
MONOLITH LAW MAGAZINE


Promoting Data Utilization with the Establishment of 'Pseudonym Processed Information' and Other Amendments to the Japanese Personal Information Protection Law in Reiwa 4 (2022)


The laws regarding the handling of personal information are frequently amended and evolve to suit the times. It is essential for businesses handling personal information to quickly catch up with these amendments and establish an internal system accordingly.

There are many points of change in the 2022 amendment of the Japanese Personal Information Protection Act, such as the strengthening of individual rights, changes related to third-party provision including overseas, and the establishment of new categories such as “Pseudonym Processed Information” and “Personal Related Information”. Businesses must correctly understand what amendments have been made and what actions they should take in response.

Therefore, we will explain the newly amended Japanese Personal Information Protection Act, which came into effect on April 1, 2022 (Reiwa 4), and the checkpoints for practical responses by businesses handling personal information.

What is the Personal Information Protection Law?


The “Personal Information Protection Law,” officially known as the “Japanese Law Concerning the Protection of Personal Information,” is a law that aims to balance the usefulness of personal information and the protection of individual rights and interests. It regulates the proper handling of personal information (acquisition, use, storage, management, provision, disclosure, suspension, and deletion methods).

The “Japanese Personal Information Protection Commission” oversees this law, and it sets out the obligations that all administrative agencies and private businesses handling personal information databases, etc., must comply with, as well as the penalties for violations.

History of the Amendments to the Japanese Personal Information Protection Act

The Japanese Personal Information Protection Act was established on May 23, 2003 (Heisei 15) (Law No. 57 of May 30, Heisei 15), and all provisions except for Chapters 4 to 6, which directly involve general companies and include penalties, were enforced immediately. The Act was fully implemented on April 1, 2005 (Heisei 17).

In the 2015 (Heisei 27) amendment, in response to the digitization of society as a whole, provisions were included to review every three years, balancing the “protection of personal information” and “utilization of personal data”, and “harmonization with international systems”.

In the amended law enforced in May 2017 (Heisei 29), new additions to personal data included “personal identification codes”, “sensitive personal information”, and “anonymously processed information”. Furthermore, the establishment of a traceability system, an obligation to make efforts to erase personal data, restrictions on providing to third parties abroad, and the establishment of the Personal Information Protection Commission were implemented. The supervision system was changed from supervision by the competent minister to a unified supervision system by the Personal Information Protection Commission.

Then, on April 1, 2022 (Reiwa 4), the amended Personal Information Protection Act was enforced.

This was promulgated on June 12, 2020 (Reiwa 2), and from the perspective of integrating and unifying the three previous personal information protection-related laws (Personal Information Protection Act, Administrative Organ Personal Information Protection Act, and Independent Administrative Agency Personal Information Protection Act), it has become the most significant amendment to the “Personal Information Protection Law System”.

In addition to unifying the definition of personal information between the public and private sectors, the amended law incorporated various changes against the backdrop of the need to respond to the global AI and big data era and strengthen the protection of individual rights and interests.

Specific amendments include the addition of “pseudonym processed information” and “personal related information” to personal data, and the regulations on the handling of personal data held, including overseas, have been strengthened and penalized. In the event of a leak, etc. (leakage, loss, damage), it is obligatory to report to the Personal Information Protection Commission and notify the person.

In other words, foreign operators handling personal information related to individuals in Japan have also become subject to administrative reporting and orders, and penalties have been applied. For penalties, please refer to this article for a detailed explanation.

Related article: Explanation of the ‘Penalty’ in the 2022 (Reiwa 4) Amended Personal Information Protection Act[ja]

Furthermore, on April 1, 2023 (Reiwa 5), the amended law, which unifies regulations across the public and private sectors under the “Personal Information Protection Commission”, will be fully implemented in order to correct the imbalance and inconsistency of protection levels due to differences in the provisions and operation of personal information protection ordinances for each local public entity, legal rules in the medical field, and exception provisions in the academic field.

Six Key Points of the Revised Personal Information Protection Law in Reiwa 4 (2022)


The Personal Information Protection Law, which was newly revised in Reiwa 2 (2020), aims to establish a system in which the benefits of technological innovation related to personal information and information related to individuals serve both economic growth and the protection of individual rights and interests, considering the following five perspectives in light of changes in social and economic conditions.

  1. Protection of individual rights and interests
  2. Enhancement of protection and utilization through the benefits of technological innovation
  3. International system harmonization and cooperation
  4. Response to risks associated with the increase in cross-border data flow
  5. Adaptation to the era of AI and big data

Source: Japanese Personal Information Protection Commission ‘About the Reiwa 2 (2020) revision of the Personal Information Protection Law | Promotion of utilization and proper handling of personal information’[ja]

The key points in the revision of the Personal Information Protection Law in Reiwa 4 (2022) are as follows:

  1. Expansion of the individual’s right to request
  2. Addition of business operator’s duties
  3. Promotion of voluntary efforts by business operators
  4. Promotion of data utilization
  5. Strengthening of penalties
  6. Expansion of extraterritorial application, etc.

In order to comply with the ‘Revised Personal Information Protection Law’ enacted on April 1, 2022 (Reiwa 4), personal information handling business operators need to review and revise their management systems for personal information protection, privacy policies, internal regulations, contract contents (terms of use, etc.). Let’s review your company’s personal information management system, referring to the ‘Personal Information Protection Law Guidelines’ and training materials that are updated from time to time by the Personal Information Protection Commission (PPC).

Among the points of revision this time, we have explained in detail about the added duties of business operators in the following article, so please take a look at it as well.

Related article: Explanation of points to note about ‘Business Operator’s Duties’ in the Reiwa 4 (2022) Revised Personal Information Protection Law[ja]

Changes to Individual Rights Regarding Personal Data

In this section, we will explain the expanded rights related to personal data under the recent amendments, and what practical measures need to be taken in response.

Relaxation of Requirements for Requests to Cease Use, Erasure, and Suspension of Third-Party Provision

Before the amendment, requests for the cessation of use, erasure, and suspension of third-party provision of personal information were only possible in cases of unauthorized use or acquisition. However, under the amended law, such requests can also be made if there is a risk of harm to the individual’s rights or legitimate interests. Furthermore, these requests can now be made when there is no longer a need to use the personal information.

Therefore, after the amendment, it is expected that the number of such requests to personal information handling businesses will increase. Businesses will need to secure resources and reorganize manuals, etc., to respond to these requests.

Also, a system that can verify the purpose of use for each piece of personal data will be necessary to determine whether there is no longer a need to use it.

Expansion of Disclosure Requests from the Individual

The scope of “disclosure requests for retained personal data” from the individual has been expanded, and now includes records of third-party provision related to the personal data of personal information handling businesses.

Previously, disclosure requests could only be made in writing, but now disclosure can be chosen by the method specified by the individual (disclosure by providing electromagnetic records). This is expected to increase the number of online disclosure requests to personal information handling businesses. On the business side, technical and organizational efforts are necessary to realize this method of providing electromagnetic records.

When the individual specifies the method of providing the retained personal data and requests disclosure, personal information handling businesses must disclose in the manner requested by the individual, unless it is difficult to do so by the specified method.

Personal information handling businesses can specify the file format of electromagnetic records (PDF format, Word format, etc.) and the method of providing electromagnetic records (saving electromagnetic records on a recording medium and mailing it, attaching electromagnetic records to an email and sending it, allowing electromagnetic records to be downloaded from a website, etc.). If the disclosure method specified by the individual is difficult, it is sufficient to disclose in a feasible method. However, from the perspective of improving the convenience of the individual, it is desirable to respond in a manner that meets the individual’s wishes as much as possible.

Source: Personal Information Protection Commission ‘Q&A on Guidelines for the Protection of Personal Information Law | A9-10’[ja]

Expansion of the Scope of Retained Personal Data Subject to Disclosure, etc.

Before the amendment, short-term stored personal data to be erased within six months was not included in “retained personal data”, but under the amended law, it is now subject to “retained personal data” regardless of the storage period.

Therefore, personal information handling businesses that had previously excluded data from such requests on the ground of short-term storage will need to revise their handling.

Strengthening of Opt-Out Regulation: Addition of Notification, Publication, and Reporting Items

The following items have been added to the matters that should be notified to the individual, published, and reported to the Personal Information Protection Commission.

  • Name, etc. of the personal information handling business that provides to third parties
  • Method of acquiring personal data to be provided to third parties

Previously, if you used the “opt-out method”, there was no problem if you pre-announced to the individual that “we will provide personal information to a third party” and “we will stop providing to third parties if there is a request from the individual”.

With this legal amendment, if you intend to provide personal data to a third party using the “opt-out method”, you must now report to the Personal Information Protection Commission in advance. Also, if you stop opt-out provision, you are now obliged to submit a change report to that effect.

Therefore, businesses that provide to third parties using the “opt-out method” will need to make revisions, etc. to their privacy policy that carries out notifications and publications for that purpose.

Strengthening of Opt-Out Regulation: Prohibition of Double Opt-Out

In addition to “personal information requiring careful handling”, “personal data acquired illegally” has also become subject to regulation and is not subject to the “opt-out method”. A new provision has also been established prohibiting double opt-out, which means that personal data acquired using the “opt-out method” cannot be provided again using the “opt-out method”.

Therefore, personal information handling businesses need to verify how the personal data that they provide to third parties using the “opt-out method” was acquired, and take measures to comply with the amended law.

Expansion of Data Utilization Due to the Amended Japanese Personal Information Protection Law


Introduction of Pseudonymized Information

For instance, there may be cases where personal information is processed into “Anonymized Information” or “Pseudonymized Information” for statistical use, etc.

As previously mentioned, “Anonymized Information” is personal data that has been processed so that it cannot identify a specific individual even when compared with other information. The following rules applied to Anonymized Information:

  • No need for the individual’s consent for third-party provision
  • Prohibition of identification activities
  • When creating Anonymized Information, the items of personal data included in the Anonymized Information must be disclosed

On the other hand, the newly established “Pseudonymized Information” in this amendment is processed personal data that can identify an individual when compared with other information. The following rules have been established for Pseudonymized Information:

  • There are no restrictions on changing the purpose of use, but the purpose of use after the change must be disclosed
  • Prohibition of identification activities and contact with the individual, etc.
  • No obligation to respond to requests for disclosure, suspension of use, etc. from the individual
  • No obligation to report or notify in case of leakage
  • Prohibition of third-party provision

However, it is possible to provide “Pseudonymized Information” if the recipient is a contractor, business successor, or joint user (group companies, joint research, etc.).

If a personal information handling business operator uses “Pseudonymized Information” for processing, etc., it will be necessary to revise the privacy policy in relation to the specification and disclosure of the purpose of use and third-party provision.

Regulation of Personal Related Information as Personal Data at the Recipient

When it is “anticipated” that the recipient will acquire the “personal related information” as “personal data”, the recipient needs to confirm with the provider whether the person’s consent to this effect has been obtained.

Providers of so-called DMPs (Data Management Platforms) or similar services are subject to regulations similar to those for the third-party provision of “personal data”.

Example: When suing an anonymous poster for defamation, the site administrator who holds the IP address provides information to the Internet service provider (such as NTT or mobile phone companies) through a request for disclosure of sender information.


Provisions on Strengthening Cross-Border Regulations and Extraterritorial Application

Previously, when providing personal data to a third party in a foreign country, the requirements were the “consent of the individual”, the recipient being a “business operator who has established a system that conforms to the standards”, and being in a “country with a level equivalent to Japan” such as the EU or the UK.

In the revised law, additional requirements have been added to the first two. Specifically, the following information disclosures have been mandated when obtaining “consent from the individual”:

  • Name of the country where the recipient is located
  • The system for protecting personal information in the foreign country
  • Measures taken by the recipient for the protection of personal information
  • Other information that should be referred to by the individual

Also, regarding the confirmation that it is a “business operator who has established a system that conforms to the standards”, it has been made obligatory for the data transfer source to take “necessary measures for the protection of personal information” and to provide this information upon request from the individual.


The necessary measures taken by the transfer source specifically include “management system for proper handling in the recipient” and “response when a risk arises in proper handling in the recipient”.

As foreign countries and regions have their own personal information protection systems, including the EU’s well-known GDPR (General Data Protection Regulation), the UK, and the member countries of APEC’s CBPR system, it is necessary to understand and deal with them in advance depending on the business situation.

As information that can serve as an indicator of the foreign “personal information protection system”, if that system lacks business obligations or rights of the individual corresponding to the “OECD (Organisation for Economic Co-operation and Development) Privacy Guidelines 8 Principles”, you must provide this information to the individual. This is because it shows the essential difference from the Japanese “Personal Information Protection Law”.

It is considered that there are stricter personal information protection systems than Japan in foreign countries, so it is important to investigate and understand them. For more information, please refer to the information provision on international relations by the Personal Information Protection Commission.

In the revised law, the Personal Information Protection Commission can now collect reports, issue orders, and conduct inspections backed by penalties against foreign business operators, and equal footing (equalization of conditions) with domestic business operators has been achieved.

In order to effectively exercise authority against domestic and foreign business operators and ensure proper procedures, the procedures for service (consular service, public notice service, etc.) have been specified. Because of foreign sovereignty, public authority cannot be exercised within the territory of another country unless that country agrees, so the policy is to cooperate with foreign authorities as needed (there is no obligation to appoint an agent, as there is under the GDPR).

Conclusion: Consult a Lawyer for Measures Against the Amendment of the Personal Information Protection Law

We have explained the key points of the amended Personal Information Protection Law in Reiwa 4 (2022) and the practical responses required by businesses. In addition to the amendments discussed here, there are many other issues that businesses handling personal information need to address.

Worldwide, regulations on the use of personal data are advancing. Especially for businesses providing services on the Internet, considering that their websites can be accessed from all over the world, it is necessary to respond in accordance with these regulations.

Businesses need to review their personal information management systems, not only in light of the amendments to the Japanese Personal Information Protection Law, but also in light of global trends. If you are having trouble responding to the amendments to the Personal Information Protection Law, we recommend consulting a lawyer.

Introduction to Our Firm’s Measures

Monolith Law Office is a legal office with high expertise in both IT, particularly the internet, and law. In recent times, the leakage of personal information has become a significant issue. In the unfortunate event that personal information is leaked, it can have a devastating impact on corporate activities. Our firm possesses specialized knowledge in preventing information leakage and in implementing countermeasures. Details are provided in the article below.

Areas of practice at Monolith Law Office: Japanese Personal Information Protection Law-related legal affairs[ja]


The Editor in Chief: Managing Attorney: Toki Kawase

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies. He has served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage startups.
