In an effort to modernize its data privacy regulatory regime, Japan recently made changes to its 2005 Protection of Personal Information Act (“APPI”), which now more closely resembles GDPR. These changes, which will be implemented and enforced in the near future, have wide-reaching effects for companies in Japan, and also those collecting, processing and transferring personal information of Japanese residents.
Why Did Japan Update Its Regulation?
Do you remember what the world was like in 2005? Facebook was a year-old website available only to college students, Amazon Web Services didn’t exist, and Alan Greenspan was declaring that financial derivatives were amazing tools that lowered the risks in the market. It’s an understatement to say that the world is a bit different 15 years after Japan originally implemented APPI, and changes were needed, especially given Japan’s place as a leader in the tech world.
The amendment is intended to respond to the increased need to balance the protection and utilization of personal information with the risks arising from domestic and cross-border data transfers. This was done through strengthening the rights of data subjects and the imposition of new obligations on companies that collect and handle personal information, such as:
- the obligation to notify the Personal Information Protection Commission (“PPC”) of certain data breaches (the threshold for reporting obligations has not yet been decided);
- expanding the PPC’s authority to request reports or to investigate offshore;
- introducing the concept of pseudonymisation which allows business operators to utilize personal data more easily; and
- increasing penalties to be imposed on companies for breaches of the APPI and/or administrative orders issued by the PPC.
These additions follow hard on the heels of more significant changes, which will mean tighter controls on the international transfer of data starting in 2022, helping to bring the law further in line with GDPR.
How Are APPI and GDPR Different?
There are a few areas in which APPI and GDPR diverge. Perhaps most significantly, Japan does not have a breach notification obligation, nor significant penalties on entities failing to meet certain standards. Japan recently passed an amendment to the law to remedy some of these and other items, including increasing penalties up to $946,000, but it will take well over a year for the changes to be fully implemented.
How Does APPI Handle Cross-Border Transfers?
While in its current form the APPI applies to any organization obtaining personal information from data subjects located in Japan, this hasn’t been enforceable on foreign businesses. Now, though, they will have to provide reports concerning the processing of Japanese residents’ personal information. The APPI applies to foreign entities if they obtain personal information of data subjects physically located in Japan upon supplying goods or services to such data subjects. Violation of the APPI may lead to the imposition of monetary penalties/fines on these foreign entities.
The APPI also states that transfers of personal data to third parties based offshore require the transferring company to make certain disclosures to the data subject in question (e.g., what sorts/types of data protection measures will be taken by the receiving party, the data protection system in the country where the receiving party is located, etc.) and to take necessary measures to ensure that the recipient of such data continuously takes proper measures to process the data in a manner equivalent to the requirements of the APPI.
What Are The Penalties For Noncompliance?
At the moment, the penalties for violations of the current APPI are relatively immaterial. However, the amended APPI will increase the penalties for non-compliance by imposing penalties of up to JPY 100 million (about $940,000 USD) on companies if representatives, officers, or employees fraudulently use or leak personal data, with additional penalties for data breaches.
What Is The Timing Of The Amended APPI?
The amended APPI will take effect within two years from June 2020, and is expected to be effective around Q1 2022. In the lead up to implementation, the PPC is expected to issue detailed rules and guidance documents regarding the amendment, which we will be tracking to ensure our customers are in compliance.
How Can Clym Help?
Clym provides a cost-effective, scalable and flexible platform to comply with CCPA, GDPR, and other laws as they come online. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.