Client Alert

Japan: Privacy Updates on Handling Personal Information in the “Digital Market”

19 Aug 2020

This alert summarizes several legislative updates that have potentially far-reaching privacy implications for tech companies doing business in Japan.  These updates relate to the handling of personal information in the so-called “digital market.” 

In Japan, this term means the market of online services such as search providers, social networking services, and electronic commerce, or other value provided to customers through data or digital technology.  

Japan’s Cabinet established the Headquarters for Digital Market Competition to discuss new laws and guidelines affecting the digital market, including:

  1. The amendment to the Personal Information Protection Act (“PIPA”);
  2. New guidelines by the Japan Fair Trade Commission (“JFTC”), which address businesses operating digital platforms; and
  3. The enactment of the Digital Platformer Transaction Transparency Act (“DPTTA”).

Below are descriptions of these important updates, as well as practical considerations that will be of particular interest to tech companies’ privacy officers and departments.

A. PIPA Amendment

The PIPA was amended to provide greater protections to individuals whose data is collected by companies and/or transferred to third parties. [1]  The PIPA amendment includes the following key changes:

  • Overseas transfers of personal data: Those transferring personal data to a third party overseas (“overseas party”) will need to take additional measures, such as informing individuals of how the overseas party will handle their personal information.

The current PIPA already allows the transfer of personal data with individual consent.  Under the PIPA amendment, companies will need to update their consent procedures to provide certain information about the overseas party before obtaining such individual consent.  This includes: (a) information regarding the personal information protection system of the foreign country where the personal data will be sent; (b) the measures that the overseas party will take to protect the personal information; and (c) other information helpful to the individual. The Personal Information Protection Commission (“PPC”) will provide further details at a later date.

If a company transfers personal data to an overseas party and relies on that party’s security measures, the company must be ready to explain, upon individual request, how it ensures that the overseas party will implement those security measures.

  • Transfers of non-identifiable personal data:  A company will be required to confirm individual consent for transfers of non-identifiable personal data to a third party when that third party is able to transform the non-identifiable personal data into a type of legally recognized personal data (e.g., sharing website browsing history collected by using cookies where the third party can then link those cookies to a particular individual).  Companies will need to obtain individual consent prior to transferring such non-identifiable personal data to such third parties. 
  • Reporting of personal data breaches:  Any personal data breaches that pose great risk to individual rights and interests will need to be reported to the PPC and the affected individuals.  The PPC plans to provide further details at a later date, including how and when such notifications must occur, but companies should review their procedures for handling data breaches and for communicating with individuals whose personal data they collect.  

There is no direct penalty for failing to provide these notifications.  However, if this notification requirement is not met, the PPC may issue a recommendation (i.e., a request to take remedial measures) or an order (i.e., a demand to take remedial measures if the business fails to follow a recommendation or there is an urgent need). 

  • Enhanced penalty for violation of a PPC order:  Under the current PIPA, a court may impose the following criminal penalty for violating a PPC order: (1) imprisonment up to six months or (2) a fine up to 0.3 million yen.  Under the PIPA amendment, a court will be able to impose a criminal penalty of (1) imprisonment up to one year or (2) a fine up to one million yen for individuals, and up to one hundred million yen for companies.  
  • Deletion of personal data:  Individuals will be able to request the deletion or suspension of use of their personal data when (1) the data are no longer necessary for the stated use; (2) a data breach occurs that triggers the notification requirement mentioned above; or (3) individual rights or interests are at risk, whether due to unlawful collection or unlawful handling.  Also, individuals will be able to request disclosure, deletion, or correction of personal information, even if the company plans to delete the data within six months (data to be deleted within six months are currently exempted from individual requests). Companies may need to update their procedures for handling individual requests to address these updates.
  • Electronic disclosure of personal data:  Individuals will be able to request that their personal data be disclosed to them in electronic form (currently, such disclosures are generally made in writing). Procedures for responding to individual requests for disclosure should be updated accordingly. 

The PIPA amendment was enacted on June 5, 2020, and published on June 12, 2020.  Some provisions of the amendment will come into effect in December 2020, but most will come into effect by June 2022.  Further details on the PIPA amendment will be provided by ordinance and in the PPC’s rules, which will likely be open to public comment in early 2021. 

B. JFTC Guidelines

A digital platform operator’s interactions with consumers may now give rise to “abuse of superior bargaining position,” which is an existing claim under Japanese antitrust law. 

Published and made effective in December 2019, the Guidelines Concerning Abuse of Superior Bargaining Position in Transactions between Digital Platform Operators and Consumers that Provide Personal Information (“JFTC Guidelines”)[2] clarified that such an abuse could occur if a digital platform operator (“Operator”) uses its superior bargaining position over consumers (who are counterparties to a transaction) to cause those consumers to be unjustifiably disadvantaged, in light of normal business practices. 

The JFTC Guidelines explain that an Operator has a superior bargaining position over consumers when the consumers suffer detrimental treatment from the Operator but are compelled to accept this treatment in order to use the Operator’s services.  An Operator is normally in a superior bargaining position when:

  • No other Operators provide alternative services for the consumers;
  • Even if alternative services exist, it is practically difficult for consumers to stop using the Operator’s service; or
  • The Operator exercises some control over the transaction terms with the consumers, such as price, quality, and quantity.

The JFTC Guidelines explain that the issue of whether consumers are unjustifiably disadvantaged “in light of normal business practices” will be determined on a case-by-case basis.  The JFTC Guidelines further explain that conduct will not necessarily be justified simply because the conduct is consistent with existing business practices; it must also be consistent with the maintenance and promotion of fair competition. 

The JFTC Guidelines identify examples of conduct likely to constitute an abuse of superior bargaining position:

  • Collecting personal information without stating the purpose of use to consumers;
  • Collecting or using personal information against consumers’ will beyond the scope necessary to achieve the purpose of use;
  • Collecting or using personal information without taking the precautions necessary and appropriate for the safe management of personal data; or
  • Causing consumers to provide individual information (including non-personally identifiable information such as website browsing history) or anything else of economic value, in addition to the information provided in exchange for the use of services.

The JFTC has established the Abuse of Superior Bargaining Position Task Force to handle potential abuse cases.  The Task Force will investigate and warn relevant businesses of potential abuses, to facilitate their cooperation in improving their practices and preventing future issues.  The Task Force may also handle potential cases under the JFTC Guidelines.  

The JFTC may enforce these Guidelines by issuing cease-and-desist orders and surcharge payment orders.  Any surcharge will equal one percent of the sales or purchasing amount of the transaction with the affected counterparty.  It is unclear what will happen when personal information is collected and used by an Operator who provides a service free of charge.

Though an abuse of superior bargaining position covers a relatively narrow set of circumstances, it is important to remember that the handling of personal information can be subject to enforcement in Japan under both the PIPA and antitrust law.

C. DPTTA Enactment

The DPTTA is intended to improve the transparency and fairness of digital platforms and provides requirements for “Specified Digital Platformers” who will be designated by the Minister of Economy, Trade and Industry (“METI”).  We anticipate that, at least initially, only large-scale online mall providers and app store providers will be designated as Specified Digital Platformers. 

Under the DPTTA, Specified Digital Platformers must (1) disclose certain terms and conditions to both general users of the digital platform and those who use the digital platform to sell goods and services; (2) establish procedures and systems conforming to METI guidance; and (3) submit an annual report with a self-evaluation.

With respect to (1), Specified Digital Platformers will be required to disclose the following terms and conditions to general users:

  • The key factors for determining the outcome of product and service searches;
  • The type of purchasing data that will be collected and used (including search and viewing history and purchases of goods and services), and the conditions for collection and use of such data by the Specified Digital Platformer; and
    • Any other terms that are required to be disclosed by METI ordinance.

Specified Digital Platformers will also be required to disclose the following information to users who sell goods and services via the platform:

  • The key factors for determining the outcome of product and service searches;
  • The type of sales data that will be collected and used, and the conditions for collection and use of such data by the Specified Digital Platformer;
  • Whether and under what conditions the Specific Digital Platformers can refuse use of the platform;
  • Whether users are required to purchase products or subscribe to fee-based services;
  • Whether and under what conditions users can obtain the sales data retained by the Specified Digital Platformer;
  • How users can submit complaints against the Specified Digital Platformer; and
  • Any other terms that are required to be disclosed by METI ordinance.

If a Specified Digital Platformer fails to disclose these terms described in (1), it may be subject to METI recommendations and orders.  The penalty for breach of a METI order is a fine of up to one million yen.  METI may issue a recommendation for failure to establish the procedures described in (2) above, but orders and criminality penalties are not available remedies.  Failure to file an annual report as described in (3) above may result in a fine of up to 0.5 million yen.

The DPTTA was enacted on May 27, 2020, was published on June 3, 2020, and will come into effect by June 2021.  


[1] https://www.ppc.go.jp/en/news/archives/2020/20200618/

[2] https://www.jftc.go.jp/en/pressreleases/yearly-2019/December/191217_DP.html

Close
Feedback

Disclaimer

Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.