New Amendment To Japan’s Data Privacy Law (APPI)
By 新井 敏之
The Act on Protection of Personal Information (APPI), Japan’s data privacy law, was amended in June 2020 and is expected to be implemented by early 2022 after accompanying cabinet orders, PPC (Personal Information Protection Commission) regulations and FAQs have been drafted. While the subject areas amended are diverse in scope, the following topics are important to note from the perspective of foreign data controllers and processors dealing with Japan-derived personal data.
1. Data Breach Notification
- Personal Information Handling Operators (data controllers and processors combined, “PI Operators”) are required to file a report on a data breach as required by PPC regulations to be drafted. Article 22-2, Para. 1.
- PI Operators are also required to notify data subjects of the same. Article 22-2, Para. 2.
- Before the amendment, the law only required PI Operators to make best efforts to report such incidents.
2. Data Subject’s Right for Suspension of Use
- A data subject may seek suspension of the use of his personal data if his rights or legitimate interests are likely to be injured by the PI Operator’s processing of his data. Article 30, Paras. 5 and 6.
3. Prohibition against Inappropriate Use of Personal Information
- PI Operators are prohibited from using personal information “in a manner that would facilitate or induce illegal or inappropriate actions.” Article 16-2. An example discussed is a website called “Bankrupt Party Map.”
- This has been added to the existing prohibition on acquiring personal information illicitly or without the data subject’s consent (with six exceptions). Article 17.
- The new provision focuses on the manner in which Personal Data is used, rather than the purpose of that use. This type of use has so far been dealt with through public policy discussion or as a tort under the Civil Code; with this amendment, it can also be dealt with by the enforcement mechanisms under APPI, e.g., orders, publication, and penalties.
4. Personal-related Anonymized Data
Data that cannot identify an individual in its present form, but can be turned back into Personal Data by matching it against additional data, is called “Personal-related Data” under new Article 26-2. Cookie data is an example. If such data is transferred to a third party (e.g., a platform operator) that holds additional data capable of undoing the anonymity, the Personal-related Data becomes convertible into Personal Data. Its transfer is therefore restricted.
A PI Operator may not transfer Personal-related Data to a third party unless (a) the data subject consents to such transfer; or (b) if the transfer is to a third party in a foreign country, the PI Operator provides information to the data subject on issues of personal data protection and the measures afforded to the data subject’s privacy in that jurisdiction. Article 26-2, Para. 1, Items 1 and 2.
5. Foreign PI Operators Subject to Penalty
Prior to this amendment, no penalty was assessable on foreign parties because the PPC was perceived to lack authority over them. This is no longer the case. Article 75. Such penalties are assessed via subpoena of data reports and the PPC’s orders on them under APPI provisions. Further, the PPC can publicize violations of APPI by foreign parties.
Regulators usually rely on “administrative guidance,” which seeks to achieve a desired result under the law not as an order but as an administrative directive. Japanese PI Operators typically honor and follow such directives, whereas foreign-domiciled operators would not be so cooperative in various cases. This is why measures to enforce APPI needed to be implemented in this amendment.
6. Increased Fine
A violation of APPI can lead to a penalty of 100 million yen (about USD 1M). Before the amendment, it was only 500,000 yen (about USD 5,000). Article 87. A revenue-based penalty (as in GDPR) was discussed but not implemented, primarily because penalties are rarely invoked under APPI.