4. Strengthening the rights of the individual with respect to retained personal data
(1) Strengthening the rights of the individual with respect to retained personal data
The exclusion of short-term retained data from retained personal data will be eliminated.
(2) Enhancement of public disclosure of retained personal data
The following items will be added to the list of items that must be kept in a state that is accessible to the individual (including cases in which a response is made without delay in response to the individual’s request).
- Address of the business operator handling the personal information
- Name of its representative, if the business operator handling the personal information is a juridical person (its representative or administrator in the case of an organization that is not a juridical person and has a designated representative or administrator)
- Measures taken for the secure management of retained personal data (excluding those that may impede the secure management of said retained personal data by making them accessible to the individual)
As a result of this revision, it is expected that many businesses will need to make changes to their “public announcements under the Act on the Protection of Personal Information”.
(3) Enhancement of disclosure requests
In principle, disclosure of retained personal data requested by an individual must be made “by providing electromagnetic records, by delivering written documents, or by any other method specified by the business operator handling the personal information”, as requested by the concerned individual.
In exceptional cases where disclosure by the method requested by the concerned individual would involve significant costs or would otherwise be difficult, disclosure in writing may be permitted instead.
(4) Disclosure of third-party records
The individual will be able to request disclosure of records of provision to third parties of personal data that identifies the concerned individual.
When the above request is received from the concerned individual, the business operator shall, in principle, promptly disclose the information by the method requested by the concerned individual, in the same manner as described in (3) above.
However, as with the disclosure of retained personal data, data specified by a Cabinet Order as that for which disclosure would be detrimental to public interests or other interests is exempt from disclosure.
(5) Expansion of requirements for suspension of use, etc. (including suspension of provision to third parties)
Besides the addition of cases of breaching the “Prohibition of Inappropriate Use” (see 1 above) as grounds on which an individual may request a business operator handling personal information to cease use of or erase retained personal data (“Suspension of Use”), the individual may request the business operator handling personal information to Suspend Use or cease provision to a third party of retained personal data in any of the following cases.
(i) When there is no longer a need for the business operator handling personal information to use retained personal data that identifies the concerned individual
(ii) In the event of a “Leakage” (see 2 (1) above) involving retained personal data that identifies the concerned individual
(iii) Other cases where there is a risk that the rights or legitimate interests of the concerned individual may be harmed by the handling of retained personal data that identifies the concerned individual
When the business operator receives a request from an individual to Suspend Use or cease provision of retained personal data to a third party on the grounds of (i) through (iii) above and it is found that there is a reason for such request, the business operator must, in principle, take measures without delay to the extent necessary to prevent infringement of the rights and interests of the individual by Suspending Use or ceasing provision to a third party.
However, in cases where it is difficult to take the above measures (e.g., where Suspending Use or ceasing provision to a third party would require significant costs, or where the retained personal data concerned is necessary for legitimate business activities), it is permissible to take alternative measures necessary to protect the rights and interests of the individual.
The following examples are listed in the guidelines for alternative measures.
- When the business operator vows to correct the list when it is reprinted, or pays money, if necessary, because the reprinting and collection of a list that is already on the market would require a large amount of money.
- When, in the event of a serious Leakage that is the subject of a report to the Personal Information Protection Commission, it is difficult to Suspend Use of the information because the contract with the concerned individual is still in force, and the business operator instead takes the necessary and appropriate preventive measures to ensure that such a Leakage will not occur again in the future.
- Where, instead of erasing the retained personal data required to be retained by other laws and regulations without delay, the business operator vows to erase the data after the end of the retention period stipulated by such laws and regulations.
5. Accreditation of organizations for specific fields (divisions) of a company, etc.
With respect to certification of accredited personal information protection organizations, in addition to certification on a company-by-company basis, it will now be possible to obtain certification whose scope is limited to particular types of business or other specific business activities of a company.
In addition to business operators handling personal information and business operators handling anonymized information, “business operators handling pseudonymized information” will be added as business operators that may be subject to such certification.
6. Establishment of system for pseudonymized information
A system has been established to relax regulations on restrictions on changes in the purpose of use, reporting Leakages (see 2 above), and responses to requests for disclosure and Suspension of Use (including 4 (3) through (5) above) for information that has been processed in such a way that individuals cannot be identified by it, on the condition that re-identification is prohibited and that the information is limited to internal analysis.
We will not go into detail on the pseudonymized information system in this article; please refer to the Personal Information Protection Commission’s guidelines (Pseudonymized Information and Anonymized Information).
7. Increase in penalties, etc.
The statutory penalties have been increased. In particular, the maximum fine for a violation of an order by the Personal Information Protection Commission and illegal provision of personal information databases, etc., has been significantly increased from JPY 500,000 to JPY 100 million for corporations, etc. (The above was enacted on December 12, 2020.)
The Personal Information Protection Commission will be able to make a public announcement if a business operator that has received an order violates said order.
8. Enhanced extraterritorial application
The limited enumeration of articles subject to extraterritorial application shall be abolished, and the Act on the Protection of Personal Information shall apply to cases where a business operator handling personal information located in a foreign country handles, in relation to the provision of goods or services to a person located in Japan, personal information regarding the person in Japan as the principal, information related to personal information to be acquired as said personal information, or pseudonymized information or anonymized information created using said personal information, in a foreign country.
As a result, the following provisions of the Act on the Protection of Personal Information, which were previously considered to be outside the scope of extraterritorial application, are expected to apply to foreign businesses too.
- The provisions of Article 40 of the Act (the article numbers are based on the amended Act of 2020; the same applies hereinafter) pertaining to on-site inspections by the Personal Information Protection Commission
- The provisions of Article 40.1 of the Act concerning requests for submission of reports or materials necessary for the handling of personal information, etc. by the Personal Information Protection Commission
- The provisions of Article 42.2 of the Act pertaining to orders to take measures pertaining to recommendations by the Personal Information Protection Commission
- The provisions of Article 42.3 of the Act pertaining to orders by the Personal Information Protection Commission to cease violations or take other necessary measures to remedy the violations
- The provisions of Article 45 of the Act pertaining to requests by the minister having jurisdiction over the business
9. Establishment of new provisions on delivery
Requests for a report or submission of materials pursuant to Article 40.1 of the Act on the Protection of Personal Information, recommendations pursuant to Paragraph 1 or orders pursuant to Paragraphs 2 or 3 of Article 42 of the Act shall be made by serving documents.
With respect to such service, certain provisions of the Code of Civil Procedure (including provisions pertaining to service in foreign countries) apply mutatis mutandis, and service via publication by the Personal Information Protection Commission is also possible in certain cases.