Tech & Sourcing @ Morgan Lewis


New data protection laws are scheduled to go into effect in Japan (May 30) and China (June 1) that significantly change the rules governing the collection, storage, and transfer of personal information in each country.

Amendment to Japan’s Act on the Protection of Personal Information

The amendment to Japan’s Act on the Protection of Personal Information—passed by the National Diet of Japan on September 3, 2015—is scheduled to go into effect on May 30, 2017. The first major amendment to the personal information law since its initial implementation in 2005, the amended law limits permitted transfers of personal information outside of Japan (1) to countries designated as having acceptable data protections, (2) to third parties where actions have been taken to ensure the same level of data protection as within Japan, or (3) with the data subject’s consent.

Other new requirements and clarifications to the law include the following:

  • Establishment of a new Personal Information Protection Commission (PIPC) with authority to investigate and take action against failures to protect personal information
  • A new definition of “sensitive personal information” that requires specific prior consent before being collected—except in certain narrow circumstances
  • Removal of a previous de minimis exception for businesses whose databases contain the personal information of 5,000 or less individuals in the prior six months
  • Exemptions from consent requirements for the transfer and processing of de-identified personal information that cannot be re-identified
  • New requirements for legally effective “opt-out” consents for the processing of personal information, including a requirement to register the text of the opt-out clause with the PIPC
  • New recordkeeping requirements for the transfer of personal information among businesses, including preserving the date of transmission as well as the names of recipients and sources of personal data

Cybersecurity Law of China: Data Localization, Official Reviews

The Cybersecurity Law of China (unofficial translation here) and its implementing regulations— which become effective on June 1, 2017—impose new restrictions on operators of key information infrastructure, network operators, and providers of network products and services. Most significantly, operators of “key information infrastructure”—a term which is not yet clearly defined—must store within China any critical data or personal information collected or generated within China and must pass a security assessment before transmitting that data to any jurisdiction outside of China.

For network operators (a broad category that includes anyone who owns or operates a computer network or provides network services), significant obligations under the new law include requirements to take measures to prevent viruses, attacks, and intrusions; monitor and record network operations; and preserve web logs for no less than six months. Additionally, the law requires network operators to cooperate with and provide technical support and assistance to the public and state security authorities for reasons of national security or criminal investigation.

For providers of network products and services, critical network equipment and specialized network security products must now meet national standards and be certified or meet the requirements of government inspections before being sold or provided. These requirements have raised concerns that the new law may erect barriers to trade by disadvantaging foreign suppliers of network products.

In light of these fast-approaching effective dates, companies should promptly review their agreements and policies regarding personal information to take into account these rule changes and closely monitor the implementation and impact of the new rules on the collection, storage, and transfer of personal data in Japan and China.