Explanation of the 'Penalties' in the Revised Personal Information Protection Law in Reiwa 4 (2022)

The revised Japanese Personal Information Protection Law came into effect in April 2022. Following our explanation on the ‘Responsibilities of Business Operators’ under the 2022 revised Japanese Personal Information Protection Law, this time we will discuss the proper use of data and penalties.

Overview of the Amendments to the Japanese Personal Information Protection Act in Reiwa 4 (2022)

The 2022 amendments to the Japanese Personal Information Protection Act address the following six points:

1. The nature of individual rights
2. The nature of the duties that businesses must uphold
3. The nature of the system to encourage voluntary efforts by businesses
4. The nature of data utilization
5. The nature of penalties
6. The nature of extraterritorial application and cross-border transfers of the law

In the article “Explanation of key points regarding ‘business responsibilities’ in the 2022 Amendments to the Japanese Personal Information Protection Act“, we explained points (1) and (2) of the amendments. In this article, we will explain points (3), (4), (5), and (6).

Related article: What is the Japanese Personal Information Protection Act and personal information? A lawyer explains

Approach to Encouraging Voluntary Initiatives by Businesses

As business operations diversify and IT technology advances, the importance of private organizations establishing their own rules for handling personal data in specific fields and actively providing guidance to target businesses is increasing.

Under the Japanese Personal Information Protection Act, in addition to the Personal Information Protection Commission, information protection is achieved through the use of private organizations, and a certification system is in place. Organizations such as corporations that handle complaints about the handling of personal information and provide information on the proper handling of personal information to businesses can receive certification from the Personal Information Protection Commission and become a “Certified Personal Information Protection Organization”. However, under the revised law, the certification system now allows for the certification of organizations targeting specific sectors (departments) of companies (Article 47, Paragraph 2). By recognizing certification at the business unit level, this is an initiative to further promote the use of certified organizations and advance the protection of personal information by organizations specializing in specific businesses.

Approach to Data Utilization

There have been two major changes regarding the approach to data utilization.

Establishment of ‘Pseudonym Processed Information’ and Relaxation of Obligations (Article 2, Paragraph 9)

Under the current law, information that has simply been pseudonymized is still considered ‘personal information’, and businesses are obliged to handle it as such. However, there is a growing need to utilize this ‘pseudonymized personal information’ for more detailed analysis using relatively simple processing methods, while ensuring a certain level of safety and maintaining the usefulness of the data to the same extent as the original personal information.

In response to this, the revised law has established ‘pseudonym processed information’, which is created by removing names and other identifiers, and has relaxed obligations such as responding to disclosure and suspension of use requests, on the condition that it is limited to internal analysis.

The established pseudonym processed information refers to ‘information about an individual obtained by processing personal information so that a specific individual cannot be identified unless it is matched with other information’. For example, it is information that has been processed from ‘name, age, date, time, amount, store’ to ‘temporary ID, age, date, time, amount, store’. Anticipated uses include ‘internal analysis for purposes not initially intended or for new purposes that are difficult to determine’ (such as research in the medical and pharmaceutical fields, fraud detection, sales forecasting, and machine learning model training), and ‘processing and storing personal information that has achieved its purpose of use as pseudonym processed information for potential future statistical analysis’.

As for the method of creating pseudonym processed information, the minimum discipline required is to:

• Remove all or part of the description that can identify a specific individual (e.g., name) (including replacement)
• Remove all personal identification codes
• Remove descriptions that could cause financial damage if misused (e.g., credit card numbers)

These measures are required.

Obligation to Confirm Information that is Expected to Become Personal Data at the Recipient (Article 26-2)

Under the current law, even if information that does not qualify as personal data at the provider is expected to become personal data at the recipient, it is not subject to regulation. However, the revised law obligates the provider to confirm that the consent of the individual has been obtained, etc., for the provision to a third party of information that does not qualify as personal data at the provider but is expected to become personal data at the recipient.

With the development and spread of technology that accumulates a large amount of user data and instantly combines it into personal data, schemes that provide non-personal information to third parties while knowing in advance that it will become personal data at the recipient are becoming rampant, evading the spirit of the Personal Information Protection Law. This is because of concerns that methods of collecting personal information without the involvement of the individual will become widespread.

About Penalties

The nature of penalties has been revised in the following two points.

Increased statutory penalties for violations of orders by the Committee and false reports to the Committee (Article 83, Article 87, etc.)

As the number of cases violating the law increases, the number of cases where reports are collected and inspections are conducted is also increasing. In order to enhance the effectiveness of report collection and inspections, which are the starting point for understanding the actual situation of businesses, the statutory penalties have been increased in the revised law.

Under the current law, the penalty for “violating orders from the Personal Information Protection Committee” was imprisonment for up to 6 months or a fine of up to 300,000 yen, but under the revised law, it has been changed to imprisonment for up to 1 year or a fine of up to 1 million yen. The penalty for “illegal provision of personal information databases, etc.” remains the same, with imprisonment for up to 1 year or a fine of up to 500,000 yen. However, the penalty for “false reporting to the Personal Information Protection Committee,” which was a fine of up to 300,000 yen under the current law, has been changed to a fine of up to 500,000 yen under the revised law.

Increase in fines for corporations (Article 84, Article 85, etc.)

Under the current law, the amount of fines for corporations was the same as the statutory penalties for individuals. However, considering the disparity in financial resources between corporations and individuals, the revised law has increased the maximum amount of fines for corporations (corporate heavy penalties) for violations of orders, etc. The judgment is that even if a fine of the same amount as the individual is imposed on the corporation, sufficient deterrent effect cannot be expected as a penalty.

Under the current law, the penalty for “violating orders from the Personal Information Protection Committee” by a corporation was a fine of up to 300,000 yen, the same as for individuals, but under the revised law, it has been changed to a fine of up to 100 million yen. The penalty for “illegal provision of personal information databases, etc.” was a fine of up to 500,000 yen under the current law, the same as for individuals, but under the revised law, it has been changed to a fine of up to 100 million yen. However, the penalty for “false reporting to the Personal Information Protection Committee,” which was a fine of up to 300,000 yen under the current law, the same as for individuals, remains the same under the revised law, with a fine of up to 500,000 yen.

Extraterritorial Application of Law and Cross-Border Transfers

The approach to the extraterritorial application of law and cross-border transfers has been amended in the following two points.

Strengthening Extraterritorial Application (Article 75 of the Japanese Personal Information Protection Act)

Under the current law, the powers that can be exercised against foreign operators subject to extraterritorial application were limited to non-compulsory powers such as guidance, advice, and recommendations. However, there was a risk that the Personal Information Protection Commission could not adequately address incidents such as leaks occurring overseas. Therefore, the amended law has made foreign operators handling personal information related to the provision of goods or pharmaceutical affairs in Japan subject to reporting collection and orders secured by penalties, thereby strengthening the exercise of the Personal Information Protection Commission’s powers.

Enhancement of Information Provision to Individuals Regarding the Handling of Personal Information by the Transferee Operator (Article 78 of the Japanese Personal Information Protection Act)

As some countries have started to implement state-controlled regulations and opportunities for cross-border transfers of personal information are expanding, differences in systems between countries and regions are making the predictability for individuals and data handling operators unstable, raising concerns from the perspective of protecting the rights and interests of individuals.

In response to this, when providing personal data to a third party overseas, it is required to enhance the provision of information to the individual regarding the handling of personal information by the transferee operator. As a requirement for providing personal data to a third party overseas, the requirement that was “the individual’s consent” under the current law has been obligated to “provide information to the individual at the time of obtaining consent, such as the name of the country to which the data is transferred and the presence or absence of a system for protecting personal information in the country to which the data is transferred”. The requirement that was “an operator who has established a system that conforms to the standards” has been obligated to “regularly check the handling situation of the transferee operator and provide related information upon request from the individual”.

Summary: Key Points of Personal Information in 2022 revised Personal Information Protection Law

The 2022 amendment to the Japanese Personal Information Protection Law, the first legal revision based on the “triennial review provision”, has led to the expansion of usage suspension and deletion, prohibition of inappropriate use, enhancement of information provision related to cross-border transfers, and the establishment of “pseudonym processed information”. This has aimed to strengthen the protection and utilization of individual rights and interests, respond to new risks associated with the increase in cross-border data circulation, and adapt to the era of AI and big data.

Introduction to Our Firm’s Measures

Monolith Law Office is a legal office with high expertise in both IT, particularly the internet, and law. The recently revised ‘Japanese Personal Information Protection Law’ is attracting attention, and the need for legal checks is increasingly growing. Our firm provides solutions related to intellectual property. Details are provided in the article below.