Japan: APPI revisions seek to support digitalisation
Takuya Hasegawa of Nagashima Ohno & Tsunematsu explain how the proposed amendments to the Act on the Protection of Personal Information will improve the efficiency of data usage throughout Japanese industries
The Japanese government has recently been pursuing an aggressive legislative agenda to ensure Japanese laws are in step with the rapid digitalisation occurring in Japanese society.
On February 9 2021, the Japanese cabinet submitted drafts of six acts related to digitalisation reform to the National Diet, comprised of the Basic Act on the Formation of a Digitalized Society (to replace the Basic Act on the Formation of an Advanced Information and Telecommunications Network Society) and other related statutes. Among them is the draft of the Act on the Amendment of Related Laws for Formation of Digitalized Society (the Act).
The Act itself covers three different goals: amending the Act on the Protection of Personal Information (the APPI); facilitating the data linkage and the usability of social security and tax number; and abolishing the requirement for physical documentation and individual/corporate seals in as many as 48 statutes.
This article focuses on four key proposed amendments to the APPI.
(1) The Act will integrate the Act on the Protection of Personal Information Held by Administrative Organs (the APPIHAO) and the Act on the Protection of Personal Information Held by Incorporated Administrative Agencies (the APPI-IAA) into the APPI. The Act will also begin to regulate municipal governments’ processing of personal information, which is currently regulated under separate municipal regulations. Along with the integration of the APPIHAO and the APPI-IAA, the Personal Information Protection Commission will have supervisory authority regarding data protection over all administrative organs (except for the Board of Audit), incorporated administrative agencies, and municipal governments.
(2) The definition of a personal information handling business operator (a PIHBO) under the APPI will be modified to include certain types of public entities, such as national university corporations, national hospital organisations, and national research and development agencies. This means that a number of the rules under the APPI that regulate private organisations will also apply to these types of public entities.
(3) The APPI currently exempts “universities and any other organizations or groups aimed at academic studies, or any person belonging to such an organization” from fulfilling the obligations of a PIHBO, to the extent they process personal information for academic studies. The Act will remove this categorical exemption and introduce more specific descriptions of requirements for exemptions based on individual obligations of a PIHBO relating to the usage purpose, sensitive personal information and third-party transfer. This revision intends to make the rules for academic organisations under the APPI satisfactory for an adequacy decision under EU’s GDPR.
(4) Fragmented definitions of ‘personal information’ between the APPI, the APPIHAO, and the APPI-IAA will be harmonised. It has been noted that the fragmented definitions have hindered data flow between the private and public sector since the APPI only applies to the former, and the APPIHAO and the APPI-IAA apply to the latter.
The Act comes in the wake of the proposal report from the Task Force on the Review of the Personal Information Protection System, which resulted from a supplementary clause of an amendment to the APPI in 2015 that instructs the government to revise the APPI. If passed, the provisions of the Act will be effective within one year (two years in the case of amendments relating to municipal governments) of promulgation.
Businesses and investors hope that the new law improves the efficiency of data usage throughout Japanese industries and the public sector, while maintaining appropriate protections on personal information.
Associate, Nagashima Ohno & Tsunematsu