Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Japan: Pseudonymisation under Amended APPI

The recent Amendments to the Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2015) ('APPI'), which were introduced in 2020 ('the 2020 Amendments'), came into force on 1 April 2022. The 2020 Amendments introduce a new concept of 'pseudonymisation' to Japanese privacy law and rules on how such information should be handled. Kensaku Takase and Hayato Higa, from Baker McKenzie's Tokyo IP Tech practice group, outline how pseudonymised information can be utilised under the APPI and the rules businesses need to be aware of in order to remain compliant with the amendments.

Mlenny / Signature collection / istockphoto.com

Context

While pseudonymised information exists as a concept in other jurisdictions, the ways in which they can be handled under the 2020 Amendments are unique to Japan and quite narrow. There are various benefits to utilising pseudonymised information, which are outlined in this article. However, there are significant limitations, particularly that pseudonymised information can only be used for internal purposes within a business, and cannot be transferred to third parties. Therefore, businesses who wish to utilise pseudonymised data need to carefully understand the amendments, and what they do and do not allow.

Quick overview on types of personal information under the APPI

Under the APPI, there are several key terms with respect to personal information, such as personal information, personal data, and sensitive data. In addition, the APPI stipulates different types of data that are distinguished from personal information, including anonymised and pseudonymised information.

Anonymised information was introduced to the APPI in 2017. Anonymised information is defined as information which is redacted to prevent identification of individuals pursuant to the relevant regulations. For data to be considered 'anonymised', it is important that such data cannot be restored. As such, anonymised information is not considered personal information, and subject to different requirements from those applicable to personal information. For instance, anonymised information may be transferred to third parties without the data subject's consent, as long as the business complies with certain disclosure requirements.

One of the key drawbacks of anonymised information under the APPI is the fact that for the data to be treated as 'anonymised', that data subjects need to have been put on notice (for example, through publication on a website) that their data would be 'anonymised' before the anonymisation takes place. This can be practically challenging for many businesses.

Background to the introduction of pseudonymised information

Given the hurdles of utilising anonymised information mentioned above, the uptake in the use of anonymised information has not been as significant as originally expected.

It has been intended by the Japanese government that the APPI will evolve to balance the protection and use of personal information. With technological innovation associated with personal information contributing to both economic growth on the one hand, and protection of an individual's rights on the other, the concept of pseudonymised information has been introduced to encourage businesses to more easily and readily process personal data sets in their possession, beyond the scope of what those data sets were originally obtained for.

Outline of the requirements to handle pseudonymised information

Pseudonymised information is defined as information relating to an individual that has been processed by erasing or replacing all, or part of, identifiers of personal information in such a manner that the individual is no longer identifiable unless it is combined with other information. The APPI sets out that pseudonymised information can be created using the following methods to delete or replace:

  • a whole, or part of, those descriptions which can identify a specific individual contained in personal information, such as names (for example, replacing names, addresses, and other similar information with a random string of characters);
  • all individual identification codes contained in personal information; or
  • descriptions contained in personal information that are likely to cause property damage, such as credit card numbers.

Where businesses appropriately create pseudonymised information using these methods, then it is seen that the potential risks to data subjects is reduced. As such, some of the obligations which would typically apply will be relaxed, including:

Purpose limitation

Under the APPI, businesses are obliged to notify data subjects on the purposes for which the data subjects' personal data will be processed. It is prohibited to process the data beyond the purposes of what the data subjects have been notified of without their consent. However, where businesses convert the personal information into pseudonymised information, the latter can be used beyond the scope of the notified purpose without the data subject's consent. Naturally, this allows businesses to change the purposes of use of the gathered personal data and is useful where businesses want to process the data in a manner not originally anticipated.

Notification obligations to the authority and data subjects

While the 2020 Amendment introduces notification obligations to the data protection authority, and data subjects for personal data breaches, these obligations do not apply in case of breaches which only involve pseudonymised information.

Data subjects' right for disclosure, correction, and ceasing the use of the data

The APPI grants data subjects the right to request certain actions for businesses, which include the right for disclosure, correction, and ceasing the use of the personal data. Provisions regarding such individual rights do not apply to pseudonymised information.

One major limitation to pseudonymised information is that it cannot generally be transferred to third parties. The APPI only allows for transfers of pseudonymised information in limited circumstances where such transfers are based on laws and regulations. Companies cannot rely upon usual exceptions for transfer of personal data, such as outsourcing, entity conversion (e.g. merger and company split), and joint-use.

The following table summarises the differences between personal, pseudonymised, and anonymised information.

Personal information

Pseudonymised information

Anonymised information

Purpose limitation

Applicable.

Applicable. However, restrictions regarding changes of purposes are relaxed.

Not required.

Notice required before changing the nature of the data?

Not applicable.

A notice is not required before converting personal information to pseudonymised information.

Data subjects must be placed on notice (for example, through publication on a website) prior to their personal data being converted into anonymised information.

Notification obligations of data breach incidents etc. to the privacy authority and data subjects?

Yes. Applicable (introduced under the 2020 Amendment).

No.

No.

Transfer of personal data to third parties?

Transfers are permissible either when obtaining consent from the data subject, or in case of falling under certain exceptions.

Transfers are only permissible in limited circumstances.

Transfers to third parties are permissible without limitation.

Request from data subjects

It is mandatory to respond depending on the data subjects' requests admitted under the APPI.

No obligations.

No obligations.


Suggested actions

While somewhat limited in scope, pseudonymised information does provide businesses with certain additional flexibility in processing personal data beyond original purposes. It is important to be aware of how personal data can be converted into pseudonymised information, and how it can then be processed.

Kensaku Takase Partner
[email protected]
Hayato Higa Associate
[email protected]
Baker McKenzie, Tokyo