On Tuesday, March 10, the Japanese Cabinet approved a bill to revise the Act on the Protection of Personal Information (“APPI”), which would require companies to take certain additional measures to protect personal data of data subjects. The reported goals of the bill include, for example: (i) broadening data subjects’ powers to exercise control over their data; and (ii) to establish a system to facilitate corporation’s internal use of “big data.” The proposed amendment will be submitted to the ordinary session of the Diet for approval. The update comes as part of the Japanese government’s commitment to update Japan’s privacy law every three years. The last update came into force in May 2017.
While the final version may change, the version approved by the Cabinet contemplates the following major amendments:
- Right of data subjects to request a data handler cease use of data and erase data: The APPI currently provides for data subjects to request companies cease use of data or erase data under limited circumstances. The update aims to broaden these powers, making it easier for data subjects to request that a data handler cease use of or delete stored data.
- Right of data subjects to demand disclosure of data: The amendments would broaden the types of retained data (i.e., data retained for less than 6 months will be included in the definition of the retained data) a data handler must disclose to a data subject upon request.
- Restricting the use of the “opt-out” exception for third-party consent: The current version of the APPI allows data handlers to use an “opt-out provision” for transfers to third-parties if they provide certain information to the Personal Information Protection Commission (“PPC”). The update envisions limiting the cases this exception can be used. That is to say that: (i) personal data which was improperly collected (i.e., violating Article 17 of the APPI); and (ii) personal data which was transferred from a third party using the same “opt-out” exception may not be transferred using the “opt-out” exception.
- Pseudonymisation: Unlike the GDPR, the APPI currently does not provide for pseudonymisation of data. The update contemplates adding this in some form, which a data handler can utilize in limited circumstances, with the intent that controls on personal data that has been pseudonymised in accordance with the APPI will be relaxed; for example, the rights of data subjects to demand disclosure, correction and ceasing of usage.
- Additional instructions on obligations when transferring data to third parties: Even where data may not rise to the level of “personal data” on the side of the transferor, if the data could become personal data when combined with other data on the side of the transferee, in general, the consent of the data subject must be obtained. This may apply to, for example, data collected through Internet cookies.
- Mandatory reporting: In specific cases, the update requires data handlers to report a data breach to the PPC and the affected data subjects.
- Revising and strengthening of penalties: The maximum fine on data handlers is contemplated to be raised to 100 million yen if a data handler fails to comply with an order of the commission. The current fines are 500,000 yen or less, or 300,000 yen or less, depending on the nature of the violation.
The PPC has prepared provisional English translations of the changes on its website, which can be found here.
This post was originally published as a Hogan Lovells’ alert.