This article is to provide an overview of the Amendment Act of APPI.
1. Strengthening the protection on Individual Rights
(1) Expanding the rights of individuals
The current APPI allows the individual to request the cease of utilization, deletion, or cease third-party provision (“Utilization Cease”) of his/her Retained Personal Data (c.f. (4) ), in cases when business operators violates Article 16 (Restriction due to a Utilization Purpose) and Article 17 (Proper acquisition) of the Act. The Amendment Act, expands the right of the individual and allows him/her to request the Utilization Cease in cases such as the use of personal information has become unnecessary, when there is leakage, loss or damage or other situation concerning the insurance of security in connection with the retained personal data, or where handling of information can harm the rights or legitimate interest of the individual
(2) Methods of disclosure of Retained Personal Data
Under the current APPI, the business operator needs to deliver the Retained Personal Data in written documents, when responding to disclosure requested by the individual. The Amendment Act allows the individual to choose the method of disclosure, which will include digitalized methods.
(3) Disclosure of records of third party provision.
Business operators are required to keep records when providing personal data to at third party. However, the current Act does not have a provision on the disclosures of these records. The Amendment Act allows the individual to request the disclosure of these records on the transfer of his/her personal data to a third-party.
(4) Data to disclose and/or to Utilization Cease
The obligation of a busines operator to disclose and/or to Utilization Cease of an individual is limited to “Retained Personal Data”. The current APPI excludes short-term data that are deleted within 6 months, from such Retained Personal Data. The Amendment Act alters the definition of Retained Personal Data, and short-term data will no longer be excluded.
(5) Limiting third party provision by Opt-Out
The current APPI requires the business operator to obtain consent from the individual when providing personal information to a third party. However, in cases where the business operator has informed or disclosed to the individual and notified the PPC the details of third-party provision (e.g. purpose of use, categories of personal data, method of third-party provision), and is set to cease the provision of personal data in response to the individual's request, the consent of the individual is exceptionally not necessary (“Opt-Out”). The current APPI does not allow Special Care-Required Personal Information to be provided to a third-party by this Opt-Out. The Amendment Act excludes, in addition, information that has been acquired in violation of the provisions of Article 17 (e.g. personal information that are acquired by deceit or other improper means), or been provided by another business operator pursuant to this Opt-Out Provisions, from this Opt-Out exception.
2. Obligations on business operators
(1) Report on Data Breach to PPC
The Amendment Act requires business operators to report to PPC in case of data breach in cases where there is a large possibility of harming an individual's rights and/or interests. The details on the new rules are to be stipulated in the enforcement rules of APPI. It is likely that the cases to report to PPC are to be limited to certain important incidents (e.g. number of breach that are more than a certain number).
(2) Prohibition of Inappropriate use of Personal Information.
The current APPI prohibits business operators from handling personal information that are acquired by deception or other wrongful means. The Amendment Act expands the obligation of the operator, by prohibiting operators from using personal information in means that has the possibility of fomenting or prompting unlawful or unfair acts.
3. Rules on usage of Data
(1) Pseudonymously Processed Information
The Amendment Act introduces a new concept of information named “Pseudonymously Processed Information”. Pseudonymously Processed Information is information relating to an individual that can be produced from processing personal information so as not to be able to identify a specific individual unless collated with other information by deleting or restoring descriptions/individual identification codes. Business operators may alter the purpose of use of Pseudonymously Processed Information without the consent of the individual. Therefore Pseudonymously Processed Information may be used by business operators, in purposes that are outside the scope of the (original) purpose of use. However, business operators are strictly restricted not to provide the Pseudonymously Processed Information to third-parties. Business operators are subject to other obligations, such as not to collating Pseudonymously Processed Information with other information in order to identify individuals.
(2) Personal Referable Information
The APPI requires the consent of the individual, if his/her personal information is provided to a third party (c.f. 1,(5)). Personal Data is construed as information that a specific individual can be identified by the provider of the information (and not the recipient). In other words, the current legislation does not require the consent of the individual in cases where the information can be identified by the recipient, but cannot be identified by the provider. The Amendment Act, requires the consent of the individual when a third party acquires Personal Referable Information as “personal data”. Therefore, if the recipient is to receive information that a specific individual is identifiable, the consent of the individual will become necessary.
4. Amendments to Enforcement
(1) Penalties
The penalties and the fines for legal entities under the Amendment Act will increase. The penalties for the current APPI are (i) for violation of an order issued by the PPC: Imprisonment with labor for not more than 6 months or a fine of not more than 300,000 yen, and (ii) for false submission of a report to the PPC: A fine of not more than 300,000 yen. Under the Amendment Act, these penalties will be increased to (i) for violation of an order issued by the PPC: Imprisonment with labor for not more than 1 year or a fine of not more than 1,000,000 yen, and (ii) for false submission of a report to the PPC: A fine of not more than 500,000 yen.The maximum amount fines on legal entities for wrongful provision, utilization of personal information database, or violation of an order issued by the PPC, will also rise significantly from 500,000 yen or 300,000 yen to 100 million yen.
5. Extraterritorial Application of the APPI and Cross-Border Transfer
(1) Extraterritorial Application of the APPI
The current APPI requires foreign business operators with no juridical personalities in Japan), which supply goods or services in Japan (“Foreign Business Operators”) who handle personal information of an individual within Japan to comply with certain rules of APPI. However certain articles in Section 3 (Supervision) does not apply under the current legislation. The Amendment Act allows articles such as submitting reports to the PPC, onsite Investigation by the PPC, and the PPC on giving orders when there is serious infringement of an individual’s rights and interest, to apply to Foreign Business Operators. In cases where the Foreign Business Operators do not comply with the orders, the PPC be allowed to make public announcement of such violation.
(2) Providing Information to individuals
The Amendment act requires a business operator to provide information of the foreign country/territory to the individual, when transferring across borders. The details of information to be provided (e.g. types of information and how much detailed it should be) is likely to be stipulated in the enforcement rules of APPI.
6. Future Schedules
As mentioned above, the Amendment Act is to come into force by June 2022. PPC will need to amend the Cabinet Order to Enforce the APPI, and the Enforcement Rules on the Protection of Personal Information before the enforcement of the law. The draft of the amendment of the Cabinet Order and the Enforcement Rules is likely to be disclosed for public comment in the next couple of months. PPC will also be amending the current guidelines in relation to APPI, as well as implementing a (new) guideline for Pseudonymously Processed Information. The guidelines are likely to be drafted and disclosed for public comment once the Cabinet Order and the Enforcement Rules is promulgated. In addition, another amendment of the APPI is expected next year, regarding personal information held by government agencies and independent administrative agencies.
Article provided by: Satoshi Shono (Matsuda & Partners, Japan)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)