Amended Japan Privacy Law Will Come into Effect in April 2022

Tokyo was O’Melveny’s first international expansion destination, and we have offered robust Japan related Corporate and Dispute Resolution services for our clients for more than 30 years.

オメルベニー・アンド・マイヤーズの東京事務所は、オメルベニーで最初の米国国外の国際的な拠点として開設され、30年以上にわたってコーポレート及び紛争解決のいずれにおいても、歴史に残るような案件、影響力の大きな案件を手がけてきました。

The Amended Act on Protection of Personal Information, which was passed by the Japanese legislature in June 2020 (“Amended APPI”) ^[1], will come into effect on April 1, 2022^[2].

Since the passage of the Amended APPI, a number of key implementing regulations and supporting documents have been released, including Amendments to the Order for Enforcement of APPI and the Personal Information Protection Commission (“PPC”) rule, updated PPC guidelines (“Guidelines”), and related Q&A.  These regulations and documents address a number of important requirements, including the requirements for transferring personal data outside Japan, the requirements for transferring person-related-information, the requirements for notifying data security breaches, and the requirements for creating pseudonymous information exempt from certain obligations under the Amended APPI.

1. Personal Data Transfer to a Third Party Outside Japan

The Amended APPI requires consent to transfer personal data outside of Japan (the “opt-in principle”).  The PPC rule provides that for the opt-in to be effective, a business^[3] must provide certain information by way of email, written material, oral explanation, publication on website, or other methods which assure that the data subjects can review and understand the contents, including:

1. Name of country or region where a receiving third party is located;
2. A description of the personal information protection system in such country or region, which the Business confirmed by an appropriate and reasonable method, for example, confirming information published by a governmental agency of the country or Japan; and
3. Information related to personal information protection measures that a receiving third party will take, for example, explain details if the receiving third party does not take any measures correspondent to the OECD privacy principles.

A Business transferring personal data must research and describe the personal information protection system (i.e. privacy laws) of the countries to which the personal data is being transferred.  The PPC, however, has stated that it will research the personal information protection systems in 31 countries and regions^[4] and release its research results by the end of 2021.  According to the Guidelines, if personal data is being transferred to one of the countries covered by the PPC’s research, the Business may provide the personal information protection system description published by the PPC, which will make it easier for Business to meet this requirement.

The PPC rule also provides the requirements for claiming one of the key exemptions to the opt-in principle, i.e. transfer to a third party which has personal information protection measures of a level that correspond to those required under the APPI (“Measures”).  The Business transferring personal data must take necessary steps to ensure that a recipient third party continuously complies with the Measures, and, upon request, the Business must provide information about such steps to a data subject.  The PPC rule sets forth that the steps the Business must take include:  (i) regular check of implementation of the Measures by the recipient third party, and whether the relevant foreign country has any system which may affect implementation of the Measures by the recipient third party, and (ii) necessary and appropriate measures when any obstacle against implementation of the Measures arises.  If the recipient third party is unable to maintain continuous implementation of the Measures, the Business shall cease personal data transfer to the recipient third party.

2. Person-Related-Information

The Amended APPI introduced a new concept of “Person-Related-Information,” which means information related to an individual that does not fall into the categories of personal information, pseudonymous information or anonymous information^[5].

In some cases, information not identifiable with respect to a specific individual when held by a business that is transferred to a third party may be used as personal data by that third party if it collates the transferred data together with data that it holds.  Before the Amended APPI, unless information falls into the definition of personal information at a business transferring the data, it has remained outside the scope of the APPI, even when the information is used as personal data at a recipient third party.

To enhance protection for information which may thus be used as personal data after transfer, the Amended APPI requires a Business^[6] transferring information that does not identify a specific individual to check the following matters with a third party receiving the information (“Recipient” in this section), unless falling into certain exemptions, if it is expected that the Recipient will use the information as personal data.

1. Confirm that Recipient has obtained consent from data subjects to the effect that Recipient may receive Person-Related-Information from a thirty party and collate such data with other information and use the Person-Related-Information as personal data to identify the data subject.
2. If a Recipient is located outside of Japan, confirm that explanation of the personal information protection system in the country or region and measures for Recipients to take to protect personal information, and other information helpful for data subjects have been provided.

3. Data Breach Notification

The PPC rule stipulates that mandatory data breach notification to the PPC is required if any of the following data breach incidents has occurred or is likely to have occurred (“Incidents”), unless measures to protect data subjects’ rights from leak, loss or damage (“Breaches”), such as advanced encryption, have been taken:

1. Breaches of data including sensitive data;
2. Breaches of data including data which may result in economic loss if used improperly (e.g., stolen credit card information, leaked login ID and its password for a web service with payment or settlement services);
3. Breaches with unjust purposes (e.g., personal data were stolen by unauthorized access, personal data were taken as a hostage by ransomware); or
4. Number of data subjects subject to Breaches is more than 1,000.

Following occurrence of an Incident, a Business shall file two notifications with the PPC.  First, the Business shall file a preliminary notification promptly after becoming aware of the Incident, describing matters to the extent the business has been able to confirm at that point.  The Guidelines explain that “promptly” is determined case-by-case, but generally means three to five calendar days.

A second, final notification must be filed within 30 calendar days (60 calendar days in case of Incident type (C) above) of becoming aware of an Incident, after the Business has had an opportunity investigate the Incident.  In the final notification, the Business must notify all of the following matters:  (i) summary of the Incident, (ii) categories of personal data subject to the Incident, (iii) number of data subjects whose personal data were breached, (iv) what caused the Incident, (v) potential secondary damage caused by the Incident, (vi) any actions of notification to data subjects, (vii) any actions of announcement of the Incident, and (viii) any other information which helps the PPC understand the Incident.

Please note that in the case where handling of personal data has been outsourced and an Incident occurred at the outsourcing contractor, and if the outsourcing contractor promptly (approximately three to five calendar days) after becoming aware of the Incident notifies the business that entrusted the data to it, it is the business that entrusted the data, not the outsourcing contractor, which must file the notification with the PPC.  The outsourcing company must cooperate with the entrusting Business to investigate the Incident and prepare the data breach notification.

When a data breach notification to the PPC is required, the Business also must give notice of the Incident to data subjects “promptly depending on situation” after becoming aware of the Incident.  Although timing of “promptly depending on situation” is determined on a case-by-case basis, notice would not be required until the Business has enough information to provide effective notice to the data subjects. 

4. Pseudonymous Information

Pseudonymous Information is a newly introduced concept under the Amended APPI that allows businesses to use data internally and more flexibly.  A business using Pseudonymous Information will be exempted from rights of data subjects and mandatory data breach notification with respect to Pseudonymous Information, as long as the Pseudonymous Information is produced by all of the following methods, to the extent relevant:

1. Deletion of all or part of descriptions identifiable to a specific individual;
2. Deletion of all personal identification numbers; or
3. Deletion of descriptions which may cause economic damage if used improperly (e.g., credit card number, login ID and password for a website with remittance, payment or settlement services).

In addition, a business which holds “Deleted Descriptions,” which means descriptions or identification numbers deleted from personal information when producing Pseudonymous Information and the method that actually produced the Pseudonymous Information, shall take a security measure to protect Deleted Descriptions from being used to reidentify the information, including (i) enactment of authority and responsibility rules that limit the individuals handling Deleted Descriptions, (i) codification of handling rules, compliance, assessment, and review procedures, and (iii) measures to prevent unauthorized access to Deleted Descriptions.

Pseudonymous Information may or may not fall into the definition of personal information depending on whether the business also holds Deleted Descriptions.  Obligations of businesses handling Pseudonymous Information differ depending on whether Pseudonymously Processed Information is considered as personal data, but a business must comply with following requirements for information qualified as Pseudonymous Information:  (i) prohibition of third party transfer, unless falling within exemptions^[7], (ii) obligation to take security measures, (iii) obligation to oversee employees, (iv) obligation to oversee outsourcing companies, (v) obligation to make efforts to assure appropriate and smooth handling of complaints, (viii) prohibition to collate with other information for the purpose of identifying data subjects, and (ix) prohibition to contact data subjects via telephone, mail or email using Pseudonymous Information.

The Amended APPI aims to enhance protection of personal information by expanding data subjects’ rights and adding obligations on Businesses.  On the other hand, the Amended APPI aims to promote usage of data at Businesses by introducing the concept of Pseudonymous Information.  A foreign business will be subject to the Amended APPI as long as the foreign business processes personal information of data subjects in Japan for its business purposes.  The Amended APPI also significantly increases the penalties which may be imposed on businesses, to up to JPY 100 million per violation.

Businesses that operate in multiple jurisdictions face a complex data regulatory environment and must build a system to share personal information among affiliate companies in many different jurisdictions if necessary and prepare an action plan in case of a data breach incident that complies with data privacy regulations in all countries where they operate.  If a business’ operating environment includes Japan, or if the business holds data of Japanese data subjects, then it must incorporate compliance with the Amended APPI into its broader data management system.

[1] Please review our previous alert for key changes by Amended APPI.

[2] Increased penalties under the Amended APPI went into effect on December 12, 2020, and the expansion of matters to be notified or made available, and filed with the PPC, went into effect on October 1, 2021.

[3] A business under the APPI generally means a business using personal data for its business purposes.  Herein after referred as to “Business.”

[4] The 31 countries and regions include:  UAE, UAE (Abu Dhabi Global Market), UAE (Dubai Healthcare City), UAE (Dubai International Financial Centre), India, Indonesia, Ukraine, Australia, Canada, Korea, Cambodia, Singapore, Switzerland, Thailand, Taiwan, China, Turk, New Zealand, Philippines, Brazil, USA (Federal), USA (Illinois), USA (California), USA (New York), Vietnam, Hong Kong, Malaysia, Myanmar, Mexico, Laos, and Russia.

[5] Pseudonymous Information and Anonymous Information are information produced from personal data by deleting all or part of information identifiable a specific individual.  Third party transfer of them is prohibited in general.

[6] In this section, “Business” means a business using Person-Related-Information for its business purposes.

[7] A Business may transfer Pseudonymous Information to a third party in connection with outsourcing, business transfer, and co-use of Pseudonymous Information.  In addition, a Business may transfer Pseudonymous Information when required by law and regulations.

O’Melveny & Myers gaikokuho kyodojigyo horitsujimusho is the registered office in Japan of O’Melveny & Myers LLP, and operates as a joint enterprise among our U.S. and Japanese licensed attorneys resident in Tokyo as permitted under Article 49 3 of Japan’s Special Measures Law Concerning the Handling of Legal Business by Foreign Lawyers.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Scott Pink, an O’Melveny special counsel licensed to practice law in California and Illinois, David G. Litt, an O’Melveny of counsel licensed to practice law in California, District of Columbia, and a registered foreign lawyer in Japan, and Yuko Zaha, an O’Melveny counsel licensed to practice law in Japan and New York, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2021 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.