Japan Updates Privacy Law

The National Diet of Japan recently passed amendments to the 2003 Personal Information Protection Act (PIPA) that significantly strengthen privacy and data protection in Japan, while also opening the door to allow companies to use and sell anonymous “big data,” subject to certain specific requirements. While some of the amendments begin to take effect on January 1, 2016, most of the changes will roll out over the next two years.

Of the changes, four are particularly important for companies doing business with Japanese citizens. First, the amendments create a centralized regulatory body to enforce PIPA’s privacy protections. Second, the amendments expand the territorial scope of PIPA to apply to foreign data controllers that collect personal information on Japanese residents (which would include international companies doing business with Japanese citizens). Third, the amendments expand PIPA’s definition of “personal information” to include biometric data—like fingerprints and face recognition—and numeric identification codes. Finally, the amendments require the adoption of rules prohibiting businesses from collecting data on sensitive topics such as race, religion, and medical or criminal history.

While the PIPA amendments primarily tighten data privacy protections, they also contain a provision clarifying a previously gray area in Japanese law by explicitly allowing anonymous data farming, also known as “big data.” This process, which strips personal identifiers from data and transfers the anonymous data to third parties, allows companies to sell and use customer information for marketing purposes even without the subject’s consent. To allay privacy concerns over collecting big data, the amendments also expressly require the implementation of adequate safeguards to ensure that anonymized data cannot be restored to obtain identification information.

TIP: Companies subject to the Japanese privacy law’s requirements should keep these amendments in mind, especially the broadened definition of personal information and the detailed security requirements related to “big data.” In particular, international companies doing business with Japan need to be aware of the new extra territorial nature of PIPA, which will apply even if such companies have no actual presence in Japan.