Japan: APPI changes to come
On 24 March 2021, the Personal Information Protection Commission ('PPC') announced that the 2020 amendments ('the 2020 Amendment') to the Act on the Protection of Personal Information ('APPI') will enter into full effect on 1 April 2022. The PPC also finalised amendments to subordinate regulations (i.e. (a) the Cabinet Order to Enforce the APPI ('the Cabinet Order'); and (b) the Enforcement Rules for the APPI ('the Enforcement Rules')). In April 2021 Atsushi Okada, Partner at Mori Hamada & Matsumoto, analysed the key provisions introduced by the updated subordinate regulations.
Restriction on cross-border transfers
In principle, the APPI requires a transferor to obtain the prior consent of the data subjects to transfer their personal data to a third party located in a foreign country. The data subjects' consent to overseas data transfers is not necessary if any of the following conditions are met:
- the foreign country is specified in the Enforcement Rules as a country having a data protection regime with a level of protection equivalent to that of Japan;
- the data importer has a system of data protection which meets the standards prescribed by the Enforcement Rules; or
- certain other exceptional circumstances.
As regards the first point, as of today, the Enforcement Rules have listed only EEA countries and the UK as such foreign countries.
As regards the second, under the Enforcement Rules, the standards of the data protection system that a data importer must meet are either of the following:
- there is assurance, by appropriate and reasonable methodologies (e.g. contracts or intra-group privacy policies), that the data importer will treat the disclosed personal data in accordance with the principles of the requirements for handling personal data under APPI; or
- the data importer has been certified under an international arrangement, recognised by the PPC, regarding its system of handling personal data. To date, the only PPC-recognised international arrangement is the APEC Cross Border Privacy Rules System.
In the case of a transfer of personal data based on the data subjects' consent, the amended Enforcement Rules will require the following information to be provided to data subjects at the time of obtaining consent:
If the data exporter does not obtain consent and relies instead upon Section 1.1(b) above (i.e. the fact that the data importer has a system of data protection which meets the standards prescribed by the Enforcement Rules), then it must do the following:
- take necessary actions to ensure that the data importer has in place continuous security measures to protect personal data (i.e. (a) periodic confirmation of the status of the handling of personal data by the data importer and of whether there is a system in the foreign country that might affect the protection of personal information, and (b) measures to be taken if a problem arises with the proper handling of personal data, including suspension of the data provision if it becomes difficult to ensure the continuous implementation of the relevant measures); and
- upon the request of data subjects, provide information regarding respective actions taken (such as the name of the foreign countries, the safeguards to be taken by the data importer to protect personal information, and the existence and outline of the foreign system that may affect the implementation of such measures).
Please note that data transfers to EEA countries or the UK will be exempt from the above new regulations.
Under the current APPI, submitting a data breach report to the PPC is merely a 'duty to make an effort' and notifying affected data subjects is only a recommendation.
The 2020 Amendment will introduce mandatory obligations to report data breach incidents to the PPC and notify the affected data subjects.
In this regard, the Enforcement Rules provide that the following four categories are currently considered data breaches subject to mandatory reporting/notification (a threshold is not required except for the last item):
- breach of sensitive information;
- risk of financial damage to data subjects;
- breach as a result of unauthorised access, etc.; and
- breaches affecting a large number of data subjects (more than 1,000).
As for reporting to the PPC, the Enforcement Rules provide for two steps: the preliminary report and the definitive report:
- the preliminary report which only includes an overview of the data breach must be made 'promptly'; and
- the definitive report which includes the causes of the breach and recurrence prevention measures must be made within a specific deadline (30 days; in case of a breach caused by unauthorised access, etc., 60 days).
Under the current APPI, there is no concept of 'pseudonymisation', while the concept of 'anonymisation' was introduced in the previous amendments.
The 2020 Amendment will introduce the concept of 'Pseudonymously Processed Information' (i.e. personal information processed in a manner that can only identify the specific individual by collation with other information), which looks somewhat similar to that of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The scope of exemptions applicable to pseudonymisation will include obligations with regard to data subject rights and data breach notification. Further, internal utilisation of pseudonymously processed information will be permitted beyond the purpose of use published or notified to data subjects.
The Enforcement Rules provide the standards for producing pseudonymised information as follows: deleting (i) all or part of a description that can identify a specific individual contained in personal information, (ii) all individual identification codes contained in personal information and (iii) any description contained in personal information that is likely to cause financial damage if improperly used.
Restriction on provision to a third party (and potential cookies regulation)
The provision of personal data to third parties generally requires the consent of the data subject unless certain exceptions apply. Whether such personal data transfer restrictions apply has been understood to be determined by whether the discloser can identify an individual, while the recipient's ability to do so has been irrelevant.
The 2020 Amendment will require a discloser to confirm a data subject's consent about a third-party transfer if it is anticipated that the recipient may identify an individual, even if the discloser cannot identify an individual.
Targeted advertising is one of the areas which may potentially be affected by this amendment. Under the current law, an online identifier is not listed as an example of personal information, unlike under the GDPR. Therefore, under the current interpretation of the APPI, there are no specific restrictions on cookies or other online identifiers unless they are easily linkable to other information and thereby identify a specific individual on the discloser's side. Under the 2020 Amendment, even if a discloser (such as a publisher) cannot identify a specific individual based on cookies, the provision of cookies to third parties (such as ad tech providers) will become subject to consent confirmation requirements if it is anticipated that the recipient may identify an individual.
According to the Enforcement Rules, the consent should typically be obtained by the recipient, and the transferor is only required to confirm that fact by a method such as receiving a declaration from the recipient. The amended Cabinet Order and Enforcement Rules also impose record-keeping obligations on the discloser and recipient.
Additional elements to be published for personal data
The amended Cabinet Order will require a business operator to disclose measures taken to ensure the security management of personal data. It is permitted to make such disclosure without delay upon the request of data subjects. The PPC intends to provide examples in the PPC Guidelines to be issued later this year.
Atsushi Okada Partner
Mori Hamada & Matsumoto, Tokyo