Data protection laws are evolving rapidly as the world becomes more digitalised, and Japan is working hard to keep its sword sharp, writes Putro Harnowo
In February, Kyodo News reported that the number of personal information leaks from Japanese listed companies in 2021 grew by 30% from the previous year to 137 incidents, a record high, based on findings from corporate research agency Tokyo Shoko Research.
When a major Japanese job-seeking platform, Rikunabi, was found to predict a job offer decline rate by using website cookies and other user information without consent in 2019, data privacy was thrust into the limelight in Japan. The company sold the data to various companies for up to JPY5 million (USD47,450).
Although Japan’s Act on the Protection of Personal Information (APPI) is scheduled to be reviewed every three years, the Rikunabi case and a string of other highly damaging data breaches showed the dangers of poorly written laws and loopholes, prompting the Japanese Diet (parliament) to amend the act in June 2020.
The amended APPI came into effect on 1 April 2022, enhancing individual rights and strengthening the obligations of business operators when processing personal data. Some of the changes put Japan’s law closer in line with the EU’s General Data Protection Regulation (GDPR).
“Abstract descriptions of the purpose of using personal information would not be sufficient under the amended APPI, and business operators must carefully describe the purpose of use of personal information,” says Tomoko Fuminaga, a partner at Morgan Lewis & Bockius in Tokyo.
“If an individual cannot reasonably predict or assume how their personal information will be handled from the purpose of use stated and disclosed by business operators, then business operators do not meet the APPI requirements.”
Fuminaga adds that individuals can also request business operators to disclose their personal data in a manner specified by the individuals, in writing or electronically. Individuals may also request to stop using or delete their personal data when it is obtained through deceit or other improper means, when business operators no longer need it, when it is leaked, or when their rights or legitimate interests are at risk.
Under the previous version of the APPI, personal data scheduled to be deleted within six months fell outside the definition of "retained personal data", so an individual had no right to request its disclosure, correction or deletion. The amendment removes the six-month threshold.
“Business operators should also note that the exemption available to personal data that are deleted within six months was abolished, and all personal data are now subject to a request to be disclosed or to cease to be used,” says Fuminaga.
The amendments also increase the statutory penalty for violation of the APPI. For example, in the case of a company violating an order of the Personal Information Protection Commission (PPC), a Japanese government commission charged with the protection of personal information, the penalty is a fine of up to JPY100 million, up from JPY300,000 in the pre-amended APPI.
The previous version of the APPI introduced "anonymously processed information", which could be transferred to a third party without consent. However, the strict formal requirements and the level of anonymisation demanded made it difficult for business operators to use in practice.
The amended APPI introduced a concept of “pseudonymously processed information”, which removes personal identifiers so the data cannot identify a living individual unless combined with other data. If personal data are stripped of unique personal identifiers such as names, it is likely to become pseudonymous information.
“When the pseudonymously processed information is used only for internal analysis, the requirements for handling personal data, such as responding to a request to disclose or cease to use personal data, are relaxed,” says Fuminaga.
Website cookies
A new definition of “personally referable information”, which refers to data relating to a living individual that is not personal information, pseudonymous information or anonymous information, is also added in the amendment. Personally referable information includes cookie-collected browsing history, a non-personal email address, and location data.
“This new definition intends to cover data that are not personal information, either on its own or when collated with other information that a business holds, but are likely to become personal information when combined with other data maintained by a data transferee,” says Takahiro Nonaka, a partner at Morrison & Foerster in Tokyo.
The amended APPI requires opt-in consent before transferring personally referable information to third parties if the transferor expects the transferee to combine this information with other personal data to create a new set of personal information.
Nonaka explains that the opt-in requirement is likely to be triggered where the transferor knows that the transferee holds personal information capable of identifying the individual concerned, or knows how the transferee intends to use the personally referable information, and transfers it together with data that can be linked to that personal information. In that situation the transferee would be in a position to use the personally referable information as personal information.
“In such cases, the transferee, or the transferor on behalf of the transferee, must obtain opt-in consent from the individual,” says Nonaka. “If the transferor is obtaining consent on behalf of the transferee, the APPI amendments require the transferor to identify the transferee when obtaining such consent.”
The transferee must also state the purposes for which the information will be used, for example by posting them in the privacy policy on its website. The transferor must confirm that the transferee has obtained consent before transferring the personally referable information, for both domestic and cross-border transfers.
Therefore, a business that collects cookies or other non-personal information needs to confirm if the collection involves a transfer of such data where a transferee will combine such data with other information to identify a specific individual.
“Behavioural targeting advertising companies that use cookies to identify and advertise to specific individuals are also affected,” says Tomomi Fujikouge, of counsel at DLA Piper in Tokyo.
Notification & extraterritoriality
The amendments also impose new compliance obligations in several key areas, including data breach notification, extraterritorial application and cross-border data transfers. Fujikouge, of DLA Piper, says that before the amendments to the APPI, reporting data breaches was not mandatory, except for financial institutions supervised by the Financial Services Agency (FSA).
“Following the amendment, it is now mandatory to report a data breach if it meets certain criteria, such as if the data breach was a result of a cyberattack that breaches financial information such as credit card information,” says Fujikouge.
Specifically, the PPC must now be notified if a data breach meets the criteria set out in the amended PPC guidelines: breaches that involve, or are likely to involve, sensitive personal information; personal information whose leak is likely to cause property damage (such as credit card information, or IDs and passwords used for online purchases); breaches caused by unauthorised access to a data server or malware infection by a third party; or breaches affecting more than 1,000 individuals.
Reports to the PPC are submitted in two stages. When a business operator becomes aware of a data breach it must promptly file a preliminary report, ideally within three to five days. It must then file a final report within 30 days of recognising the breach, or within 60 days where the breach may have resulted from an act with an unlawful purpose, such as a cyberattack.
Similarly to the GDPR, Japan’s amended APPI now has an extraterritorial reach. Since the amendment took effect, Nonaka, of Morrison & Foerster, says that foreign businesses that provide goods or services to Japanese individuals are subject to all obligations and restrictions under the act, including investigations and orders from the PPC.
“Before 1 April, these types of investigations and orders were limited to businesses located in Japan,” says Nonaka. “The APPI amendments also impact businesses in Japan by making significant changes to existing privacy compliance requirements.”
Yuko Zaha, a counsel at O’Melveny in Tokyo, observes that many companies have been revising their privacy policies to meet the requirements under the amended APPI. One of the challenges for companies outside Japan that collect personal information from residents in Japan, and transfer that data internationally, is the requirement to describe to data subjects details of the personal information protection systems of the countries where the data are transferred.
“To ease compliance, Japan’s PPC has also published outlines of the personal information protection systems of a number of foreign countries,” says Zaha. “However, such PPC materials are in Japanese-language only, and so some companies seem to have struggled to understand details about information required to be included in the privacy policy under the amended APPI, unless they have Japan-based employees or legal counsel.”
Nonaka, of Morrison & Foerster, adds that since the EU recognised the APPI as adequate in January 2019, Japanese businesses can receive or transfer personal data to the European Economic Area and the UK without restriction. However, transferring personal data to any other country requires, with some exceptions, either the individual’s consent or the establishment of a data protection scheme, such as a data transfer agreement (DTA), with the receiving organisation in the third country.
“The amended APPI imposes new requirements on transfers to these third countries,” says Nonaka. “Specifically, where such transfers are made on the basis of consent, transferors are required to provide detailed information on the transfer prior to obtaining consent from the individuals concerned.”
Such detailed information includes the transferee’s country, the personal data protection regime in the transferee’s country, and measures taken by the transferee to protect personal data. For cross-border data transfers to non-EU countries relying on a DTA, transferors must periodically confirm the transferee’s data-handling measures and the existence and contents of personal data protection laws in the transferee’s country that may affect the implementation of the handling measures.
“If a business processes personal data outside Japan, including through a contractor, it needs to confirm the legislation or system related to the protection of personal data in that foreign country and take appropriate security control measures,” says Nonaka.
Implication for fintech
Fintech and e-commerce industries, including digital banks and crypto exchanges, should especially be aware of the importance of data security. Stolen, lost or leaked information may result in financial damages and punishment for breaking the data protection law.
“To mitigate damage from a data breach incident, it is important to implement appropriate information management, such as data encryption, and to envision an action plan in the event of a data breach,” says Zaha, of O’Melveny.
Zaha suggests companies that use website cookies and collect information from website visitors should set up a “pop-up” to obtain consent from the data subjects regarding the use of cookies and the possibility of providing the collected information to third parties, as is now general practice under the GDPR.
However, the right to request deletion is difficult to honour for any personal information recorded on a blockchain, because such records cannot be deleted on request. Unfortunately, says Zaha, the amendment does not give a clear solution for this issue.
“Although the amendment’s concept of pseudonymous data may help address this conflict, it also may create another issue because pseudonymous data cannot be provided to a third party under the amended APPI,” she says. “The best way to mitigate the risk of violating the APPI may be not including personal data on the blockchain as much as possible.”
For digital banks and crypto exchanges, Fuminaga, of Morgan Lewis & Bockius, says that the FSA's guidelines require these companies to comply with the APPI, the relevant PPC guidelines, the guidelines concerning personal information protection in the financial sector, and the practical policy for security control.
Fuminaga says that the APPI is built around a business operator that collects and uses personal information, a model that does not map neatly onto public blockchains and other distributed ledger technology.
“Therefore, additional and careful consideration may be necessary to apply the APPI to cryptocurrency exchange companies, such as who should be treated as a business operator, or whether sharing personal data in a public blockchain platform should be interpreted as the provision of personal data to a third party,” she says.
Ensuring protection
Although the amended APPI does not provide any registration or licensing requirements to ensure data protection, Fuminaga, of Morgan Lewis & Bockius, says that the Ministry of Internal Affairs and Communications, the Ministry of Economy, Trade and Industry, and the Information Technology Federation of Japan have established a framework to accredit a business operator that provides trusted personal data management services as a personal data trust bank.
“Under this framework, personal data trust banks are delegated by individuals to manage their personal data, and determine or support in determining the validity to provide their personal data to third parties on their behalf in accordance with their instructions or pre-designated conditions,” says Fuminaga. “Such individuals may directly or indirectly receive benefits incurred from the data provision or utilisation.”
In August 2018, the Information Technology Federation began accrediting business operators as personal data trust banks and published a guidebook. Operators accredited as personal data trust banks can show individuals that their privacy protection and information security measures meet international standards.
Zaha says that more companies are also applying for the “PrivacyMark” to show they have adequate data protection systems. The PrivacyMark is operated by the Japan Institute for Promotion of Digital Economy and Community (JIPDEC) and granted to businesses based on an evaluation of their personal information protection system.
In relation to the international transfer of personal data, Zaha says that the PPC recommends obtaining the Asia-Pacific Economic Co-operation’s (APEC) Cross-Border Privacy Rules (CBPR) certification. However, only three Japanese companies had obtained CBPR certification as of January 2022.
“It is not easy to receive CBPR certification because a company has to answer a number of questions covering principles under the APEC’s privacy framework, and has to submit many materials proving its privacy protection and security system. It also has to pay an application fee and annual administration fee,” she says.
“But if a transferor or recipient has obtained CBPR certification, it will be possible to conduct cross-border transfers of personal data under relaxed requirements.”
In addition, to mitigate damage in the event of data breaches, Zaha recommends implementing a comprehensive system for appropriate data management, including the deletion of data that are no longer necessary, appropriate pseudonymisation and anonymisation, and data encryption.
Nonaka says that, under the PPC's guidelines, encryption is likely to count as "advanced encryption" if the algorithm is on the e-Government Recommended Ciphers List (the CRYPTREC list) or in ISO/IEC 18033, is properly implemented, and the decryption keys are properly managed. The distinction matters because, under the PPC's rules, leaked data that was protected by such advanced encryption is treated as not triggering the mandatory breach report.
Beyond encryption, Nonaka suggests that a business should adopt a zero-trust security model and role-based access control, filter browser traffic, limit which applications may be installed, keep backups against ransomware attacks, patch known vulnerabilities by keeping software up to date, and put virtual private network access behind additional access control mechanisms.
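The pseudonymisation that the amended APPI relaxes rules for (the "pseudonymously processed information" described earlier) and the data-minimisation measures Zaha and Nonaka list above both come down to one engineering pattern: strip the direct identifiers, replace them with a keyed token, and keep the key and the token-to-identity lookup apart from the data set. The example below, added here and not taken from the PPC guidelines or from any of the firms quoted, shows that pattern in Python using only the standard library. It uses HMAC-SHA256 for the token (both primitives are on the CRYPTREC list) and shows why an unkeyed hash of an email address is not a pseudonym. The field names, record layout and sample records are constructed for the example; encrypting the lookup table at rest with an AES mode from the same list is assumed to happen in the storage layer and is not shown.

```python
"""Pseudonymise a record set so it cannot identify anyone without a separately held key.

Illustrative example (not from the PPC guidelines or any quoted firm).
Field names, record layout and sample data are constructed.
"""
import hashlib
import hmac
import secrets

# Columns that identify a living individual on their own (constructed list).
DIRECT_IDENTIFIERS = frozenset({"name", "email", "phone"})


def _normalise(identifier: str) -> bytes:
    """Case/whitespace normalisation so one person always maps to one token."""
    return identifier.strip().lower().encode("utf-8")


def token_for(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier.

    The key is the only way from token back to identifier, so it must be held
    apart from the pseudonymised data set and never shipped with it.
    """
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def unkeyed_token(identifier: str) -> str:
    """What NOT to do: a plain SHA-256 of the identifier (shown for contrast)."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def pseudonymise(records, key):
    """Strip direct identifiers and attach one token per data subject.

    Returns (pseudonymised_records, lookup). `lookup` maps token -> email and
    is the re-identification table: store it encrypted and access-controlled,
    separately from the records it unlocks.
    """
    pseudonymised, lookup = [], {}
    for rec in records:
        tok = token_for(rec["email"], key)
        lookup[tok] = rec["email"]
        clean = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        clean["subject_token"] = tok
        pseudonymised.append(clean)
    return pseudonymised, lookup


def has_direct_identifier(record) -> bool:
    """Release check: refuse to hand over a record still carrying a direct identifier."""
    return any(k in DIRECT_IDENTIFIERS for k in record)


def erase_subject(lookup, email: str, key: bytes) -> bool:
    """Handle a deletion / cease-use request by cutting the only link to the person.

    Analysis rows keyed by the token remain usable for internal statistics but
    can no longer be tied to the individual. Returns False if nothing was linked.
    """
    return lookup.pop(token_for(email, key), None) is not None


def guessable_by_dictionary(token: str, candidate_emails) -> bool:
    """Why a plain hash is not a pseudonym: anyone holding a list of known
    addresses can recompute SHA-256 and match the token back to a person.
    A keyed token survives the same attack because the attacker lacks the key."""
    return any(unkeyed_token(e) == token for e in candidate_emails)


# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"name": "Sato Hanako", "email": "hanako@example.jp", "phone": "090-0000-0001",
     "pref": "Tokyo", "purchases": 3},
    {"name": "Suzuki Taro", "email": "taro@example.jp", "phone": "090-0000-0002",
     "pref": "Osaka", "purchases": 1},
    # Same person as the first row, differently cased email.
    {"name": "Sato Hanako", "email": "Hanako@Example.jp", "phone": "090-0000-0001",
     "pref": "Tokyo", "purchases": 2},
]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice generated and kept in a separate key store
    data, lookup = pseudonymise(SAMPLE_RECORDS, key)
    assert not any(has_direct_identifier(r) for r in data)
    # Same subject, same token: per-person aggregation still works for internal analysis.
    assert data[0]["subject_token"] == data[2]["subject_token"]
    # A different key gives a different token: the data set alone identifies nobody.
    assert token_for("hanako@example.jp", secrets.token_bytes(32)) != data[0]["subject_token"]
    erase_subject(lookup, "hanako@example.jp", key)
    print("records:", len(data), "subjects still linkable:", len(lookup))
```

The design point is the separation: the pseudonymised records can be used for internal analysis under the relaxed regime, while the HMAC key and the lookup table are what turn them back into personal data, so those two artefacts are what access control, encryption at rest and deletion requests actually need to target. Destroying the key alone renders every token in the set unlinkable at once.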
“Also, a business should make sure that its employees comply with internal rules regarding handling personal data, and should periodically conduct related compliance training,” he says.
“It is a matter of course that a business should check and make sure its vendors and business partners establish and preserve data security measures that comply with the expected standards to prevent and mitigate the possibility of cyberattacks.”