As society and business continue to digitalize, data protection is gaining importance from a legal perspective as well. Faced with rapid technological developments, Japan has reformed the Japanese Data Protection Act (“Act on Protection of Personal Information” – “APPI”); the reform (“Amendment”) became effective on 30 May 2017. The Amendment is the first major reform of the APPI since its enactment in 2005. This special newsletter provides an overview of the main changes to the APPI as well as the measures companies need to consider in light of the Amendment.
1. Reform of the data protection law in Japan
The only statutory law on the protection of personal information in Japan is the APPI. The APPI establishes rules concerning the handling of personal information, including the acquisition, use and transfer of such information. In certain areas, the competent ministries have also established guidelines which, while not legally binding, include, inter alia, suggestions for interpreting the APPI, e.g. the “Financial Services Agency of Japan Guidelines” (“FSA Guidelines”), the “Ministry of Economy, Trade and Industry of Japan Guidelines” (“METI Guidelines”), and the “Ministry of Health, Labor and Welfare Guidelines” (“MHLW Employment Guidelines”).
a) Under the Amendment, the scope of the APPI has been extended. In its pre-amendment version, the APPI was not applicable to business operators having no more than 5,000 identifiable individuals in their databases on any day during the past six months. For a large number of companies, in particular small and medium-size subsidiaries of foreign companies, the APPI therefore did not apply. This has changed with the Amendment. Due to the extension of the scope, business operators handling a smaller amount of data, so-called “Small-Size Database Operators”, are now also covered and need to comply with the requirements of the APPI.
b) For the first time, the Amendment introduces and defines the term “Sensitive Personal Information”. This new category includes information such as race, religious beliefs, social status, criminal records, and medical history, or any other information that may lead to discrimination or prejudice. The collection and handling of Sensitive Personal Information by a business operator requires the prior explicit consent of the individual concerned. Several directives (such as those of the FSA) include additional provisions concerning the handling of such Sensitive Personal Information.
c) Likewise, a new category of “Anonymized Data” has been introduced. This category includes any personal data that does not contain particular descriptions or items that could be used to identify a person. Under certain conditions, Anonymized Data may be transferred to third parties without prior consent.
d) Additionally, a new Data Protection Committee for Supervision and Enforcement of Data Protection Regulations was established. The Committee, which consists of experts from practice and academia, operates as a first point of contact for questions regarding data protection as well as a supervisory body. Its further responsibilities include defining the countries that will be considered as having an adequate level of data protection comparable to Japan's, as further described under item 1. e) below.