Japan: Impact of adopted APPI amendment bill
On 5 June 2020, the Japanese National Diet passed a bill to amend the Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2015) ('APPI'). It is expected that subordinate rules and guidelines will be released in 2021 and that the amended APPI will then come into force sometime (no later than June) in 2022. The amendments to the APPI ('the Amendments') are based on the 'Every-Three-Year-Review' Outline of the System Reform published by the Personal Information Protection Commission ('PPC') in 2019. Atsushi Okada, Partner at Mori Hamada & Matsumoto, analyses the key provisions introduced by the Amendments, drawing comparisons with the European General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and explains their impact on businesses.
Principal rights will be broadened
Right to erasure and right to restriction of processing
Under the current law, the rights to deletion, cessation of use, and cessation of the provision of personal data to a third party are not exercisable merely at the request of a principal (i.e. data subject); they are only permitted if the retained personal data is factually inaccurate, if it is used for purposes other than the purposes notified, if it was collected by deceit or other improper means, or if it is provided to a third party in violation of the APPI.
The Amendments will broaden principal rights. However, the scope will remain narrower than the right to erasure and the right to object under the GDPR. These rights may be exercised only if it becomes unnecessary for a personal information controller ('PIC') to process personal data, or if a PIC fails to process personal data in a proper manner or is likely to infringe a principal's rights or legitimate interests.
Please also note that, while any personal data set to be erased within six months is not considered 'retained personal data' and is therefore not subject to a principal's rights under the current law, the Amendments will abolish the six-month rule on 'retained personal data'. Therefore, a principal's rights may be exercised regardless of the retention period set by a PIC.
Right of access and right to data portability
Although there have been active discussions in Japan about the right to data portability recognised under GDPR, the right to data portability will not be introduced in the amended APPI.
However, the Amendments will enable principals to demand disclosure of the retained personal data by electronic means. Furthermore, the Amendments will broaden the scope of information to be made accessible to principals with regard to retained personal data. Specifically, subordinate rules (which are expected to be released in 2021) will likely add the following to the matters that are required to be published by a PIC:
- a structure in processing personal information;
- safeguards to protect personal information; and
- how retained personal data is processed.
Mandatory data breach notification
Under the current law, with regard to data breach notification to the PPC, there is merely a 'duty to make an effort' and notifying affected principals is only a recommendation. However, depending on the nature, cause and impact of the data breach at issue, it is possible that the PPC may consider a failure to issue a notification of the breach as a factor that may demonstrate a lack of 'necessary and appropriate measures' for security control of personal data as required under the APPI. Therefore, under current general Japanese practice, most companies notify the PPC and the affected principals of data breach incidents, subject to certain exceptions.
The Amendments will introduce mandatory obligations to report data breach incidents to the PPC and notify the affected principals. However, the amended APPI does not set a specific time period (such as 72 hours under the GDPR). In this regard, we expect that the subordinate rules and guidelines will merely stipulate that the first report of a data breach shall be reported 'promptly', while a specific time period may be set as to a definitive report which follows after the first report. We expect that the subordinate rules and guidelines will provide further details, including thresholds for mandatory reporting (e.g. the number of affected individuals) and potential exceptions (e.g. pseudonymised information).
Concept of pseudonymisation will be introduced
Under the current law, there is no concept of 'pseudonymisation', while the concept of 'anonymisation' was introduced in the previous amendments a few years ago. The amended APPI will introduce the concept of 'pseudonymously processed information' (i.e. personal information processed in a manner that can only identify the specific individual by collation with other information), which looks somewhat similar to that of the GDPR. The scope of exemptions applicable to pseudonymisation will include obligations with regard to a principal's rights and data breach notification. Furthermore, internal utilisation of pseudonymously processed information by a PIC will be permitted beyond the purpose of use published or notified to principals.
Restriction on provision to a third party (and potential cookies regulation)
Summary of the impact on businesses
The amended APPI will regulate a third-party transfer if it is anticipated that the recipient may identify an individual, even if the discloser cannot identify an individual. Given that provision of online identifiers (such as cookies) to third parties may become subject to consent requirements, this amendment will likely affect targeted advertising and other ad tech practices. The practical impact of the Amendments on businesses, in this respect, is high. However, given that it is already necessary to obtain a consent for processing cookies under the ePrivacy Directive and the GDPR, the impact on European companies which already comply with the ePrivacy Directive and GDPR may be low to moderate.
The provision of personal data to third parties generally requires the consent of the principal unless certain exceptions apply. Whether such personal data transfer restrictions apply has been understood to be determined by whether the discloser can identify an individual, while the recipient's ability to do so has been irrelevant.
The Amendments will require a discloser to confirm a principal's consent for a third-party transfer if it is anticipated that the recipient may identify an individual, even if the discloser cannot identify an individual. Targeted advertising is one of the areas which may potentially be affected by this amendment.
Under the current law, unlike the GDPR, an online identifier is not listed as an example of personal information. Therefore, under the current interpretation of the APPI, there are no specific restrictions on cookies or other online identifiers unless they can be easily linkable to other information and thereby identify a specific individual on the discloser's side.
Under the amended APPI, even if a discloser (such as a publisher) cannot identify a specific individual based on cookies, the provision of cookies to third parties (such as ad tech providers) will become subject to consent confirmation requirements if it is anticipated that the recipient may identify an individual.
Please note that terminal identifiers (such as cookies) per se were not defined as personal information under the amended APPI. Rather, the regulation will change only in the context of provision to a third party as described above.
Stricter restrictions on cross-border transfers
In principle, the APPI requires a transferor to obtain the prior consent of the principals to transfer their personal data to a third party located in a foreign country. The principals' consent to overseas data transfers is not necessary if any of the following conditions is met:
- (a) the foreign country is specified in the enforcement rules as a country having a data protection regime with a level of protection equivalent to that of Japan;
- (b) the third-party recipient has a system of data protection which meets the standards prescribed by the enforcement rules; or
- (c) certain other exceptional circumstances apply.
For item (a), as of today, the enforcement rules have listed only EEA countries and the UK as such foreign countries.
For item (b), under the enforcement rules, the standards of the data protection system that a third-party recipient outside Japan must meet are either of the following:
- (i) there is assurance, by appropriate and reasonable methodologies, that the recipient will treat the disclosed personal data in accordance with the principles of the requirements for handling personal data under the APPI; or
- (ii) the recipient has been certified under an international arrangement, recognised by the PPC, regarding its system of handling personal data. To date, the only PPC-recognised international arrangement is the APEC Cross Border Privacy Rules System.
Under the PPC guidelines, 'appropriate and reasonable methodologies' in item (i) above include agreements between the disclosing party and the recipient, or inter-group privacy policies, which ensure that the recipient will treat the disclosed personal information in accordance with the principles of the APPI.
In addition to the existing restrictions on cross-border transfer, the Amendments will require a PIC to inform principals of the details of a data transfer to a third party located in a foreign country.
If a PIC relies upon a consent, it will need to inform principals of information such as:
- data protection rules and regulations in the countries to where the data is exported; and
- safeguards to be taken by the recipient to protect personal information.
If a PIC does not obtain consent and relies instead upon item (b) above (i.e. the fact that the third-party recipient has a system of data protection which meets the standards prescribed by the enforcement rules), then it will, upon a request from principals, need to provide information regarding the system established by the recipient. These are unique regulations, and we need to keep a close eye on the further details which will be stipulated by the subordinate rules and guidelines.
Please note that data transfer to EEA countries or the UK will be exempt from the above new regulations.
Administrative fines will not be introduced
Although there have been active discussions in Japan about the administrative fines recognised under the GDPR, the introduction of administrative fines has not been included in the amended APPI.
On the other hand, the amended APPI will introduce more severe criminal penalties against both natural and legal persons; however, the practical impact of the Amendments on businesses, in this respect, is not high.
Broadened extraterritorial enforcement options
Under the current law, key provisions of the APPI apply to entities outside of Japan if they acquire personal information in connection with supplying goods or services to individuals located in Japan. However, the PPC's enforcement options against foreign companies are quite limited. The PPC does not have the authority to make foreign companies submit reports nor order them to take necessary measures. The PPC's enforcement options against foreign companies are limited to rendering 'guidance' (shido) or 'advice' (jogen), or making 'recommendation' (kankoku) that the PIC cease the violation and take other necessary measures to correct the violation.
The amended APPI will give the PPC the authority to make foreign companies submit reports and order them to take necessary measures. The PPC will also become able to publish the fact that a foreign company did not follow such an order.
Atsushi Okada Partner
Mori Hamada & Matsumoto, Tokyo