and big data processing. These foundational policies, rules and guidelines will become effective upon the enforcement date of the Amended APPI.
Full supervisory power over business operators handling personal information will be entrusted to the newly-established (as of 1 January 2016) Personal Information Protection Commission (the PPC). The PPC is an independent central supervisory body for the protection of personal information in Japan and currently has only partial supervisory power.
The PPC is also preparing guidelines addressing procedures for incidents of data breach and for the processing of personal information by financial institutions. Drafts of these guidelines have been published on the PPC website as of 6 of December 2016 and 13 of December 2016, respectively. Additional guidelines may be prepared by the PPC for enforcement on 30 May 2017.
The Amended APPI, the relevant cabinet order, enforcement rules and the guidelines published by the PPC were drafted primarily to clarify grey areas of the current APPI and to confirm existing accepted practices for handling personal information within Japan. That being said, there are several modifications to the rules including those governing cross-border management of personal information and for foreign companies handling personal information collected in Japan, which are outlined below.
Under the Amended APPI, if a business operator adopts an "opt-out" method whereby data subjects must proactively opt-out of allowing their personal data to be transferred to a third party, the business operator is required to preemptively disclose to the PPC, and the public or to the data subject the (i) provision of personal data to a third party and its purpose of use, (ii) specific personal data to be transferred, (iii) method of transfer, and (iv) the opt-out request method, among others. The PPC will then publish this information on its website. It has been announced on the PPC website that the PPC will receive "opt-out" notifications from business operators commencing 1 March 2017. Please note however, that the "opt out" option will not be available for offshore transfers unless the foreign country is white-listed under the enforcement rules of the Amended APPI or unless the third party receiving the personal data is determined to have established similarly adequate standards for privacy protection as specified in the enforcement rules of the Amended APPI. Further discussion of these requirements can be found below.
Transfer of Personal Data Offshore
The Amended APPI specifically provides that a business entity must obtain the prior consent of any data subject whose personal data will be provided to a third party located in a foreign country including: (i) offshore transfer by way of merger or business transfer, (ii) joint use of personal data by several entities and (iii) outsourcing the handling of personal data, unless the foreign country is white-listed under the enforcement rules of the Amended APPI or the third party receiving personal data has established similarly adequate standards for privacy protection as specified in the enforcement rules of the Amended APPI. Under the Amended APPI, if the data transfer is undertaken by way of merger or business transfer, joint use by several entities or through data handling outsourcing within Japan, no consent for a third party transfer is necessary. The current APPI does not require consent for (i) to (iii) above regardless of whether a domestic or offshore transfer is involved.
According to the published enforcement rules of the Amended APPI, "similarly adequate standards" means that the practices of the business operator handling the personal data accord with the requirements for protection of personal information under the Amended APPI or that the business operator has obtained recognition based on international frameworks concerning the handling of personal information. According to the guidelines for offshore transfer, one of the examples of an acceptable international framework is the APEC CBPR system. As of yet, no white-listed countries have been specified under the rules promulgated by the PPC.
If the data subject's consent to transfer the personal data to an offshore third party was obtained prior to the enforcement of the Amended APPI, this prior consent for offshore transfer is regarded as sufficient under the Amended APPI. No separate consent is required upon enforcement of the Amended APPI. If such consent was not obtained and the third party does not meet the requirements for protection of personal information under the Amended APPI, the business operator must freshly obtain consent of the data subject if the personal data involved is transferred offshore after enforcement of the Amended APPI commences. More specifically, business operators who (i) regularly transfer personal data to an offshore third party for joint use or (ii) utilize outsourced services from third parties must review their practices to determine whether consent for these offshore transfers is required under the Amended APPI, even if consent was not required prior to the amendment. To clarify, it is not necessary to freshly obtain consent for offshore transfers made prior to the enforcement of the Amended APPI so long as the present manifestation of the APPI did not require consent.
Most of the requirements under the Amended APPI apply to foreign entities that collect personal information through the supply of goods or services to data subjects in Japan and that handle the collected personal information or the relevant anonymized information in a foreign country. Guidelines for offshore transfer issued by the PPC provide several examples for applicability of the Amended APPI to offshore entities. For example, the Amended APPI will apply in scenarios where (i) a branch office collects personal information in Japan and handles such personal information at its headquarters located in a foreign company, (ii) a foreign entity sells goods on a website to customers in Japan and collects personal information from the Japanese customers and uses the personal information for sale and delivery of goods, or (iii) a foreign company provides email services to customers in Japan and collects their personal information by requiring Japanese customers to create accounts on the company website by supplying their email address to be processed offshore. If the PPC finds any violation of the requirements under the Amended APPI, the PPC may advise the foreign entity on best practices or recommend that the foreign entity take necessary actions to protect personal information. However the PPC has no power to impose administrative fines or penalties to offshore entities.
The Amended APPI permits the PPC to provide information to an equivalent privacy authority in certain foreign jurisdiction in order to enforce its mandate against business entities located in foreign countries handling personal information that was collected in Japan.
The amendments to the APPI were prepared primarily to clarify uncertainties in the current APPI as well as to confirm existing accepted practices for handling personal information. However, in order to meet certain internationally accepted standards, notably including an equivalent level of protection to that required by the EU, more burdensome requirements for offshore data transfers were enacted along with the contemporaneous establishment of the PPC to centralize governmental oversight of privacy issues.
Domestic and offshore business operators handling personal information of a data subject located in Japan must carefully consider these new requirements of the Amended APPI in order to lawfully comply with these new protections.