In June 2020, the Japanese government enacted an amendment to the APPI. The amended APPI comes into effect on April 1, 2022. Like other data privacy laws worldwide, the APPI aims to protect the personal information of individuals in Japan.
Because the Act was already revised once in 2015, organizations that use personal data in Japan need to update both their understanding of the law and their practices to ensure full compliance with the latest APPI.
The APPI or the Act on the Protection of Personal Information was first adopted in 2003. Indeed, it was one of the first data protection regulations in Asia. Rather than replacing the Act, as other legislatures opted to do, Japan overhauled the law in September 2015, following numerous high profile data breaches.
The new 2015 overhaul introduced the Personal Information Protection Commission (PIPC) – an independent agency tasked with protecting the rights and interests of individuals relating to data privacy. It also encourages appropriate and effective personal data use.
Like other data protection legislation, such as the GDPR, the APPI applies to all companies that offer goods and services in Japan, regardless of where they are located. This is known as extraterritorial scope.
The 2003 version of the law was only applicable to an organization with at least 5,000 identifiable individuals in their database during the prior six months. However, recent amendments now mean the Act applies to all organizations processing personal information for business purposes, regardless of the number of individuals.
The 2020 amended APPI does not become effective until spring 2022, but businesses should be preparing now.
There are four key changes to be aware of:
1. Data breach notification
Organizations are obligated to inform both the Personal Information Protection Commission (PIPC) and data subjects of any data breach that risks harm to the rights and interests of data subjects.
According to the amendment, that includes:
2. Pseudonymized data
Organizations that handle pseudonymized data are exempt from certain obligations, such as responding to data subject requests to cease using personal data.
To pseudonymize data, personal information must not contain:
3. Provision of data to third parties
Previously, the data subject had to be notified when personal data was provided to a third party. Now, under the amended APPI, the providing organization must confirm that the recipient has obtained the data subject's consent before the transfer takes place.
Consent must be documented, alongside the date of provision, the recipient's name and address, and the categories of information provided. These records must be kept for three years.
4. International transfers
Before an organization transfers personal data to a third party outside Japan, it must inform the data subject. The information provided must include:
When an organization (the data exporter) conducts a cross-border transfer, it should:
Enshrined in the APPI are several citizens' rights regarding their personal data. These include:
Under the APPI, data subjects can report a violation to the PIPC. The PIPC will then contact the organization and request that it rectify the situation. Failure to do so results in further actions and penalties.
Currently, the PIPC can impose fines of up to 100,000,000 Japanese yen (approximately $907,715) or criminal punishment of up to 1 year in prison.
Moreover, individuals can also bring civil suits against organizations that violate their data rights.
With a recent spike in cybercrime and a series of high-profile data breaches, the amendment to the APPI brings Japan into line with other data privacy regulations worldwide. For example, cases like the "Rikunabi scandal" in which the personal data of 7,893 registered students was provided to customer companies without the students' consent are no longer permissible.
Instead, the new, more stringent guidelines heavily penalize data handling misconduct, creating a set of firm rules for organizations to follow. Those rules apply to any organization handling the personal data of individuals in Japan, regardless of where the organization is located.
If you had not yet familiarized yourself with the amended 2020 APPI, you should now be aware of its new requirements. In particular, the amendment tightens the consent and record-keeping requirements for providing personal data to third parties and for cross-border transfers.
For further information, please refer to the PIPC website.