This alert outlines some key changes made by the PIPA Amendments and offers practical compliance steps for businesses to consider.
Under the PIPA Amendments and amended guidelines, the PIPC must now be notified if a data breach meets the criteria established by the PIPC. Previously, only businesses subject to regulatory oversight by the Financial Services Agency (“FSA”) were subject to mandatory reporting requirements to their supervising authority, while all other businesses were merely “expected” to notify the PIPC.
The amended PIPC guidelines clarify that notification is required for breaches that involve or are likely to involve: (a) sensitive personal information; (b) personal information that is likely to cause property damage (such as credit card information or IDs and passwords used for online purchases); (c) unauthorized access to a data server or malware infection by a third party; or (d) more than 1,000 individuals. However, where businesses have deployed advanced encryption measures to protect such information, notification to the PIPC will not be required. According to the PIPC’s Q&A regarding the guidelines, advanced encryption is likely to be considered deployed if (i) cryptographic techniques listed in the e-Government Recommended Ciphers List or ISO/IEC 18033, etc., whose security has been confirmed by appropriate evaluation organizations, are used and properly implemented, and (ii) decryption measures are properly managed (e.g., appropriate measures are taken to separate the encrypted information from the decryption key and to prevent leakage of the decryption key itself; a function to delete the encrypted information or the decryption key by remote control is provided; or the key is designed to prevent a third party from exercising it).
When notification to the PIPC is required, businesses must make both an initial notification (“Sokuho” in Japanese) promptly (within around three to five days from the day on which the organization learned of the data breach incident, subject to case-by-case consideration) and a final notification (“Kakuho” in Japanese) within 30 days (or, in the case of unauthorized access, within 60 days) from the day on which the business learned of the breach. These initial and final notifications are already part of current practice, but the PIPA Amendments and amended PIPC guidelines establish them as clear rules with a clear deadline for the final notification.
Notice to affected individuals is also required as soon as possible depending on the circumstances, but there is no deadline for this notice. If such notice is practically difficult to make (for example, the business’s contact information is not current so the impacted individual cannot be reached), then it is sufficient for the business to publish information about the breach, including the business’s contact information, on the business’s website.
Since January 2019, when the European Commission issued a decision recognizing PIPA as providing adequate protection, businesses in Japan may receive personal information from or transfer personal information to the member countries of the European Economic Area (EEA) and the United Kingdom without restriction. To transfer personal information to any other country, such transfer requires either consent from the individuals concerned or the establishment of a data transfer agreement (“DTA”) with the receiving organization in the third country. The PIPA Amendments impose new requirements on transfers to these third countries. Specifically, where such transfers are made on the basis of consent, transferors are required to provide detailed information on the transfer prior to obtaining consent from the individuals concerned. Such information includes:
The same notice obligations apply when Personal-Related Information (described below; e.g., cookies) is transferred cross-border to a third party and will be transformed into personal information by that third party. In that case, the third party (or the transferor on behalf of the third party) is responsible for providing the above information and obtaining the data subject’s consent, and the transferor is responsible for confirming that the third party has obtained that consent.
However, where personal information will be transferred cross-border on the basis of a DTA, such information need not be provided to individuals proactively; but if they expressly request it, the following information must be provided:
In addition, for all cross-border transfers of personal information and non-personal information to non‑EEA countries, transferors must:
To assist business operators in assessing the level of protection in third countries, the government commissioned a survey and has posted its findings on the following countries: Australia, Brazil, Cambodia, Canada, Hong Kong, India, Indonesia, Laos, Malaysia, Mexico, Myanmar, New Zealand, Philippines, Russia, Singapore, Switzerland, Taiwan, Thailand, Turkey, Ukraine, United States (states, as well as Illinois, California, and New York), and Vietnam.
A business that (i) maintains a database containing Personal-Related Information and (ii) knew or should have known that the transferee may use the Personal-Related Information as personal information will be subject to the new requirements. For example, if the transferor (a) knows that the transferee holds certain personal information that could be used to identify the individual associated with the Personal-Related Information, (b) knows the transferee’s intended use of such Personal-Related Information (e.g., for individually targeted advertisements), and (c) transfers both Personal-Related Information and IDs that may be associated with personal information, this would likely be deemed a situation where the transferor knew, or should have known, that the transferee could use the Personal-Related Information as personal information.
The PIPA Amendments make some additional changes with respect to the following:
Publication of security control measures. The PIPA Amendments require a business to make available to data subjects (or to respond without delay to requests from data subjects) the measures taken to ensure the security control of retained personal data, unless such publication could itself undermine security control. These measures include organizational security control, human security control, physical security control, and technological security control, as well as awareness of the external environment where a business processes personal data outside Japan (i.e., the business needs to take appropriate measures in light of the legislation or system relating to the protection of personal information in the foreign country), which is a category of security control measures newly described in the PIPC guidelines.
Expanded individual privacy rights. Under the current PIPA, access and correction rights are limited to personal data that is retained longer than six months. The PIPA Amendments expand those rights by revising the definition of retained data to include all personal data, regardless of its retention period. In addition, individuals may request access to the transfer history of their personal data that has been shared with third parties, except when public or other interests may be harmed by such disclosure. Furthermore, individuals may choose how they would like to receive the requested information, including in electronic form. However, if the method of disclosure chosen by the individual requires significant costs, or if disclosure by that method is difficult, then disclosure must be made in writing. If disclosure by the method chosen by the individual is difficult, the business must notify the person to that effect without delay.
Pseudonymized Information. The PIPA Amendments establish a new category of “pseudonymized information,” meaning personal information that has been processed in such a manner that the specific individual cannot be identified without additional information. If a business holds only the pseudonymized information and no longer holds the additional identifying information that was removed (i.e., the pseudonymized information is no longer personal information), then its compliance obligations under PIPA are reduced (i.e., the obligations applicable to handling pseudonymized information, which is non-personal information, are limited to the prohibition of transfer to a third party, security control, supervision of employees or contractors, and handling of complaints). On the other hand, if a business continues to hold the additional identifying information that was removed, then the pseudonymized information is still treated as personal information, but a change in the purposes of use of the pseudonymized information does not require the data subject’s consent, which would otherwise be required for personal information. Creation of this new category of information is intended to facilitate the internal use of big data without having to satisfy the PIPC’s strict anonymization standards, which require irreversible de-identification.
Use of Opt-Out Consent. Transfers of personal information to third parties within Japan based on opt‑out consent will not be allowed if: (a) the information was collected by inadequate means; or (b) the information was originally transferred to the business from another third party based on opt-out consent.
Increased criminal penalties, etc. The PIPA Amendments strengthen criminal penalties for failure to comply with PIPA, including increasing the amount of criminal fines and prison time that can be imposed. More specifically, (i) the penalty for violation of an order issued by the PIPC was strengthened from “imprisonment with labor for not more than six months or a fine of not more than 300,000 yen” to “imprisonment with labor for not more than one year or a fine of not more than 1,000,000 yen”; (ii) the upper limit of the fine for a legal entity for the provision or surreptitious use of a personal information database for the purpose of seeking illegal profits was raised from 500,000 yen to 100 million yen, applicable only to a legal entity as opposed to an individual; and (iii) the upper limit of the fine for failure to submit a report or materials requested by the PIPC, or for false submission of such a report, was raised from 300,000 yen to 500,000 yen. In addition, in the case of (i) above, the PIPA Amendments allow the PIPC to make a public announcement regarding the violation of the order. These increases in criminal penalties are already in effect.