Possible amendments to Japan’s Act on the Protection of Personal Information in 2019
July 2019 | EXPERT BRIEFING | DATA PRIVACY
On 25 April 2019, the Personal Information Protection Commission of Japan (PPC) published an interim report called “Interim report on the so-called review of APPI every three years”. The Act on the Protection of Personal Information (APPI), which was revised in 2015, was fully enforced on 30 May 2017. A rule to review the APPI every three years was established by Revision Act Supplementary Provisions, Article 12, Paragraph 3. During the review, 12 committees discussed various issues and summarised domestic and foreign policies, technologies and the state of affairs of industries concerning personal information protection, and conducted interviews with eight economic organisations. As a result of this consultation, the APPI may be amended in 2019 or 2020.
The interim report does not indicate a definite direction regarding the review of each issue, stating that further consideration is required. However, it points out four perspectives, which also serve as reference points for the possible direction of future study in each three-year review. First, a review must be conducted based on the expectation that there will be an increase in the handling of personal information. Second, the necessity of the review must be based on protecting and using personal information. Third, international harmonisation and coordination must be taken into account. Fourth, the APPI must be able to respond to changes to the risks which a data subject faces due to services that overseas operators use and the complexity of supply chains in cross-border businesses which handle personal information.
In addition to these four considerations, the interim report also stresses the importance of the ‘voluntary efforts’ of business operators, in line with actual business conditions, in the review of the current data protection system.
The interim report covers six main points, which are discussed below.
The interim report points out the necessity of carefully considering the involvement and opinions of data subjects in the handling of personal information, while at the same time paying attention to the multifaceted examination of various issues, such as the burden on employers. Specifically, with respect to a data subject’s request for disclosure, it is necessary to consider the possibility of providing information in a digital format given that, under existing laws, disclosure is by ‘delivery of documents’ in principle.
As for ‘data portability’, the interim report only mentions that it is necessary to keep an eye on the evolution of discussions, as the discussions are being conducted in various places.
In addition, under the current law, the cessation of use or the deletion of retained personal data is not permitted merely at the request of the data subject; it is only permitted if the personal data was used for purposes other than the purposes notified, it was published to data subjects or was collected by deceit or other improper means. However, the interim report states the need to consider the issue of the broadening of individual rights. If the rights to request the cessation of use and deletion of personal data are broadened, the burden on business operators handling personal information may increase. That said, the interim report makes no specific reference to how these rights may be broadened, thus further discussion is anticipated.
Under the current law, submitting a data breach report to the PPC is merely a “duty to make an effort”. However, the interim report stresses the need to make it a legal obligation because a data breach report is how the PPC becomes aware of the data breach and is able to protect the rights and interests of data subjects. The discussion on the reporting obligation involves various issues, such as the type of incidents to be covered or excluded, mandatory deadlines, and whether or not notification to data subjects will be required. These issues are treated as open issues in the interim report which require further discussion.
The interim report mentions that the PPC needs to consider a mechanism to promote voluntary efforts by private companies in light of the purpose of the law, evolving business models and technological innovation. In this regard, the interim report stipulates the following points: (i) enhancement of accredited personal information protection organisations, which are corporations which render certain services stipulated in the APPI, in order to ensure the proper handling of personal information by a personal information handling business operator; and (ii) further consideration in promoting the voluntary appointment of an officer in charge of data protection and privacy impact assessment (PIA).
The term ‘anonymously processed information’ refers to information relating to an individual that can be produced from processing personal information so as neither to be able to identify a specific individual nor to be able to recreate personal information by meeting the requirements stipulated in the APPI. In order to appropriately promote various uses of ‘anonymously processed information’, the interim report mentions the necessity of publishing model cases and best practice with regard to the utilisation of anonymously processed information.
In addition, the interim report also considers the need for a balanced review regarding the introduction of ‘pseudonymisations’ (which currently does not exist in the APPI), dealing with data utilisation given the progress of technology and dealing with targeted advertisements. In this regard, there may be various ways of defining and dealing with pseudonymisation, including an exclusion from the right of access and right of cessation of use or deletion of retained personal data, although no specific direction has been given. With regard to targeted advertising, currently there are no specific regulations on targeted advertising or cookies under the APPI. (Note that the current APPI may be applicable to cookies and targeted advertising in some cases. For example, if a cookie used for targeted advertising is linked with the personal information of a user who logged into the service, the cookie is regarded as personal information, and the APPI will apply). The interim report points to the possibility of regulating cookies, including the possibility of clearly defining cookies which are not linked with other personal information as personal information. However, the report notes that careful consideration must be made regarding the necessity of regulating cookies because of the significant impact of such a regulation in practice.
Under the APPI, currently, if a personal information handling operator breaches an order of the PPC, which has been issued as part of an administrative sanction, it may be subject to imprisonment of up to six months or a fine of up to ¥300,000. However, the PPC has not made any such order and, therefore, such a penalty has never been imposed. In practice, the PPC uses guidance or advice instead of issuing an order, and a personal information handling operator will typically follow the guidance or advice.
However, the interim report points out the global trend of strengthening penalties, including the European Union’s (EU’s) General Data Protection Regulation (GDPR). The interim report also mentions that the PPC will consider raising penalties and introducing other mechanisms, including surcharges. However, strengthening the penalty has had a major business impact. The interim report raises the possibility of further consideration from various viewpoints, such as whether it is an appropriate measure to achieve the intended purpose.
The previous revision of the APPI clarified that it could even apply to an operator in a foreign country that is handling personal information, except they would not face provisions on reporting to, on-site inspection by, and issuance of orders by the PPC. The interim report states that the scope and enforcement method of exterritorial applications are expected to be considered based on the state of enforcement of current regulations under the previous revision and from the viewpoint of securing equality between local companies and foreign companies.
As for cross-border transfers, the interim report points out the existence of data localisation regulations and access to data by the government in some jurisdictions. However, it also raises the importance of the global free flow of data and the necessity of changing regulations in this regard.
The contents of the review of the APPI every three years will be further developed by the PPC, based on public comments, as well as solicited opinions of and interviews with experts. All the issues discussed published in the interim report may affect the implementation and practical aspects of the APPI; thus we need to keep an eye on further developments.
Hiroyuki Tanaka is a partner and Noboru Kitayama is an associate at Mori Hamada & Matsumoto (Japan). Mr Tanaka can be contacted on +81 3 6266 8597 or by email: firstname.lastname@example.org. Mr Kitayama can be contacted on +81 3 6266 8931 or by email: email@example.com.
© Financier Worldwide
Hiroyuki Tanaka and Noboru Kitayama
Mori Hamada & Matsumoto (Japan)