On March 24, 2021, the Cabinet of Japan issued the Order to enforce the amended Act on Protection of Personal Information and the Personal Information Protection Commission issued Enforcement Rules for the amended APPI on the same day.

Updates to the status of the amended APPI

The amended APPI was enacted June 5, 2020, and promulgated June 12, 2020. It will become effective April 1, 2022. However, stricter statutory penalties have already become effective, and the transitional measures for providing personal data to third parties through opt-out will become effective Oct. 1, 2021.

For an outline of the amended APPI, please refer to the previous articles below.

Analysis of Cabinet of Japan's approved bill to amend APPI

Japan enacts Amendments to the Act on the Protection of Personal Information

The regulatory guidelines of the amended APPI are expected to be finalized by summer 2021.

Currently, the public sector is regulated not by the APPI but by separate regulation. Each local government also has its own regulations regarding data protection in the public sector. A bill implementing the amendments necessary to integrate these public data protection laws into the APPI is expected to become law in 2021. Those provisions of the bill applicable to the national government are expected to become effective at the same time as the amended APPI. Provisions applicable to local governments are expected to become effective in 2023.

Key points of the amended Order and Rules

There are five key points of the amended Cabinet Order and Rules.

1. Report of  data breaches and notification to data subjects

The amended APPI implements a legal obligation to report to the Personal Information Protection Commission and notify data subjects when there is a risk of harm to the rights and interests of data subjects due to a data breach.

According to the amended Order and Rules, there is a reporting obligation when the data breach occurred or is likely to have occurred: (1) a data breach involving sensitive personal information, (2) a data breach with a risk of property damage, (3) a data breach that is likely to have been committed for an improper purpose, such as a cyberattack, and (4) data breaches of more than 1,000 data subjects are subject to a reporting obligation. In addition, under the Amended Order and Rules, there are two stages of reporting to the PPC: a preliminary report and a final report. The preliminary report must be made promptly after the occurrence of a potential data breach is recognized, and the final report must be made within 30 days (60 days in the case of (3) above).

2. Pseudonymized information

The amended APPI establishes a concept of "pseudonymized information." If business operators handle personal data that is considered pseudonymized information, they will not need to comply with certain obligations under the APPI, such as responding to demands to disclose or cease the use of retained personal data. The use of pseudonymized information is limited to the internal use of the business operator.

The amended Order and Rules require, as processing standards for pseudonymized information, the deletion or replacement of (1) descriptions that can identify specific individuals, such as names, (2) individual identification codes, and (3) descriptions that may cause property damage.

3. Regulations regarding the provision of data to third parties

Under the current law, the provision of personal data to third parties generally requires the consent of the data subject unless certain exceptions apply. It has been understood that whether the regulations on the provision of personal data to third parties apply is determined only by whether the discloser can identify an individual, not by the recipient’s ability to identify that individual. However, the amended APPI will also regulate the provision of data if the recipient is likely to receive the data in the form of personal data. In this case, the provider must confirm that the recipient has obtained the consent of the data subjects to the transfer of their data in the form of personal data.

According to the amended Order and Rules, the method by which the provider must confirm the consent of the data subjects is to obtain a declaration to such effect from the recipient. The amended Order and Rules also imposes record-keeping obligations on the provider, requiring it to record (1) the fact that the provider has made the required confirmation, (2) the date of provision, (3) the name, name of the representative, and address of the recipient, and (4) the categories of information provided. These records must, in principle, be retained for three years.  

4. Cross-border transfer

The amended APPI strengthens current regulations on data transfers to third parties outside Japan. In the case of a cross-border transfer based on the data subjects’ consent, data exporters must provide the data subjects with relevant information. In the case of a cross-border transfer based on the establishment of a personal information protection system (e.g., execution of a contract with the data importer to take measures equivalent to the APPI), the APPI requires "necessary measures" to ensure the continued proper handling of personal data by the data importer and the provision of information upon the request of data subjects.

The amended Order and Rules require the provision of the following information to be provided to data subjects at the time of obtaining consent: (1) the name of the country to which data is to be transferred; (2) the personal information protection system of the country in question, to be confirmed in an appropriate and reasonable manner; and (3) the measures to be taken by the data importer.

In addition, according to the amended Order and Rules, "necessary measures to be taken by the data exporter" shall include (1) periodic confirmation of the status of the handling of personal data by the data importer and the existence or non-existence of systems in the country of the data importer that may affect the status of the handling of personal data by the data importer, (2) measures to be taken in the event that a problem arises with the proper handling of personal data, and (3) measures to be taken by the data importer to ensure the continued proper handling of personal data.

In addition, in the case of a cross-border transfer based on the establishment of a personal information protection system, when a request for information is made by data subjects, the following information must be provided to data subjects:

(1) The personal information protection system implemented by the data importer.

(2) An outline of the equivalent measures to be implemented by the data importer.

(3) The frequency and method of confirmation of foreign systems.

(4) The name of the foreign country.

(5) The existence and outline of the foreign system that may affect the implementation of equivalent measures.

(6) The existence and outline of any impediments to the implementation of equivalent measures.

(7) An outline of measures to be taken in response to obstacles in (6).

5. Public disclosure

In the Amended Order and Rules, data security management measures are added to the items to be disclosed to the public regarding retained personal data.

Photo by David Edelstein on Unsplash

Editor's note: This article was updated April 7, 2021.