This is the material (EN) for the report "Full Revision of the Japanese Personal Information Protection Legislation- Outline of the Bills in 2021" held online on April 9, 2021. Japanese and German versions are also uploaded separately.
2021年4月9日にオンライン開催した報告「日本の個人情報保護法制の全面見直し~2021年(令和3年)法案の概要」の資料(英語版)です。日本語とドイツ語版も別途アップロードしています。
20210507 team datenschutz stammtisch akemi yokota(en)
1. 日本の個人情報保護法制の全面見直し
~2021年(令和3年)法案の概要
Full Revision of the Japanese Personal
Information Protection Legislation
- Outline of the Bills in 2021
09.04.2021 Stammtisch #TeamDatenschutz
Chiba University, Graduate School of Social Sciences
Assis. Prof. Dr. Akemi YOKOTA
akemi@chiba-u.jp
akemi.yokota@gmail.com
2. Profile
Akemi YOKOTA (Chiba University, Graduate School of
Social Sciences, Assis. Prof. Dr. )
• Fachgebiet: Verwaltungsrecht Administrative Law
• Current research topic: basic principles of information
governance law to achieve a new data-driven society.
– 2-year research stay at Johannes Gutenberg University
Mainz since October 2019.
• Main focus: Administration of a digitalized society,
information and administration
p.2
3. Profile
Since October 2016 member of committee on
Impact and Risk Assessment in “The
Conference toward AI Network Society” (MIC,
Goverment of Japan)
Capitel 5 in Robot, AI and Law
Robotto, ê-ai to hô
p.3
4. Table of Contents
• 1. multiple revisions of the Act on the
Protection of Personal Information (APPI)
• 2. the package of 6 bills in connection with the
digital reform in 2021
• 3. main points of the unification of the
Personal Information Protection Law Systems
• 4. my personal opinion
p.4
6. multiple revisions to
the Act on the Protection of Personal Information (APPI)
• 2003: Act on the Protection of Personal Information
(APPI)enacted
• 2015: Personal Information Protection Commission
Japan (PPC) starts
– 2018: "Supplementary Rules" (not legislative revisions)for
mutual " Adequacy Decision" between Japan and the EU
(only for private sector) in 2019
• 2020: Revised (Effective April 2022)
• 2021: Amendment Bills
• Stage 1: Unification of legislation to protect personal information
at the national level (probably Effective April 2022?)
• Stage 2: Unification including local governments (probably
Effective April 2023?)
p.6
7. 2020: Revised (Effective April 2022)
– Revision based on the "every three-year review"
(Medium Revision)
• Strengthening the rights of individuals (data subjects)
• Mandatory reporting of leaks, etc., notification to individuals,
and prohibition of inappropriate use of personal information
• Development of self-regulation and co-regulation
• New provisions regarding "Pseudonymized Information”
• Strengthening of penalties (incl. Announcement of violation
of orders by PPC)
• Stricter restrictions on cross-border transfers
p.7
8. 2021: Amendment Bills
• 2021: two Stages of the reform
• Stage 1: Unification of legislation to protect personal
information at a national level
• Stage 2: Unification including local governments
– As one of the six digital reform bills
– First major revision since 2003
• PPC role extends
• The Shift from segment law to omnibus law
p.8
9. 9
the Personal Information Protection Commission (PPC) in Japan,
Current Legal Framework of the Protection of Personal Information
https://www.ppc.go.jp/files/pdf/280222_Current_Legal_Framework_v2.pdf
10. Current Legal Framework (only Acts and local ordinance level)
of the Protection of Personal Information
• national law
– General issues + Business Operators:
• Act on the Protection of Personal Information (APPI)
– Administrative organs of National Gov.:
• Act on the Protection of Personal Information Held by
Administrative Organs (APPI-AO)
– Incorporated Administrative Organs (ex. national
Univ.):
• Act on the Protection of Personal Information Held by
Incorporated Administrative Agencies, etc. (APPI-IAA)
p.10
11. Current Legal Framework (only Acts and local ordinance level)
of the Protection of Personal Information
• Local ordinances (ca. 2000+)
• even villages have their own ordinance
– administrative organs of local Governments
• ex: prefectural police organizations
• ex: hospitals and universities established by local
governments
p.11
12. 2. the package of 6 bills in
connection with the digital
reform in 2021
12
13. the Package of 6 bills
related to the digital reform in early 2021 (204th period)
• 1)Basic Act on the Formation of a Digital Society (Cabinet Secretary)
• 2)Act for Establishment of the Digital Agency (Cabinet Secretary)
• 3)Act on the Development of Related Laws for the Formation of a
Digital Society (Cabinet Secretary)
• 4)Act on Registration of Deposit Accounts for Payment of Public
Benefits (Cabinet Office)
• 5)Act on Management of Deposit Accounts by Using" My number"
Based on the Intention of Depositors (Cabinet Office)
• 6)Act on Standardization of Local Government Information Systems
(Ministry of Internal Affairs and Communications)
p.13
内閣法制局「第204回国会での内閣提出法律案」 https://www.clb.go.jp/recent-laws/diet_bill/id=3796
14. the Package of 6 bills
related to the digital reform in early 2021 (204th period)
• 1)Basic Act on the Formation of a Digital
Society (Cabinet Secretary)
– complete revision of the “IT Basic Act”
– Basic Philosophy, Basic Policies, Responsibilities of
Governments and Businesses, Establishment of
the Digital Agency, and Formulation of Priority
Plans for the Digital Society
– Basic principles for the formation of a digital
society (10 items)
p.14
内閣法制局「第204回国会での内閣提出法律案」 https://www.clb.go.jp/recent-laws/diet_bill/id=3796
15. the Package of 6 bills
related to the digital reform in early 2021 (204th period)
• 2)Act for Establishment of the Digital Agency
– Directly under the Cabinet
– Integrated coordination function (with advisory authority)
– Integrated development of national information systems
– Standardization and communalization of local digital
infrastructure
– Responsible for “My Number” System
– maintenance of the base registry
– cybersecurity expert team
– Recruitment of digital human resources
p.15
内閣法制局「第204回国会での内閣提出法律案」 https://www.clb.go.jp/recent-laws/diet_bill/id=3796
16. デジタル改革関連法案6本(主管官庁)
• 3)Act on the Development of Related Laws for
the Formation of a Digital Society (Cabinet
Secretary)
– unifying the national acts and local ordinances on the
Protection of Personal Information into a single law
– overall modernization of administrative procedures
• review of the need for seals and issuance of written
documents
• expanding use of My Number
• electronic authentication
p.16
内閣法制局「第204回国会での内閣提出法律案」 https://www.clb.go.jp/recent-laws/diet_bill/id=3796
17. the Package of 6 bills
related to the digital reform in early 2021 (204th period)
• 4)Act on Registration of Deposit Accounts for
Payment of Public Benefits (Cabinet Office)
• 5)Act on Management of Deposit Accounts by
Using" My number" Based on the Intention of
Depositors (Cabinet Office)
• 6)Act on Standardization of Local Government
Information Systems (Ministry of Internal
Affairs and Communications)
p.17
内閣法制局「第204回国会での内閣提出法律案」 https://www.clb.go.jp/recent-laws/diet_bill/id=3796
18. 3. main points of the
unification of the Personal
Information Protection Law
Systems
18
20. 20
A figure revised and translated at the author's responsibility
Competent
authorities
Ministry of Internal Affairs and
Communications(MIC)
PPC
local government
(2000 or more)
Applicable laws APPI-AO APPI-IAA APPI
local ordinances
(2000 or more)
Target
Administrative organs
of
National Gov.
Incorporated
Administrative Organs
Business
Operators
Administrative organs of
local governments
Special provisions
for academic research
purposes
No special provisions APPI completely excluded No special provisions
Definition of
”personal information”
"identify an individual by comparing that
information with other information"
"be readily collated with"
(be unique in each:
some incl. "a dead
person's)
Definition of
"anonymization"
"Anonymized Personal Information"
"Anonymously processed
information"
only a Few have rules
Competent
authorities
PPC
Applicable laws APPI (new)
Content of the
provisions according
to the target
Administrative organs of National Gov.
Administrative organs of local governments
Hospitals (national and
public), Universities
(national and public),
National Research and
Development Agency
Business
Operators
Special provisions
for academic research
purposes
APPI applies, and Refining exceptions for academic
research purposes
Definition of
”personal information”
"be readily collated with"
Definition of
"anonymization"
"Anonymously processed information"
21. 21
A figure revised and translated at the author's responsibility
Competent
authorities
Ministry of Internal Affairs and
Communications(MIC)
PPC
local government
(2000 or more)
Applicable laws APPI-AO APPI-IAA APPI
local ordinances
(2000 or more)
Target
Administrative
organs of
National Gov.
Incorporated
Administrative
Organs
Business
Operators
Administrative
organs of local
governments
Special
provisions
for academic
research
purposes
No special provisions
APPI completely
excluded
No special
provisions
Definition of
”personal
information”
"identify an individual by
comparing that information with
other information"
"be readily collated
with"
(be unique in
each:
some incl. "a dead
person's)
Definition of
"anonymization"
"Anonymized Personal
Information"
"Anonymously
processed
information"
Only a few have
rules
22. 22
A figure revised and translated at the author's responsibility
Competent
authorities
PPC
Applicable laws APPI (new)
Content of the
provisions
according to the
target
Administrative organs of
National Gov.
Administrative organs of local
governments
Hospitals (national
and public),
Universities
(national and
public), National
Research and
Development
Agency
Business
Operators
Special
provisions
for academic
research
purposes
APPI applies, and Refining exceptions
for academic research purposes
Definition of
”personal
information”
"be readily collated with"
Definition of
"anonymization"
"Anonymously processed information"
23. 1)Unifying the national acts and local ordinances on the
Protection of Personal Information into a single law
p.23
What is included in the new APPI
• APPI (Current Edition)
• APPI-AO
• APPI-IAA
+
• uniformed rules applicable to local governments
– The special provisions in the ordinance are limited to
"minimum necessary protection measures.“
Warning: The existing article numbers will shift
significantly.
24. 2) Unification of regulations in medical and academic fields
– Until now: regulations varied between national
goverments, private and local governments
sectors
– New Bill: applies to Private Sector Rules in
principle
• “Actor that continuously engages in joint work using data with
private counterparties in a position similar to the private sector“
• However: provisions for public entities will continue to
apply to the Act on Access to Information and Open
Data
p.24
25. 3) Review of exemptions for academic research
• Currently: no unified regulation for academic
research purposes, especially, no application to
private sector (ethical guidelines apply instead)
– Criticism: "International transfers based on adequacy
decisions are not applicable because of sectorial
exclusion“
• Aims: GDPR Adequacy decisions applicable to
academic research (bill author´s view)
• Future: Personal Information Protection
Commission has surveillance authority
p.25
26. 3) Review of exemptions for academic research
Details of the new regulations:
• Special Provisions for Academic Research Purposes
– Restriction by Purpose of Use
– Restriction on Acquisition of Special Care-required Personal
Information
– Restrictions on third-party provision (detailed requirements)
• Provisions that will also apply to academic research purposes
– safety management measures
– Identification and publication of the purpose of use
– Prohibition of improper use and acquisition
– obligation to report leakage
– Disclosure of retained personal data (national and public sectors only)
p.26
27. 4) Unification of definitions
– Definitions of ”personal information”
• “readily collated with”(APPI) or not (APPI-AO, APPI-IAA)
• Some local ordinances incl. “a dead person’s“
– Definitions of "anonymization“
• Distinguished terms were used
– “Anonymized Personal Information” as non-personal
information in the private sector(APPI)
– Anonymously processed information” as personal
information in the public sector(APPI-AO, APPI-IAA)
• Both are reclassified into regulations for the
private sector (APPI).
p.27
28. 5) Common provisions for local governments
– now: Each local government (“Gemeinde” unit in
Germany) has its own ordinance
• so-called "2000 problems"
– in the future: APPI(as a national law) is applied
• PPC will have the authority to monitor local
government organizations
– the special provisions in the ordinance are limited
to "minimum necessary protection measures."
• some provisions are also introduced in local
governments (ex. Special care-required personal
information)
p.28
30. in my view
• undoubtedly a major revision
– Formally, it can be said that "the PPC oversees
everything in Japan.“
• Not only My Number but also all personal information
at all levels of the national, private and local
governments
– First step in public sector adequacy decision
p.30
31. in my view
• Open-remaining questions
– Is it possible to achieve only by this revision “the
extension of the Adequacy Decision to academic
research purposes"?
– Any backlash from local governments?
– Why is there no debate about discipline in the
police sector?
• Especially important: no discussion of the law
enforcement directive (LED)!
p.31
32. Acknowledgment
• ご清聴ありがとうございました!
– Twitter: @akmykt (日本語)
• Besten Dank für Ihre Aufmerksamkeit!
– Twitter:@akyokota (Deutsch und Englisch)
https://www.slideshare.net/akemiyokota83
Acknowledgment
Thank you Dr. Matthias Lachenmann for helping me to correct the terms.
https://www.bho-legal.com/team-datenschutz-japanisches-
datenschutzrecht/
This work was supported by JSPS KAKENHI Grant Number 19K13491 and
19KK0330.
p.32