Amendments to the Personal Information Protection Act (PIPA) were passed by the National Diet on 3 September and promulgated on 9 September 2015. Most of the amendments will come into force within two years from the date of promulgation. The amendments introduce significant changes to the current personal data protection regime in Japan, including:
- the establishment of a central regulating authority (the Personal Information Protection Commission or PIPC)
- new concepts of sensitive personal information and anonymised information
- the removal of the de minimis threshold
- new rules on cross-border transfer of personal data
- the extra-territorial application of PIPA to the use of personal data collected from data subjects in Japan
- new rules to enhance traceability
- a strengthened opt-out scheme for third party data sharing
- strengthened enforceability and sanctions.
Definitions & Scope
Personal Information – It has been clarified that information containing numbers, symbols and codes that allow the identification of individuals, such as face or fingerprint recognition data or passport numbers, falls within the definition of Personal Information.
Sensitive Information – The concept of sensitive personal information, such as information relating to race, beliefs, medical history or criminal history (as well as history of being a victim of crime), will be adopted; a detailed definition will be provided by cabinet order. Collection of sensitive personal information will require the data subject’s prior consent, save for limited exceptions such as where required by law or in case of emergencies. Transfers of such information to third parties may not be based on opt-out.
Small Amounts of Data – The current exemption for business operators handling personal data of less than 5,000 individuals will no longer apply; instead certain types of data will be excluded.
Anonymisation – To facilitate the use of Big Data, the concept of anonymised information will be adopted to clarify how and when irreversibly anonymised personal information can be utilised.
Cross-Border Transfer & Extra-Territorial Scope
Transfers of personal data to third parties outside Japan will require the data subject’s consent, except where the transfer is made:
- to a jurisdiction designated by the PIPC as providing a level of protection comparable to that of Japan; or
- to a person satisfying PIPC criteria for protective measures in handling personal data.
PIPA will also apply extra-territorially to business operators located outside Japan who use personal information of data subjects located in Japan which was collected by the business operator in connection with the provision of goods or services to such data subjects.
To prevent the trafficking of illegally obtained personal data (as in the recent Benesse data leak case), the amended PIPA seeks to improve traceability of data obtained from third parties: the recipient of personal data from a third party must verify certain information from the provider and both provider and recipient must maintain records of the transfer.
Stricter rules for third party transfers under opt-out
The PIPA allows the transfer of personal data to third parties without the consent of the data subjects if the transferor provides the data subjects the opportunity to request the transferor to stop the transfer (opt-out). Although the opt-out terms need to be made publicly available, e.g. by posting on the website of the transferor, many data subjects are in practice not even aware of the identity of the transferor of their personal data or of the fact that an opt-out is available. The amended PIPA will require the transferor utilising the opt-out scheme to notify the terms of its opt-out to the PIPC, which will make it publicly available.
Legally enforceable rights of data subjects to require disclosure, correction, and suspension of use
While PIPA provides that data subjects may request business operators handling their personal data to disclose, correct, or suspend the use of their data, it is not apparent that the data subject may enforce such rights through the courts; in fact, a lower court decision denied such a legal right of enforcement. The amended PIPA clarifies that the data subject may file an action with the civil courts if the data handler fails to comply with the data subject’s demand within two weeks of the demand.
The PIPC (which will be established on 1 January 2016) will have authority and powers backed by penal sanctions to enforce the PIPA. It may conduct onsite inspections, require reporting, and issue recommendations and orders. Criminal penalties will be extended to the provision or theft of personal data (or copies thereof) for one’s own or others’ unlawful benefit, punishable by imprisonment of up to one year or a fine of up to 500,000 Japanese yen.