Japan’s Amended Privacy Law Creates New Categories of Regulated Personal Information and Cross-Border Transfer Requirements – Privacy

The amended law takes effect in April and covers new categories of personal information, including related personal information and sensitive personal information.

In June 2021, Japan enacted an amendment to its privacy and data protection law, the Personal Information Protection Act (“APPI”). The new APPI requirements and obligations come into effect next month, in April 2022, and companies operating in Japan, or processing personal information from or located in Japan, should review and update their privacy policies and procedures to ensure they comply with the changes.

The APPI was originally passed in 2003, making it one of the first omnibus privacy and data protection laws to be enacted. Since 2003, the law has been amended several times, adjusting it to current trends in privacy law and imposing more restrictions on businesses, while granting more rights to consumers.

This most recent amendment to the APPI largely focused on further regulating cross-border data transfers (requiring opt-in consent) and on creating new categories of information regulated by the law (such as related personal information).

Below is a summary of the key changes businesses should be aware of.

Scope of the APPI

To understand the impact of the new amendments to the APPI, it is important to understand the full scope of the law itself.

A company need not operate directly in Japan to fall within the scope of the APPI. Instead, the APPI applies to and regulates the privacy and data protection activities of any company deemed to be a business operator handling personal information. A “personal information processor business operator” includes any business that uses a database of personal information for a business purpose. Under the APPI, a “personal information database” essentially includes any collection of personal information that is organized in such a way that specific personal information can be retrieved by computer.

Generally, any business that receives or collects Japanese personal information in the course of providing services or products to individuals located in Japan will be subject to the APPI, whether or not the business itself is located in Japan.

Further, “personal information” within the meaning of the APPI includes any information that either (i) can identify an individual or (ii) contains an “individual identification code”. This second category covers computer-generated numbers, symbols or codes that represent a bodily characteristic and are used to identify a person (e.g., a fingerprint scan), as well as any number, symbol or other unique identifier assigned to a service or product provided to an individual in order to identify that individual.

Although the scope of the APPI is narrower than other omnibus privacy and data protection laws (such as the EU General Data Protection Regulation), the APPI remains generally applicable to consumer-facing businesses operating in Japan.

Cross-Border Data Transfer

One of the most significant changes under the APPI amendments is the new set of requirements for businesses that transfer personal information from Japan to another location.

From April 2022, companies subject to the APPI must either (i) obtain an individual’s consent before transferring that individual’s personal information to a location outside of Japan, or (ii) establish a personal information protection system with the party receiving the personal information in the foreign jurisdiction.

For opt-in consent to be effective, the individual must, at the time they consent to the transfer, be informed of the privacy and data protection laws of the country to which the personal information is transferred, of the safeguards and measures the company has implemented and maintains to protect the personal information, and of any other information deemed necessary by Japan’s Personal Information Protection Commission in its implementing regulations or guidelines.

Additionally, if the personal information that is subject to a cross-border transfer is further transferred to a third party in that foreign country, the business must ensure that the third party complies with the safeguards and measures that the business set out in its notice to the individual.

Under the personal information protection system option, a company transferring personal information from Japan to another country must sign a contract with the foreign recipient of the personal information. For example, if a company transfers personal information to the United States and to a third-party processor based in the United States, it will need to implement contractual guarantees that the third party meets the required safeguards. The safeguards included in such a contract must set out the “necessary measures” obliging the receiving party to treat the personal information in accordance with the APPI.

Sensitive information

The amended APPI also introduces new categories of regulated information; one of them is sensitive personal information, called “personal information requiring special attention”.

Under the APPI, sensitive personal information includes any information about race, creed, social status, medical history, criminal record, crime victim history, or any other information that could lead to discrimination or social disadvantage. The APPI’s definition of sensitive personal information focuses heavily on social and ethnic information that could lead to discrimination. This is narrower than the definitions in other omnibus privacy and data protection laws, which cover such information but also financial information, biometric information and/or location information.

Companies subject to the APPI may not collect or use an individual’s sensitive personal information without first obtaining that individual’s consent.

Related personal information

A second new category of information added by the amended APPI is related personal information. “Related personal information” includes any information relating to an individual that does not fall within the scope of personal information, pseudonymous information or anonymous information.

What differentiates related personal information from information outside the scope of the APPI is that related personal information can still be used to identify an individual if it is linked to other information. Although the APPI gives no specific examples, cookies and IP addresses would likely fall into this category.

As with personal information, no opt-in consent is required before a company collects related personal information. Instead, notice and choice, in the form of a privacy policy that properly describes the purposes for which the information is collected, is sufficient.

Pseudonymous information

Another new concept contemplated by the amended APPI (in line with most other omnibus privacy and data protection regulations) is pseudonymous information. Such a category of information was not originally envisaged under the APPI.

Pseudonymous information under the amended APPI includes information that relates to an individual but is processed in a way that does not identify a specific individual unless it is linked to other information that could identify that individual. Consequently, pseudonymous information is treated as personal information if it is linked to identifying information (i.e., stored together with personal information).

Specifically, the amended APPI sets out the only methods by which personal information can be converted into pseudonymous information. There are three: (i) removing all descriptions or information that identify a specific person; (ii) deleting all individual identification codes; or (iii) removing any descriptions that would cause economic harm if breached.

The APPI’s amended definition of pseudonymous information is broader than related concepts frequently used in other omnibus privacy and data protection laws, such as anonymized information.

Data Breach Notification

In both its original form and its most recent pre-amendment version, the APPI did not require mandatory data breach notification to the Personal Information Protection Commission.

However, under the recently amended APPI, companies within the scope of the law must report a data breach to the Personal Information Protection Commission if the breach involves: (i) sensitive information; (ii) data whose compromise could result in significant economic loss (e.g., financial information); (iii) an “unfair purpose”, such as personal information stolen by ransomware; or (iv) the personal information of more than 1,000 individuals.

A company must “promptly” provide an initial notification to the Personal Information Protection Commission. A second and final notification is then required within 60 days if the breach involves the personal information of more than 1,000 individuals, or within 30 days if the breach falls into one of the other three categories listed above.

The final notification should provide the Personal Information Protection Commission with a summary of the incident, the categories of personal information involved, the total number of individuals affected, the root cause, the extent of the damage (including any consequential damage that may result) and any actions taken since the data breach.

Although the penalties and fines under the current APPI are lower than those under other omnibus privacy and data protection laws, the amended APPI introduces new penalties and fines for businesses whose employees fraudulently disclose or use personal information. The fine that can be imposed on a business for such a violation is $930,000, with additional fines possible against the individual who committed the fraudulent act.

Takeaways

Companies that operate in Japan or that process personal information from Japan should review their privacy policies and procedures and make any necessary updates. This review and update process should be completed before April 2022.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.