< Back

Share |

A new Bill to amend the personal data protection legislation in Japan

May 2015

The Act on the Protection of Personal Information (Act No. 57 of 2003) (APPI) sits at the centre of Japan's regime for the protection of personally identifiable information (PII). The new Bill to amend the APPI (Bill) was submitted to the Diet on March 10, 2015 . This is the first amendment to the Act in more than ten years since the APPI's original enactment in 2003 and its full enforcement in 2005.

Remarkable progress in information and communications technology has made it possible to store and analyse 'big data' at a much lower cost than ever before. It has been recognised that the APPI needs to be amended to set out a new system to facilitate the utilisation of personal data while protecting the privacy of individuals.

This article considers several key issues among many draft amendments (which may yet change before they are finalised) contained in the Bill.

Expanding scope of protection for "Personal Information"

Under the APPI, "Personal Information" is defined as "information about a living individual which can identify the specific individual by name, date of birth, or other description contained in the information (including such information as will allow easy reference to other information and will thereby enable the identification of the specific individual" (Article 2, Paragraph 1).

The Bill adds two types of information to be covered by the present definition of "personal information":

  • codes pertinent to the physical characteristics of individuals, such as fingerprint recognition data and face recognition data; and
  • codes allocated to individuals in relation to services or goods provided to the individuals or to documents issued to the individuals where those codes are individually allocated, such as identification numbers, passport numbers and driver licence numbers.

Cell phone numbers will be subject to future discussions.

Information that needs to be treated with special attention (sensitive personal information)

The APPI does not distinguish sensitive personal information from other kinds of information but non-legally binding guidelines were issued to provide additional protection for sensitive information.

hand scanThe Bill does, however, recognise sensitive personal information as "information that needs to be treated with special care". The Bill defines sensitive personal information as information on race, creed, social status, criminal records, past records, victim history, medical history and other information that may cause social discrimination.

The Bill prohibits the obtaining sensitive personal information without the data subject's consent.

Anonymised Information

Under the APPI, the transfer of PII data requires advance consent of the relevant data subject, subject to certain exceptions. The Bill, however, states that a new system will be introduced in which consent need not be obtained for the transfer of PII data that is being processed into anonymised or pseudonymised data with the effect of making the individual unidentifiable.

It has been noted that, despite processing anonymised data or pseudonymised data, individuals may sometimes still be identified and personal rights may be violated if data is not handled properly. Further measures will be introduced to set out the proper handling of data by the Personal Information Protection Commission.

Extraterritorial application

In respect of extraterritorial application, the APPI is generally interpreted not to apply to foreign entities. The Bill prescribes that the APPI may apply to foreign entities that provide goods or service to people residing in Japan. Further, in order to ensure the proper handling of personal data by such foreign entities, the amendment will provide a legal basis for the Personal Information Protection Commission to provide foreign enforcement authorities with useful information to aid enforcement under any relevant law and regulations.

Global transfer regulation

While the transfer of PII data is regulated under the APPI, there is no additional requirement or regulation of extraterritorial transfer of PII data. The Bill provides that if an entity handling personal information transfers PII data to a foreign entity, such entity will be required to take certain actions such as entering into contracts to protect the security of the PII data.

global connectionsThe additional requirements regarding extraterritorial transfer will not apply where PII data is being transferred to a place that has been certified as having PII data protection standards equivalent to those of Japan by the Personal Information Protection Commission and where the foreign transferee has personal information protection standards which are equivalent to the standards specified by the Personal Information Protection Commission.

The Bill introduces amendments to the APPI in three stages and the main amendments are expected to be enacted and in force in 2017. This represents a significant update of Japanese data protection law.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

social network on tablet device
Takashi Nakazaki

Takashi Nakazaki      

Takashi (of Anderson, Mori & Tomotsune) looks at Japan's plans to update its data protection law.

"The Bill represents a significant update of Japanese data protection law."