Written by Maki DePalo
Japan’s Act on Protection of Personal Information currently in force (“Current APPI”) dates back to 2003. It was enacted on May 30, 2003, and came into effect in 2005. Ten years later, in September 2015, the National Diet passed extensive reforms to modernize the Current APPI. Although the Amended Act on Protection of Personal Information (“Amended APPI”) has been partly in effect since then, it will come fully into effect on May 30, 2017.
It is important to note that the Amended APPI applies to “personal information handling business operators” which is defined as a person providing a personal information database for use in business (“Business Operators”). Although there are limited exceptions to this definition, certain obligations under the Amended APPI will apply to most businesses using a personal information database for their business in Japan, regardless of the place of incorporation.
At a high level, the Amended APPI bears some resemblance to the General Data Protection Regulation (“GDPR”). For example, most provisions of the Amended APPI will have extra-territorial application: they reach entities outside Japan that collect personal information through the supply of goods or services to individuals in Japan, even when those entities have no offices in Japan. The Amended APPI will also introduce a new cross-border data transfer framework. Under that framework, an individual’s prior consent is required for any cross-border transfer of personal data unless one of the exemptions applies. Such exemptions include the adoption of appropriate and reasonable measures, either through contractual obligations between the disclosing Business Operator and the recipient or through internal policies and rules shared among global group entities. Another exemption is based on the recipient’s certification under the APEC Cross-Border Privacy Rules (“CBPR”) framework.
In addition to the Amended APPI itself, tentative, unofficial English translations of the Cabinet Order to Enforce the Amended APPI and of the Enforcement Rules for the Amended APPI are available for reference. The guidelines and additional materials issued by the Personal Information Protection Commission (“PPC”), however, appear essential for fully understanding both the provisions of the Amended APPI and the enforcement trends, given the unique authority of the PPC.
By way of background, the PPC was established on January 1, 2016, under the partially enforced Amended APPI. The PPC’s stated mission is to protect “the rights and interests of individuals while taking into consideration proper and effective use of personal information.” Under the Current APPI, the competent Ministers have held supervisory authority over the proper handling of personal information within their particular business sectors. In contrast, the newly established PPC is uniquely situated in the Japanese legal framework, as it is designed to be an independent, comprehensive supervisory authority for personal information protection.
In its overview presentation, the PPC highlights three primary shifts in circumstances over the past ten years as the drivers of the Amended APPI: 1) increased opportunity for the use of personal data in an era of information technology development; 2) the evolution of “Big Data”; and 3) globalization. In turn, these shifts called for 1) clarification of the definition of “personal information” (augmented by the definitions of “personal data” and “retained personal data”); 2) recognition of the appropriate use of “Big Data” while still protecting personal information; and 3) rules on cross-border data transfer.
The PPC also explains that the obligations imposed on Business Operators under the Amended APPI can be viewed from four different perspectives: 1) data collection and use; 2) storage and safeguards; 3) disclosure; and 4) response to individuals’ requests and complaints. First, the data collection and use perspective imposes an obligation to disclose the “purpose of use” before data is collected, and it also covers the requirements for individual consent. The storage and safeguards perspective involves the various security measures and the vendor and third-party management obligations needed to prevent data breaches and unauthorized access to personal data. The disclosure perspective covers the specific consent requirements for third-party data sharing, the newly introduced auditability, traceability, and retention requirements, and the cross-border transfer restrictions. The final perspective requires Business Operators to respond to individuals’ requests and complaints. For example, Business Operators must disclose retained personal data upon request and must allow correction or deletion of retained personal data when that data is inaccurate. The PPC urges Business Operators to be prepared to fully explain the “purpose of use” of retained personal data when asked.
Although the PPC has issued various guidelines and additional references to clarify certain provisions of the Amended APPI, most of these guidelines and references appear to be available only in Japanese. Business Operators are advised to engage counsel familiar with the Amended APPI in order to fully understand their obligations under it and to prepare for compliance before May 30, 2017.
Read more about the Amended APPI on the PPC Information Website.