This article is written by Kazi Ashique Azfar, pursuing a Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.
Japan amended its data privacy law, the Act on Protection of Personal Information (APPI), on 5th June, 2020 as part of its “every three years” review policy, which was inserted by the 2015 amendment. The law, first enacted in 2003, has undergone several revisions over the years to keep pace with the rapid development of technology and with global standards of personal data protection. While the APPI governs the private sector, the public sector and government bodies have been governed by different laws – the Act on the Protection of Personal Information Held by Administrative Organs (APPIHAO), the Act on the Protection of Personal Information Held by Independent Administrative Agencies (APPI-IAA), and local regulations (jyorei) legislated by local governments. The Japanese cabinet, the National Diet, has submitted a draft bill implementing the amendments necessary to integrate these public-sector data protection laws into the APPI.
Continuing the past trend, this amendment to the APPI expands its scope and increases the obligations on companies to maintain transparency and to secure the personal data of Japanese residents. With these changes, including criminal penalties and increased fines for non-compliance, the APPI has come closer in line with the EU’s General Data Protection Regulation (“GDPR”). The major part of the amendment shall come into effect in 2022; however, the stricter statutory penalties have already become effective. The cabinet of Japan issued an order to enforce the amended APPI in March, 2021, and the Personal Information Protection Commission (PPC) issued the corresponding enforcement rules.
The aim and reasons behind the amendment
While the amendment was due in 2020 under the review cycle, the changes brought in are not minor routine revisions but significant updates. They result from a string of high-profile data breaches, which made it necessary for the legislature to take data privacy and cybersecurity matters seriously.
For example, Japan’s Uniqlo retail chain announced a data breach in 2019 that affected over 460,000 customers. At the same time, another critical case related to personal data was being heard in the courts. According to the Japan Times, Benesse, an education technology firm, had a data breach in which a subsidiary employee stole and sold the personal data of an estimated 29 million customers. According to Benesse, the data breach included over 35 million documents. The court stated that Benesse should have had better supervision and also found both parties liable “for damages of JPY 3,300 (approx. €27) plus 5% late charges per annum per affected individual”. Although not officially stated, these incidents are a significant reason behind the overhaul of the APPI.
The broad changes that this amendment aims to bring in are an increase in the individual’s rights over their data and a greater onus on companies to report data breaches.
Overview of the Act on Protection of Personal Information (APPI) amendments
Data subject’s rights
Under the current law, the data subject’s right to demand access, correction, deletion, and cessation of use of their personal data is restricted to personal data that is intended to be kept for six months or more. This is because “retained personal data” is defined to exclude any data that is to be erased within six months and not retained beyond that period. The amended APPI expands the definition of “retained personal data” by removing the six-month requirement, and so extends the data subject’s rights to any stored data, regardless of the retention period.
Currently, the data subject can demand cessation of use, deletion, and cessation of third-party transfer of their retained personal data only if the PIH operator (a business operator that uses a personal information database, etc. in its business) obtained the data through deceit or other improper means, or uses the data beyond the purposes notified to the data subjects. The APPI amendment again expands the scope, allowing data subjects to make the same demands if there is a risk of damage to their legitimate interests.
The amendment also changes how the disclosure of personal data (the right to access) can be demanded, by expressly allowing electronic means (e-mail). Further, data subjects will have the right to access records of transfer(s) of their personal data to third parties. Another change regarding third-party transfers stipulated in the amended APPI is the increased restriction on PIH operators’ ability to transfer personal data under an opt-out scheme.
While the provisions of the current law require the PIH operator to seek consent for data transfers, there are exceptions. The opt-out scheme is a major one: it allowed the transfer of personal data without consent by “disclosing certain matters such as the items of personal data to be transferred and the opt-out request method to the public or the data subjects” and filing with the PPC. Though this scheme did not apply to sensitive personal information, it was still an inadequacy in the law, and the amendment addresses it.
The amended APPI limits the scope of personal data that may be transferred to third parties under an opt-out scheme by prohibiting the transfer of any personal data obtained using deceit or other improper means. It also prohibits personal data that was itself received from a third party under an opt-out scheme from being transferred onward through an opt-out procedure.
The amended order and rules state that the method to confirm that the consent of the data subjects has been acquired is to obtain a declaration to that effect from the third party. They also require the PIH operator to keep, for a period of three years, a record of the fact that the consent was confirmed, the date of such confirmation, the name and address of the third party, and the categories of information provided.
The increased obligation of companies
The current law neither imposes a strict obligation on companies to report data breaches to the PPC nor requires them to notify affected data subjects of the breach. Although the law contemplates both actions, neither is mandatory. The amendment, however, will oblige companies to report data breaches to the PPC and to notify affected data subjects where their rights and interests are likely to be infringed. The details of these obligations are yet to be decided.
The amended order and rules also provide for a reporting obligation in certain circumstances when a data breach has occurred or is likely to have occurred. Reporting is mandatory in the following cases: sensitive personal information is involved; there is a risk of property damage; the breach is likely to have been committed for an illegal purpose; and more than a thousand data subjects are affected. Further, reporting to the PPC is required in two stages – a preliminary report followed by a final report. The preliminary report is to be made promptly after a potential data breach, and the final report within a month (30 days), except for a breach committed for an illegal purpose such as a cyber-attack, in which case the limit is 60 days.
Further, the current law has no provision regarding the transfer of data that is not strictly personal data but can be used to identify specific individuals indirectly. The amended APPI defines this kind of information as “Personal Related Information”; the term is vague but is understood to include cookie information and IP addresses, and the PPC can also issue guidelines specifying other kinds of information. For the transfer of information that can be used to identify a specific individual, even indirectly through reference to other data, the amendment introduces a consent-based transfer model requiring prior consent, as already applies to personal data. Additionally, in the case of transfers to foreign countries, it mandates informing the data subjects about the data protection rules and regulations of that country and ensuring that adequate measures for the protection of the personal data are in place.
The amended APPI also introduces “pseudonymised information”: data processed in such a manner that it cannot by itself be used to identify a specific individual, but can be re-identified by combining it with other data. This is introduced because of the low uptake of “Anonymous Processed Information” (which cannot be restored to identify an individual) and in the hope that the use of pseudonymised data will further innovation. It places fewer compliance obligations on companies, such as disclosure and cessation of use of the data, and is therefore seen as a way to enable companies to use such data for internal purposes.
The order and rules issued by the PPC require a standard practice for the processing of pseudonymised information. It entails the deletion or replacement of: descriptions that can be used to identify a specific individual; individual identification codes; and descriptions that could cause property damage.
Extra-territorial applicability and cross-border transfer
Although the APPI governs the collection and transfer of the personal information of data subjects residing in Japan even when the data collector is a foreign entity, under the current law the PPC has no supervisory authority over such entities, so the provision is not effective in practice. The amended law grants the PPC the power to require foreign entities to report on the status of their data processing and to issue orders on violations of the APPI. It also provides for the imposition of penalties for violation of those orders.
As already mentioned, the amended APPI requires that consent be informed consent in the case of transfers of data to a foreign country. Thus the data subject must be informed about the rules regarding personal data in that foreign country. Further, it requires that proper measures equivalent to the requirements of the APPI are taken while processing the data, and that information about the measures taken be provided on request.
At the time of obtaining consent from data subjects, the order and rules mandate providing them with the name of the country to which the data is to be transferred, that country’s personal information protection rules and regulations, and the measures taken by the foreign entity. They also oblige the company sending the data to periodically confirm the status of the personal data processing and the measures taken for its protection, the measures stipulated in case any problem arises in the processing of the data, and the measures taken by the foreign entity for continued security.
Compared to the GDPR, the penalties for violation of the APPI or non-compliance with a PPC order are very light. The amendment toughens the penalties for violation of an order in order to promote compliance. It stipulates an increase in penalties on companies up to JPY 100 million for violation of PPC orders, and the individuals responsible for the breach can also be subjected to fines and penalties. While the penalty for violating an order may be a fine of up to JPY 1 million or even imprisonment for up to a year, it also stipulates a fine of up to half a million yen for false reporting. The PPC can also publish the names of companies, both domestic and overseas, that fail to comply with an order.
After a series of high-profile data breaches, the Japanese government has brought in these amendments to ensure data security and the protection of personal data in line with the laws of other developed countries. The 2020 Amendment tightens the rules in several ways, including fines, reporting requirements, and extra-territorial compliance. However, it also provides exemptions from the APPI to further innovation through data analysis and other purposes, provided certain rules are followed.
It follows the global trend of enhancing personal data security and extending extraterritorial reach to foreign companies operating within a country’s borders.