Important Changes to Japan's Privacy Law Take Effect April 1, 2022: Is Your Business Ready?
Next month, businesses located outside of Japan that provide goods or services to Japanese consumers and businesses may feel the long arm of Japan’s privacy regulator, the Personal Information Protection Commission (“PIPC”). When amendments to the Personal Information Protection Act (“PIPA Amendments”) take effect on April 1, foreign businesses that provide goods or services to Japanese consumers and businesses will be subject to all obligations and restrictions under PIPA, including investigations and orders from the PIPC. Until now, these types of investigations and orders were limited to businesses located in Japan. The PIPA Amendments also affect businesses in Japan by making significant changes to existing privacy compliance requirements. The PIPA Amendments, related guidelines, and enforcement orders impose new compliance obligations in several key areas, including data breach notification, cross-border data transfers, and the use of cookies.
This alert outlines some key changes made by the PIPA Amendments and offers practical compliance steps for businesses to consider.
Under the PIPA Amendments and amended guidelines, the PIPC must now be notified if a data breach meets the criteria established by the PIPC. Previously, only businesses subject to regulatory oversight by the Financial Services Agency (“FSA”) were subject to mandatory reporting requirements to their supervising authority, while all other businesses were merely “expected” to notify the PIPC.
The amended PIPC guidelines clarify that notification is required for breaches that involve or are likely to involve: (a) sensitive personal information; (b) personal information that is likely to cause property damage (such as credit card information or IDs and passwords used for online purchases); (c) unauthorized access to a data server or malware infection by a third party; or (d) more than 1,000 individuals. However, where a business has deployed advanced encryption measures to protect such information, notification to the PIPC will not be required. According to the PIPC’s Q&A on the guidelines, advanced encryption is likely to be considered deployed if (i) cryptographic techniques listed in the e-Government Recommended Ciphers List or ISO/IEC 18033, etc., whose security has been confirmed by appropriate evaluation organizations, are used and properly implemented, and (ii) decryption measures are properly managed (e.g., appropriate measures are taken to separate the encrypted information from the decryption key and to prevent leakage of the decryption key itself; a function to delete the encrypted information or the decryption key by remote control is provided; or the key is designed to prevent a third party from exercising it).
When notification to the PIPC is required, businesses must make both an initial notification (“Sokuho” in Japanese) promptly (within around three to five days from the day on which the organization learned of the data breach incident, subject to case-by-case consideration) and a final notification (“Kakuho” in Japanese) within 30 days (or, in the case of unauthorized access, within 60 days) from the day on which the business learned of the breach. These initial and final notifications are already part of current practice, but the PIPA Amendments and amended PIPC guidelines establish them as clear rules with a clear deadline for the final notification.
Notice to affected individuals is also required as soon as possible depending on the circumstances, but there is no fixed deadline for this notice. If such notice is practically difficult to make (for example, the business’s contact information for the impacted individual is not current, so the individual cannot be reached), then it is sufficient for the business to publish information about the breach, including the business’s contact information, on the business’s website.
Since January 2019, when the European Commission issued a decision recognizing PIPA as providing adequate protection, businesses in Japan may receive personal information from, or transfer personal information to, the member countries of the European Economic Area (EEA) and the United Kingdom without restriction. To transfer personal information to any other country, either consent from the individuals concerned or a data transfer agreement (“DTA”) with the receiving organization in the third country is required. The PIPA Amendments impose new requirements on transfers to these third countries. Specifically, where such transfers are made on the basis of consent, transferors are required to provide detailed information on the transfer before obtaining consent from the individuals concerned. Such information includes:
The same notice obligations apply when Personal-Related Information described below (e.g., cookies) is transferred cross-border to a third party and will be transformed into personal information by that third party. In that case, the third party (or the transferor on behalf of the third party) is responsible for providing the above information and obtaining the data subject’s consent, and the transferor is responsible for confirming that the third party has obtained the consent.
However, where personal information will be transferred cross-border on the basis of a DTA, such information need not be provided to individuals in advance, but if they expressly request it, the following information must be provided:
In addition, for all cross-border transfers of personal information and non-personal information to non‑EEA countries, transferors must:
To assist business operators in assessing the level of protection in third countries, the government commissioned a survey and has posted its findings on the following countries: Australia, Brazil, Cambodia, Canada, Hong Kong, India, Indonesia, Laos, Malaysia, Mexico, Myanmar, New Zealand, Philippines, Russia, Singapore, Switzerland, Taiwan, Thailand, Turkey, Ukraine, United States (as well as the states of Illinois, California, and New York), and Vietnam.
The PIPA Amendments include a new definition of “Personal-Related Information,” which refers to data relating to a living individual that is not personal information, pseudonymized information, or anonymously processed information. This new definition is intended to cover data that are not “personal information” on their own, but are likely to become personal information when combined with other data maintained by a data transferee. Personal-Related Information includes: (i) browsing history collected by cookies, (ii) an email address that does not contain personal information, or (iii) location data. The PIPA Amendments require opt-in consent before transferring Personal-Related Information, including such information collected through the use of cookies (e.g., browsing history, location data), to third parties. Opt-in consent is only required, however, where the transferor anticipates that the transferee will collate this information with personal information it has sourced from elsewhere to create a new set of personal information.
A business that (i) maintains a database containing Personal-Related Information and (ii) knew or should have known that the transferee may use the Personal-Related Information as personal information will be subject to the new requirements. For example, if the transferor (a) knows that the transferee holds certain personal information that could be used to identify the individual associated with the Personal-Related Information, (b) knows the transferee’s intended use of such Personal-Related Information (e.g., for individually targeted advertisements), and (c) transfers both the Personal-Related Information and IDs that may be associated with personal information, this would likely be deemed a situation where the transferor knew, or should have known, that the transferee could use the Personal-Related Information as personal information.
In such cases, the transferee (or the transferor on behalf of the transferee) must obtain opt-in consent from the individual. If the transferor is obtaining consent on behalf of the transferee, the PIPA Amendments require the transferor to identify the transferee when obtaining such consent. In this case, the transferee must also indicate the purposes for which the information will be used, for example, by posting the purposes of such use in the privacy policy on the transferee’s website homepage. The transferor must confirm that the transferee has obtained consent before transferring the Personal‑Related Information for both domestic and international transfers.
The PIPA Amendments make some additional changes with respect to the following:
Publication of security control measures. The PIPA Amendments require a business to make available to data subjects (or to respond without delay to requests from data subjects regarding) the measures taken to ensure the security control of retained personal data, unless such publication may itself cause security control issues. These measures include organizational security control, human security control, physical security control, and technological security control, as well as awareness of the external environment where a business processes personal data outside Japan (i.e., a business needs to take appropriate measures in light of the legislation or system related to the protection of personal information in the foreign country), which is a category of security control measures newly described in the PIPC guidelines.
Expanded individual privacy rights. Under the current PIPA, access and correction rights are limited to personal data that is retained longer than six months. The PIPA Amendments expand those rights by revising the definition of retained data to include all personal data, regardless of its retention period. In addition, individuals may request access to the transfer history of their personal data that has been shared with third parties, except when public or other interests may be harmed by such disclosure. Furthermore, individuals may choose how they would like to receive the requested information, including in electronic form. However, if the method of disclosure chosen by the individual requires significant costs, or if disclosure by that method is difficult, then disclosure may be made in writing. If disclosure by the method chosen by the individual is difficult, the business must notify the person to that effect without delay.
Pseudonymized Information. The PIPA Amendments establish a new category of “pseudonymized information,” meaning personal information that has been processed in such a manner that the specific individual cannot be identified without additional information. If a business holds only the pseudonymized information and no longer holds the additional identifying information that was removed (i.e., the pseudonymized information is no longer personal information), then its compliance obligations under PIPA are reduced: the obligations applicable to handling pseudonymized information that is non-personal information are limited to the prohibition of transfer to a third party, security control, supervision of employees and contractors, and handling of complaints. On the other hand, if a business continues to hold the additional identifying information that was removed, then the pseudonymized information is still treated as personal information, but a change in the purposes of use of the pseudonymized information does not require the data subject’s consent, which would otherwise be required for personal information. This new category of information is intended to facilitate the internal use of big data without having to satisfy the PIPC’s strict anonymization standards, which require irreversible de-identification.
Use of Opt-Out Consent. Transfers of personal information to third parties within Japan based on opt‑out consent will not be allowed if: (a) the information was collected by inadequate means; or (b) the information was originally transferred to the business from another third party based on opt-out consent.
Increased criminal penalties, etc. The PIPA Amendments strengthen the criminal penalties for failure to comply with PIPA, including increasing the amount of criminal fines and prison time that can be imposed. More specifically, (i) the penalty for violation of an order issued by the PIPC was strengthened from “imprisonment with labor for not more than six months or a fine of not more than 300,000 yen” to “imprisonment with labor for not more than one year or a fine of not more than 1,000,000 yen”; (ii) the upper limit of the fine for the covert provision or use of a personal information database for the purpose of seeking illegal profits was raised from 500,000 yen to 100 million yen, but only when applied to a legal entity as opposed to an individual; and (iii) the upper limit of the fine for failure to submit a report or materials requested by the PIPC, or for false submission of such a report, was raised from 300,000 yen to 500,000 yen. In addition, in the case of (i) above, the PIPA Amendments allow the PIPC to make a public announcement regarding the violation of the order. These increased criminal penalties are already in effect.
Practical Compliance Steps for Businesses to Consider. In light of the above-mentioned amendments, a business is encouraged to update its privacy policy to include the newly required items for disclosure, to conduct data mapping to confirm whether the personal information it holds will be affected by the amendments, and to change its operations and internal rules for handling personal information as necessary and appropriate. For example, if a business engages in cross-border transfers of personal data, it needs to be prepared to provide the necessary information when obtaining consent or upon a data subject’s request, depending on how it structures the cross-border transfer (i.e., transfer based on consent or reliance on a DTA). If a business currently deletes personal data within six months and therefore does not treat such data as retained personal data subject to the disclosure and other requirements, then the business needs to change its operations so that such data is also treated as retained personal data. If a business collects cookies or other non-personal information, it needs to confirm whether the collection involves a transfer of such data to a transferee that combines the data with other information to identify a specific individual. Furthermore, if a business processes personal data outside Japan (including through a contractor), it needs to review the legislation or system related to the protection of personal information in the foreign country and take appropriate security control measures.