Hiroyasu Kageshima delivered a lecture on the amended Personal Information Protection Act.

Sanno Park Tower 12F (Reception) and 14F,
11-1, Nagatacho 2-chome, Chiyoda-ku,
Tokyo 100-6114, Japan

Tokyo Metro Ginza Line: G06 Tameike-sanno Station, Exit 7 (directly accessible through the second basement)

Tokyo Metro Nanboku Line: N06 Tameike-sanno Station, Exit 7 (directly accessible through the second basement)

Tokyo Metro Chiyoda Line: C07 Kokkai-gijido-mae Station, Exit 5 (3 minutes’ walk)

Tokyo Metro Marunouchi Line: M14 Kokkai-gijido-mae Station, Exit 5 (10 minutes’ walk through Chiyoda Line platform)

Key Points of the Amended Personal Information Act and Practical Measures That Should Be Taken by Companies

What needs to be addressed under the guidelines released in August 2021? [Free forms and sample rules will be provided.]

The 2020 Amendment to the Personal Information Protection Act takes effect on April 1, 2022. The Amendment sets forth a number of matters that need to be addressed, such as changes in how to state the purpose of use of personal information as well as requirements to disclose security control measures in privacy policies, etc., and to provide data subjects with digital means to request disclosure, enhanced provisions concerning requests for suspension of use, etc., tighter regulations for the cross-border transfers of personal data, and an obligation to acquire consent to the provision of “individual-linked information” using cookies, etc. On the other hand, a new concept of pseudonymized information, a system that is useful for data utilization, will also be established. In this seminar, the lecturer clearly explains the influences of the amended Act on business operations with free sample privacy policies, company regulations and data transfer contracts to be distributed.

* Recorded on August 16, 2021.

Contents

1. Tighter regulations regarding the “use” of personal information
(1) Prohibition on inappropriate use
– What is “inappropriate use” as described in the guidelines?
(2) To what extent does “specifying the purpose of use as explicitly as possible” extend?
– Descriptions of the privacy policy for displaying ads based on profiling
(3) Disclosure of matters concerning retained personal data
– Matters that should be added to the privacy policy
– Sample descriptions of security control measures
– Descriptions when personal information is stored in the cloud or in overseas servers

2. Strengthened rights of individuals
(1) Abolition of exception regarding data that are held only for a short period of time
(2) Digital disclosure
– What if a data subject requests the disclosure of his/her entire data?
– In what situation are you required to disclose?
(3) Disclosure of tracing records
(4) Enhanced provisions concerning suspension of use/deletion, etc.
– Situations where suspension of use/deletion is required

3. Tightened regulations on exchanges of information connected to cookies, etc.
(1) Cookies and “individual-linked information”
(2) Acquisition of attribute information from a public DMP and new regulations

4. Pseudonymized information
– What is pseudonymized information?
– Related regulations
– In what situations can it be used?

5. Global handling of personal data
(1) Outline of the regulations on cross-border transfers
(2) Transfer to persons having established an appropriate system with “a memorandum,” etc.
(3) Provision of information upon transfer with consent

6. Other revisions
(1) Obligation to report leakage, etc.
(2) Strengthened penalties – The amount of penalties has been raised to 100 million yen (effective from December 2020)