The Personal Information Protection Act (PIPA) is one of Japan’s most important laws and the Japanese Parliament recently amended it. Don’t confuse it with the Canadian data protection laws also called PIPA or the other data protection law called the Protection of Personal Information Act (or the POPI Act). In response to the increased processing of personal information in society and various sectors (such as the information technology sector), the Japanese Parliament (also known as the National Diet) recently amended the law. Various questions now arise from these amendments.
- What is the effect of these amendments?
- Do they apply to you?
- Have they placed more obligations on the processing of personal information?
- Is the PIPA Act now on par or the same as other data protection laws around the world such as the GDPR or the POPI Act?
Canadian Data Protection Laws
Canada’s data protection laws are not the same as the Japanese law. Canada also doesn’t just have one data protection law. It has a national law and different data protection laws throughout various provinces. The national law is the Personal Information Protection and Electronic Documents Act (PIPEDA). Two of the provincial data protection laws (for the provinces of Alberta and British Columbia) are known as the Personal Information Protection Act. These two provincial laws are substantially similar to PIPEDA, but are different from Japan’s data protection law. Even though the two laws have the same acronym as the Japanese data protection law, they are different.
Because these two provincial data protection laws are so similar to PIPEDA, they apply to all processing activities that you may carry out for the two provinces. In other words, PIPEDA does not apply in the provinces in those situations. If the processing starts flowing into other provinces that don’t have PIPEDA-equivalent laws, PIPEDA applies.
Changes to the Japanese Personal Information Protection Act (PIPA)?
The amendments to the Personal Information Protection Act of 2003 have raised a very important question: As it stands now, does the PIPA Act achieve its purpose and protect personal information?
One way to answer that is to look at some of the key amendments. The other way is to wait for a test case that will come up in the future, where we may get a more definitive answer from authorities applying the provisions to a real life situation. One such authority is the newly-established Personal Information Protection Commission (PIPC), Japan’s own version of a supervisory authority for data protection. The amendments established the office to start its work on the 1st of January 2016. The PIPC has the power to monitor compliance and to enforce the provisions of the PIPA Act.
Another key area which the amendments have touched on is cross-border transfers of personal information. A data controller (whom the PIPA Act refers to as a “personal information handling business controller”) must obtain the consent of a data subject (or principal) before the data controller can give a third party access to that data subject’s personal information. Data controllers can only share the personal information with third parties if the sharing will provide great benefits to the data subjects, or the law requires the sharing. The data subject can either actively provide the information or can give their written consent, or conclude a written contract with the data controller. At all stages, the data controller must ensure that data subject is fully aware of the purpose for which that data controller will process the personal information.
The amendments have also brought about a clearer meaning of what personal information and sensitive personal information (which it refers to as “special care-required personal information”) Sensitive personal information now includes race, religion and medical history.
It will be interesting to see what impact the PIPA Act will have once the amendments take effect, first on 30 May 2017, and, then, within two years of the date the Japanese Parliament promulgated the amendments to the law.
Actions you can take
- Know more about the GDPR and global data protection regulation by attending a GDPR workshop.
- Know how the Japanese PIPA Act or Canadian data protection laws affect you by asking us answer your questions.