December 13, 2016
Keidanren
Keidanren
1. Act on the Protection of Personal Information
- The Act on the Protection of Personal Information is a law that seeks to balance protection of the rights and interests of individuals and the usefulness of personal information. The act was enforced in 2005 due in part to an increased risk of infringement on the rights and interests of individuals in connection with the advance of informatization.
- Subsequently, with expectations increasing with respect to the utilization of personal data as a result of rapid changes in external conditions, including the advance of information and communications technology and globalization of business activities, the Amended Act on the Protection of Personal Information was established in 2015. (It fully put into effect on May 30,2017)
- Under the current act, the competent ministers (ministries and agencies with jurisdiction over businesses, etc.) drew up 38 guidelines in 27 sectors and supervise business operators on the basis of them. These guidelines will be revised in accordance with the amended act and integrated, in principle.
2. Main amendments
- Remove gray areas by clarifying the definition of personal information (new definition established for individual identification code, etc.)
- Set rules for utilization of De-identified Information, which is information that has been processed to make it impossible to identify specific individuals
- Stipulate rules related to the provision of personal data to third-parties in a foreign state
- Establish new Personal Information Protection Commission and integrate administration of personal information protection (private sector)
- Ensure traceability as a countermeasure to so-called data brokers (make it mandatory to create confirmation records related to the provision of personal information to third-parties; etc.)
3. Administrative Organs Personal Information Protection Act
- The amended act was established in May 2016. Enforcement is expected during the same period as the private-sector law.
- Introduction of an anonymized information system for administrative organs, incorporated administrative agencies, etc.
Proposals are received from private business operators and appropriately examined by the administrative organ, etc. A usage agreement is concluded with the proposer and the non-personally identifiable information is created and provided. - Regarding the handling of the non-personally identifiable information, the Personal Information Protection Commission holds centralized jurisdiction for both the private and public sectors. Jurisdiction over the law continues to be held by the Ministry of Internal Affairs and Communications.
- Introduction of an anonymized information system for administrative organs, incorporated administrative agencies, etc.
4. Comments Submitted by Keidanren
- Develop rules for promoting the utilization of personal data
- Utilize voluntary, self-imposed rules led by the private sector
- Prevent security management measures for personal data from becoming an excessive administrative burden
- Ensure a sufficient preparation period for private business operators, etc. and make them fully aware of the amended act
- Minimize rules related to specific sectors
- Clarify the scope of Sensitive Personal Information
- Integrate government contact points for private business operators, etc. and standards for reporting, etc.
- Measures for the integrated utilization of public- and private-sector data
5. Issues Going Forward
- Integrated jurisdiction for personal information protection law overall for both the public and private sectors
- From the standpoint of integrated promotion of the utilization of personal information, the Personal Information Protection Commission should be in charge, in a centralized manner, of personal information protection law overall for the public and private sectors.
- Legal measures are also indispensable to the promotion of integrated data distribution and data utilization in a manner that supersedes the differing personal information protection ordinances, etc. of local governments.
- Ensuring smooth cross-border data transfer of personal data
- The mutual and smooth transfer of data with foreign countries such as the US, EU and UK should be made possible.
- The APEC CBPR system (system for making international decisions on the level of personal information protection of business operators in APEC member countries and regions) and other such mechanisms should be promoted.