MONOLITH LAW OFFICE

MONOLITH LAW MAGAZINE

General Corporate

Key Points to Note About the 'Duties of Business Operators' Under the Revised Japanese Personal Information Protection Law in Reiwa 4 (2022)

The revised Japanese Personal Information Protection Law came into effect in April 2022. The Personal Information Protection Law aims to ensure the proper handling of personal information, while considering its usefulness and protecting the rights and interests of individuals. So, what specifically changes with the implementation of the revised Personal Information Protection Law? In this article, we will explain the nature of individual rights and the responsibilities of businesses.

Amendments and Background of the Japanese Act on the Protection of Personal Information

The Japanese Act on the Protection of Personal Information, which was established in 2003 and fully implemented in 2005, was amended in 2015, ten years after its implementation. The reason for this amendment was that “the development of information and communication technology has made it possible to utilize personal data in ways that were not anticipated at the time of its enactment.” The amended law was fully implemented in 2017.

In this 2017 amendment, a provision was included to “review the content every three years in light of international trends, advancements in information technology, and the status of the creation and development of new industries.”

Relevant provisions in the supplementary provisions of the 2017 Japanese Act on the Protection of Personal Information (excerpt)

Article 12 (Review)

(Omitted)

2 The government shall, with a view to three years after the implementation of this law, consider improvements in light of the status of measures necessary for effectively carrying out the formulation and promotion of basic policies on the protection of personal information and other matters under the jurisdiction of the Personal Information Protection Commission, such as the establishment of a human resource system and the securing of financial resources, and when deemed necessary, take necessary measures based on the results.

3 In addition to the matters stipulated in the preceding paragraph, the government shall, with a view to three years after the implementation of this law, consider the status of the implementation of the new Act on the Protection of Personal Information in light of international trends in the protection of personal information, advancements in information and communication technology, and the status of the creation and development of new industries utilizing personal information, and when deemed necessary, take necessary measures based on the results.

4, 5 (Omitted)

6 The government shall consider the form of the legal system for the protection of personal information, including the consolidation and comprehensive regulation of provisions on the protection of personal information and personal information held by administrative agencies and others, based on the status of the implementation of the new Act on the Protection of Personal Information, the status of the implementation of the measures in paragraph 1, and other circumstances.

The 2022 (Reiwa 4) amendment to the Japanese Act on the Protection of Personal Information is the first legal amendment based on this “every three years review provision”.

Overview of the Amendments to the Japanese Personal Information Protection Law in Reiwa 4 (2022)

The amendments to the Japanese Personal Information Protection Law in 2022 will address the following six points:

  1. The nature of individual rights
  2. The nature of the duties that businesses should uphold
  3. The nature of the system to encourage voluntary efforts by businesses
  4. The nature of data utilization
  5. The nature of penalties
  6. The nature of extraterritorial application and cross-border transfers of the law

In this article, we will explain points 1 and 2 of the amendments.

The Nature of Individual Rights

The following five points regarding the nature of individual rights have been amended.

Expansion of Individual’s Right to Request Suspension of Use and Deletion (Article 30)

Under the current law, the individual’s right to request suspension of use and deletion was limited to cases of legal violations such as “when personal information is used for purposes other than intended” or “when it was obtained by illegal means”. However, under the revised law, it is now possible to request the suspension of use, deletion, and cessation of provision to third parties even in cases where “the business operator no longer needs to use the retained personal data”, “when a leak occurs”, or “when there is a risk of harm to the rights or legitimate interests of the individual”.

Method of Disclosure of Retained Personal Data (Article 28)

The individual to whom the data relates can request the disclosure of retained personal data from the personal information handling business operator. Upon receiving the request, the personal information handling business operator must, in principle, disclose the retained personal data. Under the current law, the disclosure of retained personal data was primarily done in writing. However, written delivery is not suitable when the amount of information is vast, and some data, such as video and audio data, is not suited to written delivery in the first place. Therefore, under the revised law, the individual can request “disclosure by a method specified by the individual”, such as the provision of electromagnetic records. The personal information handling business operator is obliged to disclose in the manner requested by the individual.

Companies handling personal information are required to establish a system to respond to disclosure requests by digital data at an early stage.

Disclosure Request by the Individual for Third Party Provision Records (Article 28, Paragraph 5)

Personal information handling business operators must create records prescribed by laws and regulations when providing personal data to third parties, and those who receive third-party provision must also create records prescribed by laws and regulations. These records related to the third-party provision of personal data and the records of confirmation when receiving third-party provision of personal data are collectively referred to as “third-party provision records”.

Under the current law, the individual could not request the disclosure of third-party provision records created by the business operator, but under the revised law, the individual can request the disclosure of third-party provision records, in consideration of traceability for the individual.

Inclusion of Short-Term Retained Data in Retained Personal Data (Article 2, Paragraph 7)

Under the current law, retained personal data is defined as “personal data that the personal information handling business operator has the authority to disclose, correct, add to or delete the content of, suspend the use of, delete, and stop providing to third parties”, excluding “data whose existence becoming known would harm the public interest or other interests” and “data that is to be deleted within a period of no more than one year prescribed by Cabinet Order”. That period was set at six months.

However, even if it is to be deleted in a short period of time, there is a possibility that leaks may occur during the period until deletion, so the revised law includes short-term retained data to be deleted within six months in “retained personal data”.

Limited Scope of Opt-Out Provisions (Article 23, Paragraph 2)

The opt-out provision is a system that “allows personal data to be provided to a third party without the individual’s consent, on the premise that it will be stopped if the individual requests it, after publishing the items of personal data to be provided”, but under the current law, only sensitive personal information was excluded.

Under the revised law, the range of personal data that can be provided to third parties is limited, and “illegally obtained personal data” and “personal data provided by the opt-out provision” are also excluded.

Responsibilities of Business Operators

The responsibilities that business operators should uphold have been amended in two key areas.

Obligation to Report Leaks (Article 22, Paragraph 2)

Under the current law, there is no legal obligation to report leaks, leading to some businesses not taking proactive measures. If a business did not disclose a leak, the Personal Information Protection Commission might not become aware of the incident and might be unable to respond appropriately. The revised law now mandates reporting to the Personal Information Protection Commission and notification to the individual concerned when a leak occurs and there is a significant risk of harm to the individual’s rights and interests.

The cases subject to the obligation to report leaks include “leaks of sensitive personal information”, “leaks due to unauthorized access”, and “leaks with a risk of financial damage”, regardless of the number of cases, and “large-scale leaks” exceeding 1,000 cases.

Prohibition of Use by Inappropriate Methods (Article 16, Paragraph 2)

With the rapid advancement of data analysis technology, consumers are increasingly concerned about uses of personal information that could infringe on individuals’ rights and interests. In response, the revised law clarifies that personal information must not be used by inappropriate methods that promote illegal or unfair activities.

“Inappropriate methods that promote illegal or unfair activities” are envisaged to include “providing personal information to a third party engaged in illegal activities” and “aggregating and databasing personal information that is dispersed and made public through court announcements, etc., and publishing it on the Internet, despite the fact that it can be sufficiently foreseen that discrimination may be induced”.

Summary

In this article, we have explained points 1 and 2 of the amendments. Points 3, 4, 5, and 6 will be explained in a separate article.

Introduction to Our Firm’s Measures

Monolith Law Office is a legal office with high expertise in both IT, particularly the Internet, and law. The recently revised ‘Japanese Personal Information Protection Law’ is attracting attention, and the need for legal checks is increasingly growing. Our firm provides solutions related to intellectual property. Details are provided in the article below.

The Editor in Chief: Managing Attorney: Toki Kawase

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies. He has served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage startups.
