How Japan’s Privacy Act Amendments Affect Global Healthcare Businesses

Morgan Lewis
Contact

Morgan Lewis

For global healthcare companies that process personal information in Japan and/or import personal information from Japan, there are new requirements that must be considered in preparing data transfer or processing agreements, as well as internal and external privacy policies.

The Act on the Protection of Personal Information (APPI) of Japan is subject to review every three years in order to take into consideration international trends, development of telecommunications technologies, and emergence and development of relevant new industries, with such review resulting in an amendment in 2020. An additional amendment was enacted in 2021 in order to further unify the requirements for the protection of personal information in the public and private sectors.

The 2020 and 2021 amendments relating to the private sector became effective on or prior to April 1, 2022, with these key features most likely to impact global businesses:

2020 Amendment

  • Requirement of informed consent for cross-border transfer of personal information
  • Clarification of mandatory report and notification of data breach
  • Introduction of “Personally Referable Information”
  • Introduction of “Pseudonymously Processed Information”
  • Increased criminal penalties

2021 Amendment

  • Government-run hospitals and universities to be subject to the rules applied to the private sector

REQUIREMENT OF INFORMED CONSENT FOR CROSS-BORDER TRANSFERS

Under the APPI, business operators must not provide personal data to any third party outside of Japan. However, if (1) the subject individual has consented to such provision; (2) there is a need to protect a human life, body, or fortune, and it is difficult to obtain the individual’s consent; (3) the recipient third party is located within the European Union or United Kingdom; or (4) the transferee third party has established systems equivalent to those required to protect the personal data under the APPI (equivalent measures), such provision of personal data may be permitted.

Under the 2021 amendment, an individual’s consent to cross-border transfer of personal data must be obtained in writing (or by electronic measures) and on an informed basis. The individual must receive advance notice of (1) the name of destination country, (2) information regarding the system for the protection of personal information in the destination country, and (3) the particulars of measures taken by the transferee party. Such information must be provided to the individual at his or her request if the transferor relies on the “equivalent measures” exemption discussed above.

CLARIFICATION OF MANDATORY REPORT AND NOTIFICATION OF DATA BREACH

The 2020 amendment clarified obligations to report on data breaches to the Personal Information Protection Committee (PIPC), the government agency that oversees enforcement of the APPI, and to notify the concerned individuals.

In particular, actual or potential data breaches (1) involving “special care-required information” (e.g., information relating to medical history, criminal records, physical/intellectual/mental disabilities, results of medical checkups), (2) caused by any unauthorized access, (3) resulting in financial damage, or (4) concerning more than 1,000 individuals would require a report to the PIPC and a notification to the affected individuals.

INTRODUCTION OF PERSONALLY REFERABLE INFORMATION

Under the APPI, cookie information used to identify computer(s) used for internet browsing does not fall within the definition of Personal Information, since it would not directly identify any individual. There was no express restriction on the use of cookie information under the APPI before the 2020 amendment introduced the term “Personally Referable Information,” which encompasses information that does not directly identify individuals, including cookie information, information regarding internet browsing history, and the location of an individual.

Under the 2020 amendment, if Personally Referable Information is provided to a third party that is anticipated to use the same as personally identifiable information by collating it with other information or otherwise, the individual’s consent to such use must be obtained.

INTRODUCTION OF ‘PSEUDONYMOUSLY PROCESSED INFORMATION’

Under the APPI, information that is generated from personal information but is not capable of identifying any specific individual or restoring the personal information is defined as “Anonymously Processed Information” (API). API may be used for purposes other than those that the individual consented to or for which the individual received notification. API is not subject to data breach reporting or notification obligations, and is not subject to the individual’s right to access.

The 2020 amendment introduced the term “Pseudonymously Processed Information,” which is defined as information that is generated from personal information but is not capable of identifying any specific individual unless it is collated with other information. Pseudonymously Processed Information can be used for the purpose of internal analysis, but transfer to third parties is generally prohibited. As with API, Pseudonymously Processed Information is not subject to data breach reporting or notification obligations and is not subject to the individual’s right to access.

INCREASED CRIMINAL PENALTIES

The APPI sets forth criminal penalties for a violation of orders rendered by the PIPC, the unauthorized provision or misappropriation of a database for the purpose of seeking illegal profits, or the failure to report or false reporting to the PIPC. The 2020 amendment increased the maximum fine applicable to a company to 100 million yen (approximately $752,000).

GOVERNMENT-RUN HOSPITALS AND UNIVERSITIES SUBJECT TO PRIVATE SECTOR RULES

Under the 2021 amendment, government-run hospitals and universities are subject to the same rules that apply to privately run hospitals and universities. Data maintained by government-run institutions may be more easily transferred to, or shared with, private sector companies in the form of API.

IMPLICATIONS FOR THE HEALTHCARE INDUSTRY

For global healthcare companies that process personal information in Japan and/or import personal information from Japan, the new requirements to provide individuals with information in connection with cross-border transfers will have a significant impact.

The new requirements must be considered in preparing data transfer or processing agreements, as well as internal and external privacy policies, and require further review of existing agreements and policies in order to ensure compliance. It should also be noted that any data breach involving “special care-required information,” including medical history, requires a report to the Japanese government (PIPC) and a notification to the concerned individuals.

Businesses obtaining personal data from government-run hospitals or universities in Japan should review their contracts in light of the APPI provisions that are now applicable to those hospitals and universities.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising

Written by:

Morgan Lewis
Contact
more
less

Morgan Lewis on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide