For global healthcare companies that process personal information in Japan and/or import personal information from Japan, there are new requirements that must be considered in preparing data transfer or processing agreements, as well as internal and external privacy policies.
The Act on the Protection of Personal Information (APPI) of Japan is subject to review every three years in order to take into consideration international trends, development of telecommunications technologies, and emergence and development of relevant new industries, with such review resulting in an amendment in 2020. An additional amendment was enacted in 2021 in order to further unify the requirements for the protection of personal information in the public and private sectors.
The 2020 and 2021 amendments relating to the private sector became effective on or prior to April 1, 2022, with these key features most likely to impact global businesses:
Under the APPI, business operators must not provide personal data to any third party outside of Japan. Such provision may be permitted, however, if (1) the subject individual has consented to it; (2) there is a need to protect a human life, body, or fortune, and it is difficult to obtain the individual’s consent; (3) the recipient third party is located within the European Union or United Kingdom; or (4) the transferee third party has established systems equivalent to those required to protect the personal data under the APPI (“equivalent measures”).
Under the 2021 amendment, an individual’s consent to cross-border transfer of personal data must be obtained in writing (or by electronic means) and on an informed basis. The individual must receive advance notice of (1) the name of the destination country, (2) information regarding the system for the protection of personal information in the destination country, and (3) the particulars of the measures taken by the transferee party. If the transferor instead relies on the “equivalent measures” exemption discussed above, the same information must be provided to the individual at his or her request.
The 2020 amendment clarified obligations to report on data breaches to the Personal Information Protection Committee (PIPC), the government agency that oversees enforcement of the APPI, and to notify the concerned individuals.
In particular, actual or potential data breaches (1) involving “special care-required information” (e.g., information relating to medical history, criminal records, physical/intellectual/mental disabilities, results of medical checkups), (2) caused by any unauthorized access, (3) resulting in financial damage, or (4) concerning more than 1,000 individuals would require a report to the PIPC and a notification to the affected individuals.
Under the APPI, cookie information used to identify computer(s) used for internet browsing does not fall within the definition of Personal Information, since it would not directly identify any individual. There was no express restriction on the use of cookie information under the APPI before the 2020 amendment introduced the term “Personally Referable Information,” which encompasses information that does not directly identify individuals, including cookie information, information regarding internet browsing history, and the location of an individual.
Under the 2020 amendment, if Personally Referable Information is provided to a third party that is anticipated to use the same as personally identifiable information by collating it with other information or otherwise, the individual’s consent to such use must be obtained.
Under the APPI, information that is generated from personal information but is not capable of identifying any specific individual or restoring the personal information is defined as “Anonymously Processed Information” (API). API may be used for purposes other than those that the individual consented to or for which the individual received notification. API is not subject to data breach reporting or notification obligations, and is not subject to the individual’s right to access.
The 2020 amendment introduced the term “Pseudonymously Processed Information,” which is defined as information that is generated from personal information but is not capable of identifying any specific individual unless it is collated with other information. Pseudonymously Processed Information can be used for the purpose of internal analysis, but transfer to third parties is generally prohibited. As with API, Pseudonymously Processed Information is not subject to data breach reporting or notification obligations and is not subject to the individual’s right to access.
Under the 2021 amendment, government-run hospitals and universities are subject to the same rules that apply to privately run hospitals and universities. Data maintained by government-run institutions may be more easily transferred to, or shared with, private sector companies in the form of API.
For global healthcare companies that process personal information in Japan and/or import personal information from Japan, the new requirements to provide individuals with information in connection with cross-border transfers will have a significant impact.
The new requirements must be considered in preparing data transfer or processing agreements, as well as internal and external privacy policies, and require further review of existing agreements and policies in order to ensure compliance. It should also be noted that any data breach involving “special care-required information,” including medical history, requires a report to the Japanese government (PIPC) and a notification to the concerned individuals.
Businesses obtaining personal data from government-run hospitals or universities in Japan should review their contracts in light of the APPI provisions that are now applicable to those hospitals and universities.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:
W. Reece Hirsch