Japan’s Act on Protection of Personal Information comes into effect on May 30
Japan’s Act on Protection of Personal Information (“APPI”), one of Asia’s oldest data protection laws, was originally created in 2003, and came into effect in 2005. Over the following decade, developments in information technology and the globalization of data have had the effect of aging the APPI and shifting it out of line with internationally accepted standards. Changes to the APPI were passed by the Diet in September 2015; some provisions, mainly those establishing and governing the Personal Information Protection Commission, are in force, and the remaining provisions are taking effect on May 30, 2017.
Key provisions of the APPI that are covered in this article are as follows:
- Creation of the Personal Information Protection Commission
- Expansion of the scope of “Personal Information”
- New category of “Sensitive Personal Information”
- New category of “Anonymized Information”
- Record keeping
- Elimination of small enterprise exemption
- Cross-border transfer restrictions
Additional topics worth noting include the introduction of criminal liability (comparatively low penalties) and the continued lack of specific requirements for the appointment of a data protection officer.
Creation of the Personal Information Protection Commission
Under the 2005 regime, personal information protection falls under the remit of national ministries based on business sectors, often resulting in overlapping jurisdiction over the private sector, lack of clarity as to how to comply with the APPI, and a data protection regime that is not uniformly or strongly enforced.
The “My Number Act” of 2013 established a central data protection authority called the Specific Personal Information Protection Commission with limited powers to oversee protection and use of the new social security numbers, in addition to the sector-specific ministries.
The amended APPI restructures this limited-purview commission to form the new Personal Information Protection Commission (PPC), which has assumed centralized data protection authority over all sectors from the ministries as of January 1, 2016.
Expansion of the scope of “Personal Information”
Previously, the APPI defined personal information as only the name, address, and date of birth. The amended APPI seeks to be more comprehensive by including any “personal identifier code”, referring to biometric information (e.g., DNA sequences, fingerprints, facial appearance), specific identifier numbers (e.g., passport and driver’s license, resident cards, “My Number”), other IDs uniquely assigned to an individual (e.g., health care cards, credit cards), and any codes the PPC might designate in the future as being equivalent to the prior categories.
Note that for now, unlike the European General Data Protection Regulation (GDPR), the APPI only includes codes assigned to individuals, not to devices (e.g., IP addresses, mobile subscription identification numbers).
New category of “Sensitive Personal Information”
The concept of “Sensitive Personal Information” has been added to the amended APPI. Sensitive information includes information about a person’s race, religious beliefs, social status, medical history, criminal record, any crimes a person has been a victim of, and any other information that might cause the person to be discriminated against.
The provision of sensitive information to third parties is subject to a higher level of scrutiny. Prior consent is required from the individual whose sensitive information would be given to a third party.
New category of “Anonymized Information”
In addition to sensitive information, the amended APPI also introduces “Anonymized Information”, referring to any information about individuals from which all personal information, and all personal identifier codes, have been removed, making it impossible to re-identify the data subject. In essence, anonymized information no longer constitutes personal information.
Record keeping
To improve the traceability of personal information shared between businesses, the amended APPI requires businesses to keep records of how or from whom they obtained personal information and to whom they transferred personal information. The transfer records must be kept for a period specified by the Commission; the retention period is currently generally three years.
Elimination of small enterprise exemption
Under the 2005 regime, enterprises which held the personal information of not more than 5,000 individuals were exempted from the APPI. This exemption has been dropped.
Cross-border transfer restrictions
Under the amended APPI, a transfer of personal information to a third party in a foreign country is permitted in only three cases. First, the transfer is to a country that the PPC has designated as having an acceptable level of data protection (there are none currently). Second, the same level of data protection as in Japan has been ensured (e.g., through a data transfer agreement imposing the requirements of the APPI on the transferee). Third, the individual has consented to the transfer.
Note that Japan is part of the APEC Cross Border Privacy Rules (CBPR) system, so it is deemed that compliance with the CBPR system is an efficient way for companies to establish the requisite systemic protections to transfer personal information internationally.
An offshore company which acquires personal information of individuals in Japan for the purpose of supplying goods or services to those persons will be subject to the APPI even if it does not handle any personal information in Japan.