On March 10, the Cabinet of Japan approved a bill to amend the Act on the Protection of Personal Information. The Diet is expected to approve the bill during its regular session by June 17, and after the Cabinet order and the rules of the Personal Information Protection Commission regarding the amendments are made, the amendments are expected to take effect in 2021 or the first half of 2022, although it is not clear exactly when.

Data subject’s rights

(1) Scope of data subjects’ rights

Under the current law, data subjects have the right to demand the cessation of use, deletion of and cessation of third-party transfer of their retained personal data only if the retained personal data was used for purposes other than those notified to the data subjects, was collected by deceit or other improper means, or was provided to a third party in violation of the APPI. However, the amendments will expand the scope of data subjects’ rights by allowing data subjects to exercise their rights when their rights and legitimate interests are likely to be infringed because of the data processing of business operators (e.g., in cases when business operators no longer need to use the personal data).

(2) How retained personal data may be disclosed

The amendments will also change the current methods of disclosing retained personal data. The current law does not expressly allow data subjects to demand the disclosure of retained personal data by electronic means. The amendments, however, will allow data subjects to require their retained personal data be disclosed to them electronically. In addition, data subjects will be able to demand disclosure of any records kept by business operators on any provision of their personal data to third parties. Note: Under the current law, both data providers and data recipients are required to keep records regarding the provision of personal data to the recipients.

(3) Scope of personal data subject to data subjects’ rights

Under the current APPI, any personal data that is prearranged to be erased within six months from acquisition is not "retained personal data" and is, therefore, not covered by data subjects’ rights vis-à-vis retained personal data. The amendments will remove the six-month qualification, thereby making any personal data "retained personal data" regardless of the data retention period.

(4) Stricter restrictions on provision of personal data to third parties by opt-out scheme

The provision of personal data to third parties under the current APPI generally requires the consent of data subjects, unless certain exceptions apply. One such exception is the opt-out scheme — that is, personal data may be provided to third parties without data subjects' consent if certain requirements of the opt-out scheme, including filing with the PPC and making certain information available to data subjects, are satisfied.

However, the amendments will restrict the range of personal data that may be provided to third parties based on the opt-out scheme. Under the bill, the following personal data cannot be provided to third parties based on the opt-out scheme: (1) personal data collected by deceit or other improper means; and (2) personal data received by a person from another person based on an opt-out scheme of that another person.  

Expanding the responsibilities of companies

(1) Data breach report/notification

Under the current law, if there is a data breach, the business operator merely has a "duty to make an effort" to submit a report of the data breach to the PPC and notifying affected data subjects is only a recommended course of action. However, the amendments will introduce mandatory obligations to report data breach incidents to PPC and notify the affected data subjects in cases when the data subjects' rights and interests are likely to be infringed. Details of these obligations are not in the bill.

Thus, we need to keep a close eye on further details, including (1) thresholds for mandatory reporting (e.g., the number of affected individuals and the deadline); and (2) any exceptions (e.g., pseudonymized information), which will be stipulated in the rules of the PPC.

(2) Restriction on unlawful or undue use of personal data

Unlike the current law, the amendments will make it clear that business operators must not use personal data in ways that encourage or cause unlawful or undue use.

Mechanisms to promote voluntary efforts by companies

Accredited personal information protection organizations, which are organizations accredited by the PPC to deal with complaints and to give guidance to its members who process data, already exist. However, these organizations are currently required to cover all areas of data processing specified in the APPI. The amendments will allow the PPC to accredit organizations only for specific aspects of the data processing of its members.

Promotion of and regulations on data use

(1) Introduction of 'pseudonymized information'

To promote innovation, the concept of “pseudonymized information” will be introduced. The bill describes pseudonymized information as personal information that can identify a specific individual only by collation with other information. If business operators handle personal data that is considered pseudonymized information, they will not need to comply with certain obligations under the APPI, such as complying with demands to disclose or cease the use of retained personal data. The use of pseudonymized information is limited to the internal use of the business operator, and the provision of pseudonymized information to third parties is prohibited. Note: The standards for processing personal data as pseudonymized information will be stipulated in the rules of the PPC.   

(2) Regulations regarding provision of personal data to third parties

Under the current law, the provision of personal data to third parties generally requires the consent of the data subject unless certain exceptions apply. It has been understood that whether the regulations on the provision of personal data to third parties apply is determined only by whether the discloser can identify an individual, not by the recipient’s ability to identify that individual.

However, the amendments will regulate the provision of data if the recipient will likely receive the data as personal data. In this case, the provider must confirm that the recipient has obtained the consent of data subjects to the transfer of their data as personal data. In addition, if data will be transferred to a third party in a foreign country, the provider must inform the data subjects of details regarding the data protection rules and regulations of the country to which personal data will be transferred and must take necessary actions to ensure that the overseas data recipients have in place continuous security measures to protect personal data.

As of this writing, the current intention is for the rules of the PPC to detail how data providers can comply with their new obligations to confirm with recipients and inform data subjects.

Amending the penalties

The bill will toughen the statutory penalties for violating an order of the PPC or submitting a false report to the PPC. In the case of violating an order, the penalty will be imprisonment with labor of up to one year or a fine of up to 1,000,000 yen; in the case of submitting a false report, it will be a fine of up to 500,000 yen.

In the case of a corporate body violating an order of the PPC, the penalty will be a fine of up to 100 million yen.

Also, the PPC will be able to publish the name of companies, including overseas companies, that did not follow any order of the PPC.

Extraterritorial applicability and data transfer to third parties outside of Japan

(1) Extraterritorial applicability

Currently, the PPC does not have the authority to make companies in a foreign country submit reports, nor can it issue orders to overseas companies, but the amendments will give such authorities to the PPC.

(2) Data transfer to third parties outside Japan

The bill will strengthen current regulations on data transfers to third parties outside Japan. For example, the amendments will require the provision of certain information to data subjects. In the case of a transfer of personal data based on the data subjects’ consent, data transferors must provide the data subjects with relevant information, such as the data protection system of the foreign country to which personal data will be transferred and data protection measures of the overseas data transferee. If the data transferors transfer personal data to third parties that have established a system that conforms to standards prescribed by the PPC, they must take necessary actions to ensure the overseas data transferees have in place continuous security measures to protect personal data and must, at the request of data subjects, provide information regarding the actions so taken.

The PPC rules will prescribe how such information must be provided to data subjects.

Photo by Manuel Cosentino on Unsplash