In June 2020, the Japanese government enacted an amendment to the APPI. The amended APPI comes into effect on April 1, 2022. Like other data privacy laws worldwide, the APPI aims to protect the personal data of individuals in Japan.
Because the Act was already substantially revised in 2015, organizations that handle personal data in Japan should update their understanding and practices now to ensure they comply with the latest version of the APPI.
What is the APPI?
The APPI, or the Act on the Protection of Personal Information, was first adopted in 2003, making it one of the first data protection laws in Asia. Rather than replacing the Act, as other legislatures have opted to do, Japan overhauled it in September 2015, following several high-profile data breaches.
The 2015 overhaul introduced the Personal Information Protection Commission (PIPC), an independent agency tasked with protecting the rights and interests of individuals with respect to their personal data, while also encouraging appropriate and effective use of that data.
Like other data protection legislation, such as the GDPR, the APPI applies to any company that offers goods or services to individuals in Japan, irrespective of where the company itself is located. This is known as extraterritorial scope.
The 2003 version of the law applied only to organizations whose databases held at least 5,000 identifiable individuals at some point during the preceding six months. The 2015 amendment removed that threshold, so the Act now applies to every organization that handles personal information for business purposes, regardless of the number of individuals involved.
What's new in the 2020 amendment?
The 2020 amendments do not take effect until spring 2022, but businesses should be preparing now.
There are four key changes to be aware of:
1. Data breach notification
Organizations must report to the Personal Information Protection Commission (PIPC), and notify the affected data subjects of, any data breach that is likely to harm the rights and interests of individuals.
Under the amendment, that covers:
- Data breaches involving sensitive personal information
- Data breaches that risk financial or property damage to data subjects (e.g., leaked payment card details)
- Data breaches that are likely to have been caused by an actor with improper intent, e.g., a cyberattack or unauthorized access
- Data breaches involving more than 1,000 data subjects
2. Pseudonymized data
The amendment introduces a category of "pseudonymously processed information". Organizations that hold such data are exempt from certain obligations, such as responding to data subject requests to disclose the data or cease using it, provided the data is used only for internal analysis and not provided to third parties.
To pseudonymize data, the organization must process the personal information so that it no longer contains:
- Descriptions that could identify a specific individual on their own, e.g., the person's name
- Individual identification codes (such as a passport number or a biometric identifier)
- Descriptions whose misuse could cause property damage, e.g., credit card numbers
Pseudonymized data can still be re-identified by combining it with other information, which is why the law requires the organization to keep the removed information separate and to take safeguards against re-identification.
3. Provision of data to third parties
Previously, the data subject had to be notified (or had to consent) before personal data was provided to a third party. The amended APPI goes further: when an organization provides data that is not personal data in its own hands, such as cookie identifiers or browsing history, to a recipient who will be able to link it to an identified individual, the provider must first confirm that the recipient has obtained the data subject's consent.
That consent must be documented, along with the date of provision, the recipient's name and address, and the categories of information provided. These records must generally be retained for three years.
4. International transfers
Before transferring personal data to a third party outside Japan on the basis of the data subject's consent, the organization must give the data subject the information needed to make an informed decision, including:
- Name of the country where the data is to be transferred
- The personal information protection system of the destination country
- Data protection measures to be taken by the data importer
When an organization (the data exporter) instead relies on the recipient having equivalent safeguards in place, it must take ongoing measures to ensure the recipient continues to handle the data properly, and must provide information about those measures to the data subject on request. In particular, it should:
- Periodically confirm how the data importer is handling the personal data, and whether any law or system in the destination country could affect that handling
- Assess the measures to be taken if a problem arises, up to and including suspending the transfer
- Assess the measures needed to ensure continued proper handling of the data
What are data subjects' rights under the APPI?
The APPI grants individuals several rights regarding their personal data. These include:
- The right to request that an organization cease using, or cease providing to third parties, their personal data if the organization no longer needs the data, a data breach has occurred, or the handling of the data would infringe the data subject's rights or interests. (Previously this right applied only where the data was used unlawfully.)
- The right to request disclosure of personal data even where the organization intends to delete it within six months; such short-term data was previously excluded from disclosure requests.
- The right to request disclosure of the records the organization keeps of its transfers of personal data to third parties
- The right to request that an organization correct, add to, or delete personal data relating to the data subject
- The right to request a copy of any personal information relating to the data subject, including in electronic form
Penalties under the APPI
Under the APPI, data subjects can report a suspected violation to the PIPC. The PIPC can then require the organization to report on its handling of personal data and issue guidance, a recommendation, or an order to rectify the situation. Failure to comply with an order leads to further enforcement action and penalties.
The 2020 amendment raises the maximum penalties significantly. An organization that violates a PIPC order or illegally provides a personal information database can be fined up to 100,000,000 Japanese yen (roughly US$900,000 at the time of writing), and the responsible individuals face criminal penalties of up to 1 year in prison.
In addition, individuals whose rights have been violated can bring civil claims for damages against the organization.
Against a backdrop of rising cybercrime and a series of high-profile data breaches, the amendment brings Japan more closely into line with other data privacy regimes worldwide. Cases such as the "Rikunabi scandal", in which the personal data of 7,893 registered students was provided to client companies without the students' consent, are no longer permissible.
Instead, the new, more stringent rules heavily penalize data handling misconduct, creating a clear set of obligations for organizations to follow. Those obligations apply to any organization handling the personal data of individuals in Japan, irrespective of where the organization is located.
If you were not yet familiar with the 2020 amendments to the APPI, you should now be aware of the main new requirements, in particular the tightened consent and record-keeping rules for providing personal data to third parties and the expanded data breach notification duty.
For further information, please refer to the PIPC website.