Japan Enacts Significant Amendments to its Data Privacy Law, Opening the Door to Restrictions on Foreign Businesses Doing Business in Japan
October 22, 2020
On June 5, 2020, the Japanese legislature passed several amendments (“Amendment Act”) to the Act on Protection of Personal Information of Japan (“APPI”) that will expand protections for personal data and impose new obligations on all businesses using personal data for business purposes, including non-profit organizations. Most significantly, the Amendment Act removed certain limitations on the extra-territorial application of the APPI, such that the APPI will apply more broadly to non-Japanese businesses if they process personal data of data subjects in Japan collected through their supply of goods or services to data subjects in Japan.
The Amendment Act goes into effect within two years of June 5, 2020. The effective date is expected to fall in Spring 2022, but the exact date will be determined separately by cabinet order. Over that period, the Personal Information Protection Commission (PPC) will likely issue regulations providing further guidance on compliance with the APPI as amended. Companies doing business in Japan should monitor the regulations that will interpret these changes so that they are in compliance with the law when it goes into effect.
The key changes made by the Amendment Act include:
- Extraterritorial application
Under the current APPI, certain provisions, including inspection, collection of reports, and issuance of orders by the PPC, do not apply to foreign businesses. The Amendment Act removed such limitation, meaning foreign businesses may be subject to the entire APPI, including inspection, collection of reports, and orders by the PPC.
- Enhancement of individual rights
The APPI currently provides data subjects with a right to request that businesses stop use of or delete personal data under certain limited circumstances. The Amendment Act expands these rights to apply when: (i) the business uses the personal data in improper ways by potentially facilitating illegal or unjustifiable conduct, (ii) there is no need for the business to use the personal data, (iii) a data breach occurs, and (iv) rights or legitimate interests of data subjects are interfered with by use of the personal data (such as the sending of unsolicited emails after a consumer has opted out). The PPC will be issuing regulations clarifying the scope of these rights.
- Expanded scope of personal data subject to the APPI
The APPI exempted from data subject rights any personal data that is deleted within six months. The Amendment Act removed this exemption, meaning that the data subject rights apply to personal data, regardless of the length of time the business holds or processes the personal data.
- Limitation on “Opt-Out” exemption for third-party transfer
The APPI provides that a business can generally transfer personal data to a third party within Japan by giving an opt-out right to data subjects, disclosing or making publicly available certain information in advance, and making a filing with the PPC. The Amendment Act narrowed the scope of personal data that may be transferred pursuant to the Opt-Out exemption by excluding (i) personal data that is illegally obtained, and (ii) personal data that is provided to the business based on an opt-out provision.
- Disclosure of records of third-party transfer of personal data
Under the APPI, a business is required to make a record when transferring or receiving the personal data of data subjects to or from a third party. The Amendment Act permits data subjects to request the business to disclose the record of the third-party transfer. The regulations will likely provide further guidance as to the form of record that must be provided.
- Additional obligation when transferring information of data subjects to a third party
Under the current APPI, no consent from a data subject is required when transferring information to a third party if the information does not constitute personal data. Under the Amendment Act, however, if the recipient of the information intends to combine it with other information the recipient already holds so that it identifies the data subject, then (a) the recipient is required to obtain consent from data subjects and (b) the transferor is required to confirm with the recipient, in advance of the transfer, that the recipient has obtained the necessary consent. This may require companies engaging in data transfers to enter agreements that specifically address the consent requirement.
Although information collected through cookies or other identifiers does not necessarily fall into the definition of personal data under the APPI, the transfer of such information may be subject to this new obligation. Businesses that transfer or receive such information will need to comply with these requirements.
- Introduction of Pseudonymously Processed Information
Unlike the GDPR, the current APPI does not include a concept of pseudonymisation. The Amendment Act references “Pseudonymously Processed Information,” which means data created from personal information by deleting certain information, such as name or personal identification number, so that it cannot identify a specific person unless combined with other information. This concept is introduced so that businesses can use such information for their benefit, such as conducting internal analyses, without being subject to the APPI’s requirements. For example, Pseudonymously Processed Information is not subject to an individual’s right to request disclosure or cessation of use of the information, or to the mandatory reporting requirement in case of a data breach, among other requirements.
- Mandatory report of data breaches
The APPI does not require businesses to report to the PPC or notify data subjects in the event of a data breach, although the PPC recommends such reporting and notification in certain cases. The Amendment Act will require businesses to report to the PPC and notify data subjects when there is a security breach that may materially interfere with an individual’s personal rights. The PPC will be issuing regulations that will clarify in more detail when breaches must be reported and the timing of notice to individuals.
- Increase in penalties
The Amendment Act increases the maximum fine for violating an order issued by the PPC from JPY 300,000 to JPY 100 million (approximately US$1 million). In addition, the PPC may make public that the business violated the order issued by the PPC.
The Amendment Act reflects the trend of countries increasing the protection of personal data and applying their protections extra-territorially to businesses that offer goods and services in their countries. Businesses need to monitor developments in all countries in which they do business to ensure they are in compliance.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Lisa Monaco, an O’Melveny partner licensed to practice law in the District of Columbia and New York, Scott Pink, an O’Melveny special counsel licensed to practice law in California, and Yuko Zaha, an O’Melveny counsel licensed to practice law in Japan and New York, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.