Amendments to the Act on the Protection of Personal Information and Relevant Issues | Practical Law

The article introduces the amendments to the APPI and the My Number Act as well as recent discussions on data protection and the relatively new My Number System.

Practical Law UK Articles 8-617-6697 (Approx. 11 pages)

Law stated as at 01 Aug 2017
This article is part of the PLC Global Guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.

Amendments to the APPI and the My Number Act

On 3 September 2015, a law providing for amendments to the following laws (Amendments Law) was enacted:
  • Act on the Protection of Personal Information (Act No. 57 of 30 May 2003, as amended) (APPI).
  • Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures (Act No. 27 of 31 May 2013, as amended) (My Number Act).
  • Other relevant laws.
Most parts of the Amendments Law came into force on 30 May 2017. Some parts (mainly regarding the My Number Act) will come into force no later than September 2018.

General overview of the APPI

The APPI is the main data protection legislation in Japan. It proceeds on the basic principle that the cautious handling of personal information under the principle of respect for individuals will promote the proper handling of personal information (Article 3, APPI).
The APPI provides a general framework for both private entities and administrative organs. However, there are specific additional obligations that apply only to private entities. The obligations that apply to general administrative organs and independent administrative agencies are covered under the:
  • Act on the Protection of Personal Information Held by Administrative Organs (Act No. 58 of 30 May 2003, as amended).
  • Act on the Protection of Personal Information Held by Independent Administrative Agencies (Act No. 140 of 5 December 2001, as amended).
Furthermore, there are local regulations (jyourei) provided by local governments.

The need to amend the APPI

The Japanese Government published one of its main strategies, the "Japan Revitalization Strategy Revised in 2014 – Japan's challenge for the future" (Japan Revitalisation Strategy) on 24 June 2014 and updated the strategy on 30 June 2015. The strategy has the objective of making Japan the world's leading IT society, a vital part of Japan's industry revitalisation plan.
Under the Japan Revitalisation Strategy, the government plans to implement widespread legal reforms on vital matters relating to data use, such as:
  • Setting up an independent data authority.
  • Reducing personal identification in data handling. This is to promote the utilisation of personal data while protecting personal information and privacy in the era of big data.
The "Policy Outline of Institutional Revisions for the Utilization of Personal Data" (Policy Outline) was published by the Strategic Headquarters for the Promotion of an Advanced Information and Telecommunications Network Society. The Policy Outline observed the exponential progress in information and communications technology since the full enforcement of the APPI in 2005. The development is expected to contribute to creating Japanese innovations in the future, such as enabling the collection and analysis of diverse and vast amounts of data (big data) which greatly contribute to creating new industries and services and resolving various issues surrounding Japan.
The Policy Outline recognised the need to amend the APPI in two ways:
  • By abolishing the existing grey areas on the use of personal data, which is currently a major issue for business operators.
  • By harmonising data systems globally to address issues on cross-border use and the transfer of data and privacy protection outside of Japan.
One of the biggest personal information leakages in Japan was uncovered following the issue of the Policy Outline. The scandal influenced deliberations on the bills which proposed the Amendments Law, such that the final form of the Amendments Law passed by the Diet included additional provisions to prevent leakage of personal information (see below, Strengthening the protection of personal information).
The main amendments are:
  • Establishing a Personal Information Protection Commission.
  • New legislation on international data transfers.
  • Extraterritorial application of the APPI.
  • Expanding the definition of personal information.
  • Distinguishing "sensitive information".
  • New legislation on anonymised information.
  • Strengthening the protection of personal information.
The Amendments Law which established the Personal Information Protection Commission came into force on 1 January 2016. Most of the other parts of the Amendments Law came into force on 30 May 2017.

Establishing a Personal Information Protection Commission

There was no single independent regulatory authority responsible for implementing the previous APPI. Each Ministry that regulates specific industries was responsible for enforcing the previous APPI in that industry. The Amendments Law established a Personal Information Protection Commission (Kojin Jyouhou Hogo Iinkai) (PPC) which is responsible overall for implementing the APPI (see Amendments to My Number Act).

New legislation on international data transfer

The previous APPI did not have special restrictions regarding the transfer of personal information abroad. The Amendments Law introduced new restrictions on international data transfer. In principle, the Amendments Law requires transferors to obtain the prior consent of the individuals in order to transfer their personal information to a third party located in a foreign country. However, the data subjects' consent to overseas data transfers is not required if:
  • The foreign country is specified in the PPC Ordinance as a country having a data protection regime with a level of protection equivalent to that of Japan. As of 30 June 2017, the PPC Ordinance has not identified any such foreign country.
  • The third party recipient has a system of data protection that meets the standards prescribed by the PPC Ordinance.
Under the PPC Ordinance, the standards of the data protection system that a third party recipient outside Japan must meet are either:
  • There is assurance, by appropriate and reasonable methodologies, that the recipient will treat the disclosed personal information in accordance with the spirit of the requirements for handling personal information under the APPI.
  • The recipient has been certified under an international framework, recognised by the PPC, regarding its system of handling personal information.
The implementation of the PPC Ordinance is contained in the PPC's Guidelines. Under the PPC Guidelines, "appropriate and reasonable methodologies" include agreements between the disclosing party and the recipient, or inter-group privacy policies, which ensure that the recipient will treat the disclosed personal information in accordance with the spirit of the APPI. The PPC Guidelines identified the APEC Cross Border Privacy Rules (CBPR) System as the recognised international framework on the handling of personal information.

Extraterritorial application of the APPI

The previous APPI did not explicitly provide for its application outside of Japan. Under the Amendments Law, the APPI applies to entities outside of Japan if they receive personal information in connection with the provision of goods or services to individuals residing in Japan.

Expansion of the definition of personal information

Personal information is defined in the previous APPI as information about specific living individuals that can identify them by (Article 2, paragraph 1, previous APPI):
  • Name.
  • Date of birth.
  • Other descriptions contained in the personal information (including information that will provide easy reference to other information that may identify the individual).
The Amendments Law expanded the definition of personal information to include "Individual Identification Codes" (Kojin Shikibetsu Fugou). Individual Identification Codes are listed in the cabinet order and PPC Ordinance, and are divided into:
  • Codes that relate to the physical characteristics of individuals.
  • Codes allocated to individuals in relation to the provision of services or goods, or documents issued to the individuals (where the codes are individually allocated).
Face recognition data, driver's licence numbers, and passport numbers are included in the Individual Identification Codes, but mobile phone numbers and credit card numbers are not included in the Individual Identification Codes.

Distinguishing sensitive information

The previous APPI made no distinction between sensitive information and other kinds of personal information. The Amendments Law addresses the oversight by introducing the concept of "information that needs to be treated with special care" (Youhairyo Kojin Jyouhou). This includes information on:
  • Race.
  • Creed.
  • Social status.
  • Medical history.
  • Criminal records.
  • A crime victim's history.
  • Other sensitive information that may lead to social discrimination or disadvantage.
The Amendments Law introduced new restrictions for sensitive information, including a prohibition on obtaining and providing sensitive information without the data subject's consent.

New legislation on anonymised information

Under the Amendments Law, individual consent is not necessary to transfer personal information that is being anonymised to third parties. This framework is expected to lead to the utilisation of big data, innovations and new businesses.

Strengthening the protection of personal information

Several amendments aim to strengthen the protection of personal information and include the following:
  • The Amendments Law removed the exemption from certain data protection obligations for business operators with fewer than 5,000 individuals in their personal information database at any time within the previous six months. All private business operators will be considered "Handling Operators" covered by the APPI.
  • The Amendments Law penalises any Handling Operator that provides personal information to a third party for any unlawful gain with imprisonment of up to one year or a fine of up to JPY500,000.
These amendments were triggered by one of the largest personal information scandals in Japan, which became public in July 2014. Benesse Corporation (one of the biggest correspondence education companies in Japan) announced that an employee of its subcontractor (in charge of data handling and security) had sold the personal information of more than 3.5 million of the corporation's customers to name list traders. The Benesse leakage focused governmental and public attention on measures to prevent the recurrence of such an incident and led to the proposed amendments described above.

My Number Act/My Number System

The My Number Act is a relatively new law that was enacted in 2013 and fully enforced on 1 January 2016. The purpose of the My Number Act is to improve administrative efficiency, enhance public convenience, and enhance fairness in tax administration and social welfare in Japan.
Under the My Number Act, each resident in Japan is assigned his own 12-digit individual number (Kojin Bangou) (Individual Number). The Individual Numbers are used for administrative procedures relating to social security, taxation, and disaster response by central governmental organisations and local governments.

Relationship between the APPI and the My Number Act

The APPI is the principal data protection legislation in Japan. Both Individual Numbers (see above) and Specific Personal Information (see below) fall within the definition of personal information and are restricted under the APPI. Therefore, in relation to Individual Numbers and Specific Personal Information, business operators must follow both the My Number Act and the APPI. However, due to the sensitive nature of Individual Numbers and Specific Personal Information, the data is subject to stricter restrictions under the My Number Act than the APPI (see below).

When do business operators handle Individual Numbers?

Although the My Number System is for social security and tax numbering purposes, the Individual Numbers are handled by governmental bodies and also business operators. There are three main circumstances where business operators handle Individual Numbers:
  • Tax and social security operations regarding employees (and their dependants) use Individual Numbers, which must be printed on certain documents such as:
    • certificates of income and withholding tax for employment income which are to be submitted to tax offices; and
    • notices of acquisition of insurance qualification for social insurance.
  • A business operator who engages the services of an independent contractor must print the Individual Number of that contractor on the certificate of payment of fees which is to be submitted to tax offices.
  • Individual Numbers are required to be printed on:
    • certificates of payment of dividends; and
    • certificates of payment of insurance benefits which are to be submitted to tax offices.

Restrictions under the My Number Act

Each Individual Number is assigned to a specific individual and can be connected to that individual's sensitive information. As a result, the My Number Act imposes strict restrictions on the handling of Specific Personal Information (Tokutei Kojin Jyouhou) which is defined as personal information that includes the Individual Number (Article 2, paragraph 8, My Number Act). The restrictions under the My Number Act are stricter than those under the APPI (see below).

Purpose of handling the Individual Numbers

The My Number Act lists the circumstances in which Individual Numbers can be used, and prohibits the collection, storage or use for any purpose other than those listed under the Act. Business operators cannot collect, store and use Individual Numbers or Specific Personal Information for any purpose outside the procedures for social security administration, taxation, and disaster response (Articles 9, 15, 19 and 20, My Number Act). Business operators cannot even ask for a person's Individual Number except in the circumstances listed in the laws and ordinances. Business operators are permitted to check Individual Number Cards, which are issued to residents, to confirm the identity of customers. However, they cannot record or copy the Individual Numbers that appear on the Individual Number Cards.
Under the APPI, a Handling Operator is required to specify the purpose of use of personal information, and in principle cannot use personal information other than as necessary to achieve the specified purpose without the data subject's consent. In addition to this restriction, the My Number Act prohibits the use of Specific Personal Information beyond the scope necessary to achieve the specified purposes of use of Specific Personal Information, even if the individual gives consent to the business operators.

Security control measures

Business operators are required to take measures necessary for the appropriate management of Individual Numbers, such as preventing disclosure, loss, or damage (Article 12, My Number Act).
The guidelines covering specific measures were released on 11 December 2014 by the Specific Personal Information Protection Commission, which was replaced by the PPC, and were partially amended on 1 January 2016 by the PPC (Guidelines for proper handling of Specific Personal Information (for business operators) (Tokutei Kojin Jyouhou no Tekisei na Toriatsukai ni kansuru Gaidorain (jigyousha hen))). Under the guidelines, a business operator who handles Specific Personal Information must take the following measures:
  • Establish and operate appropriate handling of Specific Personal Information.
  • Take systematic security control measures.
    • Develop an organisational framework (for example, appoint a manager or an official to handle Specific Personal Information).
    • Record system logs or usage records to confirm how the Specific Personal Information is being handled.
    • Develop a system to handle the leakage of information.
    • Regularly improve its security control measures.
  • Train and supervise persons handling Specific Personal Information.
  • Take physical and technical security control measures.
    • Manage and supervise the physical area handling Specific Personal Information (for example, introduce entry control system to the area).
    • Prevent the theft of machines and data storage devices.
    • Prevent data leakage if the data storage device is taken out of the supervised area.
    • Delete and abolish the data machines or data storage devices in a proper way and in a timely manner.
    • Execute proper access control.
    • Identify and authenticate persons with access.
    • Implement proper unauthorised access prevention measures.
    • Implement proper leakage prevention measures.
A business operator that handles Specific Personal Information inappropriately can receive guidance (shidou) or advice (jogen) or even a recommendation (kankoku) or order (meirei) from the PPC. Under the My Number Act, the Specific Personal Information Commission was replaced by the Personal Information Commission under the Amendments Law (see Proposed amendments to the My Number Act).

Limitation of provision

The My Number Act prohibits the provision of Specific Personal Information to a third party except in limited cases provided; for example, where a business operator provides the Specific Personal Information of its employee to pension offices for pension insurance applications (Article 19).

Corporate Number

Under the My Number Act, a number is also issued to companies (corporate number) (Houjin Bangou) (Corporate Number). Each Corporate Number has 13 digits, which is the company's 12-digit registration plus another one-digit number.
Unlike an Individual Number, there are no strict restrictions regarding Corporate Numbers, including the scope of their use by business operators. In addition, the government plans to publish the Corporate Numbers of companies on the internet.

Amendments to My Number Act

The Amendments Law also amended the My Number Act. The main amendments include:
  • Replacing the Specific Personal Information Protection Commission with the PPC, which handles not only Specific Personal Information but also other personal information (see above, Establishing a Personal Information Protection Commission).
  • Expanding the scope of use of the Individual Numbers in the medical field, such as information for administrative operations regarding prophylactic inoculation.
  • Expanding the scope of use of the Individual Numbers in the financial field, such as information regarding bank saving accounts.
The amendments establishing a Personal Information Protection Commission and expanding the scope of use of Individual Numbers in the medical field were enforced on 1 January 2016. The amendment expanding the scope of use in the financial field is not yet in force but will come into force no later than September 2018.

Further movements regarding the new Number System in the medical field

The government is considering further expansion of the scope of use of Individual Numbers in the medical fields. According to the report of the Study Group regarding the Utilisation of the Number System in Medical Fields published on the website of the Ministry of Health, Labour and Welfare (Iryou tou Bunya ni okeru Bangou Seido no Katsuyou tou ni kansuru Kenkyukai), in a rapidly ageing society and with the insurance system facing difficulties, there are high expectations of developments in the use of information systems in medical fields. Developments include:
  • Health management by using information and communication technology (ICT) by each citizen, thereby providing high quality medical and nursing services efficiently.
  • The use of accumulated and enormous data by insurers and governmental organisations to develop the national health, pension and welfare system.
Under the My Number Act, the use of Individual Numbers in medical fields is limited to the administrative work of administrative bodies and medical insurers. However, the new number systems which will be used by medical institutions are being discussed in several governmental committees and meetings.
According to the Growth Strategy 2017 (Mirai Toushi Senryaku 2017), which was approved by the Japanese Cabinet on 9 June 2017, the aim is to launch a new number system, separate from the My Number System, through step-by-step operation in 2018 and full-scale operation in 2020. It is hoped that the number system can be used to improve the quality and efficiency of medical support:
  • For the patient's benefit (that is, the sharing of a patient's medical information among hospitals, clinics and pharmacies).
  • From an entire medical field's perspective (for example, the use of anonymised data for research and development).
There are also parallel discussions on data safety. It has been proposed that the number specifically used for medical fields must be different from the Individual Number, given the highly sensitive nature of medical information and the need for the patient's consent to the use of his medical data. The detailed structure of this proposed system is now under discussion.

Contributor profiles

Hiromi Hayashi, Partner

Mori Hamada & Matsumoto

T + 81-3-5220-1811
F + 81-3-5220-1711
W www.mhmjapan.com
Professional qualifications. Japan Bar, 2001; New York Bar, 2007
Areas of practice. Mergers and acquisitions; finance; information and communication technology; telecommunication and broadcasting.
Non-professional qualifications. B.S.Econ., The University of Tokyo, 1989; LL.B., The University of Tokyo, 1997; LL.M., Harvard Law School, 2006
Languages. Japanese, English
Professional associations/memberships. Dai-ni Tokyo Bar Association.
Publications. "Legal Practice of Corporate Revitalization (2nd Edition)" (2012) (KINZAI Institute for Financial Affairs, Inc.), "The International Comparative Legal Guide to: Telecoms, Media and Internet Law and Regulations" (2010) (Global Legal Group).

Rina Shimada, Associate

Mori Hamada & Matsumoto

T + 81 3 6266 8924
F + 81 3 6266 8824
W www.mhmjapan.com
Professional qualifications. Japan Bar, 2010
Areas of practice. Labour and human resources; corporate; litigation.
Non-professional qualifications. JD, The University of Tokyo, 2009; LL.B., Keio University, 2007
Languages. Japanese, English
Professional associations/memberships. Dai-ni Tokyo Bar Association.
Publications. "Getting the Deal Through – Pension & Retirement Plans 2016 – Japan" (2016) (Law Business Research Ltd), "The New Guide to Employment Law Practice", Roumugyousei Co., Ltd., October 2014.