Amendment on Enforcement Rules of the Japanese Privacy Law
The amendment to the Enforcement Rules for the Act on the Protection of Personal Information ("Enforcement Rules") was promulgated on March 26 of this year. The amended Enforcement Rules take effect on April 1st, 2022, together with the amended Act on the Protection of Personal Information ("APPI"). This article introduces the main points of the amended Enforcement Rules.
1. Business Operators Reporting to the Personal Information Protection Commission ("PPC")
(1) Cases to Report
The amended APPI requires business operators to report to the PPC in cases of data breaches that carry a high likelihood of harming an individual's rights and/or interests.
The Enforcement Rules stipulate the following cases in which business operators are required to report a data breach:
- Cases in which leakage, loss or damage ("Leakage") of personal data containing special care-required personal information (excluding information for which advanced encryption or other measures necessary to protect the rights and interests of individuals have been implemented) has occurred or is likely to occur
- Cases in which Leakage of personal data has occurred or is likely to occur that may cause financial damage due to unauthorized use
- Cases in which Leakage of personal data that may have been conducted for a wrongful purpose has occurred or is likely to occur
- Cases where there has been or is likely to have been a Leakage of personal data involving more than 1000 persons
(2) Matters to Report
Business operators are required to report the following matters to the PPC in cases of Leakage of personal data:
- Overview of the Leakage
- Items of personal data where Leakage has occurred or is likely to have occurred
- The number of individuals whose personal data has been or is likely to have been leaked
- Cause of the Leakage
- Whether there is any secondary damage or a likelihood thereof, and the details (if any)
- Status of measures regarding response to the individuals
- Status of disclosure
- Measures to prevent recurrence
- Other matters for reference
(3) Timeframe of Report
Business operators are required to promptly give a preliminary report to the PPC when they become aware of the Leakage. In addition, business operators are required to report the matters stipulated above to the PPC within 30 days from the day on which the operator became aware of the Leakage (however, the timeframe for reporting the number of individuals affected by the Leakage is 60 days).
(4) Notifying Individuals
The amended APPI also requires business operators to notify the affected individuals in cases of Leakage of personal data. Notification of the following matters shall be given promptly, to the extent necessary to protect the rights and interests of the individual:
- Overview of the Leakage
- Items of personal data where Leakage has occurred or is likely to have occurred
- Cause of the Leakage
- Whether there is any secondary damage or a likelihood thereof, and the details (if any)
- Other matters for reference
2. Standards on Processing Pseudonymously Processed Information
The amended APPI introduces a new category of information named “Pseudonymously Processed Information”, under which business operators may alter the purpose of use of pseudonymously processed information without the consent of the individual, provided that they process the personal information appropriately in accordance with laws and regulations and comply with the rules set out in the APPI.
The Enforcement Rules stipulate the following standards for processing the information:
- Delete all or part of the descriptions contained in the personal information that can identify a specific individual (including replacing all or part of the descriptions with another description by a method with no regularity capable of restoring the descriptions).
- Delete all of the individual identification codes contained in the personal information (including replacing the individual identification codes with another description by a method with no regularity capable of restoring the individual identification codes).
- Delete the descriptions contained in the personal information that may cause financial damage due to unauthorized use (including replacing the descriptions with another description by a method with no regularity capable of restoring the descriptions).
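The three processing standards above, applied to a single customer record, as an added example that is not part of the original article. The field names, the record contents and the field-to-standard mapping are assumptions constructed for illustration; the replacement tokens are drawn from a CSPRNG so that the replacement method has no regularity from which the original code could be restored, and the lookup table is the separately held material that must be kept apart from the processed data.

```python
import secrets
from typing import Any, Dict, List

# Assumed field classification (constructed for this example, not from the APPI text):
DIRECT_IDENTIFIERS = {"name", "address", "phone"}       # standard 1: descriptions identifying an individual
IDENTIFICATION_CODES = {"my_number", "passport_no"}      # standard 2: individual identification codes
FINANCIAL_FIELDS = {"card_number", "bank_account"}       # standard 3: descriptions enabling financial harm

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD: Dict[str, Any] = {
    "name": "Example Taro",
    "address": "1-2-3 Example-cho, Chiyoda-ku, Tokyo",
    "my_number": "123456789012",
    "card_number": "4111111111111111",
    "age": 42,
    "purchase_history": ["bread", "milk"],
}


def pseudonymize(record: Dict[str, Any], code_table: Dict[str, str]) -> Dict[str, Any]:
    """Return a pseudonymously processed copy of `record`.

    Direct identifiers and financial descriptions are deleted outright.
    Identification codes are replaced by a random token; the same code maps
    to the same token only through `code_table`, which holds the mapping and
    must be stored separately from the processed output.
    """
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in FINANCIAL_FIELDS:
            continue  # deleted, not replaced
        if key in IDENTIFICATION_CODES:
            token = code_table.get(value)
            if token is None:
                token = secrets.token_hex(16)  # no regularity: not derived from the code
                code_table[value] = token
            out[key] = token
            continue
        out[key] = value  # remaining attributes stay usable for analysis
    return out


def check_processed(record: Dict[str, Any], code_table: Dict[str, str]) -> List[str]:
    """List residual fields that would violate one of the three standards."""
    problems = [k for k in record if k in DIRECT_IDENTIFIERS or k in FINANCIAL_FIELDS]
    # A code field that still carries a value from the original, not a token, is a violation.
    problems += [k for k in record if k in IDENTIFICATION_CODES and record[k] in code_table]
    return problems
```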
3. Personal Referable Information
The Amendment Act requires the consent of the individual when it is assumed that a third party will acquire Personal Referable Information as “personal data”. The business operator is, in principle, required to confirm whether the consent of the individual has been obtained by the receiving party when providing personal referable information. The Enforcement Rules stipulate that this confirmation shall be made by the business operator receiving a report from the receiving party.
Business operators are also required to keep records of the confirmation concerning personal referable information. The business operators need to keep the records for three years in principle. The records shall include:
- Confirmation that the consent of the individual has been obtained, and confirmation that information has been provided to the individual (in cases of cross-border transfer)
- Date on which the personal referable information was provided
- The name and address of the receiving party and the name of its representative (in cases when the receiving party is a juridical person)
- Items of such personal referable information that are acquired.
4. Cross-border transfer
(1) Providing Information when Transferring Personal Data etc.
The Amendment Act requires the business operator to provide information to the individual when obtaining his/her consent, in cases of transferring personal data across borders and of transferring personal referable information across borders.
The Enforcement Rules stipulate the following rules regarding the provision of information.
(I) In principle, the business operator needs to provide the following information to the individual:
a) The name of the foreign country;
b) Information on the laws and regulations concerning the protection of personal information in the foreign country, obtained by appropriate and reasonable methods;
c) Information concerning measures for the protection of personal information taken by the receiving party.
(II) If a business operator cannot specify the name of the foreign country at the time when obtaining the consent of the individual, the business operator shall provide information on the following matters in lieu of items (I) a) and b).
- The fact that the name of the foreign country cannot be specified and the reason therefor;
- In case there is any information that serves as a reference for the Individual in lieu of the name of the foreign country, such information.
(III) If a business operator is unable to provide information concerning measures for the protection of personal information taken by the receiving party at the time when obtaining the consent of the individual, the business operator shall state that effect and provide information on the reason thereof in lieu of such information.
(2) Necessary Measures and Providing Information
The amended APPI requires the business operator (I) to take necessary measures to ensure the continuous implementation of equivalent measures by the receiving third party and (II) to provide information concerning those necessary measures to the individual upon request, in cases where the business operator provides personal data to a third party in a foreign country and the receiving party has established a system as prescribed in Article 24, paragraph 1 of the APPI.
(I) Necessary Measures to Ensure the Continuous Implementation of Equivalent Measures
The Enforcement Rules stipulate the following measures for ensuring the continuous implementation of equivalent measures:
a) To confirm periodically, by appropriate and reasonable methods, i) the implementation status of equivalent measures by the receiving party, and ii) the existence and details of the laws and regulations in the foreign country that may affect the implementation of the equivalent measures.
b) To take necessary and appropriate measures when the implementation of equivalent measures by the receiving party is interfered with, and to cease the provision of personal data when it becomes difficult to ensure the continuous implementation of the equivalent measures.
(II) Providing Information to the Individual
1. The Enforcement Rules require the business operator, in principle, to provide the individual with information concerning the following matters without delay upon request:
(i) The method of establishment of the system as prescribed in Article 24, paragraph 1 of the APPI by the receiving party;
(ii) The outline of the equivalent measures implemented by the receiving party;
(iii) The frequency and method of confirmation as prescribed in (I) (a);
(iv) The name of the foreign country;
(v) Existence and outline of the details of the laws and regulations in foreign countries that may affect the implementation of equivalent measures of the receiving party (if any);
(vi) Whether there is any interference with the implementation of equivalent measures by the receiving party, and the outline of the interference (if any);
(vii) Outline of the measures taken by the business operator pursuant to (I) (b) in response to the interference.
2. The business operator is not obliged to provide all or part of the above information in cases where the provision of information is likely to substantially interfere with the proper conduct of its business. However, when the business operator has decided not to provide all or part of the information, the business operator shall notify the individual and endeavor to explain the reasons.
5. Future Schedules
The PPC is currently working on the amendment of the guidelines, as well as a (new) guideline for Pseudonymously Processed Information. The guidelines are likely to be drafted and disclosed for public comment later this year (2021). In addition, a bill for further amendment of the APPI has been submitted to the Diet and is currently under deliberation. The main focus of the bill is on personal information held by government agencies and independent administrative agencies; however, since the bill integrates articles from other laws, the numbering and order of the articles of the (current) APPI are expected to change significantly.
Article provided by: Satoshi Shono (Matsuda & Partners, Japan)