On the Revision of Japanese Personal Information Protection System in 2021
1 Background of the Revision
On May 12, 2021, the “Basic Act on the Formation of a Digital Society” (hereinafter referred to as “The Basic Act”) was enacted at the 204th Diet and promulgated on the 19th of the same month. The main content of this act is a review of the “Act on the Protection of Personal Information” (hereinafter referred to as “APPI”). According to The Basic Act, the Amended APPI will be applied from 2022 for private companies, national government agencies, incorporated administrative agencies, etc., and from 2023 for local governments.
The personal information protection system in Japan was preceded by the establishment of local government ordinances. At the national level, the “Act on Protection of Personal Information Electronically Processed and Held by Administrative Organs” was established in 1988, and “APPI” and the “Act on Protection of Personal Information Held by Administrative Organs” were established in 2003. In Japan’s personal information protection system, the rules to be applied differ depending on the entity that protects personal information.
This revision is driven by the progress of digitization of information, the increasing usefulness of personal information, and the government’s policy of promoting digitalization, as shown in the establishment of the “Organization of the Digital Agency”. The Amended APPI has corrected imbalances and inconsistencies in the current legislation that could hinder the active utilization of data between the public and private sectors and across regional areas. In addition, one of the reasons for the revision was the fulfillment of international standards for cross-border data distribution, as shown by the fact that the EU’s GDPR (General Data Protection Regulation) adequacy certification was obtained in 2019 regarding the protection of personal information in the private sector.
2 Details of the Revision
(1) Unification of Personal Information Protection Systems and the Personal Information Protection Commission
Before the revision, the laws applied in the public sector and the private sector were different, and the contents of regulations by ordinance differed in each local government (the so-called “2000 problem”). Moreover, a problem remained with the public sector: APPI obtained the GDPR’s adequacy status in 2019 for the protection of personal information in the private sector, but it could not obtain the adequacy status in the public sector due to the lack of supervision by an independent organization.
Therefore, the Basic Act integrates three acts (APPI, the “Act on the Protection of Personal Information Held by Administrative Organs”, and the “Act on the Protection of Personal Information Held by Incorporated Administrative Agencies”) into one new act: the Amended APPI. It has also decided to set national rules for the personal information protection system of local governments. The national government will develop guidelines to enable local governments to operate the law properly. However, since the ordinances of each local government stipulate their own procedures regarding the protection of personal information and deliberation by the council, it is said that the national guidelines cannot adequately respond to the experience accumulated in the local governments.
In addition, the Amended APPI has set up a chapter on the “Personal Information Protection Commission” (PIPC) to stipulate the authority of the government to supervise the public sector and the authority of the PIPC regarding the handling of personal information by local governments (Articles 156 to 160). Unlike its supervisory authority over “a business operator handling personal information”, the PIPC’s supervisory authority over the public sector does not include orders that impose legal obligations on the other party, so ensuring its effectiveness would be a problem in the future.
(2) Regulations in the medical and academic fields
Under the current personal information protection system, applicable laws regarding hospitals and research institutes in the public sector differed from those applied in the private sector. Therefore, the Amended APPI decided to apply the rules regarding the private sector in principle when the public sector and the private sector jointly use personal information in the academic research field and the medical field.
(3) Exemptions for academic research
The current APPI uniformly exempts academic research institutes from the obligations imposed on a business operator handling personal information when they handle personal information for academic research purposes (Article 76, Paragraph 1, Item 3). On the other hand, the Administrative Organs’ APPI and the Incorporated Administrative Agencies’ APPI do not exempt academic research institutes. Therefore, under the current system, the procedures for sharing personal information differ among these institutions.
The Amended APPI applies the provisions regarding the obligation of a business operator handling personal information to implement safety management measures and to respond to disclosure requests from the individual (Articles 23 and 32). It exempts restrictions based on the purpose of use (Article 18) and restrictions on the acquisition of special care-required personal information (Article 20, Paragraph 2). Furthermore, it exempts the limitation of provision to third parties (Article 27) for academic research purposes unless there is a risk of unreasonably infringing the rights and interests of individuals.
(4) Unification of definitions of personal information
The current APPI requires that “personal information” be “easy” to collate (Article 2, Paragraph 1). On the other hand, the Administrative Organs’ APPI includes information that is not “easy” to collate in “personal information” with the intention of strengthening discipline in the public sector (Article 2, Paragraph 2).
The Amended APPI has decided to apply the current definition of “personal information” in APPI to the public sector as well.
The current APPI defines “anonymously processed information” as information processed so that a specific individual cannot be identified. On the other hand, the Administrative Organs’ APPI defines such processed information as “anonymized personal information” with a higher degree of non-identification.
The Amended APPI unified these into “anonymously processed information”. It also stipulates that the system for handling anonymous information in the public sector should be like that of the private sector. This is to relax regulations in the public sector to promote the utilization of information. In the future, it will be necessary to give special consideration to personal information handled by local governments. This is because, even when the information is processed anonymously, the amount of personal information handled by local governments is larger than that of national institutions, and it is necessary to pay attention to the relationship of trust with citizens.