The Personal Information Protection Act (PIPA) is one of Japan’s most important laws. Don’t confuse it with the Canadian data protection laws also called PIPA or with the other data protection law called the Protection of Personal Information Act (or the POPI Act). In response to the increased processing of personal information in society and various sectors (such as the information technology sector), the Japanese Parliament (also known as the National Diet) recently amended the law. Various questions now arise from these amendments, including:
- What is the effect of these amendments?
- When do they come into effect?
- Do they apply to you?
- Have they placed more obligations on the processing of personal information?
- Is the Japanese PIPA Act now on par with, or the same as, other data protection laws around the world such as the GDPR or the POPI Act?
Canadian Data Protection Laws
Canada’s data protection laws are not the same as the Japanese law. Canada also doesn’t just have one data protection law. It has a national law and different data protection laws throughout various provinces. The national law is the Personal Information Protection and Electronic Documents Act (PIPEDA). Two of the provincial data protection laws (for the provinces of Alberta and British Columbia) are known as the Personal Information Protection Act. These two provincial laws are substantially similar to PIPEDA, but are different from Japan’s data protection law. Even though the two laws have the same acronym as the Japanese data protection law, they are different.
Because these two provincial data protection laws are so similar to PIPEDA, they apply to all processing activities that you may carry out for the two provinces. In other words, PIPEDA does not apply in the provinces in those situations. If the processing starts flowing into other provinces that don’t have PIPEDA-equivalent laws, PIPEDA applies.
Amendments to the Japanese Personal Information Protection Act (PIPA)
Do the amendments to the Japanese Personal Information Protection Act help it achieve its purpose of protecting personal information? What obligations does it now impose on organisations after the amendments?
One way to answer these questions is to look at some of the key amendments. The other way is to wait for a test case that will come up in the future, where we may get a more definitive answer from authorities applying the provisions to a real-life situation. One such authority is the newly-established Personal Information Protection Commission (PIPC), Japan’s own version of a supervisory authority for data protection. The amendments established the office to start its work on the 1st of January 2016. The PIPC has the power to monitor compliance and to enforce the provisions of the Japanese PIPA Act.
Another key area that the amendments have touched on is cross-border transfers of personal information. A data controller (whom the Japanese PIPA Act refers to as a “personal information handling business operator”) must obtain the consent of a data subject (or principal) before the data controller can give a third party access to that data subject’s personal information. Data controllers can only share the personal information with third parties if the sharing will provide great benefits to the data subjects, or the law requires the sharing. The data subject can either actively provide the information or can give their written consent, or conclude a written contract with the data controller. At all stages, the data controller must ensure that the data subject is fully aware of the purpose for which that data controller will process the personal information.
The amendments have also brought about a clearer meaning of what personal information and sensitive personal information (which it refers to as “special care-required personal information”) is. Sensitive personal information now includes race, religion and medical history.
When does the Amended Japanese PIPA Act take effect?
The amendments to the Japanese PIPA Act took effect on 30 May 2017. There isn’t a grace period for the amendments, meaning that organisations that are subject to the Japanese PIPA Act must start their compliance now, and not wait.
It will be interesting to see how these organisations respond now that the amendments have become a reality. Failing to comply with the amendments has potentially significant consequences, including fines and even imprisonment. An example of non-compliance that can result in imprisonment or a fine of as much as 300 000 yen is when a personal information handling business operator ignores an order by the Personal Information Protection Commission to stop processing personal information in a certain way.