Hiroyasu Kageshima delivered a lecture titled “Measures to Address and Practical Commentary on the Amended Personal Information Protection Act”
The outline of the lecture is as follows:
Host: Business Research Institute
Date: Tuesday, December 14, 2021, 1:00 PM – 17:00
Lecturer: Hiroyasu Kageshima
Venue: Seminar room at Business Research Institute or Online
Measures to Address and Practical Commentary on the Amended Personal Information Protection Act
~ Plain explanation of necessary preparations for the enforcement in April 2022 ~
About the Seminar
The amended Personal Information Protection Act was enacted in June 2020 and is scheduled to go into force over the period from spring to June 2022.
This amendment focuses on tightening regulations on the “use” and “provision” of personal information. It encompasses many revisions that have a direct impact on companies’ operations, such as a requirement to notify the “method of processing” personal data, prohibitions on inappropriate use of personal information, a requirement to obtain consent when providing “individual-linked information” using cookies, etc., enhanced provisions concerning requests for suspension of use/deletion of retained personal data, and a duty of explanation when transferring personal data to a foreign country. On the other hand, a new concept of pseudonymized information, a system that contributes to data utilization, will also be established.
In this seminar, the lecturer gives a specific overview of the amendment, focusing mainly on the revisions that have a significant impact on corporate operations.
Program
- Outline of the 2020 Amendment to the Personal Information Protection Act
1) Overall picture
2) Future schedule - Tighter regulations regarding the “use” and provision of personal information
1) Prohibition on inappropriate use
– What is “inappropriate use”?
2) Providing information through privacy policy, etc.
(i) The system for handling personal information and measures in place
– What points of internal systems should be entered in the privacy policy?
(ii) The “method of processing” personal data
– Situations where the “method of processing” personal data must be specified
– How to describe it in the privacy policy - Tightened regulations on exchanges of information connected to cookies, etc.
1) What is DMP (Data Management Platform)?
2) What is “individual-linked information”?
– Cookies and “individual-linked information”
3) Method of obtaining consent
– Acquisition of attribute information from public DMP and explicit consent - Enhanced provisions concerning requests for disclosure/suspension of use, etc.
1) Abolition of exclusion of data that are held only for a short period of time
2) Electronic disclosure
– What if a data subject requests the disclosure of his/her entire data?
3) Enhanced provisions concerning suspension of use/deletion, etc.
– Situations where suspension of use/deletion is required
– Risks involved in the occurrence of leakage - Use and application of data in the form of “pseudonymized information”
– What is pseudonymized information?
– Related regulations
– In what situations can it be used? - Regulations for overseas transfers
1) Whether outsourcing to, and shared use with, an overseas company is permissible
2) Implementing appropriate measures
3) Obtaining consent - Other revisions
1) Outline of other revisions
2) Obligation to report leakage, etc. and to notify the principal
– Situations where reporting and notification to the principal are required
3) Strengthened penalties
– The amount of penalties has been raised to 100 million yen (effective from December 2020)
