Recent changes to Japan’s Act on the Protection of Personal Information (APPI) and the establishment of a new Personal Information Protection Commission (PPC) have raised questions about how the world’s third-largest economy plans to implement new domestic requirements and engage internationally on cross-border data transfers, APEC, new technologies, and more. In anticipation of the amended APPI taking full effect on 30 May 2017, Hogan Lovells recently hosted two of Japan’s most senior officials and authorities on these topics—Director Yoshikazu Okamoto of the PPC Secretariat and Keio University’s Dr. Fumio Shimpo—to provide guidance during a luncheon presentation in our Washington offices. Partners Julie Brill and Harriet Pearson moderated the session.

Japan’s APPI dates back to 2003 and stands as one of Asia’s oldest data protection laws. The National Diet passed extensive reforms to the APPI in September 2015 following a series of high profile data security breaches and revelations of unlawful sales of personal data in Japan. At the Hogan Lovells briefing, Director Okamoto highlighted key aspects of the amended APPI:

— The new Personal Information Protection Commission will be the centralized data protection authority. The amended APPI took partial effect on 1 January 2016, establishing the PPC, a central, dedicated regulatory authority with enforcement powers backed by penal sanctions. Previously, the APPI delegated discretion to interpret and enforce the data protection law to the national ministries that oversee particular business sectors. Director Okamoto noted that this often resulted in overlapping jurisdiction over private sector businesses, lack of clarity as to how to comply with the APPI, and a data protection regime that was not uniformly or strongly enforced. The “My Number Act,” which was enacted in May 2013 to assign unique government identification numbers to Japanese citizens, previously established a central data protection authority called the Specific Personal Information Protection Commission with limited powers to oversee protection and use of the new government identification numbers, in addition to the sector-specific ministries. The amended APPI restructured this limited-purview commission to form the new PPC, which has assumed centralized data protection authority over all sectors from the ministries. The new PPC is composed of one chairman and eight commissioners appointed by the Prime Minister with the consent of the Diet. The current commissioners come from varying backgrounds, including academia, consumer protection, local government, and private enterprise. Director Okamoto noted that in November the PPC issued new guidelines to replace prior sector-specific data protection guidelines from the ministries. The new guidelines are currently available only in Japanese, but the PPC will likely issue English versions in the future.

— Consent is required to use or disclose “special care-required personal information.” The amended APPI requires, in principle, business operators to obtain consent from the data subject to collect “special care-required personal information.” “Special care-required personal information” broadly corresponds to concepts of “sensitive personal data” receiving enhanced regulatory protection, as seen in other jurisdictions, most notably the EU and an increasing number of jurisdictions in the Asia-Pacific region. Under the amendments to the APPI, “special care-required personal information” includes information about a data subject’s race, creed, social status, medical record (e.g., disabilities, results of a medical check-up, specific health guidance, medical care, or prescriptions), criminal history (e.g., that criminal proceedings have been brought against a data subject as a suspect or defendant), and status as a victim of crime. Director Okamoto clarified that “social status” does not include information such as that a data subject is a CEO of some enterprise, but rather is focused on more sensitive characteristics of a data subject’s background or personal history. He clarified that the additional restrictions around these types of sensitive personal information are intended to protect data subjects from potential discrimination.

— No consent is required to process or transfer anonymously processed information. The amended APPI also introduces the concept of “anonymously processed information.” Where personal information has been anonymized, pseudonymized, or otherwise processed so that there is no practical possibility of re-identifying the data subject, consent of the data subject will not be required for businesses to process or transfer the data. Director Okamoto tied the introduction of this category of data to the Japanese government’s desire to facilitate and legitimize business analytics and positive uses of Big Data. To make re-identification of data subjects impracticable, businesses must delete names, biometric information, and government-issued numbers and/or apply other techniques towards removing links between the data and data subjects, such as generalizing data fields; for example, a specific age should be replaced with an age range (e.g., 26-30) or a specific address should be replaced with a district of residence. Director Okamoto also advised that identifiable outliers (e.g., a 116-year-old person) should not be included in anonymous data sets.

— Additional records of data transfers are required. To improve the traceability of personal information shared between businesses, the amended APPI, in principle, requires businesses to keep records of, for example, how or from whom they obtained personal information and to whom they transferred personal information. Director Okamoto indicated that businesses can receive additional guidelines from the PPC on record keeping requirements.

— There are three methods to legitimize international transfers of personal information of an individual in Japan. One of the most significant amendments to the APPI is the addition of cross-border transfer restrictions. The amended APPI prescribes three types of legitimate transfers of personal information to a third party in a foreign country: (1) transfers to a country that the PPC has designated as having an acceptable level of data protection; (2) transfers to a third party in a foreign country in circumstances in which actions have been taken to ensure the same level of data protection as in Japan (such as entering into a data transfer agreement imposing obligations on the transferee meeting the requirements of the APPI); or (3) transfers with the data subject’s consent. The PPC has yet to designate any countries as providing an acceptable level of data protection, and Director Okamoto would not speculate as to if or when the United States or any other jurisdiction would receive such designation.

— International transfers of personal information may continue if reasonable safeguards are in place. For those organizations already doing business in Japan, Director Okamoto provided assurance that existing reasonable measures to support cross-border data transfers would be very helpful to achieve compliance with the amended APPI. It appeared from the briefing that a totality-of-the-circumstances approach would be a useful way to approach compliance in this area, so that businesses that have reasonable institutional safeguards in place (e.g., privacy policies, data protection terms in contracts) may continue to proceed as they have been doing even after the amended APPI takes full effect on 30 May 2017. Director Okamoto also reiterated Japan’s commitment to the APEC Cross Border Privacy Rules (CBPR) system, and noted that certification of compliance to the CBPR system is a good way for companies to establish the requisite systemic protections to transfer personal information internationally.

— The amended APPI takes full effect 30 May 2017. There will not be a grace period for implementation, as Director Okamoto noted that the PPC expects companies will use the next few months to prepare themselves for compliance. Guidance from the PPC is currently available on the PPC’s website in Japanese. 
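The processing steps described above for “anonymously processed information” (delete direct identifiers, replace age with a range and address with a district, leave out identifiable outliers) can be expressed as follows. This is an added example, not code from the PPC, the speakers or the original post; the field names, the age cutoff and the minimum group size are assumptions rather than values from the PPC guidelines, and suppressing records whose generalized combination is unique extends the outlier advice one step beyond what the briefing stated.

```python
from collections import Counter

# Added example. Field names and thresholds are assumptions, not PPC values.
DIRECT_IDENTIFIERS = {"name", "biometric_id", "my_number"}  # deleted outright
AGE_BAND = 5     # band width, matching the 26-30 example in the text
MAX_AGE = 100    # assumed cutoff for identifiable outliers (e.g. age 116)
MIN_GROUP = 2    # assumed minimum records per (age_range, district) group

# Constructed sample records; no real data.
SAMPLE = [
    {"name": "A", "my_number": "000000000001", "age": 26,
     "street": "1-1-1 Example", "district": "Shibuya", "purchase": "book"},
    {"name": "B", "my_number": "000000000002", "age": 30,
     "street": "2-2-2 Example", "district": "Shibuya", "purchase": "tea"},
    {"name": "C", "my_number": "000000000003", "age": 116,
     "street": "3-3-3 Example", "district": "Shibuya", "purchase": "cane"},
    {"name": "D", "my_number": "000000000004", "age": 47,
     "street": "4-4-4 Example", "district": "Minato", "purchase": "pen"},
]

def age_range(age, width=AGE_BAND):
    """Generalize an exact age to a band: 26..30 -> '26-30', 31..35 -> '31-35'."""
    low = ((age - 1) // width) * width + 1
    return f"{max(low, 0)}-{low + width - 1}"

def anonymize(records):
    """Return (kept_rows, suppressed_count) after generalization and suppression."""
    drop = DIRECT_IDENTIFIERS | {"street", "age"}
    generalized = []
    for rec in records:
        if rec["age"] > MAX_AGE:
            continue  # identifiable outlier: leave it out of the data set
        row = {k: v for k, v in rec.items() if k not in drop}
        row["age_range"] = age_range(rec["age"])
        generalized.append(row)
    # A combination held by a single record still points at one person,
    # so rows in groups smaller than MIN_GROUP are suppressed as well.
    sizes = Counter((g["age_range"], g["district"]) for g in generalized)
    kept = [g for g in generalized
            if sizes[(g["age_range"], g["district"])] >= MIN_GROUP]
    return kept, len(records) - len(kept)

if __name__ == "__main__":
    rows, suppressed = anonymize(SAMPLE)
    for row in rows:
        print(row)
    print("suppressed:", suppressed)
```
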

At our luncheon presentation, Dr. Shimpo, a noted expert on Japanese privacy and technology law and policy, discussed how data protection intersects with Japan’s goal to be the world’s premier “Robotics Superpower” and a world leader in robotics and artificial intelligence. In 2015, the Japanese government published “New Robot Strategy: Vision, Strategy, Action Plan,” which details a strategic plan to build upon Japan’s long history and excellence in the field of robotics to ensure continued success in the Internet of Things era. Dr. Shimpo predicted that there will be seismic shifts in how society functions as robots shift from doing simple routine tasks to autonomous activity, buoyed by self-learning abilities, advanced sensor technology, and higher processing power. Dr. Shimpo urged policy makers locally and globally to work together to craft appropriate laws and regulations to balance beneficial applications and uses against the negative consequences of artificial intelligence so that human-robot society can function symbiotically. Dr. Shimpo noted that the Japanese government is already considering artificial intelligence policies, incorporating principles such as transparency, user assistance, controllability, security, safety, ethics, accountability, and privacy. A draft of such policies was presented by the Minister for Internal Affairs and Communications to the G7 ICT Ministerial Meeting held last April. 

Hogan Lovells’ international data privacy team will continue to closely monitor implementation of Japan’s amended APPI and is available to advise on practical compliance strategies with this and other jurisdictions’ requirements.