
Discerning Data


A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy


Japan’s Protection of Personal Information Amendments Go into Effect


The amendments to Japan’s Act on the Protection of Personal Information went into effect on May 30, 2017. The amendments provide clarity on what types of personal information will be regulated and steps operators need to take to be in compliance.

The Act, Generally

Formulated “to protect an individual’s right and interests while considering the utility of personal information,” the Act (1) sets forth the overall vision and policy regarding the proper handling and protection of personal information, (2) clarifies the responsibilities and obligations of the central and local governments in the protection of personal information, and (3) ensures that the proper application of personal information contributes to the creation of new industries, the realization of a vibrant economic society, and an enriched quality of life for the people of Japan.

Recent Amendments

The 2015 amendments provide a clearer definition of what constitutes “personal information,” which the Act now defines as information relating to a living individual that contains:

(i) a name, date of birth, or other similar description that has been stated, recorded, or otherwise expressed using voice, movement or other methods in a document, drawing or electromagnetic record (including those which can be readily collated with other information and thereby identify a specific individual); or

(ii) an individual identification code.

Article 2(1).  The amendments introduce and define “special care-required personal information” as “personal information comprising a principal’s race, creed, social status, medical history, criminal record, fact of having suffered damage by a crime, or other descriptions etc. prescribed by cabinet order as those of which the handling requires special care so as not to cause unfair discrimination, prejudice or other disadvantages to the principal.” Article 2(3).

The amendments also lay out the obligations of a “personal information handling business operator,” which they define as “a person providing a personal information database for use in business” that is not a central government organization, a local government, an incorporated administrative agency, or a local incorporated administrative agency. Article 2(5). A personal information handling business operator must explicitly specify the purpose of utilizing the personal information, and it cannot handle personal information beyond this purpose without obtaining advance consent from the data principal. Articles 15, 16.

The amendments establish the Personal Information Protection Commission (PIPC), which now serves as the central supervising and enforcement authority for the Act.  Prior to the creation of the PIPC, this oversight was performed by government ministers for each industry sector.

The amendments also introduce new measures relating to cross-border transfers of personal information.  In most instances, a personal information handling business operator should not provide personal data to a third party in a foreign country without obtaining the data principal’s consent in advance.  Article 24.  The operator must also maintain a record of information relating to third-party transfers, including the name of the third party, date of transfer, a description of the information, and other matters prescribed by the PIPC.  Article 25.

Effect

The amendments provide greater clarity about what types of personal information are subject to regulatory oversight, how and by whom that oversight will be performed, how companies should handle cross-border transfers, and what steps data operators should take to comply.

As with other privacy protection regulations, there is a wide range of penalties for non-compliance with the Act, which include monetary fines, imprisonment, and imprisonment with labor.  Companies that handle personal information in Japan may need to adjust their internal privacy and data protection policies and contractual agreements with foreign entities, including technology or outsourcing vendors, affiliate companies and foreign governments.  The amendments do not provide a grace period for compliance, so these companies should move to ensure compliance with haste.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.


August 7, 2017
Written by: Discerning Data Editorial Board
Category: International, Privacy
Tags: International
