Japan: Protection of Personal Information (APPI) Act to be Amended: Is your Business Ready?

The Japanese Diet has recently approved a bill to amend the APPI. This is expected to result in a strengthening of rights for data subjects while making data breach notifications mandatory and increasing penalties for noncompliance. Is your business ready for these upcoming changes?

 

  1. Overview of the Amendment

On 5 June 2020, the Japanese Diet approved a bill to partially amend the Act on the Protection of Personal Information (the “APPI”). The amendment is intended to respond to the increased need to balance the protection and utilization of personal information with the risks arising from domestic and cross-border data transfers. This was done through strengthening the rights of data subjects and the imposition of new obligations on companies that collect and handle personal information, such as:

  • the obligation to notify the Personal Information Protection Commission (“PPC”) of certain data breaches (the threshold for reporting obligations has not yet been decided);
  • expanding the PPC’s authority to request reports from, or to investigate, offshore companies (an offshore company that refuses such a request may be subject to a fine);
  • introducing the concept of pseudonymisation which allows business operators to utilize personal data more easily; and
  • increasing penalties to be imposed on companies for breaches of the APPI and/or administrative orders issued by the PPC.

The amended APPI could have a significant impact on companies that handle personal information. It is therefore important to understand the amendment and to prepare for any relevant enforcement actions in advance. Below are some key points to know about the amendment.

 

  2. Strengthening the Rights of Data Subjects

Under the current APPI, data subjects have the right to request access, correction, deletion and cessation of the use of their personal data that is, or is intended to be, retained for six months or more (the “Rights of Data Subjects”). The amended APPI removes the six-month threshold, so all retained personal data is now subject to the Rights of Data Subjects.

Also, under the current APPI, data subjects may exercise the rights of deletion and cessation of use of personal data only if a PIH Operator[1] (i) has obtained the personal data by deceit or other improper means; or (ii) uses such personal data beyond the scope necessary to achieve the purpose of use[2]. Under the amended APPI, in addition to (i) and (ii), a data subject can exercise the rights of deletion and cessation of use if there is a risk that his or her rights or legitimate interests would be harmed.

Further, the amended APPI allows data subjects to choose the method (in writing, or through electronic means such as email) by which they receive personal data upon exercising the right of access. Data subjects may also request PIH Operators to disclose all records of transfers of their personal data to third parties.

Except for sensitive personal information, the current APPI allows a PIH Operator to transfer personal data to a third party without obtaining consent from data subjects by (i) disclosing in advance, to the public or to the data subjects, certain matters such as the items of personal data to be transferred and the method for making an opt-out request; and (ii) notifying the same to the PPC. The amended APPI limits the scope of personal data that can be transferred to a third party through this opt-out mechanism: personal data that has been obtained by deceit or other improper means, and personal data that was itself provided to the PIH Operator through the opt-out method, may no longer be transferred by way of opt-out.

 

  3. Increasing the PIH Operator’s Obligations
  • Data Breach Report

Under the current APPI, PIH Operators are, in most circumstances, not strictly obligated to report data breaches to the PPC or to notify affected data subjects. Under the amended APPI, reporting to the PPC and notifying affected data subjects will become mandatory for certain data breaches. Which data breaches fall within these mandatory obligations has not yet been decided by the PPC, but the PPC is likely to limit the scope to cases with a significant impact on data security (e.g., cases involving a large number of data subjects).

  • Consent of Data Subjects for Personal Related Information

Under the current APPI, it is unclear what obligations a transferor has when it transfers data that does not itself fall under the definition of personal data, but from which the receiving party can identify a specific individual. The amended APPI defines information that relates to an individual but does not fall under the definition of personal data as “Personal Related Information”. The definition is quite vague, but it is generally accepted to include cookie information and IP addresses, among other items (please note that the PPC may issue guidelines in the future further specifying the scope of Personal Related Information). The amended APPI stipulates that prior consent from data subjects is necessary if Personal Related Information is transferred to a third party and the receiving party can identify a specific individual by collating such Personal Related Information with information already in its possession.

 

  4. Extraterritorial application and cross-border data transfers

The APPI applies to a foreign entity if it obtains personal information of data subjects physically located in Japan in connection with supplying goods or services to those data subjects. However, the PPC currently has no direct authority to supervise such foreign entities. The amended APPI will grant the PPC the authority to request foreign entities to report on the status of their processing of such personal information, and to issue orders if a foreign entity is found to be in violation of any applicable requirement under the APPI. Violation of such orders may lead to the imposition of monetary penalties/fines on these foreign entities (please refer to Section 6 below for the range of penalties).

The amended APPI further stipulates that if a PIH Operator transfers personal data to third parties based offshore on the basis of a data subject’s consent, the PIH Operator is required to provide the data subject with certain information regarding the protection of the transferred personal data (e.g., the data protection measures to be taken by the receiving party, the data protection regime of the country where the receiving party is located, etc.), and also to take the measures necessary to ensure that the recipient continuously processes the data in a manner equivalent to the requirements of the APPI.

 

  5. Pseudonymisation

 

The current APPI has the concept of “Anonymous Processed Information”, which is produced by processing personal information so that it can neither be used to identify a specific individual nor be restored. However, given the high hurdle for utilizing Anonymous Processed Information, such information has been used less than originally expected. Therefore, the amended APPI introduces the concept of “Pseudonymized Information”: information processed so that it (i) cannot be used to identify a specific individual on its own, but (ii) can be re-identified by collating it with other information (for example, a separately held table mapping the substituted values back to the originals). A typical example is information in which names, addresses and similar items are replaced with a random string of characters. The details of Pseudonymized Information and the requirements for utilizing it have not yet been fully decided, but it is likely that companies will be able to use Pseudonymized Information for internal data analytics purposes.
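The following is an added illustration of what the paragraph describes, not code from the original note or from DLA Piper. It replaces direct identifiers with random tokens and keeps the mapping table separately, so the dataset alone does not identify anyone while the records of one person stay linkable for analytics; restoring the identifiers requires the table, which is exactly the "other information" that makes the data pseudonymous rather than anonymous. It also shows the point raised under Personal Related Information: whoever holds data that can be collated with the table can identify the individual. The record fields, the token format and the sample records are constructed assumptions for illustration, not terms defined by the APPI or the PPC.

```python
"""Pseudonymisation with a separately held key table (added example).

The sample records, field names and token format below are constructed
for illustration; they are not APPI or PPC definitions.
"""
import secrets

# Constructed sample data: names and addresses are the direct identifiers
# a PIH Operator would replace; "purchase" is the value kept for analytics.
RECORDS = [
    {"name": "Sato Hanako", "address": "1-1 Chiyoda, Tokyo", "purchase": "JPY 4200"},
    {"name": "Suzuki Taro", "address": "2-3 Namba, Osaka", "purchase": "JPY 980"},
    {"name": "Sato Hanako", "address": "1-1 Chiyoda, Tokyo", "purchase": "JPY 150"},
]

DIRECT_IDENTIFIERS = ("name", "address")


def pseudonymise(records, fields=DIRECT_IDENTIFIERS):
    """Replace direct identifiers with random tokens.

    Returns (pseudonymised_records, key_table). The key table maps
    (field, original value) -> token. It is the "other information" that
    allows re-identification, so it must be stored and access-controlled
    separately from the pseudonymised dataset. The same original value
    always gets the same token, so one person's records remain linkable
    for analytics without naming the person.
    """
    key_table = {}
    out = []
    for rec in records:
        new = dict(rec)
        for field in fields:
            key = (field, rec[field])
            if key not in key_table:
                # Random token: nothing about the original value can be
                # derived from it (unlike an unsalted hash of the value).
                key_table[key] = f"{field}_{secrets.token_hex(8)}"
            new[field] = key_table[key]
        out.append(new)
    return out, key_table


def reidentify(pseudonymised, key_table, fields=DIRECT_IDENTIFIERS):
    """Restore the original identifiers.

    Only a party holding the key table can do this; the pseudonymised
    records on their own carry no route back to the individual.
    """
    reverse = {token: value for (_field, value), token in key_table.items()}
    return [
        {**rec, **{field: reverse[rec[field]] for field in fields}}
        for rec in pseudonymised
    ]


def contains_identifiers(records, originals, fields=DIRECT_IDENTIFIERS):
    """True if any original identifier value still appears in `records`."""
    original_values = {rec[field] for rec in originals for field in fields}
    return any(rec.get(field) in original_values for rec in records for field in fields)


if __name__ == "__main__":
    pseudo, table = pseudonymise(RECORDS)
    for rec in pseudo:
        print(rec)
    print("identifiers present:", contains_identifiers(pseudo, RECORDS))
    print("restored with key table:", reidentify(pseudo, table) == RECORDS)
```

The design point for a practitioner is the separation: the analytics team receives only `pseudo`, the key table stays with a restricted custodian, and any transfer of `pseudo` to a party that could obtain the table (or equivalent collation data) should be treated as a transfer of identifying information.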

 

  6. Sanctions

 

The penalties for violations of the current APPI, or for non-compliance with the PPC’s orders under the APPI, are extremely light compared to those under the GDPR and the data privacy regulations of other countries. To close this gap and further promote compliance, the amended APPI will toughen the penalties for non-compliance by raising the maximum penalty on companies to JPY 100 million (about USD 930,000) where representatives, officers or employees fraudulently use or leak personal data. On top of this, the individuals responsible for a breach may also be subject to individual fines or penalties.

The amended APPI will come into effect within two years from 5 June 2020 and is expected to take effect around spring 2022. Before the effective date, the PPC will issue detailed rules and guidance documents regarding the amendment. We therefore recommend checking the PPC’s rules and guidelines regularly and taking the measures necessary to fully comply with the amended APPI when it takes effect.

If you have any questions on what this may mean for you or your organisation, please contact the authors listed above or your regular DLA Piper contact.

 

[1] A PIH Operator means a person providing a personal information database etc. for use in business.

[2] The APPI stipulates that a PIH Operator shall specify the purpose of use of the personal information it collects, and that it may handle that personal information only within the scope necessary to achieve that purpose.