On 12 June 2020, Japan enacted amendments to the Act on the Protection of Personal Information (APPI). The most significant change will be the tougher statutory penalties with an upper range of close to USD 1 million for serious breaches. In addition, the new law, among other things, expands the scope of the data subjects' rights, restricts the range of personal data that may be provided to third parties, introduces mandatory obligations to report and notify data breach incidents, and introduces "pseudonymized information". The new law is expected to take effect in the last quarter of 2021 or in the first half of 2022, although the exact timing is not yet determined.
The amended Act on the Protection of Personal Information (Amended APPI) will impose significant obligations on companies that handle personal information and requires preparation in advance to ensure compliance. Companies should assess the significant changes that have been introduced and review current policies and procedures in order to ensure compliance when the approved changes come into force, including the following.
- Review and update privacy policies to address the expanded data subject rights.
- Conduct a review of data flows within the organization in order to capture transfers to third parties of information that is not currently recognized as personal data, and update the relevant company policies and procedures.
- Update or implement data breach incident policies and procedures to comply with the mandatory notification requirements.
Reach out to your usual Baker McKenzie contacts to discuss how this legislation may impact your organization and discuss a plan to ensure your organization is prepared when the amended APPI takes effect.
On 10 March 2020, the Cabinet of Japan approved a bill to amend the current Act on the Protection of Personal Information, which took effect in May 2017, to account for rapid advancements in technology, and the necessity to deal with the emerging risks brought about by increased cross-border data flows.
The bill was approved "as is", and was promulgated into law on 12 June 2020.
This alert outlines the key changes introduced by the Amended APPI and draws out the main differences from the requirements of the existing law.
Enhanced rights of principals (data subjects)
In the current APPI, principals (data subjects) can only request the erasure of personal information, the discontinuation of data processing, or the discontinuation of transfers of personal information to third parties where the purpose for which the personal information was collected and processed is found to have been violated, the personal information was collected illegally, or the data subject's consent was obtained illegally.
Under the Amended APPI, the requirements for exercising these rights have been eased, and data subjects are now able to request the deletion of personal information, the discontinuation of data processing, or the discontinuation of transfers to third parties wherever there is a possibility that their rights or legitimate interests may be violated. The data subject also has the right to request the disclosure of records of transfers of his/her personal information to third parties.
Short-term data, i.e. data in the possession of a business operator that is intended to be deleted within 6 months, had previously been excluded by definition from "retained personal data" but will now form part of it, and will therefore be subject to demands for disclosure and requests for discontinuation of processing. Whereas a data subject could previously only request written copies of "retained personal data", the Amended APPI introduces a new method of disclosure via the provision of electronic records.
Mandatory data breach notification requirements
While the current APPI only imposes a duty to make an effort to notify data subjects of a data breach, the Amended APPI introduces mandatory notifications in the event of a data breach. Subject to certain exceptions, business operators are now required to report to the PPC and to notify affected data subjects where a breach occurs of a type specified by the PPC as one which may result in violations of individual rights and interests. The PPC's regulations specifying the actual types of breach that "may result in violations of individual rights and interests" will be published by the effective date of the amendment. The Amended APPI does not specify a time period within which these notifications must be made.
Introduction of pseudonymized information
The current APPI recognizes the concept of anonymized data; however, the Amended APPI goes a step further and introduces "pseudonymized information", a concept whereby a data subject's name or any other identifying information is deleted and the data is processed in such a manner that the individual can only be identified by referencing other data.
If a business operator processes "pseudonymized information", they will be relieved of the obligation to comply with certain requirements under the APPI, such as demands for disclosure or erasure.
Restrictions on data transfers to third parties
The current APPI generally requires consent of the data subject prior to transfers of personal information to third parties. However, whether these restrictions apply is generally determined by whether the transferor can identify an individual by the personal information transferred, rather than the receiving party's ability to do so.
The Amended APPI will now regulate the transfer of personal information based on whether the recipient will likely receive the data as personal information. This will require the transferor to confirm with the receiving party that the data subject has consented to the transfer of personal information.
Stricter limitations on consent for cross-border transfers
Currently, in order to transfer personal information to a third party outside of Japan, the transferor must satisfy specific exceptions under the APPI, including obtaining prior consent of the data subjects. Another exception is where a third party has a data protection framework in place that offers equal or greater protections than the standards mandated on a business operator in Japan concerning the handling of personal information.
Under the Amended APPI, where a business operator chooses to obtain the consent of the data subject to justify cross-border transfers, the business operator should provide the data subject, prior to the transfer, with information on the data protection framework in the foreign country where the third party is located and on the measures undertaken to protect personal information.
Where a business operator relies on the other exception mentioned above to justify cross-border data transfers, the business operator must take the measures necessary to ensure compliance with the data protection framework and provide information relating to such measures to data subjects upon request.
Tougher penalties for certain violations
Violation of an order by the PPC is now punishable by imprisonment with labor for not more than 1 year or a fine of not more than JPY 1 million (approx. USD 9,300), up from imprisonment with labor for not more than 6 months or a fine of not more than JPY 300,000 (approx. USD 2,800).
Submission of a false report is now punishable by a fine of not more than JPY 500,000 (approx. USD 4,700), up from a fine of not more than JPY 300,000 (approx. USD 2,800).
Entities which engage in the wrongful provision or utilization of a personal information database, or which violate an order issued by the PPC, will be subject to a fine of not more than JPY 100 million (approx. USD 933,000).
Increased options for foreign enforcement
The current APPI applies certain provisions to entities located outside the country if they acquire personal information in connection with supplying goods or services to individuals in Japan. However, the PPC is currently unable to demand that foreign companies submit reports or take necessary measures. Rather, the PPC's role with respect to foreign businesses is limited to guidance and advice, without the power of enforcement.
The Amended APPI will enable the PPC to order foreign businesses to make reports and take necessary measures, and will permit the PPC to publish the fact that a foreign business has failed to do so.