Japan: Personal Information Protection Commission releases its annual report

In brief

In June 2022, the Personal Information Protection Commission ("PPC"), which is the regulatory authority for the protection of personal information in Japan, published its 2021 annual report ("Report"). While the Report does not supplement the law in any way, it does provide businesses with useful insights on the PPC's thinking and position with respect to various types of processing of personal information under Japanese law.

The PPC's activities for smooth implementation of amendments to the APPI

The main part of the Report starts by describing the PPC's efforts over the past year to assist with the implementation of the amendments to Japan's privacy law (the Act on the Protection of Personal Information (APPI)) that came into effect on 1 April 2022.

The amendments to the APPI introduced several new rules, which had a practical impact on businesses, including the following:

  • Strengthened requirements for cross-border transfers of personal data
  • Mandatory reporting of data breach incidents
  • Restriction on the transfer of "Personally Referable Information"
  • Introduction of new rules on processing pseudonymized information

The PPC's activities in relation to these amendments include its release of updated guidelines. In addition, regarding the new requirements for cross-border transfers of personal data, the PPC published a report on the key differences between the privacy laws of 31 jurisdictions and Japan. Although detailed and at times somewhat difficult to put into practice, the materials attempt to provide practical guidance to businesses.

Warning for processing of personal data in relation to business succession and the operation of e-commerce sites

According to the Report, there were 5846 data breaches involving the leakage of personal data reported to the PPC from 1 April 2021 to 31 March 2022. While the majority (54.9%) of the cases were caused by erroneously sending documents and emails or losing documents and electronic media, notably, the share of incidents caused by unauthorized access amounted to 24.4%, an increase from 17.8% in the same period in the previous year. This shows that, as in many other jurisdictions, the number of data leakage incidents caused by unauthorized access or cyberattacks is increasing in Japan. It also indicates the importance for businesses of implementing cybersecurity and other appropriate security measures to protect personal data.

In addition, the Report particularly highlights the improper handling of personal data in relation to business succession (such as M&A) and the operation of e-commerce sites.

Japanese privacy law is primarily based on giving notice to data subjects, rather than requesting consent. For business succession, the Report points out that the PPC observed unlawful processing of personal data where a successor business operator used personal data beyond the scope of the purpose of use notified or made available to the data subjects. Such an excessive use of personal data is expressly prohibited by the APPI. The Report emphasizes that successor companies need to make sure that there are no unlawful changes in the scope of use of personal data.

For the operation of e-commerce sites, the Report points out that there were many cases of unauthorized access to customer personal data. Unauthorized access to an e-commerce site causes serious concern because e-commerce sites often hold credit card information or other payment information, which may have a material adverse impact on data subjects. It is advisable for e-commerce sites to review their security practices, considering the increase in unauthorized access to e-commerce sites and the PPC's observations. Cybersecurity again arises as a key theme here.

Pseudonymized information and anonymized information

The Report introduces the PPC's release of an updated version of the report concerning pseudonymized information and anonymized information on 30 March 2022. The report was released to give guidance related to the pseudonymized information system established by the amendments to the APPI on 1 April 2022. In the report, the PPC provides guidance for the creation and use of pseudonymized information and examples of proper use of pseudonymized information.

Anonymized information allows businesses to use big data, particularly for advertising, statistics or marketing activities. According to the Report, the PPC is aware of 664 companies that have publicly announced that they are effectively using the anonymized information system in business as of 31 March 2022. Because the use of data for business (e.g., utilization of real-world data in the medical industry) is attracting more and more attention, it is expected that an increasing number of businesses will use anonymized information in the near future.

Supervision based on the APPI

According to the Report, as part of the PPC's supervision over processing of personal information, it took the following number of enforcement actions in 2021:

  • Acceptance of reports on cases of data breach incidents: 1042
  • Report orders: 328
  • Guidance and advice: 217
  • Recommendations: 3
  • Cease and desist orders: 1

The cease and desist order was issued to a business operator who illegally publicized on its website the personal data of many persons who faced bankruptcy. Prior to issuing the order, the PPC issued a recommendation to the business operator, but no measures related to the recommendation were taken. The order required the business operator to stop publicizing personal data on its website.

While the number of enforcement actions may appear limited, the fact that the PPC issued the cease and desist order shows that it is willing to enforce the APPI, particularly where it considers there to be serious violations.

Copyright © 2024 Baker & McKenzie. All rights reserved.