The Personal Information Protection Commission (‘PPC’) published, on 29 November 2019, a document (‘the Revision Document’) on principal revisions to the Protection of Personal Information Act (Act No. 57 of 2003 as amended in 2016) (‘APPI’), based on its three-year review. In particular, the Revision Document addresses, among other things, disclosure procedures, the responsibilities of business operators, approaches to data utilisation measures, cross-border data transfers, legal penalties, and the handling of personal information through the public and private sectors.
Atsushi Okada, Partner at Mori Hamada & Matsumoto, told OneTrust DataGuidance, “The key amendments for businesses to be aware of include [among others] the expansion of data subjects’ rights to [encompass] the suspension and deletion of personal data, the regulation of cookies that are combined by a third-party transferee with other data to produce personal data, the introduction of mandatory data breach notifications, the relaxation of obligations for pseudonymised data, and the strengthening of the regulation of cross-border data transfers.”
Moreover, the Revision Document calls for the promotion and correct operation of the current disclosure request system, which is intended to make personal information retained by companies more useful for individuals. In addition, the Revision Document recommends expanding the scope of retained personal data that is subject to disclosure, as the progress of the information-oriented society has changed the risks associated with disclosure. Furthermore, the Revision Document recommends amendments to opt-out regulations, and highlights that the present opt-out procedures are difficult for individuals use.
A lot of issues remain that need further clarification
Okada further commented that, “For companies not already complying with the General Data the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and the Directive 2002/58/EC on Privacy and Electronic Communications the biggest impact will be the amendments to data subject rights and the regulation of cookies. [In addition,] new requirements for data exporters to inform data subjects which country their data are transferred to and what kinds of data-protection rules are in place there [may have a significant impact] depending on the level of detail required. [Furthermore,] the mandatory breach notifications may have a medium impact, depending on the details of the requirements. The relaxed obligations for pseudonymised data [may also] have a medium impact depending on what kind of actual benefits are granted to pseudonymised data.”
In addition, the Revision Document proposes enhanced explanations of the personal information held by business operators. The PPC noted that these enhanced explanations will provide individuals with a better understanding of the personal information held by businesses and support the proper handling of personal information. Furthermore, the Revision Document supports the clarification of appropriate usage obligations. Finally, the Revision Document proposes the diversification of the accreditation for personal information handlers, in order to allow organisations conducting activities in niche business areas to become accredited.
Okada concluded, “There are a few important issues which drew much attention but have not been included in the Revision Document, such as the introduction of data portability rights similar to the scope recognised in the GDPR, and the introduction of administrative fines. I believe these two issues are unlikely to be introduced in the next round of APPI amendments. […] While there are provisions in the Revision Document which have been [influenced] by the GDPR, there are a few provisions which, depending on the details, could be unique to Japanese legislation. [Furthermore], given that the current outline is quite brief, a lot of issues remain that need further clarification, [and which may] be included in the full version of the outline that will be published later this month.”
KESHAWNA CAMPBELL Privacy Analyst