The Amended Personal Information Protection Act (the "New PIPA") was promulgated on September 9, 2015, and will fully come into force within two years from then, most likely on May 30, 2017. The New PIPA makes several important amendments to the regulation on personal information under the current Personal Information Protection Act, with respect to issues such as sensitive personal information, Big Data, traceability and cross-border transfer of personal information. If your company runs B-to-C business in Japan or receives personal information from a company in Japan, it is recommended that you keep your eyes on the New PIPA.

1. Portion of the New PIPA that has already come into effect

Since January 1, 2016, the New PIPA has already become partially effective in the following areas.

(1) The Personal Information Protection Committee (the "PPC") was established as an independent supervising authority. The New PIPA extracted various powers to protect personal information from separate competent Ministries, and gathered such power to one authority, the PPC. However, local governments continue to control their regulations under the New PIPA, and criminal cases will continue to be handled by police authorities.

(2) "My Number" system was introduced as well, which sets personal ID numbers for all individual residents in Japan including foreigners, for the purpose of controlling and managing information on taxations and social insurances (similar to social security numbers in US).

The Cabinet issued the Order to Enforce the New PIPA on October 5, 2016, and also decided the new Basic Policy for Protection of Personal Information on October 26, 2016. Guidelines for general rules, providing personal information abroad, providing personal information to third parties, and Big Data will be announced shortly.

2. What will become effective next spring?

First of all, the New PIPA has broadened the scope of businesses to which its regulations on personal information apply. Currently, if a company possesses personal information of less than 5,000 people, such a company is not subject to the regulations provided in the Personal Information Protection Act. However, after the New PIPA becomes effective, the regulations under the New PIPA will apply to all companies in Japan that use personal information in business, regardless of the volume of personal information. Therefore, it is advisable that a company prepares a privacy policy in order to follow the requirements in the New PIPA.

"What's new in the New PIPA" is described in more detail below.

(1) Definition of Personal Information

The New PIPA further clarifies what "personal information" is, in order to protect privacy with certainty. Information that is included in the scope of "personal information" under the new definition is fingerprints data, facial recognitions data, passport numbers, driver's license numbers, and My Numbers, in addition to long-established personal information such as names, addresses, and dates of birth.

In this regard, the government explains that the new definition only limits the gray zone, since the gray zone increased as technologies and public systems developed. This means that the Amendment is not an expansion of scope of personal information, but rather is merely a clarification.

(2) Sensitive Information

Moreover, the New PIPA classifies personal information into two grades of protection with a new category of "sensitive information." This includes race, religion, medical history, and other personal information that could potentially lead to unjustifiable discrimination or prejudice. A prior consent is required to transfer sensitive information to a third party. An opt-out procedure for transferring personal information to third parties is not available for sensitive information.

(3) Big Data

The critical case that led to the amendment regarding Big Data was a 2013 case in which JR East, a railway company, disclosed to another company (Hitachi) all history of use of pre-charged IC cards by passengers, without obtaining prior consent of the passengers.

JR East provided Hitachi with information on rides (dates, times, stations, and fares), genders, ages, and so on but without disclosing the passengers' names, in order to analyze trends of passengers for commercial purposes and to sell the data obtained as a result of the analysis. However, the public heavily criticized JR East for providing such information to another company without prior consent of passengers, because an individual passenger could possibly be identified from history of use of IC cards specified by exact times and places.

In the meantime, Big Data is highly useful for promoting commercial activities from a business point of view. In order to control over-reactions by the public against utilization of Big Data extracted from personal information, the New PIPA established new requirements for producing and handling Big Data properly.

(4) Traceability, Cross-border Transfer, etc.

Under the new PIPA, a company handling Personal Information must: (i) notify the individual of the purpose of use of the personal information promptly upon receipt; (ii) must provide its contact information so that the individual can contact the company in case the individual wishes to correct the personal information; and also (iii) establish a protection system to secure such stored personal information from harm or disclosure.

An individual has a right to claim disclosure, correction or suspension of use of his or her personal information. An individual must make an out-of-court request at least two weeks before going to court.

In order to ensure traceability of an individual's personal information, especially against Meibo-ya (personal information brokers) that sell personal information as business, a company handling personal information must give notice to the individual at the time of providing the personal information to third parties (unless it falls under one of the exceptions, such as when the company is ordered by a court to provide personal information). A company receiving personal information from third parties must also record the history of receipt of personal information. Further, a company that transfers personal information to third parties under the opt-out procedure must report to the PPC.

Regarding cross-border transfer of personal information, if the country to which the personal information is being transferred does not have a system for protecting personal information that is equivalent to that of Japan, in general, a prior consent of the individual becomes necessary. However, the coming guidelines will clarify further conditions for cross-border transfer of personal information to be legitimate (e.g., the company receiving personal information has a privacy policy that is equivalent to the protection level under the New PIPA), in order to achieve smooth cross-border transfer of personal information.

3. Conclusion

As mentioned above, a company that is not subject to personal information regulations under the current law should be prepared for the New PIPA by next spring, for example, by establishing a privacy policy. Also, a company that globally transfers personal information must be careful in following the coming guidelines on cross-border transfer, or otherwise would be required to obtain prior consent from each individual.

Furthermore, please also note that, since the New PIPA still falls short of the EU Directive's standards due to insufficient independent status of the PPC and other issues, EU companies must follow the requirements of the EU data protection directive when transferring personal information to companies in Japan, even after the New PIPA becomes effective.

If you wish to know more about the New PIPA, please see the tentative English translation of the New PIPA, which is available here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.