The Top Three Data Protection Law Topics in Japan
Related Articles in
Latest Firm's Press
Atsumi & Sakai
2015 amendments to the APPI
The APPI was enacted in 2003 and went through its first major amendment in 2015 (the 2015 amendment). In accordance with the 2015 amendment, the Personal Information Protection Commission (PPC) was established as the supervisory governmental organisation for privacy protection on 1 January 2016, and since then the agency has issued a number of administrative guidelines concerning the APPI. The 2015 amendment was fully enforced in 2017, which led to another noteworthy development with regard to the APPI. The European Commission (EC) recognised the APPI as having an adequate level of data protection by GDPR standards in 2019. This adequacy decision by EC was met with open arms by Japanese companies as it would allow for data transfers from EEA to Japan without additional safeguard measures.
2020 amendment to the APPI
On 10 March 2020, the cabinet submitted a bill to amend the APPI which is expected to be enacted into law in 2020 (the 2020 amendment). Companies will face more stringent obligations under the 2020 amendment. For example, while the current APPI does not stipulate any reporting obligation on data breach, there will be a legal obligation to report certain data breaches after the reform. The penalties for violating orders issued by the PPC will also be harsher. In its preparation for the 2020 amendment, the PPC, being the agency in charge of this amendment, looked to the GDPR for guidance as it viewed the GDPR as the global standard for data protection, and it was important for the APPI to have an adequate level of data protections by the GDPR standard. Although companies outside of Japan will be required to be compliant with APPI after the enforcement of the amendment, there are currently a substantial number of cases where companies outside of Japan do not appropriately process personal information of individuals within the country. Companies, including those non-compliant companies, will definitely need to promptly report to the PPC in the event of data breach taking place outside of Japan. This is because, after the amendment, the PPC will be issuing orders to companies abroad that process personal data of individuals in Japan inappropriately, and will publish those cases on its website.
Digital platform operators and personal information
The JFTC, the primary enforcement agency of the Antimonopoly Act, the main competition law in Japan, published the Guidelines Concerning Abuse of a Superior Bargaining Position in Transaction between Digital Platform Operators and Consumers that Provide Personal Information etc (the Guidelines) on 17 December 2019. An ‘abuse of a superior bargaining position’ is a unilateral conduct prohibited under the Antimonopoly Act, which is analogous to an abuse of dominance. For business operators to be held accountable for the abuse of a superior bargaining position, there needs to be a comparatively superior position vis-àvis a business operator’s counterpart in the transactions between them, not dominance in the market.
With the aim to clarify and enhance the predictability for digital platform operators as to the enforcement of the Antimonopoly Act, the Guidelines provide a non-exhaustive list of conducts by digital platform operators related to the acquisition or use of personal information which can amount to an abuse of superior bargaining position. Such conducts include acquiring personal information without stating the purpose of use to consumers, acquiring or using personal information against consumers’ intention beyond the scope necessary to achieve said purpose of use, and acquiring or using personal data without taking necessary and appropriate precautions for the safe management of personal information.
As the Guidelines concern issues regulated by the APPI, the PPC issued a statement saying that it would co-operate with the JFTC when it discovers facts that can potentially be deemed as an unfair acquisition or use of personal information by a digital platform operator which holds a superior bargaining position. In return, the PPC requested the JFTC to co-operate when it discovers a potential abuse of a superior bargaining position related to the treatment of personal information so that the PPC can evaluate the relevant facts from its perspective. In response, the JFTC agreed to co-operate with the PPC on the abuse of a superior bargaining position between digital platform operators and consumers providing personal information to the extent necessary.
Data compliance in M&A deals
The Information Commissioner’s Office (ICO), the supervisory authority in the UK, announced its intention to impose a fine of more than £99,200,396 on Marriott International, Inc for its infringements of GDPR last year. It was also revealed by the ICO that Marriott failed to conduct sufficient due diligence in its acquisition of Starwood.
Related Articles in
- Compliance with DIFC Data Protection Law 2020 – Deadline 1 October 2020
- An Introduction to Trade Secrets: What They Are and Why They Matter to Your Business
- Cyberbullying and Remote Working – What Employers Need to Know
- Getting Way’Mo Than He Bargained For
Latest Firm's Press
Atsumi & Sakai
WSG Member: Please login to add your comment.