On 3 September 2015, extensive amendments were introduced to the law in Japan which deals with the protection of personal information, “The Act on the Protection of Personal Information” (“APPI”). The effective date of the amended APPI has not yet been fixed; however, the law will take effect two years from its date of publication. While the details on the manner of its implementation still remain unclear, the following are some of the noteworthy amendments to the law:
1. Amended definition of “Personal Information”
The amended APPI expands the definition of “personal information” to include a person’s bodily information, such as fingerprint data and face recognition data. Numeric codes associated with an individual will also be covered by the new definition, such as passport numbers and driver’s license numbers.
2. Establishment of the Personal Information Protection Committee
A new government authority will be established, which will be called the “Personal Information Protection Committee” (the “Committee”). The Committee will have the authority to exercise certain functions, such as the ability to request data controllers to submit reports, conduct onsite inspections and issue administrative orders. How large and structured this Committee will be is still uncertain.
3. Handling of anonymized information
The amended APPI creates obligations on business operators when anonymizing personal data to be transferred to third parties. For example, a business operator must create the anonymized data pursuant to the regulations of the Committee, and ensure that the original pre-anonymized data may not be recreated.
4. Sensitive data
Under the previous APPI, there were no specific definitions concerning sensitive data such as race, religion or medical history. Under the amended APPI, business operators are prohibited from obtaining such sensitive data without the data subject’s consent. It is likely that other restrictions will also be imposed on sensitive data.
5. Transfer of personal data to third parties
Under the amended APPI, a business operator which receives personal data which has been transferred to them will need to confirm how the personal data was obtained, and retain for a certain period, a record of when the personal data was received.
6. Criminal sanction for the misuse of personal data
Under the amended APPI, individuals who are involved in the handling of personal data which has been subject to misuse or which has been stolen for unjust profit will be subject to a criminal penalty.
7. Opt-out for transfers of personal data
Under the previous APPI, a business operator may transfer personal data to third parties without the data subject’s consent if the data subject opts-out from doing so. Under the amended APPI, a prior notification to the Committee is necessary in order to use this opt-out arrangement.
8. Cross-border transfer of personal data
The amended APPI provides that personal data may be transferred to a foreign country only when the country has a legal system that is deemed equivalent to the Japanese personal data protection system, or to a third party which undertakes adequate precautionary measures for the protection of personal data, as specified by the Committee.