On April 1, Japan's amended Act on the Protection of Personal Information (APPI) will come into force. In our previous article, we explained how to amend privacy notices to comply with the amended APPI, focusing mainly on the updated guidelines and Q&As. In this article, we describe the other key portions of the guidelines and Q&As.
For more information on Japan’s APPI amendments, including an analysis and explanation of amending privacy notices, please see the previous articles below.
Japan enacts Amendments to the Act on the Protection of Personal Information
Japan updates enforcement rules for amended APPI
Practical notes for Japan's amended APPI: How to amend privacy notices
Expansion of extraterritorial application
The APPI amendment expands the law's extraterritorial application. Currently, extraterritorial application is limited to foreign business operators that acquire personal information directly from data subjects in relation to supplying a good or service to a person located in Japan and that handle the personal information in a foreign country. Under the amended APPI, extraterritorial application extends to any foreign business operator that handles personal information on data subjects located in Japan in relation to supplying a good or service to a person located in Japan. The amended guidelines clarify that the APPI can apply when a foreign business operator acquires personal information indirectly from a third party, not only when it acquires it directly from individuals. As a result, some foreign companies that have not been subject to the APPI until now will fall within its extraterritorial scope.
In addition, the amendments give Japan's data protection authority, the Personal Information Protection Commission (PPC), the power to require foreign companies to submit reports and to issue orders to them, powers the PPC currently lacks.
Report of data breaches and notification to data subjects
Under the current APPI, submitting a data breach report to the PPC is merely a "duty to make an effort," and notifying data subjects is only a recommendation. Under the amended APPI, in the event of a data breach (leakage, loss or damage), or where a breach is likely to have occurred, a business operator is required to report the breach to the PPC and notify the affected individuals. The reporting obligation applies to actual or likely breaches involving sensitive personal information, breaches likely to cause property damage, breaches likely committed for an improper purpose (e.g., a cyberattack) and breaches involving more than 1,000 data subjects.
In the event of a data breach, the guidelines require a business operator to (1) report the data breach internally to an appropriate person in charge of the business and take measures to prevent an increase in damage, (2) investigate the relevant facts and determine the causes, (3) identify the scope of impact, and (4) examine and implement measures to prevent recurrence.
- Practical deadline of a preliminary report
There are two stages of reporting obligations: a preliminary report and a final report. The amended APPI requires a business operator to submit a preliminary report "promptly after the recognition of the occurrence of a potential data breach." The guidelines clarify this provision by stating that, if the business operator is a corporation, the preliminary report must in general be filed within three to five days from the time the data breach is recognized.
- Contents of the final report
The amended APPI requires a business operator to submit a final report within 30 days from the recognition of a data breach (60 days is the deadline for data breaches likely to have been committed for an improper purpose, such as a cyberattack). According to the PPC’s enforcement rules, the final report must contain nine items. However, the guidelines further clarify that if certain items are not yet identified by the deadline despite reasonable efforts, a business operator is allowed to submit a final report containing only those items identified at the time of submission and subsequently complete the report as soon as the outstanding items are identified.
Data subject rights will be expanded
The amended APPI will expand individuals’ rights of cessation of use, deletion and cessation of the provision of retained personal data to third parties. These rights can be exercised only in specific instances prescribed by the APPI. The amended APPI will add the following instances:
- If a business operator no longer needs to use the personal data.
- If a data breach subject to mandatory reporting occurs.
- If the data subject’s rights or legitimate interests are likely to be infringed.
The guidelines provide specific examples of the third instance, one of which is where a business operator fails to stop sending direct mail to an individual after repeated requests to do so.
Regulation of personally referable information
Under the amended APPI, a data provider will have a new obligation to confirm a data subject’s consent if it anticipates a recipient will receive the provided information as personal data. Section 6 of our previous article provided an overview of these regulations:
When providing information about a living individual that does not fall under personal information, pseudonymized information and anonymized information ... to a third party, the amended APPI will impose a certain obligation on the data provider if the recipient is likely to receive the data in the form of personal data. In this case, the provider must confirm that the recipient has obtained the consent of the data subjects to the provision of such data. The updated guidelines further stipulate that before obtaining their consent, the data provider must provide certain information to the data subjects.
The guidelines give clarification and guidance on this new regulation.
- Meaning of “receive the provided information as personal data”
The guidelines state that to "receive the provided information as personal data" refers to cases where a data recipient intends to use the provided information as personal data, such as linking the received information with other personal data held by the recipient.
In a case where a data recipient does not directly link the provided information with other personal data held, even if the provided information can be readily collated with the personal data, it does not necessarily fall under the concept of "receive the provided information as personal data," and therefore, the data provider is not required to confirm that the data recipient obtained the consent.
- Meaning of “anticipation”
The term "anticipation" refers to cases where a data provider actually anticipates a recipient “receives the provided information as personal data” or when an ordinary person could normally anticipate it.
If the contract between a data provider and a data recipient stipulates that the recipient will not use the provided information as personal data, the provider normally would not be regarded as anticipating that the recipient will "receive the provided information as personal data." However, if there are circumstances that would lead the data provider to suspect the recipient intends to use the provided information as personal data, the provider must confirm how the recipient will handle the information and determine whether it anticipates the recipient will "receive the provided information as personal data."
- Information made available to data subjects when obtaining consent
When a data recipient obtains consent, it is required to clearly indicate to an individual the appropriate information necessary for the individual to decide regarding consent. Specifically, it is necessary to make the individual aware of (1) which entity receives provided information as personal data, (2) the items of personal information to be provided and (3) the purpose of use of the information after being received as personal data.
- Entity that obtains consent
As a general rule, the entity that should obtain consent is the data recipient, which has contact with the individual and uses the information. However, a data provider is also allowed to obtain consent on behalf of the recipient, on the condition that the rights and interests of the individual are protected in an equivalent manner. In practice, note that the specific name of the recipient must be shown to the individual.
Regulation of cross-border transfers
Currently, a cross-border transfer can be permitted based on either the data subject’s consent or establishment of a personal information protection system. The amended APPI strengthens current regulations on data transfers to third parties outside Japan. An overview of the strengthened regulations can be found in this previous article.
- Mechanism based on data subject consent
The enforcement rules set out an exception to the first of the information items that must be provided to data subjects when obtaining their consent. If item 1, the name of the foreign country in which the recipient is located, cannot be specified, the business operator must instead provide, in place of items 1 and 2, the reason(s) why it cannot be specified and any other information that would be helpful to the data subject.
The PPC Q&As further explain that this exception applies when a business operator plans to outsource (i.e., entrust) data processing to a third party in a foreign country, but the foreign country cannot be specified because the entrusted party has not yet been determined. In this case, the business operator must inform the data subject that the foreign country cannot be specified and the required information cannot be provided, and must give the specific reason (including why consent must be obtained before the entrusted party has been determined). In addition, if it is possible to provide information that would be helpful to the individual, such as information on the candidate foreign countries, that information must also be provided.
Regarding item 2 (i.e., the personal information protection system of the recipient country), a business can rely on the results of the PPC survey for 31 countries and areas previously mentioned here (Section 5).
For foreign countries not covered by that survey (other than the European Economic Area countries and the U.K.), the guidelines explain that the following points should be considered when providing the information:
(a) Existence or absence of a system for the protection of personal information in the foreign country.
(b) Existence or absence of information that can serve as an indicator of the foreign country's system for the protection of personal information.
(c) Existence or absence of obligations of the business operator or rights of the individual corresponding to the eight principles of the Organisation for Economic Co-operation and Development Privacy Principles.
(d) Existence or absence of other systems that may have a significant impact on the rights and interests of the individual.
- Mechanisms based on establishment of a personal information protection system
For cross-border transfers based on the establishment of a personal information protection system, the amended APPI requires the business operator to "regularly" confirm that the recipient continues to maintain that system. The guidelines clarify this frequency requirement as at least once a year. A business operator relying on this mechanism must therefore make sure it conducts such regular monitoring. The frequency and method of confirming the foreign recipient's system must also be explained to data subjects upon request.