Japan: Pseudonymization under the 2020 Amendments to APPI

The recent Amendments to the Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2015) ('APPI'), which were introduced in 2020 ('the 2020 Amendments'), came into force on 1 April 2022. The 2020 Amendments introduce a new concept of 'pseudonymization' to Japanese privacy law and rules on how such information should be handled. Kensaku Takase and Hayato Higa, from Baker McKenzie's Tokyo IP Tech practice group, outline how pseudonymized information can be utilized under the APPI and the rules businesses need to be aware of in order to remain compliant with the amendments.


Background and context

While pseudonymized information exists as a concept in other jurisdictions, the ways in which it can be handled under the 2020 Amendments are unique to Japan and quite narrow. There are various benefits to utilizing pseudonymized information, which are outlined in this article. However, there are significant limitations, particularly that pseudonymized information can only be used for internal purposes within a business, and cannot be transferred to third parties. Therefore, businesses that wish to utilize pseudonymized data need to carefully understand the amendments, and what they do and do not allow.

Quick overview of types of personal information under the APPI

Under the APPI, there are several key terms with respect to personal information, such as personal information, personal data, and sensitive data. In addition, the APPI stipulates different types of data that are distinguished from personal information, including anonymized and pseudonymized information.

Anonymized information was introduced to the APPI in 2017. Anonymized information is defined as information which is redacted to prevent identification of individuals pursuant to the relevant regulations. For data to be considered 'anonymized', it is important that such data cannot be restored. As such, anonymized information is not considered personal information, and is subject to different requirements from those applicable to personal information. For instance, anonymized information may be transferred to third parties without the data subject's consent, as long as the business complies with certain disclosure requirements.

One of the key drawbacks of anonymized information under the APPI is that, for the data to be treated as 'anonymized', data subjects need to have been put on notice (for example, through publication on a website) that their data would be 'anonymized' before the anonymization takes place. This can be practically challenging for many businesses.

Background of introduction of pseudonymized information

Given the hurdles of utilizing anonymized information mentioned above, the uptake in the use of anonymized information has not been as significant as originally expected.

It has been intended by the Japanese government that the APPI will evolve to balance the protection and use of personal information. With technological innovation associated with personal information contributing to both economic growth on the one hand and protection of an individual's rights on the other, the concept of pseudonymized information has been introduced to encourage businesses to more easily and readily process personal data sets in their possession, beyond the scope of what those data sets were originally obtained for.

Outline of the requirements to handle pseudonymized information

Pseudonymized information is defined as information relating to an individual that has been processed by erasing or replacing all, or part of, identifiers of personal information in such a manner that the individual is no longer identifiable unless it is combined with other information. The APPI sets out that pseudonymized information can be created using the following methods to delete or replace:

  • a whole, or part of, those descriptions which can identify a specific individual contained in personal information, such as names (for example, replacing names, addresses, and other similar information with a random string of characters);

  • all individual identification codes contained in personal information; or

  • descriptions contained in personal information that are likely to cause property damage, such as credit card numbers.
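
The three methods listed above, sketched in Python as an added example (not code from the article or from any official guidance). The field names and the category each is assigned to are assumptions for illustration, and the sample records are constructed.

```python
import secrets

# Hypothetical field names, grouped by the three categories listed above.
DESCRIPTIVE = {"name", "address"}            # descriptions identifying an individual
ID_CODES = {"passport_no", "licence_no"}     # individual identification codes
PROPERTY_RISK = {"card_number"}              # e.g. credit card numbers


class Pseudonymizer:
    def __init__(self):
        # (field, original value) -> token. This table is the "other
        # information" that re-links tokens to people, so it must be stored
        # apart from the pseudonymized records under stricter access control.
        self._table = {}

    def _token(self, field, value):
        key = (field, value)
        if key not in self._table:
            # Random rather than a hash of the value: a plain hash of a name
            # can be reversed by hashing candidate names.
            self._table[key] = secrets.token_hex(8)
        return self._table[key]

    def pseudonymize(self, record):
        out = {}
        for field, value in record.items():
            if field in ID_CODES or field in PROPERTY_RISK:
                continue                                  # deleted outright
            if field in DESCRIPTIVE:
                out[field] = self._token(field, value)    # replaced
            else:
                out[field] = value                        # kept for analysis
        return out


# Constructed sample records (not real data).
SAMPLE = [
    {"name": "Taro Yamada", "address": "1-1 Chiyoda, Tokyo", "passport_no": "TK0000001",
     "card_number": "4111111111111111", "plan": "premium", "monthly_spend": 12000},
    {"name": "Taro Yamada", "address": "1-1 Chiyoda, Tokyo", "licence_no": "000000000001",
     "card_number": "4111111111111111", "plan": "basic", "monthly_spend": 3000},
]


def run_sample():
    p = Pseudonymizer()
    return [p.pseudonymize(r) for r in SAMPLE]
```

Because the same individual receives the same token in every record, internal analysis across records still works, while the output alone no longer names anyone.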

Where businesses appropriately create pseudonymized information using these methods, the potential risks to data subjects are considered to be reduced. As such, some of the obligations which would typically apply will be relaxed, including:

Purpose limitation

Under the APPI, businesses are obliged to notify data subjects of the purposes for which the data subjects' personal data will be processed. It is prohibited to process the data beyond the purposes of which the data subjects have been notified without their consent. However, where businesses convert the personal information into pseudonymized information, the latter can be used beyond the scope of the notified purpose without the data subject's consent. Naturally, this allows businesses to change the purposes of use of the gathered personal data and is useful where businesses want to process the data in a manner not originally anticipated.

Notification obligations to the authority and data subjects

While the 2020 Amendments introduce obligations to notify the data protection authority and data subjects of personal data breaches, these obligations do not apply to breaches which only involve pseudonymized information.

Data subjects' right for disclosure, correction, and ceasing the use of the data

The APPI grants data subjects the right to request certain actions from businesses, which include the right for disclosure, correction, and ceasing the use of the personal data. Provisions regarding such individual rights do not apply to pseudonymized information.

One major limitation to pseudonymized information is that it cannot generally be transferred to third parties. The APPI only allows for transfers of pseudonymized information in limited circumstances where such transfers are based on laws and regulations. Companies cannot rely upon usual exceptions for transfer of personal data, such as outsourcing, entity conversion (e.g. merger and company split), and joint-use.

The following table summarises the differences between personal, pseudonymized, and anonymized information.

|  | Personal information | Pseudonymized information | Anonymized information |
| --- | --- | --- | --- |
| Purpose limitation | Applicable. | Applicable. However, restrictions regarding changes of purposes are relaxed. | Not required. |
| Notice required before changing the nature of the data? | Not applicable. | A notice is not required before converting personal information to pseudonymized information. | Data subjects must be placed on notice (for example, through publication on a website) prior to their personal data being converted into anonymized information. |
| Notification obligations of data breach incidents etc. to the privacy authority and data subjects? | Yes. Applicable (introduced under the 2020 Amendment). | No. | No. |
| Transfer of personal data to third parties? | Transfers are permissible either when obtaining consent from the data subject, or in case of falling under certain exceptions. | Transfers are only permissible in limited circumstances. | Transfers to third parties are permissible without limitation. |
| Request from data subjects | It is mandatory to respond depending on the data subjects' requests admitted under the APPI. | No obligations. | No obligations. |

Suggested actions

While somewhat limited in scope, pseudonymized information does provide businesses with certain additional flexibility in processing personal data beyond original purposes. It is important to be aware of how personal data can be converted into pseudonymized information, and how it can then be processed.

Kensaku Takase Partner
Hayato Higa Associate
Baker McKenzie, Tokyo
