Official Guidelines Released for Upcoming Changes to Japanese Data Privacy Law | Hogan Lovells

On August 3, 2021, Japan’s Personal Information Protection Commission (“PPC”) released its long-awaited Guidelines on the 2020 Enacted Amendments (the “2020 Amendments”) to Japan’s Personal Information Protection Act (the “APPI”). While many of the 2020 Amendments do not enter into force until April 1, 2022, they aim, among other things, to strengthen penalties (these amendments entered into force in 2020), to introduce mandatory reporting of certain breaches, to strengthen the extraterritorial application of the APPI, and to expand the scope of data protected by the APPI.

Although the Japanese government passed a Cabinet Order and Commission Rules in March 2021 (see our previous article for details, here), it remained unclear what regulatory approaches could be taken in practice with respect to certain aspects of the 2020 Amendments. The newly released Guidelines (in Japanese only) are intended to provide clarification in this regard, as well as to clarify other uncertainties arising from the existing APPI. A summary of the clarifications found in the Guidelines is presented below.

Extraterritorial application

Foreign companies located outside of Japan doing business in Japan should take note of the extraterritorial application of the APPI following the 2020 Amendments. Application of the APPI will extend to all entities in a foreign country that process personal information, personally referable information*, information processed under a pseudonym* or information processed anonymously* that relates to data subjects in Japan, with respect to the supply of goods or services to any data subject in Japan. The existing APPI only applies to companies that have obtained personal information directly from data subjects in Japan in connection with the provision of goods or services.

Important and useful details

The Guidelines address, among others, the following important issues that companies doing business in Japan should consider.

  • Mandatory reporting of breaches. Reporting to the PPC (or to a designated authority depending on the reporter, e.g. in the case of a notified/registered telecom operator) and to data subjects in the event of a breach is a new regulation for Japan, and the standard for mandatory reporting is quite different from that for voluntary reporting under the current APPI. The Guidelines aim to specify as far as possible the conditions that trigger the reporting obligations. For example, applicable cases of data leakage, loss or damage are explained (for instance, if personal data is secured by a sophisticated encryption system, the leakage of such data will not require reporting). In addition, they set out the measures to be taken in the event of an incident of this type, including (a) internal communication and protective measures so that the incident does not spread, (b) an investigation of the facts and causes, (c) identification of the affected scope, (d) investigation and implementation of measures to prevent recurrence, and (e) the reporting obligation described above.
  • New categories of information. The Guidelines show how to define, use, process and share information processed under a pseudonym and personally referable information (collectively referred to as “linked personal information”). These are two new categories of information introduced by the 2020 Amendments to help protect personal information or to facilitate the use of big data.
    • Personally Referable Information. There is still no clear specific requirement for a cookie policy. However, the Guidelines make it clear that an individual’s browsing history obtained via cookies, as well as an individual’s location data, purchase history and preferences, are examples of personally referable information, unless the information falls within the scope of personal information, information processed under a pseudonym, or information processed anonymously. The Guidelines specify, to some extent, in what situations a business operator is required to confirm, before sharing information with third parties, whether data subjects consent to such third parties receiving their information, how such consents should be obtained and how the operator must confirm these consents. The Guidelines state, for example, that such confirmation is generally not required where the third party will not use (for example, where a contract prohibits the third party from using) the personally referable information transferred to it in combination with other available information that would enable the third party to identify a data subject, and that a business operator wishing to transfer personal information to third parties may obtain data subject consent on behalf of such third parties.
    • Information processed under a pseudonym. The Guidelines clarify certain obligations and other details relating to the processing of information processed under a pseudonym. Under the current APPI it is relatively difficult to use the existing system of anonymized information (compared to other jurisdictions) due to the high standards that must be met for data to be recognised as information processed anonymously. These clarifications for information processed under a pseudonym will help make the use of big data a little easier.
  • Clarity on data transfer obligations. The Guidelines provide further details on the new obligations for transferring data to third parties or internationally, for example by describing the verification obligations before the transfer of data and the transparency required when obtaining the consent of the data subject. Business operators may still find that disclosing the required information to a data subject when obtaining their consent for international data transfers can be a demanding task. The same applies to the task of disclosing information at the request of a data subject when, for example, an international data transfer has been implemented without the consent of the data subject, on the basis of a data transfer agreement. There are also still uncertainties or unresolved practical issues regarding data transfers, which may require further clarification or assistance from the PPC. For example, depending on the countries to which the personal data is transferred, a business operator may have to expend considerable effort to provide the required information to a data subject, including by investigating the privacy protection systems in foreign countries. The PPC plans to publish information about privacy protection systems in certain foreign countries, which should be helpful for this purpose (more details on this may be available later this year).
  • Extended data subject rights. The Guidelines describe how to handle requests based on individuals’ rights as expanded by the 2020 Amendments, such as requests to stop using their data or to delete stored data.
  • Other details. The Guidelines contain further examples of how to specify the purpose of the use of personal information, and they specify that the publication of the name of an entity that does not comply with the APPI is a possible administrative sanction.

More APPI changes are coming soon

Now that the PPC has provided guidance for implementing the 2020 Amendments, companies that were taking a wait-and-see approach should update their compliance programs. Particular areas to consider when assessing the impact of the Guidelines on business practices are internal reporting systems and personal information privacy policies in relation to the Japanese market. In addition, it is likely that designated authorities for particular business sectors (e.g. finance, telecommunications), and perhaps the PPC, will continue to issue guidance to facilitate compliance.

On May 19, 2021, the Japanese government announced further changes to the APPI (the “2021 Amendments”). The 2021 Amendments seek to integrate separately enacted data protection laws for government agencies, national hospitals, national universities and other independent administrative institutions with the APPI, and to stipulate common nationwide rules for local governments. The 2021 Amendments have been enacted, but the exact date they will come into force has not yet been decided (this should be within 1-2 years of enactment). The guidelines for the 2021 Amendments are currently open for public comment.

* The English terms “Personally Referable Information”, “Pseudonymously Processed Information” and “Anonymously Processed Information” are English translations prepared by the PPC – please see here for the PPC’s English translation of the APPI Amendment Act which enacts the 2020 Amendments.
