Continuing our series of regulatory compliance coverage, we're taking a closer look at Japan's Act on the Protection of Personal Information (APPI). Passed in 2003, way before the adoption of GDPR in Europe, Japan's APPI was one of the first data protection regulations in Asia.
Even though Japan was early in the data protection arena, in 2015 the authorities acknowledged that APPI’s requirements could no longer effectively protect Japanese citizens. This conclusion was reached in the light of a series of major data breaches that hit the nation at that time.
Thus, the regulation was updated in September 2015, with its new requirements coming into force on May 30, 2017, a year before the EU’s General Data Protection Regulation (GDPR).
The revised version of the APPI includes provisions for its extraterritorial application, the separation of sensitive data into a new category of protected information, and the establishment of the Personal Information Protection Commission (PPC).
Note: The PPC is an independent agency whose main aim is to ensure the protection of the rights and interests of individuals while taking into consideration the proper and effective use of personal information.
At the start of this year, on January 23rd, Japan became the first country to receive an adequacy decision from the European Commission, thus enabling personal data to flow from the EU to Japan without any further safeguard being necessary. Moreover, this adequacy decision was reciprocated on the same day by the Japanese authorities, showing a mutual recognition of an equivalent level of data protection by the EU and Japan.
For good measure, supplementary rules were put in place for three reasons:
However, it's important to note that this decision doesn’t make the requirements of the GDPR and APPI interchangeable. Therefore, companies doing business in Japan have to comply with the APPI requirements even if their data protection strategies are in line with the GDPR.
Although the APPI is similar to the GDPR in its aim and requirements, there are two major differences between the two:
Japan’s current cybersecurity status, as shown in The Straits Times, highlights the need for effective data protection:
Japan's National Centre of Incident Readiness and Strategy for Cybersecurity detected 212.1 billion instances of suspicious activity last year - an increase of nearly four times from 54.5 billion in 2015.
And this situation won’t go away anytime soon, especially if you consider the fast pace of technological advancements. That’s why it’s important for companies that manage the personal information of their clients to become compliant with the APPI.
The aim of this regulation is to protect the rights and interests of individuals while ensuring due consideration for the use of personal information, by laying down basic principles for the proper handling of personal information.
In this context, personal information is any piece of information that can identify an individual, including data that can easily be combined with other information to identify a person. The new amendment to the APPI expands the types of data covered under the Act to include biometric data such as fingerprints and facial recognition data, as well as Personal Identifier Codes, which are unique letters and numbers assigned to an individual (such as a driver’s license or passport number).
APPI applies to all business operators that handle the personal data of individuals in Japan. This concerns not only companies that offer goods and services in Japan and are located within the country but also those organizations with offices outside it. Thus, similarly to the GDPR, the APPI has an extraterritorial reach.
While the initial version of the law applied only to business operators that had 5,000 identifiable individuals in their database on at least one day during the previous six months, the amended APPI applies to all business operators that process personal information for business purposes, even those with small databases of just a few individuals.
However, entities such as central government organizations, local governments, independent administrative agencies, and local incorporated administrative agencies are exempt from APPI compliance, as they fall under the scope of other regulations.
Consumers can request that a business operator disclose the purpose of use of their personal data, the way in which they can access, correct or suspend that information, and where they can submit a complaint concerning the handling of their personal data.
Moreover, they can demand that a company correct or delete incorrect personal information, or suspend or delete their personal information altogether if it has been used beyond the initial purpose of use, transferred without prior consent, or acquired by fraud or other unfair means.
Likewise, Japanese residents have the right to file a lawsuit against business operators that have collected their personal information and failed to answer their APPI-based requests within two weeks.
In short, companies that want to become APPI compliant must ensure that they have a privacy policy in place that stipulates the purpose of the use of collected personal information. Moreover, they must take action for the security control of personal data in order to prevent the leakage, loss or damage of the handled data.
Furthermore, organizations handling personal information must “keep the data accurate and up to date within the scope necessary to achieve a utilization purpose, and to delete the personal data without delay when such utilization has become unnecessary.”
When it comes to providing personal data to a third party, a business operator must keep a record of the personal data that contains:
A business operator must retain such a record for a period of one or three years from the date on which the personal data covered by the record was last provided.
What do you, the "business operator," need to be conscious of when it comes to your visitor management? There are a number of ways our visitor management system can help you:
Unlike under the GDPR, companies doing business in Japan are not legally obliged under the APPI to report a data breach to the PPC or to inform affected data subjects.
Generally, if the PPC becomes aware of a data breach, it will directly contact the business operator and informally request that it rectify the violation. If the organization fails to do so, the PPC will issue an administrative order for the company to take action in regard to the data breach.
If the company doesn’t comply with the administrative orders, the penalties it will receive range from fines of up to ¥500,000 (approximately $4,600) to imprisonment of up to one year.
The modern times we live in require privacy laws to be put in place for the protection of consumers’ personal data. It’s essential for companies that want to grow safely and successfully to be proactive in their data privacy policies.
Our recommendation: don't leave security and compliance up to chance. If you need help meeting your compliance needs for your business, don’t hesitate to contact us.
To compliance and beyond!
***
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.