Dr. Tobias Schiebe, LL.M., Rechtsanwalt und registrierter Foreign Attorney in Japan, ARQIS Foreign Law Office, Tokyo
Takashi Yoneyama, LL.M., Japanischer Rechtsanwalt (Bengoshi), TMI Associates, Tokyo
Due to the continuing digitalization of society and business the issue of data protection gains increasing importance also from a legal perspective. Faced with the rapid technological developments, Japan has adopted an Act on the reform of the Japanese Data Protection Act („Act on Protection of Personal Information“ – „APPI“), which has become effective on 30 May 2017 (“Amendment”). The Amendment is the first major reform of the APPI since its enactment in 2005. This special newsletter provides an overview of the main changes to the APPI as well as the measures companies need to consider in light of the Amendment.
1. Reform of the data protection law in Japan
The only statutory law on the protection of personal information in Japan is the APPI. The APPI establishes rules concerning handling of personal information, including the acquisition, use and transfer of such personal information. While not legally binding, for certain areas guidelines established by the competent ministry inter alia include suggestions for interpreting the APPI, e.g. the “Financial Services Agency of Japan Guidelines” (“FSA Guidelines”), the “Ministry of Economy, Trade and Industry of Japan Guidelines” (“METI Guidelines”), and the “Ministry of Health, Labor and Welfare Guidelines” („MHLW Employment Guidelines“).
a) Under the Amendment, the scope of the APPI has been extended. In its pre-amended version, the APPI was not applicable to business operators having no more than 5,000 identifiable individuals in its database on any day during the past six months. For a large number of companies, in particular small and medium-size subsidiaries of foreign companies, the APPI therefore did not apply. This has changed with the Amendment. Due to the extension of the scope, also those business operators, handling a smaller number of data, so-called „Small-Size Database Operators“, are now covered and need to comply with the requirements of the APPI.
b) For the first time the Amendment introduces and defines the term „Sensitive Personal Information“. This new category includes information, such as race, religious beliefs, social status, criminal records, and medical history or any other information that may lead to a discrimination or prejudice. The collection and handling of Sensitive Personal Information by a business operator requires a prior explicit consent of the individual concerned. Several directives (such as of the FSA) further include additional provisions concerning the handling of such sensitive personal information.
c) Likewise a new category of „Anonymized Data“ has been introduced. This category includes any personal data that does not contain particular descriptions or items that could be used to identify a person. No prior consent is necessary for the transfer of anonymized data to third parties under certain conditions.
d) Additionally, a New Data Protection Committee for Supervision and Enforcement of Data Protection Regulations was established. The Committee, which consists of experts from practice and academics, operates as a first point of contact for questions regarding data protection as well as supervisory body. The further responsibilities include defining the countries which will be considered as having an adequate level of data protection as Japan as further described under item 1. e) below.
e) Most importantly, the Amendment introduces for the first time restrictions for the transfer of data outside of Japan. While prior to the Amendment provisions only existed regarding the data transfer to a third party in general, the Amendment stipulates for the first time limitations under which data transfer to a place outside of Japan is permitted. The data transfer is hereunder only permitted (i) to overseas recipients in countries which have an „adequate“ level of data protection as in Japan (the Committee will determine which countries will be deemed to have an adequate level of data protection step by step over time), (ii) to overseas recipients with whom contractual agreements have been concluded to ensure compliance with data protection standards in Japan, or (iii) to overseas recipients in case the concerned individual has given its prior written consent to such transfer.
2. Measures to take
Following the Amendment, it is recommendable to review and confirm, if not yet done, the data handling processes of your Japanese business operations regarding the following items.
a) General
- Confirm whether personal information is handled at your company and if a privacy policy on the handling has been enacted.
- If personal information is handled and a privacy policy is not yet implemented, establish a privacy policy.
- Establish structures, processes and responsibilities to deal with requests of data subjects in order to react in time to protect the data subject’s rights.
b) International Data Transfer
- If personal information is transferred to a place outside of Japan, if possible, obtain the express consent of the data subject concerned because the countries with an adequate level of data protection similar to Japan have not yet been determined.
- Alternatively, if obtaining consent of the data subject is practically difficult, conclude a contractual agreement with the recipient to ensure compliance with data protection standards in Japan.
c) Outsourcing Data Handling
- When outsourcing data handling to a service provider, check if your written service agreement with the service provider at least includes the following provisions:
- Confidentiality obligation
- Prohibition to take personal information outside the business premises
- Prohibition to use personal information outside the admissible purpose of use
- Representations and warranties of sufficient data protection by the service provider
- Liability of service provider in case of leakage as well as an indemnification obligation
- Reporting obligation regarding compliance with the content of contract, audit right
- Return or destruction of specific personal information after the end of the service agreement
- Conclude an amendment agreement for existing service agreements to include the above matters if not yet covered.
NOTE: This article is provided for general information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.
Written by: Takashi Yoneyama, LL.M., Japanischer Rechtsanwalt (Bengoshi), TMI Associates, Tokyo and Dr. Tobias Schiebe, LL.M., Rechtsanwalt und registrierter Foreign Attorney in Japan, ARQIS Foreign Law Office, Tokyo