Although there is still a possibility that this will change in the future, Mr. Sawaki, counselor of the Personal Information Protection Commission, gave an explanation of the current status of the review of the outline for revising the Personal Information Protection Act. The details are as follows.
Report 2: Status of the review of the Personal Information Protection Act, the so-called three-year review system
I. Individual rights regarding personal data
1. Relaxation of requirements for requests to suspend use, delete, or suspend provision to a third party
With a view to strengthening the involvement of individuals in relation to their retained personal data, the requirements for requesting the suspension of use of retained personal data and the suspension of its provision to third parties will be relaxed, and the scope of individuals' rights will be expanded.
Note: Previously this was limited to cases of fraudulent use.
2. Promoting digitalization of disclosure
We will thoroughly publicize the current system regarding disclosure requests and promote its proper operation. In addition, from the perspective of improving the convenience of individuals in the use of their retained personal data obtained through disclosure requests, we will enable individuals to specify the method of disclosure, including the provision of electromagnetic records.
Note: Until now, disclosure has been on paper. This will now be digitized.
3. Expansion of the scope of retained personal data subject to disclosure, etc.
In light of changes in risks due to the advancement of the information society, retained personal data that is subject to requests for disclosure, etc., will not be limited by the retention period, and short-term stored data that will be erased within six months, which is currently excluded, will be included in retained personal data.
4. Strengthening opt-out regulations
In light of the current situation, where the circulation of lists makes it difficult for individuals to be involved, the scope of personal data that can be provided to third parties under opt-out provisions will be limited. In addition, the effective involvement of individuals will be increased by allowing them to request disclosure of the records of provision of their personal data to third parties and of receipt from third parties, records that personal information handling businesses are already required to keep.
II. Obligations that Business Operators Should Observe
1. Mandatory reporting of leaks and notification to individuals
From the perspective of protecting the rights and interests of individuals and ensuring fairness, in order to enable the Personal Information Protection Commission to quickly grasp incidents such as leaks and to enable the individuals themselves to take the necessary measures, personal information handling businesses will be required to promptly report to the Personal Information Protection Commission and notify the individuals in question in the event of a certain type of incident, such as the leak of a certain number of personal data items.
Note: This will be handled through guidelines. It will not be limited to certified personal information organizations.
2. Clarification of the obligation to use appropriately
In light of the changing risks associated with the advancement of the information society, the Act will clarify that businesses handling personal information must not use personal information in an improper manner.
Note: The current law regulates illegal acquisition, but does not explicitly regulate illegal use. The legal system was designed on the premise that the rights and interests of individuals would not be violated, but as more and more outrageous cases emerge, I decided to take the trouble to write about it.
It causes trouble for society. Even if the formalities are in order, it is no good.
III. Mechanisms to encourage voluntary initiatives by businesses
1. Diversification of the Certified Personal Information Protection Organization System
In light of the diversification of business practices involving personal information handled by businesses and changes in the nature of necessary regulations, the system of certified personal information protection organizations will be expanded to allow the certification of organizations whose activities are limited to specific business activities, in addition to the current system of accepting complaints and providing guidance regarding the overall handling of personal information by target businesses.
Note: Until now, to become a certified personal information protection organization, an organization had to cover the handling of personal information in general. For example, it could not handle only the online portion of a retailer's business.
2. Enhancement of disclosure regarding personal data held
In order to enable appropriate understanding and involvement of individuals through enhanced explanations by personal information handling businesses to individuals regarding the personal data they hold, and to encourage appropriate handling of personal information by personal information handling businesses, matters that must be explained to individuals, such as the personal information handling system, the details of measures taken, and methods of processing held personal data, will be added as items to be disclosed pursuant to the law (items to be disclosed by government ordinance).
Note: Matters that could not be stated under the purpose of use until now should be written out. To be set by government ordinance?
IV. Measures for data utilization
1. Creation of "Pseudonymized Information"
From the perspective of promoting innovation, "pseudonymized information" will be introduced as a type of personal information that has been processed so that a specific individual cannot be identified without comparing it with other information. For pseudonymized information, certain restrictions will be imposed to limit its use to analysis within business operators that does not involve the identification of individuals, and, on the premise that the purpose of use of the pseudonymized information is specified and made public, some restrictions on its handling, such as the obligation to respond to various requests from individuals (requests for disclosure, correction, suspension of use, etc.), will be relaxed.
Note: Although it continues to be personal information, it is no longer subject to the obligation to respond to requests from individuals.
2. Clarification of the rules regarding when information becomes personal data at the recipient
As the methods of using information about individuals become more diverse, in order to maintain a balance between the protection of personal information and its appropriate and effective use, the restrictions on providing personal data to third parties will be applied to information that does not qualify as personal data at the provider but will clearly become personal data at the recipient.
3. Clarification of the application of exceptions to the handling of personal information for public interest purposes
Regarding the handling of personal information for public interest purposes, which are exceptions to the restrictions on purposes of use and provision to third parties, we will promote the use of data that benefits the entire public, for example by adding specific examples to the guidelines and Q&A.
V. Penalties
Current statutory penalties will be reviewed as necessary, including the introduction of severe penalties related to corporate punishment provisions.
VI. Extraterritorial application of law and cross-border transfers
1. Expansion of the scope of extraterritorial application
In light of the globalization of economic and social activities and the diversification of cross-border transfers, foreign businesses that handle personal information or anonymously processed information related to people in Japan will be subject to report collection and orders from the Personal Information Protection Commission. In addition, if a business does not comply with an order, the Commission will be able to make that fact public.
2. Strengthening restrictions on providing personal data to third parties in foreign countries
As cross-border transfers of personal information become more diverse, from the perspective of enabling appropriate understanding and involvement of individuals and encouraging proper handling of personal information by personal information handling businesses, we will require personal information handling businesses that are the source of the transfer to enhance the provision of information to individuals regarding the handling of personal information at the destination business, including the name of the destination country and the existence of a system for protecting personal information. In addition to providing information when the transfer is based on the individual's consent, we will also require information to be provided upon request by the individual when transferring personal data without the individual's consent, provided that the destination business has in place a system to ensure continued proper handling.
VII. Handling of Personal Information Throughout the Public and Private Sectors
1. Unification of legislation relating to administrative agencies, independent administrative institutions, etc. with legislation relating to the private sector
Regarding the personal information protection system for administrative agencies, independent administrative institutions, etc., in light of the criticism that differences in regulations and jurisdictions are causing problems, the government will actively and on its own initiative consider specific measures, with a clear schedule in mind, to consolidate and unify the regulations concerning the protection of personal information held by administrative corporations and other organizations, and to have the Personal Information Protection Commission assume centralized jurisdiction over these systems.
Note: As for the schedule, it won't take that long, because the law will change anyway if we wait three years.
2. Personal information protection systems of local governments
Regarding the handling of personal information held by local governments as currently stipulated by ordinance, we will advance discussions with local governments and other parties on practical issues regarding the state of regulation, including unification by law, and the division of roles between the national and local governments regarding the personal information protection systems of local governments.