Official Guidelines issued for Japan’s upcoming data privacy law amendments

On 3 August 2021, Japan's Personal Information Protection Commission (“PPC”) published its long-awaited Guidelines on amendments enacted in 2020 (the “2020 amendments”) to Japan’s Act on the Protection of Personal Information (the “APPI”). While many of the 2020 amendments do not take effect until 1 April 2022, they aim to, among other things, strengthen penalties (these amendments took effect in 2020), introduce mandatory reporting of certain breaches, strengthen the extraterritorial application of the APPI, and expand the scope of data that is protected under the APPI.

Although the Japanese government adopted a Cabinet Order and Commission Rules in March 2021 (see our previous article for details), it remained unclear what regulatory approaches may be adopted in practice with respect to certain aspects of the 2020 amendments. The newly released Guidelines (Japanese only) aim to provide clarity in this respect as well as to clarify other uncertainties arising under the existing APPI. A summary of clarifications found in the Guidelines is below.

Extraterritorial application

Foreign companies located outside Japan doing business in Japan should take note of the extraterritorial application of the APPI following the 2020 amendments. The Guidelines make it clear that once the 2020 amendments take effect, the APPI’s application will expand to all entities in a foreign country handling any personal information, Personally Referable Information*, Pseudonymously Processed Information* or Anonymously Processed Information* that relates to data subjects in Japan, in relation to the supply of goods or services to any data subjects in Japan. The existing APPI applies to only those companies that have obtained personal information directly from data subjects in Japan in relation to the supply of goods or services to them.

Important and useful clarifications

The Guidelines address, among other things, the following important matters which companies doing business in Japan should take note of.

  • Mandatory breach reporting. Reporting to the PPC (or a designated authority depending on the reporter, e.g., in case of a notified/registered telecommunication business operator) and data subjects in the event of a breach is a new regulation for Japan, and the standard for mandatory reporting is quite different from that of voluntary reporting under the current APPI. The Guidelines aim to specify as much as possible the conditions that trigger reporting obligations. For example, the applicable cases of leakage and loss or damage of data are explained (e.g., if personal data is secured by a sophisticated encryption system, leakage of that data will not require a report). Further, they set out the measures required to be taken in the event of any such incident, including (a) internal communication and protective measures to prevent the incident from spreading, (b) investigation of the facts and causes, (c) identification of the affected scope, (d) consideration and implementation of measures to prevent recurrence, as well as (e) the reporting obligation above.
  • New categories of Information. The Guidelines show how to define, use, process and share Pseudonymously Processed Information and Personally Referable Information (which are together referred to as “Personal Related Information”). These are two new categories of information introduced by the 2020 amendments to assist in the protection of Personal Information or to utilize big data conveniently.
    • Personally Referable Information. There is still no clear specific requirement for a cookie policy. However, the Guidelines make it clear that an individual’s browsing history obtained via cookies as well as an individual’s location data, purchase history, and preferences are examples of Personally Referable Information, unless the information falls within the scope of Personal Information, Pseudonymously Processed Information, or Anonymously Processed Information. The Guidelines clarify, to some extent, in what situations a business operator is required to confirm, before sharing information with third parties, whether data subjects consent to those third parties receiving their information, how such consents should be obtained, and how the business operator should confirm such consents. The Guidelines indicate, for example, that such confirmation is not generally required where the third party will not use (e.g., where a contract prohibits the third party from using) Personally Referable Information transferred to it together with other available information which enables the third party to identify a data subject, and that a business operator who wishes to transfer Personally Referable Information to third parties may obtain consent to do so from data subjects on behalf of those third parties.
    • Pseudonymously Processed Information. The Guidelines clarify certain obligations and other details relating to the handling of Pseudonymously Processed Information. Under the current APPI, it is relatively difficult to use the existing system of Anonymously Processed Information (compared to other jurisdictions) due to the high standards that must be met for data to be recognized as Anonymously Processed Information. These clarifications on Pseudonymously Processed Information will help to make it slightly easier to use big data.
  • Clarity on data transfer obligations. The Guidelines provide further details on the new obligations for transferring data to third parties or internationally, for example by describing verification obligations before transferring data and transparency when obtaining data subject consent. Business operators may still find that disclosing required information to a data subject when obtaining their consent for international data transfers can be a demanding task. The same may be said for the task of disclosing information upon a data subject's request where, for example, an international data transfer has been implemented without the data subject's consent, based on a data transfer agreement. There are also still some uncertainties or unsolved practical issues relating to data transfers, which may require further clarification or assistance from the PPC. For example, depending on the countries to which personal data is transferred, a business operator may need to make substantial efforts to provide the required information to a data subject, including investigating the privacy protection systems in the foreign countries. The PPC plans to publish information on the privacy systems in some foreign countries which should be of some assistance for this purpose (more details on this may be made available later this year).
  • Expanded rights of data subjects. The Guidelines describe how to handle claims based on the expanded rights of individuals due to the 2020 amendments, such as claims to cease use of their data or to delete stored data.
  • Other clarifications. The Guidelines contain further examples on how to specify the purpose of use of Personal Information, and they clarify that the publication of the name of an entity that is not complying with the APPI is a possible administrative sanction.

Further amendments to the APPI are coming

Now that the PPC has provided Guidelines related to implementation of the 2020 amendments, companies that were taking a wait-and-see approach should proceed to update their compliance programs. Particular areas to take into account when considering how the Guidelines will impact company practices are internal reporting systems and privacy policies for personal information in relation to the Japanese market. Further, it is likely that the designated authorities for special business sectors (e.g., finance, telecommunication), and possibly the PPC, will continue to publish guidance to aid with compliance.

On 19 May 2021, the Japanese government announced further amendments to the APPI (the “2021 amendments”). The amendments aim to integrate the separately enacted data protection laws for governmental bodies, national hospitals, national universities, and other independent administrative institutions, with the APPI, and to stipulate nationwide common rules for local governments. The 2021 amendments have been enacted but the exact date on which they will take effect has not been decided yet (it must be within 1 to 2 years of their enactment). The guidelines for the 2021 amendments are currently open for public opinion.

* The English terms “Personally Referable Information”, “Pseudonymously Processed Information”, and “Anonymously Processed Information” are English translations prepared by the PPC – please see here for the PPC’s English translation of the Act to Amend the APPI which enacts the 2020 amendments.

 

Authored by Hiroto Imai and Mizue Kakiuchi.

 


 

This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.
