Amendment to the Act on the Protection of Personal Information – Impact on Foreign Financial Institutions
Japan Regulatory Update: May 17, 2017
On May 30, 2017, the amendment to the Act on the Protection of Personal Information and its related rules, regulations and guidelines will take effect. This Client Alert provides a summary of the key changes of the amended act that are particularly relevant to foreign entities.
- A. Background and Legal Framework
- B. Key Terms and Concepts under the Amended PIPA
- C. Key Amendments to the PIPA
- D. Conclusion
A. Background and Legal Framework
More than a decade has passed since the Act on the Protection of Personal Information of Japan (the “PIPA”) came into full effect in 2005. Since then, many legal commentators have argued that the PIPA was in need of major amendments to adapt properly to changes in the way personal information is used in business, including advances in information technology that permit the transfer and storage of large amounts of data, as well as the greater economic value that personal information is now deemed to hold.
On September 3, 2015, the PIPA was significantly amended (the “Amended PIPA”)1 and, among other changes, the amendments included a revision to the definition of Personal Information (as defined below) and the imposition of additional rules with respect to the manner in which Personal Information and Personal Data (each as defined below) may be handled or transferred outside of Japan.
In October 2016, the Cabinet of Japan and the PPC (as defined below) promulgated the supplemental rules for the Amended PIPA: the Cabinet Order to Enforce the Act on the Protection of Personal Information and the Ordinance for the Enforcement of the Act on the Protection of Personal Information. In November 2016, the PPC further published the “Guidelines Concerning the Protection of Personal Information” (the “PIPA Guidelines”), which provide specific details regarding certain aspects of the Amended PIPA. Lastly, at the end of February 2017, the Financial Services Agency of Japan (the “Japan FSA”) and the PPC jointly2 published the “Guidelines on the Protection of Personal Information in the Financial Industry” and the “Practical Guidance on Safe Management Measures in connection with the Guidelines on the Protection of Personal Information in the Financial Industry” (collectively, the “Guidelines for the Financial Industry”).
The Amended PIPA, its rules, regulations and the supplemental guidelines will take effect on May 30, 2017. As we anticipate that many foreign fund managers and financial institutions may now be required to comply with the Amended PIPA, this Client Alert will provide a summary of the key changes of the Amended PIPA - particularly as relevant to foreign entities.
2. Currently, each government ministry of Japan that supervises a given business industry has regulatory authority over the PI Business Operators (as defined below) in that industry. However, from the date of full enforcement of the Amended PIPA on May 30, 2017, all such regulatory authority over PI Business Operators will be centralized in the PPC.
B. Key Terms and Concepts under the Amended PIPA
The Amended PIPA makes reference to various terms and concepts which are integral to a proper understanding of how the Amended PIPA applies. For the purposes of this Client Alert, we have set forth the definitions of certain key terms and concepts below.
“Database” means any collection of Personal Information which has been arranged or systematically organized in a manner so it is possible to search for specific Personal Information through use of a computer or other means (e.g., indexed business card binder).
“Personal Data” means any Personal Information contained in a Database.
“Personal Information” means: (i) any information about a living person, such as a name, date of birth or any other description by which a specific individual can be identified; or (ii) information containing an individual identification code (e.g., a driver’s license number).
“PI Business Operator” (kojin jouho toriatsukai jigyousha) means any operator of a business, whether an individual or a legal entity, that maintains and uses a Database for its business.
“PPC” means the Personal Information Protection Commission of Japan, the newly-formed government body which has the authority to handle matters in Japan with respect to the monitoring and enforcement of the Amended PIPA.
“Subject Individual” means the specific individual identified by the Personal Information.
C. Key Amendments to the PIPA
Numerous provisions of the PIPA were revised through the Amended PIPA, but for the purpose of this Client Alert, we will focus on those amendments which we anticipate will, directly or indirectly, impact the practice of foreign fund managers and financial institutions that engage in some type of business with Japan. Specifically, this Client Alert will provide a summary of two significant changes: (1) the extraterritorial application of the Amended PIPA to PI Business Operators domiciled outside of Japan; and (2) the new restrictions on PI Business Operators in relation to the transfer of Personal Data to a third party located outside of Japan.
1. Extraterritorial Application of the Amended PIPA to PI Business Operators Domiciled Outside of Japan
The first significant change under the Amended PIPA is that it will apply directly to entities domiciled outside of Japan which obtain Personal Information in the course of providing their services.3 For example, this would include offshore financial institutions, such as banks or insurance companies, that are not domiciled in Japan but provide certain types of services in Japan and obtain Personal Information in connection with those services.
Under the original PIPA, offshore entities were generally exempt from the PIPA because they were domiciled outside of Japan. Under the Amended PIPA, however, offshore entities may now be deemed PI Business Operators and subject to the rules and regulations of the Amended PIPA.
For PI Business Operators, including offshore PI Business Operators, the material obligations under the Amended PIPA include the following:
(1) to specify the purpose of use of Personal Information and notify the Subject Individual of that purpose, or otherwise announce it publicly in Japan (e.g., by posting on its website);
(2) not to handle Personal Information beyond the scope necessary to achieve the purpose of use stated under (1) above without obtaining the Subject Individual’s prior consent;
(3) to take appropriate measures for the safe and proper management of Personal Data;
(4) as a general matter, not to provide Personal Data to a third party without obtaining the Subject Individual’s prior consent;
(5) to keep certain records when providing Personal Data to a third party; and
(6) to comply properly with any request from the Subject Individual to disclose the Personal Data that the PI Business Operator holds regarding that Subject Individual.4
In light of the above, offshore entities which provide services in Japan and obtain Personal Information should examine whether they will now be subject to the Amended PIPA and, if so, what amendments may be needed to their existing policies and procedures as a result of the application of the Amended PIPA.
2. Restrictions on Transferring Personal Data to a Third Party Located Outside of Japan
As a result of globalization and technological advances, transfers of personal information overseas are rapidly increasing. This has created numerous regulatory and jurisdictional issues, as each nation imposes its own rules and regulations governing the management of personal data.
Under the original PIPA, a PI Business Operator was required to obtain the prior consent of the Subject Individual before transferring that Subject Individual’s Personal Data to a third party; however, the requirement did not apply where the transfer was made in connection with:5 (i) the delegation of services to a third party; (ii) the succession of a business; (iii) joint use between the PI Business Operator and the third party; or (iv) the PI Business Operator’s reliance on the “Opt-Out” method.6
Under the Amended PIPA, the above exemptions have been modified where the transfer of Personal Data is made to an offshore entity.7 Specifically, under the new regime, when the counterparty is an offshore entity, the PI Business Operator will be required either to obtain the prior consent of the Subject Individual or to confirm that the transfer falls under one of the exceptions described below. This obligation does not apply to a transfer of Personal Data made by a PI Business Operator before the effective date of the Amended PIPA (i.e., it is not retroactive).
Exception 1: The third party located outside of Japan is located in a country listed in the Personal Information Protection Commission Rules (the “PPC Rules”) as a country deemed to have regulations for protecting Personal Information equivalent to those of the Amended PIPA (a “Recognized Country”).
Exception 2: The third party located outside of Japan has established a system for protecting Personal Data that conforms to the standards set out in the PPC Rules.
Exception 3: The Personal Data is transferred pursuant to Japanese laws and regulations (e.g., compliance with Japanese anti-money laundering regulations), or the transfer is: (i) necessary to cooperate with a Japanese government body, etc. in performing affairs prescribed by the laws and regulations of Japan; and (ii) obtaining the prior consent of the Subject Individual would be likely to impede the performance of those affairs.11
We generally anticipate that most PI Business Operators will have to rely on Exception 2 above, because Exception 1 is not currently a viable option: as of the date of this Client Alert, the PPC has not designated any country as a Recognized Country under the PPC Rules. Reliance on Exception 2 is material in that the offshore third party that receives the Personal Data will itself be affected by the Amended PIPA, as it may be required to comply with certain terms and conditions of the Amended PIPA.
5. It should be noted that in addition to the four exemptions discussed here, there are exemptions based on the operation of law (e.g., compliance with an order of a Japanese court or government authority to transfer such Personal Information).
6. Under the original PIPA, a PI Business Operator could “opt out” of the consent requirement for transfers of Personal Data by making certain disclosures and notices to the public.
7. Article 24 and Article 23, Paragraph 5 of the Amended PIPA.
8. Currently, the PPC Rules have yet to designate any country as such, but the PPC will continuously review and assess countries for designation under the PPC Rules.
9. III-3 of the PIPA Guidelines (for the transfer of Personal Data to a third party located outside of Japan) states that the Cross-Border Privacy Rules system of APEC (the “CBPR”) will satisfy the accreditation requirement. Additionally, III-1 states that, as the CBPR requires a third party handling Personal Information to establish measures to fulfill the same obligations imposed on the provider of such Personal Information, if such provider has obtained the relevant CBPR accreditation, it can be considered as taking “adequate and reasonable means” as explained in (i).
10. Rule 11 of the PPC Rules.
11. Each item of Article 23, Paragraph 1 of the Amended PIPA.
D. Conclusion
To promote the adequate use of Personal Data by PI Business Operators while protecting Personal Information, the Amended PIPA sets out various amendments other than those discussed in this Client Alert. With respect to financial instruments dealers under the supervision of the Japan FSA, the Guidelines for the Financial Industry set out more stringent safe-management measures for protecting Personal Data that financial instruments dealers will be required to implement. Taking the opportunity that the amendment to the PIPA provides, we recommend that institutions, especially foreign financial institutions having financial instruments dealer affiliates in Japan, review their existing rules and policies for handling Personal Information within their group companies and make the necessary revisions to conform to the requirements and obligations set out under the Amended PIPA.
As the ways in which Personal Information and Personal Data are handled or transferred to a third party located outside of Japan will vary for each client, DT Legal Japan will be happy to provide support in establishing internal policies and rules. This includes confirming whether the Amended PIPA will apply to you and your group companies.
Please do not hesitate to contact us if you did not receive this Client Alert and you would like us to place you on the mailing list for Japan regulatory updates issued by DT Legal Japan’s Investment Management Group.