Date: 2020-03-12

The Personal Information Protection Commission (‘PPC’) announced, on 10 March 2020, that the Cabinet of Japan had proposed a Bill (‘the Bill’) to partially amend the Protection of Personal Information Act (Act No. 57 of 2003 as amended in 2016) (‘APPI’). In particular, the Bill is aimed at establishing an obligation to report data breaches to the PPC and to notify data subjects affected. In addition, the Bill seeks to increase penalties against corporations for violations of PPC orders, place restrictions on personal data transfers to third parties abroad, and introduce new pseudonymisation requirements.

Impact on Businesses

Hiroyuki Masuda, Lawyer at One Asia Lawyers Group, told OneTrust DataGuidance, “Currently, under the APPI a person may demand an entity handling personal information to cease or delete retained personal data only if they are utilising the personal information beyond the specified purpose […] or if the personal information is acquired by deceit or other improper means […]. [However,] the Bill expands the cases in which a person may demand the cessation of the utilisation of personal information retained by an entity handling personal information to cases which are likely to cause harm to the rights and interests of individuals. This [amendment] might cause entities handling personal information to [deal with] requests by individuals to cease the utilisation of their personal information for the advertisement or promotion of its service which might harm the rights and interests of individuals, even if such utilisation purpose is notified to such individual.”

Masuda further highlighted, “[T]he amendment in respect of the cessation of the utilisation of the personal information […] may be in line with Article 17 of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).”

Obligations for PICs

The Bill introduces new obligations for personal information controllers (‘PICs’) including the requirement of reporting data breaches to the PPC. Specifically, the Bill notes that breach reporting is required when there is a risk to the rights and interests of the individual. Masuda commented, “[A]nother big change [is the requirement that] entities handling personal information must obtain the consent of persons whose information is transferred to another entity handling personal information, even if the information itself is not personal data as defined in the Act. Examples of the information which itself is not [considered] personal information [under the APPI] may include cookie information, login ID, and passwords.”

Penalties

Masuda clarified, “[An] administrative monetary penalty system has not been adopted, although there have been discussions [surrounding] whether to set out [a monetary system] in the Bill. After all, criminal penalties [have been] strengthened [from] imprisonment with labour for not more than six months, or a fine of not more than JPY 300,000 (approx. €2,570), to imprisonment with labour for not more than 12 months, or a fine of not more than JPY 1 million (approx. €8,570).”

Next Steps

The PPC highlighted that the Bill is designed to balance the protection of personal information with technological innovation, clarify the obligations of business in the information technology era, and address the emerging risks associated with cross-border data transfers. The Bill will be submitted to the current Cabinet session.

