Although the Japanese government adopted a Cabinet Order and Commission Rules in March 2021 (see our previous article for details, here), what regulatory approaches may be adopted in practice with respect to certain aspects of the 2020 amendments remained unclear. The newly released Guidelines (Japanese only) aim to provide clarity in this respect as well as to clarify other uncertainties arising under the existing APPI. A summary of clarifications found in the Guidelines is below.
Foreign companies located outside Japan doing business in Japan should take note of the extraterritorial application of the APPI following the 2020 amendments. The Guidelines make it clear that once the 2020 amendments take effect, the APPI’s application will expand to all entities in a foreign country handling any personal information, Personally Referable Information*, Pseudonymously Processed Information* or Anonymously Processed Information* that relates to data subjects in Japan, in relation to the supply of goods or services to any data subjects in Japan. The existing APPI applies to only those companies that have obtained personal information directly from data subjects in Japan in relation to the supply of goods or services to them.
Important and useful clarifications
The Guidelines address, among other things, the following important matters which companies doing business in Japan should take note of.
- Mandatory breach reporting. Reporting to the PPC (or a designated authority depending on the reporter, e.g., in case of a notified/registered telecommunication business operator) and data subjects in the event of a breach is a new regulation for Japan, and the standard for mandatory reporting is quite different from that of voluntary reporting under the current APPI. The Guidelines aim to specify as much as possible the conditions that trigger reporting obligations. For example, the applicable cases of leakage and loss or damage of data are explained (e.g., if personal data is secured by a sophisticated encryption system, leakage of that data will not require a report). Further, they set out the measures required to be taken in the event of any such incident, including (a) communicating internally and taking protective measures so that the incident does not spread, (b) investigating the facts and causes, (c) identifying the affected scope, (d) studying and implementing measures to prevent recurrence, as well as (e) the reporting obligation above.
- New categories of Information. The Guidelines show how to define, use, process and share Pseudonymously Processed Information and Personally Referable Information (which are together referred to as “Personal Related Information”). These are two new categories of information introduced by the 2020 amendments to assist in the protection of Personal Information or to utilize big data conveniently.
- Pseudonymously Processed Information. The Guidelines clarify certain obligations and other details relating to the handling of Pseudonymously Processed Information. Under the current APPI, it is relatively difficult to use the existing system of Anonymously Processed Information (compared to other jurisdictions) due to the high standards that must be met for data to be recognized as Anonymously Processed Information. These clarifications on Pseudonymously Processed Information will help to make it slightly easier to use big data.
- Clarity on data transfer obligations. The Guidelines provide further details on the new obligations for transferring data to third parties or internationally, for example by describing verification obligations before transferring data and transparency when obtaining data subject consent. Business operators may still find that disclosing required information to a data subject when obtaining their consent for international data transfers can be a demanding task. The same may be said for the task of disclosing information upon a data subject's request where, for example, an international data transfer has been implemented without the data subject's consent, based on a data transfer agreement. There are also still some uncertainties or unsolved practical issues relating to data transfers, which may require further clarification or assistance from the PPC. For example, depending on the countries to which personal data is transferred, a business operator may need to make substantial efforts to provide the required information to a data subject, including investigating the privacy protection systems in the foreign countries. The PPC plans to publish information on the privacy systems in some foreign countries, which should be of some assistance for this purpose (more details on this may be made available later this year).
- Expanded rights of data subjects. The Guidelines describe how to handle claims based on the expanded rights of individuals due to the 2020 amendments, such as claims to cease use of their data or to delete stored data.
- Other clarifications. The Guidelines contain further examples on how to specify the purpose of use of Personal Information, and they clarify that the publication of the name of an entity that is not complying with the APPI is a possible administrative sanction.
Further amendments to the APPI are coming
Now that the PPC has provided Guidelines related to implementation of the 2020 amendments, companies that were taking a wait-and-see approach should proceed to update their compliance programs. Particular areas to take into account when considering how the Guidelines will impact company practices are internal reporting systems and privacy policies for personal information in relation to the Japanese market. Further, it is likely that the designated authorities for special business sectors (e.g., finance, telecommunication), and possibly the PPC, will continue to publish guidance to aid with compliance.
On 19 May 2021, the Japanese government announced further amendments to the APPI (the “2021 amendments”). The amendments aim to integrate the separately enacted data protection laws for governmental bodies, national hospitals, national universities, and other independent administrative institutions, with the APPI, and to stipulate nationwide common rules for local governments. The 2021 amendments have been enacted but the exact date on which they will take effect has not been decided yet (it must be within 1 to 2 years of their enactment). The guidelines for the 2021 amendments are currently open for public opinion.
* The English terms “Personally Referable Information”, “Pseudonymously Processed Information”, and “Anonymously Processed Information” are English translations prepared by the PPC – please see here for the PPC’s English translation of the Act to Amend the APPI which enacts the 2020 amendments.
Authored by Hiroto Imai and Mizue Kakiuchi.