Member Article

On April 1, 2022, Japan is set to begin enforcement on the amendment to its Act on the Protection of Personal Information (“APPI”). The APPI was originally adopted in 2003 – making it one of the first data protection regulations. However, with the passing of the EU’s General Data Protection Regulation (“GDPR”) and China’s Personal Information Protection Law (“PIPL”), Japan has now overhauled its own data protection law in order to meet the current privacy climate.

Below are the significant changes to the APPI:

Applicability

Much like the GDPR, the APPI applies to not only businesses operating in Japan, but also personal information handling business operators that control and/or process the personal data of individuals located in Japan.

The Amendment expands the scope of covered businesses even further. The prior version of the APPI indicated that the law only applied to business operators that stored the information of at least 5,000 identifiable individuals on at least one day during the previous six months. Now, there is no minimum limit on the database size.

Categories of Data Protected

The APPI traditionally protected personally identifiable information (“PII”), such as name, date of birth, email address, and biometric data. The Amendment expanded this category by including “Individual Identification Codes” which includes numbers (like a driver’s license), symbols, or codes (e.g. a fingerprint).

The Amendment also introduces a new category of personal information referred to as “special care-required personal information,” which is effectively “sensitive” information. This includes information about an individual’s race, creed, medical history, criminal record, social status, or any other information that may lead to social discrimination. In order to collect or process this information, a business must obtain a user’s prior, opt-in consent.

The Amendment further introduces the concept of pseudonymous information, which relates to an individual but is processed in a manner that does not identify a specific individual unless collated with additional data. Businesses are not obligated to delete pseudonymously processed information derived from personal data, and may retain it for potential future statistical usage.

Finally, the Amendment adds another new category of “personal-related information” which includes information related to an individual that does not fall within the scope of personal (or pseudonymous) information. “Personal-related information” would include information that can be used to identify an individual if connected to other information. Cookies and IP addresses would likely be considered this category of personal information. The Amendment requires the consent of the individual when a third party acquires personal-related information as “personal data.”

Data Transfers

The Amendment has also placed restrictions on data transfers to companies outside of Japan. Similar to the GDPR, the Amendment states that a cross-border data transfer can only take place if either (1) the overseas recipient is located in a country that has an adequate level of data protection equal to Japan and establish a personal information protection system with the cross-border company, or (2) the company obtains the user’s prior opt-in consent.

In order to meet the (1) threshold, there must be a contract between the two companies in place that outlines the “necessary measures” to obligate the receiving party to maintain and process the personal information in compliance with the APPI. In order to provide effective consent to meet the (2) threshold, the transferor is required to provide detailed information of the transfer prior to obtaining consent. This includes (a) what country the recipient is located, (b) information on legislation for the protection of personal information in the recipient’s country, and (c) information on measures taken by the recipient to protect personal information.

Mandatory Data Breach Notification

The Amendment must now report data breaches to the Personal Information Protection Commission (“PPC”) if the breach includes the following: (1) sensitive personal information, (2) personal information that is likely to cause financial or property damage (e.g. credit card information), (3) unauthorized access to a data server or malware infection by a third party, or (4) more than 1,000 affected individuals.

A business is required to “promptly” provide initial notice to the PPC. A second notification is required within 60 days if the breach involved more than 1,000 affected individuals’ personal information, or 30 days if the breach falls within any of the other three above categories.

A third and final notification must provide the PPC a summary of the incident, categories of personal information involved, the total number of affected individuals, the cause of the breach, the extent of damages, and any actions taken by the company since the breach occurred.

The company is also obligated to provide notice to affected individuals as soon as possible – but there is no firm deadline. A company may publish information regarding the breach on the company’s website if notice is practically difficult to make.

Penalties for Non-Compliance

Failure to comply with APPI regulations can result in financial penalties of up to JPY 100 million, or approximately $1,000,000 USD. The penalty could also include imprisonment for up to a year. The PPC may also publicly publish the violation.

Originally published in the Privacy Law Section of the California Lawyers Association. To view the article, click here.