Japan: Amended APPI guidelines

Forthcoming changes to the Act on the Protection of Personal Information ('APPI') have necessitated changes to the accompanying guidance issued by Japan's Personal Information Protection Commission ('PPC'). Hiroyuki Masuda, Lawyer at One Asia Lawyers, discusses some of the most important changes made in this regard.


The Amendment Act to the current Act on the Protection of Personal Information ('the Amended Act') was approved on 5 June 2020 and promulgated on 12 June 2020. Some provisions (those relating to penalties) came into force on 12 December 2020, and most of the remaining provisions of the Amended Act are scheduled to become effective on 1 April 2022.

The PPC is an authority established under the APPI, and it has issued a number of guidelines on the interpretation of the Act. In line with the Amended Act, the PPC has begun its review of the current guidelines and, on 2 August 2021, proposed draft amendments to the following guidelines:

  • General APPI Guideline ('the General Guideline');
  • Guideline in Respect of Provision to a Third Party in a Foreign Country ('the Data Transfers Guideline');
  • Guideline in Respect of Obligation to Confirm and Record on Third Party Provision; and
  • Guideline in Respect of Anonymously Processed Information.

These amendments have not yet become effective and are subject to further change based on public comments and on the Amended Act coming into force. The guidelines listed above provide guidance for the better interpretation of the APPI and do not introduce new regulation in addition to the Amended Act.

This article focuses on the major topics related to data breach reporting obligations and data transfers to a third party in a foreign country under the Amended Act, and on how these are addressed in the amended guidelines.

Data breach reporting obligation

One of the big changes to the APPI is the new reporting obligation in the case of a data breach. When there is a leakage of personal data, the Amended Act will require a report to the relevant authority and a notification to the data subject. In this regard, Article 22-2 of the Amended Act makes it mandatory for personal information controllers ('PIC') to report to the PPC and notify the data subject where an incident such as a leakage of personal data occurs that may cause a violation of the data subject's rights and interests. The Amended Act, however, does not in itself provide clear guidance on when, and at what level, a data breach must be reported.

In this regard, the amendment to the enforcement rules for the APPI (promulgated on 24 March 2021 and also effective on 1 April 2022) ('the Amended Enforcement Rules') provides detailed conditions, requirements, and procedures for reporting. Under the Amended Enforcement Rules, a report is required in the following cases:

  • where personal data including special care-required personal information is leaked, lost, or damaged;
  • where personal data that, if used for an improper purpose, would likely result in harm to the property of the individual is leaked, lost, or damaged;
  • where the leakage, loss, or damage of personal data occurred for an improper purpose; and
  • where the leakage, loss, or damage of personal data involves, or is likely to involve, the personal data of 1,000 or more individuals.

The Amended Enforcement Rules set out that the PIC in question must report such a data breach to the PPC no later than 30 days (or 60 days, depending on the grounds of the data breach) after the PIC comes to know of it, and must notify the data subject promptly according to the circumstances. The Amended Enforcement Rules further specify the items of information to be included in the report to the PPC.

The General Guideline elaborates on the Amended Enforcement Rules and provides more detailed guidance on the interpretation of the reporting obligation, including case examples that fall under each of the reporting requirements above, the contents of the report, the timeline for reporting, and examples of exemptions where no report is required. The General Guideline will therefore help PICs understand how and when data breaches should be reported.

Data transfer to a third party in a foreign country

The APPI sets out the situations in which transfers of personal data to a third party in a foreign country are allowed. As a principle, and except in certain situations, the PIC must obtain the data subject's advance consent to the provision of their personal data to a third party in a foreign country. Under the Amended Act, when transferring personal data to a third party in a foreign country, the PIC will also be required to provide the data subject with information regarding the handling of personal information by the recipient, including the system the recipient's country maintains for the protection of personal information and the protective measures to be taken by the recipient.

In addition to the General Guideline, the Data Transfers Guideline specifically provides detailed examples and guidance on the interpretation of the provisions related to overseas data transfers. It explains how to interpret the relevant provisions generally and also gives examples of how to provide the necessary information to the data subject when the PIC intends to transfer data to a third party in a foreign country. Examples include email, written documents, verbal communication, and giving access to a website where the necessary information can be obtained.

Importance of the guidelines

The APPI guidelines provide important guidance for business operators to ensure that personal information is handled in accordance with the APPI. The above covers only a few of the topics in the amended guidelines that correspond to the Amended Act. It is important to read these guidelines together with the APPI and its enforcement rules, not only when preparing an effective privacy policy, but also when a business operator faces a situation in which a data breach might occur.

Hiroyuki Masuda Lawyer
One Asia Lawyers, Tokyo
