Third Amendment of the Japanese Privacy Law – Amendment based on the Digital Arrangement Act
This May, three acts relating to the digital society and environment were approved by the Diet and promulgated in Japan: the Basic Act on the Formation of a Digital Society, the Act on the Establishment of the Digital Agency and the Act on the Arrangement of Related Acts for the Formation of a Digital Society (the "Digital Arrangement Act").
While the first two acts focus mainly on stipulating the basic principles and the establishment of a new government organization (the Digital Agency), the third act aims to implement measures for the formation of a digital society and to amend relevant laws, including the Act on the Protection of Personal Information ("APPI") and the My Number Act.
This article provides an overview of major amendments made to the APPI.
1. Integrating and combining the three laws relating to personal information
Currently in Japan, the applicable law differs depending on the person or organization handling the personal information. The APPI only applies to personal information handled by the private sector, while the Act on the Protection of Personal Information held by Administrative Organs ("APPIAO") applies to personal information handled by national governmental agencies, and the Act on the Protection of Personal Information held by Incorporated Administrative Agencies ("APPIIAA") applies to personal information handled by incorporated administrative agencies. The Ministry of Internal Affairs and Communications is the governing agency of the APPIAO and APPIIAA, while the Personal Information Protection Commission ("PPC") has administrative jurisdiction over the APPI.
Furthermore, the APPIAO and APPIIAA only apply to national agencies, and local governments implement their own ordinances in relation to the handling of personal information. Since there are no unified nationwide rules, the definitions, rules and exemptions vary depending on each ordinance enacted by the local governments (which is sometimes called the "P2K problem" in Japan, based on the number of ordinances related to personal information at the local government level). The current situation has actually caused problems in certain cases where cooperation between local governments is necessary, such as disaster relief and, most recently, the Covid-19 situation.
The Digital Arrangement Act integrates and combines the APPIAO and APPIIAA into the APPI, and will also stipulate common rules for personal information handled by local governments. This amendment is considered to be meaningful in terms of digitalization and data utilization in the administrative area, and is also likely to promote public-private partnerships in the digital field. The PPC will have administrative jurisdiction over the unified law, meaning it will become the comprehensive administrative organization for personal information in Japan.
2. Unifying regulations in the medical and academic fields
As mentioned above, the rules for handling personal information differ between the public sector and the private sector. This has caused an issue especially in the medical field, since in Japan a certain number of the major medical institutions are operated by incorporated administrative agencies, and the difference in rules has become an obstacle to the usage of information between these institutions and private hospitals.
The Digital Arrangement Act amends the APPI so that the rules that apply to the private sector will be applied to certain incorporated administrative organizations which continuously collaborate and use data containing personal information with business operators in the private sector. The incorporated administrative organizations to which the rules of the private sector apply include: national research and development agencies, national university corporations, inter-university research institute corporations, the National Hospital Organization (NHO), the Japan Community Health care Organization (JCHO), the Open University of Japan Foundation (OUJ), and the personal information in the operation of hospitals conducted by the Japan Organization of Occupational Health and Safety (JOOHS), and the Okinawa Institute of Science and Technology Graduate University (OIST).
3. Amending the exemption provisions for academic research and stipulating exceptions for each individual obligation in the APPI
Chapter IV of the current APPI does not apply to universities, organizations and groups aimed at academic studies, or a person belonging thereto, when personal information is being provided for use in academic studies (Article 76). Therefore, most of the obligations imposed on business operators under the current APPI do not apply to academic research. The current legislation itself was stipulated to respect academic freedom; in addition, academic researchers often deal with a vast amount of information, and stipulating such a conclusive exemption expedites academic research.
However, as a result of this conclusive exemption provision, personal data transferred from the EU to academic research institutions in Japan is not subject to the adequacy decision under the GDPR. Therefore, concerns have been raised by the academic community in Japan, since this situation is likely to become an obstacle to conducting joint research with institutions in the EU.
The Digital Arrangement Act deletes the conclusive exemption provision in relation to academic research in the APPI and, instead, stipulates exception clauses to certain provisions. The articles and obligations that newly include exceptions in the APPI are as follows:
(i) Article 18 (Current article 16): Restriction due to Utilization Purposes
Exceptions to the restriction due to utilization purposes newly include the following:
- Cases in which an academic research institution needs to handle personal data for academic research purposes.
- Cases in which personal information is provided to an academic research institution and the institution needs to handle the personal data for academic research purposes.
(ii) Article 20(2) (Current article 17(2)): Principal's Consent on Acquiring Special Care-Required Personal Information
Exceptions to consent by the principal newly include the following:
- Cases in which an academic research institution needs to handle special care-required personal information for academic research purposes.
- Cases in which the special care-required personal information is acquired from an academic research institution, and such information is acquired for academic research purposes (Limited to cases where the business operator and the academic research institution jointly conduct academic research).
(iii) Article 27(1) (Current article 23(1)): Restriction on Third Party Provision
Exceptions to the restriction on provision of personal data to third parties newly include the following:
- Cases in which an academic research institution handles personal data and it is unavoidable for the purpose of publication or teaching of academic research results.
- Cases in which an academic research institution needs to provide the personal data for academic research purposes (Limited to cases where the academic research institution and the recipient jointly conduct academic research).
- Cases in which the recipient is an academic research institution and the recipient needs to use the personal data for academic research purposes.
* Cases where there is a risk of unjust infringement on the rights and interests of individuals are excluded from all of the above exceptions.
4. Unifying the definition used in the three laws relating to personal information
Under the current legislation, the definition of "personal information" is different between the APPIAO / APPIIAA and the APPI. In addition, the APPIAO / APPIIAA and the APPI use different terms and definitions for anonymized information: anonymized personal information under the APPIAO and APPIIAA is construed as "personal information" under the APPI, whilst anonymously processed information is considered non-personal information. The difference between the definitions and concepts is not only confusing, but is also considered a factor that hinders data flow and distribution.
The Digital Arrangement Act unifies the definition of personal information, and the definition of personal information in the public sector will be changed to that of the private sector (as defined in the current APPI). Anonymously processed information by administrative organizations will be considered non-personal information (like anonymously processed information by business operators in the private sector under the current APPI), and administrative organizations shall be subject to the rules and obligations reconstituted by the amended APPI with respect to the production, usage and provision of anonymously processed information.
5. Enforcement Schedules of the Amendment
The main amendments of the APPI are scheduled to come into force by May 2022. However, the matters concerning the rules for personal information handled by local governments are to come into force by May 2023.
It is speculated that the main amendments of the APPI are to become effective on April 1, 2022, together with the second amendment of the APPI, which was promulgated last year.
Article provided by INPLP member: Satoshi Shono (Matsuda & Partners, Japan)
Dr. Tobias Höllwarth (Managing Director INPLP)