3. Strengthening regulations on provision to third-parties
1. Tighter opt-out regulations
a) Limitations on applicable subjects
In addition to personal information requiring special consideration (sensitive personal information), the following personal data is excluded from provision to third parties under the opt-out method:
- Personal information acquired through deception or other wrongful means; and
- Personal information provided by other business operators handling personal information through an opt-out method (including information that has been duplicated or processed in whole or in part)
b) Addition of items for notification, publication and reporting
The following items will be added to the list of items that the individual must be notified of or made readily available to the individual in advance, and reported to the Personal Information Protection Commission:
- Name and address of the business operator handling personal information that provides the personal data to third parties, and, if it is a juridical person, the name of its representative (the representative or administrator in the case of an unincorporated association that has a designated representative or administrator)
- Method of obtaining personal data provided to third parties
- Method of updating personal data provided to third parties
- Scheduled date of commencement of provision of personal data pertaining to said notification to a third party
2. Changes to disclosure items for joint use
The following items will be added to the list of items that the individual must be notified of or made readily available to the individual in advance.
This is a minor revision, but it is expected that many businesses will need to make changes to their “public announcements under the Act on the Protection of Personal Information”.
- Address of the person responsible for the management of said personal data
- Name of its representative, if the above person is a corporation
There are also further changes to the matters that must be notified and announced in advance, or without delay, when the terms of joint use are changed.
3. Tighter regulations on cross-border data transfer
a) Enhancement of information provision when obtaining the person’s consent
When providing personal data to a “third party in a foreign country” under the Act on the Protection of Personal Information, the following information must be provided to the individual in advance in order to obtain the individual’s prior consent to such provision.
- Name of the foreign country
- Information on systems for the protection of personal information in the foreign country concerned obtained by appropriate and reasonable methods
- Information on measures taken by the third party to protect personal information
b) Strengthening regulations pertaining to provision to a foreign third party that establishes a standard-compliant system
When providing personal data to a “third party in a foreign country” under the Act on the Protection of Personal Information, the provision may be justified on the basis that the recipient has established a system conforming to the standards for a system needed to implement, on a continuing basis, measures equivalent to those required of business operators handling personal information. Where the provision relies on this basis, the provider must, after providing the personal data, take the following measures (“Necessary Measures”), and must provide information about the “Necessary Measures” to the individual upon request.
- Periodically confirming (at least once a year), by appropriate and reasonable means, the status of the third party’s implementation of the equivalent measures, and whether any system in the foreign country exists that may affect the implementation of those measures, together with the details of any such system.
- Suspending the provision of personal data to the third party, in addition to taking other necessary and appropriate measures, if the third party’s implementation of the equivalent measures is impeded, or if it becomes difficult to ensure their continued implementation.
4. Establishment of regulations on provision of information related to personal information to third parties
Even where the information provided to a third party is not personal data in the provider’s hands (because the provider cannot readily collate it with other information to identify a specific individual), if the recipient is expected to acquire it as personal data because the recipient can readily collate it, the provision is subject to the same regulations as the provision of personal data to a third party (including cross-border data transfers).
Specifically, the regulations in b) below are imposed on the basis of the definitions in a) below.
a) Definitions
- Information related to personal information
Information on living individuals that does not fall under any of the categories of personal information, pseudonymized information, or anonymized information.
“Information related to personal information” means any information expressing facts, judgments, or evaluations regarding an individual’s attributes, such as body, property, occupation, title, etc. Statistical information does not constitute “information related to personal information” as long as it cannot be linked to a specific individual.
- Databases, etc. of information related to personal information
A collection of information containing information related to personal information that is systematically organized, according to certain rules, so that specific items of information related to personal information can be easily retrieved, or that has a table of contents, index, or the like to facilitate retrieval.
- Business operators handling information related to personal information
Persons who use databases, etc. of information related to personal information for business purposes.
However, this excludes national organizations, local governments, incorporated administrative agencies, etc. as defined in the Act on the Protection of Personal Information Held by Incorporated Administrative Agencies, etc., and local incorporated administrative agencies as defined in the Local Incorporated Administrative Agencies Act.
b) Regulatory details
When a business operator handling information related to personal information provides such information (limited to information constituting a database, etc. of information related to personal information) to a third party, and the third party is expected to acquire it as personal data, the business operator is, in principle, obligated to confirm the following matters in advance and to prepare a record of that confirmation.
- The consent of the concerned individual has been obtained to allow the third party to receive the information related to personal information from the business operator handling the information related to personal information and to acquire it as personal data that identifies the concerned individual.
- In the case of provision to a “third party in a foreign country” under the Act on the Protection of Personal Information, the information listed in 3. a) above (name of the foreign country, its personal information protection systems, and the third party’s protective measures) must have been provided to the concerned individual in advance when the consent in the first bullet above was obtained. Where the foreign third party has established a standard-compliant system, this confirmation that the information was provided is not required. However, the provider must still take the “Necessary Measures” described in 3. b) above (reading “personal data” there as “information related to personal information”) and must provide information about the “Necessary Measures” to the concerned individual upon request.
The third-party recipient is subject to the same confirmation obligations as when receiving personal data from a third party, but the record-keeping requirements differ from those that apply to the provision of personal data to a third party.