In June 2020, the Act to Amend the Personal Information Protection Act (“2020 Amendment Act”) was enacted and promulgated, and the related cabinet orders, regulations, and guidelines, etc. were amended (the full enforcement date was April 1, 2022; of the amendments, the increase in penalties came into effect on December 12, 2020).
Although the amendments of the 2020 Amendment Act cover a very wide range of items, an overview of the major amendments is provided below. This report does not cover the 2021 Amendment Act.
1. Prohibition on inappropriate use
It is expressly prohibited for business operators handling personal information to use the personal information in a manner that may encourage or induce illegal or unjust acts.
2. Obligation to report incidents of leakage, etc. and to notify the individuals concerned
In the event of any of the incidents described in (1) below, the business operator handling personal information is obliged to report to the Personal Information Protection Commission (described in (2) below) and to notify the individuals concerned (described in (3) below). Before the amendment, the law imposed only a duty to make efforts in this respect.
(1) Reportable incidents
(i) Leakage, loss, or damage (“Leakage, etc.”) of personal data containing personal information requiring special consideration has occurred or is likely to occur
(ii) Leakage, etc. of personal data that is likely to cause property damage due to unauthorized use has occurred or is likely to occur
(iii) Leakage, etc. of personal data that may have been carried out for wrongful purposes has occurred or is likely to occur
(iv) Leakage, etc. of personal data involving more than 1,000 individuals has occurred or is likely to occur
However, personal data that has been subjected to advanced encryption or other measures necessary to protect the rights and interests of individuals is exempt from the reporting and notification obligations.
Even if personal data has left the company, it does not constitute a “leak” if all of the data is retrieved before any third party has viewed it.
(2) Reports to the Personal Information Protection Commission
Reporting items are reported in two stages, preliminary and definitive, as follows.
In principle, reports should be made to the Personal Information Protection Commission, but in some cases, the authority to accept the report may be delegated to the minister with jurisdiction over the business.
a) Preliminary report
In principle, as soon as possible (generally within 3 to 5 days) after learning of a reportable incident, the business operator must report those of the matters listed in (c) below of which it is aware at that time, by filling in the report form on the website of the Personal Information Protection Commission.
Where a reportable incident (see (1) above) occurs with respect to personal data whose handling has been outsourced, the reporting obligation rests with the entrusting party. The entrusted party is not required to report separately to the Personal Information Protection Commission or to notify the individuals concerned, provided that, after becoming aware of the incident, it promptly (generally within 3 to 5 days) notifies the entrusting party of those of the matters listed in (c) below of which it is aware at that time.
b) Definitive report
The business operator must report all of the matters to be reported in (c) below within 30 days (or within 60 days in the case of (1)(iii) above) from the time it became aware of the incident that is the subject of the report.
If, despite all reasonable efforts during the above period, some matters remain unknown and a complete report is not possible, the business operator must report what it knows at that time and supplement the report as soon as the remaining matters become known.
c) Matters to be reported
(1) Overview
(2) Items of personal data that have been or may have been Leaked, etc.
(3) Number of individuals whose personal data has been or is likely to be Leaked, etc.
(4) Cause
(5) Existence or non-existence of secondary damage or the threat thereof, and the details thereof
(6) Status of implementation of response to the concerned individual(s)
(7) Status of public disclosure
(8) Measures to prevent recurrence
(9) Other items of reference
(3) Notice to the concerned individual
Upon learning of a reportable incident, the business operator must promptly notify the individual of (1), (2), (4), (5), and (9) of the reportable items in (2)(c) above, to the extent necessary to protect the rights and interests of the concerned individual. Examples of notification methods include sending documents by mail or e-mail.
If it is difficult to notify the individual (e.g., if their contact information is unknown), alternative measures (e.g., a public announcement of the case, establishment and public announcement of a contact person for inquiries, etc.) may be taken as necessary to protect the rights and interests of the concerned individual.