On Nov. 29, the Japanese data protection authority, the Personal Information Protection Commission, published a skeleton outline of amendments to the Act on the Protection of Personal Information. In this article, we will explain the contents of the skeleton outline, which consists of seven main topics.
It is expected the PPC will publish the full outline in mid- to late December and that the draft bill will be published in early 2020 to pass the amendment during the parliamentary session in 2020 (estimated to be between January 2020 and June 2020).
Data subjectsâ€™ rights
The proposed amendment may expand individualsâ€™ rights of cessation of use, deletion and cessation of third-party provision of retained personal data. Under the current law, these rights are not exercisable at the request of the data subject; they are only permitted if the personal data was used for purposes other than those notified, it was collected by deceit or other improper mean, or if it was provided to a third party in violation of the APPI.
The amendment may also promote the digitalization of the right to disclosure. For instance, it would allow data subjects to demand disclosure of retained personal data by electronic means. There is no reference to this process in the current law. It may also expand the scope of personal data covered by abolishing the exception that does not protect data that is deleted within six months.
Provision of personal data to third parties generally requires the consent of data subjects, but there are some exceptions. Personal data can be provided to third parties without consent if it is notified to the PPC and data subjects are given the right to opt out. However, the amendment may limit the scope of personal data that could be provided based on this exception and may also give data subjects a right of disclosure of records, which must be kept by data processors in case of provision of personal data to third parties.
Expanding the responsibility of companies
Under the APPI, submitting a data breach report to the PPC is merely a â€œduty to make an effortâ€� and notifying data subjects is only a recommendation. There are also no clear rules regulating a companyâ€™s usage of personal data in an improper manner. The amendment may create new legal obligations to notify the PPC and data subjects in the event of a data breach. It may also make it clear that companies cannot use personal data in an improper manner.
Mechanisms to promote voluntary efforts by companies
Under the current law, personal information protection organizations accredited by the PPC deal with complaints and give guidance to its members who process data. The amendment may allow the PPC to give accredited organizations more flexibility to diversify personal information protection organizations.
The current law already requires the publication of certain elements by the personal information handling operator with regard to retained personal data. In practice, this publication is usually made by using privacy policies. The amendment may add a system for processing personal information and safeguards to protect personal information, as well as guidance on elements to be published when processing retained personal data.
Policies regarding data use
The proposed amendment may introduce the concept of â€œpseudonymized information,â€� which is personal information that can only identify the specific individual by collation with other information. As for â€œpseudonymized information,â€� some of the regulations applicable to personal information may be exempted under some conditions.
Under the current law, the provision of personal data to third parties generally requires the consent of the data subject unless certain exceptions apply. Whether these regulations regarding the provision of personal data to third parties apply has been understood to be determined by whether the discloser can identify an individual, while the recipientâ€™s ability to do so has been irrelevant.Â However, the amendment may also regulate the provision of data by the discloser if it is obvious to the discloser that the recipient may identify an individual, even if the discloser cannot identify an individual. The scope of the regulations may therefore be broadened.
This amendment may also clarify the exception to data use for public purposes to promote data use. The PPC will publish guidelines and a Q&A on where companies can, based on the public purpose exceptions, transfer personal data to third parties or use personal data beyond its specified utilization purpose. The PPC will update existing guidelines and Q&As from companies regarding personal data and make both publicly available.
Making amendments to the penalties
The amendment may review the current penalties and introduce more severe penalties for legal entities compared to natural persons.
Extraterritorial applicability and data transfer to third parties outside of Japan
Currently, the PPC does not have the authority to make companies in a foreign country submit reports, nor can it make orders to overseas companies, but the amendment may give such authority to the PPC. The PPC may also be able to publish the fact that an overseas company did not follow such an order.
Data transfer to third parties outside of Japan is already regulated, but the amendment may strengthen these regulations. The amendment may require an explanation to data subjects with regards to such data transfer, including the names of the countries where the data is exported and information regarding whether there are regulations to protect personal data in those countries.
Harmonizing regulations between governments and the private sector
Under the current version of APPI, regulation of personal information handled by governments and the private sector is not harmonized. In addition, regulations are different for each local government. So the PPC will aim to harmonize such regulations that will lead to more consistent data utilization between the private sector and governments, including national and local governments and universities.