22 September 2015

Changes to Japan’s Personal Information Protection Act

Japan’s National Diet passed a bill earlier this month amending PIPA to strengthen the data protection regime and creating (with effect from 1 January 2016) a central regulator with enforcement powers.  Most of the other amendments will come into force within two years; these include, along with other significant changes, the introduction of a cross-border transfer restriction and expansion of the PIPA’s territorial scope.

Summary | Definitions & Scope | Cross-Border Transfer & Extra-Territorial Scope | Traceability | Stricter rules for third party transfers under opt-out | Legally enforceable rights of data subjects to require disclosure, correction, and suspension of use | Strengthened Sanctions

Summary

Amendments to the Personal Information Protection Act (PIPA) were passed by the National Diet on 3 September and promulgated on 9 September 2015. Most of the amendments will come into force within two years from the date of promulgation. The amendments introduce significant changes to the current personal data protection regime in Japan including:

  • the establishment of a central regulating authority (the Personal Information Protection Commission or PIPC)
  • new concepts of sensitive personal information and anonymised information
  • the removal of the de minimis threshold
  • new rules on cross-border transfer of personal data
  • the extra-territorial application of PIPA to the use of personal data collected from data subjects in Japan
  • new rules to enhance traceability
  • a strengthened opt-out scheme for third party data sharing
  • strengthened enforceability and sanctions.

Definitions & Scope

Personal Information – It has been clarified that information containing numbers, symbols and codes that allow the identification of individuals, such as face or fingerprint recognition data or passport numbers, fall within the definition of Personal Information.

Sensitive Information – The concept of sensitive personal information, such as information relating to race, beliefs, medical history or criminal history (as well as history of being a victim of crime), will be adopted; a detailed definition will be provided by cabinet order. Collection of sensitive personal information will require the data subject’s prior consent, save for limited exceptions such as where required by law or in case of emergencies. Transfers of such information to third parties may not be based on opt-out.

Small Amounts of Data – The current exemption for business operators handling personal data of less than 5,000 individuals will no longer apply; instead certain types of data will be excluded.

Anonymisation – To facilitate the use of Big Data, the concept of anonymised information will be adopted to clarify how and when information irreversibly anonymised personal information can be utilised.

Cross-Border Transfer & Extra-Territorial Scope

Transfers of personal data to third parties outside Japan will require the data subject’s consent except where:

  1. to a jurisdiction designated by the PIPC as providing a level of protection comparable to that of Japan; or
  2. to a person satisfying PIPC criteria for protective measures in handling personal data.

PIPA will also apply extra-territorially to business operators located outside Japan who use personal information of data subjects located in Japan which was collected by the business operator in connection with the provision of goods or services to such data subjects.

Traceability

To prevent the trafficking of illegally obtained personal data (as in the recent Benesse data leak case), the amended PIPA seeks to improve traceability of data obtained from third parties: the recipient of personal data from a third party must verify certain information from the provider and both provider and recipient must maintain records of the transfer.

Stricter rules for third party transfers under opt-out

The PIPA allows the transfer of personal data to third parties without the consent of the data subjects if the transferor provides the data subjects the opportunity to request the transferor to stop the transfer (opt-out). Although the opt-out terms need to be made publicly available, e.g. by posting on the website of the transferor, many data subjects are in practice not even aware of the identity of the transferor of his/her personal data nor of the fact that an opt-out is available. The amended PIPA will require the transferor utilising the opt-out scheme to notify the terms of its opt-out to the PIPC, which will make it publicly available.

Legally enforceable rights of data subjects to require disclosure, correction, and suspension of use

While PIPA provides that data subjects may request business operators handling their personal data to disclose, correct, or suspend the use of their data, it is not apparent that the data subject may seek to enforce such rights through the courts of law and in fact, a lower court decision denied such legal right of enforcement. The amended PIPA clarifies that the data subject may file an action with the civil courts, if the data handler fails to comply with the data subject’s demand within two weeks of the demand.

Strengthened Sanctions

The PIPC (which will be established on 1 January 2016) will have authority and powers backed by penal sanctions to enforce the PIPA. It may conduct onsite inspections, require reporting, and issue recommendations and orders. Criminal penalties will be extended to the provision or theft of personal data (or copies thereof) for one’s own or others’ unlawful benefit, punishable by imprisonment of up to one year or a fine of up to 500,000 Japanese yen.

Osamu Ito
Kyoko Naka

Allen & Overy is an international legal practice with approximately 5,600 people, including some 580 partners, working in more than 40 offices worldwide. A current list of Allen & Overy offices is available at allenovery.com/global/global_coverage.

Allen & Overy means Allen & Overy LLP and/or its affiliated undertakings. Allen & Overy LLP is a limited liability partnership registered in England and Wales with registered number OC306763. Allen & Overy (Holdings) Limited is a limited company registered in England and Wales with registered number 07462870. Allen & Overy LLP and Allen & Overy (Holdings) Limited are authorised and regulated by the Solicitors Regulation Authority of England and Wales.

The term partner is used to refer to a member of Allen & Overy LLP or a director of Allen & Overy (Holdings) Limited or, in either case, an employee or consultant with equivalent standing and qualifications or an individual with equivalent status in one of Allen & Overy LLP’s affiliated undertakings. A list of the members of Allen & Overy LLP and of the non-members who are designated as partners, and a list of the directors of Allen & Overy (Holdings) Limited, is open to inspection at our registered office at One Bishops Square, London E1 6AD.

© Allen & Overy LLP 2022. This document is for general information purposes only and is not intended to provide legal or other professional advice.

allenovery.com