4 August 2016
The Personal Information Protection Commission (‘PPC’) launched, on 2 August 2016, a consultation on the draft amendments to the Order for Enforcement of the Act on the Protection of Personal Information (‘APPI’) (‘the Order’) and the Ordinance for Enforcement of the Act on the Protection of Personal Information (‘the Ordinance’). The consultation follows the promulgation of the APPI amendments on 9 September 2015, which will come into force two years after the day of promulgation. The specific date will be further specified by a cabinet order.
“The draft amendments to the Order and Ordinance address a broad range of key terms and concepts under the amendments to the APPI,” Ryuichi Nozaki, Director at Atsumi & Saki Europe Limited, told DataGuidance. “Therefore all data controllers should keep an eye on the drafts and development of the consultation process.”
The draft amendments to the Order and Ordinance address various issues, including the definition of ‘Personal Identification Code,’ sensitive personal information, and data exempted from the ‘Personal Information Database,’ rules regarding ‘opt-out’ provisions, a checklist for data controllers to meet the due diligence requirement when receiving personal data from a third party, and standards for data anonymisation. In addition, the draft amendments to the Order and Ordinance provide a general standard for the PPC’s delegation of its enforcement power to sector-based regulatory bodies.
Nozaki commented, “The draft amendments to the Order and Ordinance have added helpful clarifications for some important rules, such as items to be included in data transfer records and check points for due diligence in transferring data, whilst just providing general direction and insight of approach, without detail, on other points.”
In particular, the draft amendments provide the general security standard that an offshore third party should meet for an international transfer and for such a transfer to be treated as domestic. They also provide that a record needs to be created by a data controller that transfers personal data to a third party.
Nozaki concluded, “Upon completion of the public consultation process, the PPC is expected to publish a Q&A list, which should be helpful in getting more insightful and practical understanding.”
Ningxin Xie | Privacy Analyst