On April 1, 2022, Japan’s amended Act on Protection of Personal Information will come into force. In previous articles, we explained the APPI amendments and updates related to subordinate regulations (i.e., enforcement orders and rules).
From August to September, Japan’s data protection authority, the Personal Information Protection Commission, published updated guidelines and Q&As for the amended APPI. These documents reveal how the PPC interprets the APPI and how it works as practical regulations businesses are required to follow.
In light of the release of the documents, businesses are now ready to move forward to comply with the amended APPI. This article mainly focuses on the guidelines and Q&As; we describe how businesses should revise their privacy notices, which play a key role in business practice.
Please note that the amendments to the Personal Information Protection Law of 2021 will also be enforced on April 1, 2022, and the article numbers of the current APPI applicable to the private sector will shift as a result. (Those amendments focus on unifying the personal information protection systems of the public and private sectors; the parts relating to local governments and local incorporated administrative agencies will be enforced at a later date.)
The role of a privacy notice
The APPI does not mention a privacy notice on its face. Instead, the APPI stipulates that, in handling personal information or data, a business must (i) notify, (ii) make public, (iii) make easily available, or (iv) make available (including by being able to respond without delay when a request is made) certain information to data subjects (hereinafter collectively, “matters for publication, etc.”), depending on the applicable APPI obligation. In practice, a privacy notice often serves as the mechanism for providing such information to the public.
Our previous article explained matters for publication, etc., of the amended APPI. (Please note our previous article assumed all matters for publication, etc., would be comprehensively set forth in a privacy notice for readers’ convenience, without distinguishing the specific categories of matters for publication, etc., such as notify, make public, and so on.) In this article, we will give an updated explanation of how to revise a privacy notice based on the latest points clarified in the guidelines and Q&As.
Public disclosure of the purpose of use
The current APPI requires the purpose of using personal information to be specified and to be notified or made public upon the acquisition of personal information.
- Description of the purpose of use should be more detailed
Regarding the specification obligation, the updated guidelines have the following statement: "When analyzing information on the behavior and interests of the individual, the business must specify the purpose of use in order that the data subject can predict or assume what kind of data processing is being performed.”
The guidelines also introduce a sample statement of such specification: "We will analyze acquired information such as browsing and/or purchase history and use the result for advertising of new products and services in accordance with your interests and preferences.” This new interpretation may affect a common business practice; presently, many businesses just state, "We use your personal information for distribution of advertisements," but after the amendment, such an abstract statement may not meet the new requirement.
Note that this update addresses an issue that already exists under the current APPI and is not tied to the amendment itself. Accordingly, the PPC updated the corresponding Q&A on Sept. 30.
- Purpose of using pseudonymized information should be published
The amended APPI will introduce the concept of pseudonymized information. In order to create and utilize pseudonymized information for new purposes, the business is required to publicly disclose those purposes, and a privacy notice can be used for this disclosure. The disclosure can be made at the time the business decides to make use of pseudonymized information.
- Joint use will require disclosure of additional elements
When a business relies on a “joint use” mechanism to share personal data with others, the current APPI requires certain matters be notified or made easily available to the data subjects. The amended APPI adds to these matters an address of the business in charge of managing the jointly used data and the name of a representative of that business. While the currently required matters are, in practice, often disclosed in a privacy notice, businesses should consider whether the updated matters are included in their notice or in a linked website easily accessible via the notice — for example, containing its business profile (e.g., “About us”). Please note that, in general, these updated matters may be changed frequently, and thus using the link method may be more convenient and can avoid frequent updates of the privacy notice.
- Matters for publication, etc., regarding ‘retained personal data’
With regard to “retained personal data,” the APPI requires certain information be made available to data subjects, which includes responding without delay to inquiries from data subjects. It is not mandatory, however, to cover all of these elements in the privacy notice. In practice, most businesses have included almost all of them in the privacy notice, but some may take the position not to and instead provide the information upon request, because disclosure and updates regarding the third element below can be complicated. The amended APPI and enforcement orders stipulate that the following matters should additionally be disclosed in the same manner.
- The address of the business and the name of a representative of the business.
- A description of the updated rights of data subjects. The APPI already imposes an obligation to explain data subject rights; the expanded rights under the amended APPI should also be reflected here.
- The security management measures in place to protect “retained personal data.” This new disclosure obligation is significant, particularly in combination with a new security safeguard required under the updated guidelines. We discuss this new obligation below.
The current guidelines list the following as the security management measures required to protect personal data: creation of a basic policy; establishment of internal rules for handling personal data; and organizational, personnel, physical and technical security safeguards. Most businesses already have such measures in place, and hence disclosing them is not a significant burden.
However, the updated guidelines introduced a new security management measure: “understanding of the external environment.” This means if a business processes personal data in a foreign country, the business must understand the foreign country's legal system of personal information protection and, paying attention to that legal system, take necessary and appropriate measures to ensure the security of personal data.
More specifically, the Q&As explain that “processing personal data in a foreign country” includes cases where a foreign branch, business establishment, employees who telework outside of Japan, a server, a processor, a sub-processor or a cloud service provider, etc., processes personal data outside of Japan. The guidelines require businesses to make available to data subjects the names of the foreign countries in which personal data is processed, and it is also recommended to explain the personal information protection systems of those countries to data subjects. In this regard, please also refer to the PPC's investigation report on 31 countries and areas, explained in the following section.
- Provision of relevant information in connection with cross-border transfer of personal data
In an earlier article, we explained the strengthened rules on the cross-border transfer of personal data under the amended APPI. In short, certain information, such as the personal information protection system of the data-importing country and the security measures taken by the data importer, must be provided to data subjects. If a business relies on the consent of data subjects as the legal ground for the cross-border transfer, this information must be provided to data subjects before obtaining their consent, and in practice it may be included in the privacy notice. If a business instead relies on the data importer having established a personal information protection system as the legal ground, the information can be provided to data subjects upon request and need not be included in the privacy notice.
This obligation does not apply to the U.K. and European Economic Area countries, since the PPC has made an adequacy decision for those regions recognizing they have an equivalent level of protection for personal data as Japan does.
The PPC is now investigating the data protection regulations of 31 foreign countries and areas: Australia, Brazil, Cambodia, Canada, China, Hong Kong, India, Indonesia, Laos, Malaysia, Mexico, Myanmar, New Zealand, the Philippines, Russia, Singapore, South Korea, Switzerland, Taiwan, Thailand, Turkey, Ukraine, the United Arab Emirates (federal, Abu Dhabi Global Market, Dubai Healthcare City, and Dubai International Financial Centre), the United States (federal, Illinois, California and New York) and Vietnam. The PPC expects to release the results by the end of 2021, and businesses can rely on those results when providing the required information to data subjects.
- Regulation of personally referable information
The amended APPI will regulate the provision to a third party of information about a living individual that does not fall under personal information, pseudonymized information or anonymized information (e.g., a person's website browsing history collected through cookies and other online identifiers, or information indicating an individual's product purchase history, service usage history, and interests and concerns). Where the recipient is likely to acquire such data as personal data, the amended APPI imposes an obligation on the data provider: the provider must confirm that the recipient has obtained the consent of the data subjects to the provision. The updated guidelines further stipulate that, before obtaining their consent, certain information must be provided to the data subjects. The details of the information to be provided will be explained in the next article, where we will outline notable aspects of the guidelines and Q&As beyond the privacy notice.