Japan Amends the Act on the Protection of Personal Information (APPI)

Published On October 23, 2020
Originally enacted in 2003, the Act on the Protection of Personal Information (‘APPI’) has served as a central component in Japan’s data privacy regulatory framework. The APPI has been regularly reviewed on a three-year cyclical basis since its inception, in an attempt to recognize the rights and interests of individuals while also taking into account the usefulness and challenges surrounding personal information in an advanced information and communications society. The most recent amendments to the APPI in June 2020 have taken a significant step forward in furthering those data protection goals by strengthening the rights of data subjects over their personal information and imposing new obligations on the companies processing that personal information.
Strengthening Data Subject Rights
To start, the updates to the APPI will make it easier for data subjects to request that companies cease use of or erase their data. The previous version of the APPI allowed for requests to cease use of or erase personal data only in limited circumstances. The recent APPI amendments, however, expand on this by allowing for requests in a wider range of circumstances, including:
- when there is a possibility of violating the data subject’s rights or legitimate interests;
- when there is a breach of the APPI by means of transfer to a third party;
- when the request concerns short-term data which is kept for 6 months or less; and
- providing data subjects the ability to request the format of the disclosure of their data (including digital format).
In addition, the revisions to the APPI will change the scope of what is considered personal data. Previously, the APPI had stated that “short-term” personal data that is slated for erasure within six months of acquisition is not considered “retained personal data”. The updates to the APPI have removed this six-month carve-out, now treating any personal data as “retained personal data” regardless of the intended data retention period.
Restricting the “Opt-out” Exception for Third Party Transfers
The APPI’s amendments will also restrict the use of the “opt-out” exception for third-party transfers. Under the previous version of the APPI, companies could transfer data to third parties without consent so long as they provided certain information to the Personal Information Protection Commission (‘PIPC’) and no objection was raised by the data subject (i.e. no record of “opt-out”). The APPI will now significantly limit this “opt-out” exception by not allowing companies to transfer personal data collected by deceitful or improper means, and preventing companies from continuing to transfer personal information based on the previous “opt-out” exception. If a company wishes to continue transferring that data, it will now have to instead obtain direct consent from the data subject or identify a permissible legal basis for doing so.
Reporting of Data Breaches
The revisions to the APPI set forth additional requirements with regard to how companies report data breaches to the PIPC. If a data breach occurs in a manner that presents a possible violation of the rights and interests of individuals, organizations will now be required to notify the PIPC as well as affected data subjects. This duty to report to the PIPC will entail a two-step approach where the organization files an initial report to address the situation as soon as possible, followed by a secondary report that outlines the specific causes and remediation measures taken. If providing notice to the impacted data subjects proves difficult, the APPI does allow for organizations to make a public announcement along with setting up an office to handle inquiries.
This represents a significant shift in how companies approach data breach incidents. The PIPC’s guidelines had previously just recommended that companies report data breaches either to the PIPC or the impacted data subjects. By now making this a legal requirement, the APPI’s data breach framework is brought more in line with the type of responsibilities outlined in the EU General Data Protection Regulation (GDPR) and other jurisdictions across the world.
Pseudonymization Introduced
The APPI will now also recognize the concept of ‘pseudonymized information’ with regard to personal information collected by companies. ‘Pseudonymized information’ is data that is processed in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer. If properly implemented, organizations would now be able to rely on the pseudonymization of that data in order to ease the disclosure or cessation obligations otherwise imposed on them by the APPI.
Cross-Border Data Transfers
Companies performing cross-border transfers of personal data to third parties will now have to provide certain information to those data subjects that details the protections in place for that transferred information. When the transfer is based on consent, the company transferring that data will need to identify the data protection measures taken by the receiving third party and the existing data protection rules and regulations in the country where that data is exported. If the data is being transferred to third parties with data protection systems that comply with the standards set forth by the PIPC, the entity transferring that data will have to take necessary steps to ensure the third party has continuous security measures in place. If requested by the data subject, that entity will also have to provide information on the necessary actions taken to ensure that third party stays in compliance.
Interestingly, the amendments strengthening the protections associated with cross-border transfers come into effect after the European Commission’s 2019 decision that had deemed Japan an adequate jurisdiction for cross-border data transfers of personal information.
Extraterritorial Enforcement Powers
The updates to the APPI will also give the PIPC an increased extraterritorial reach. The PIPC will now be able to request that foreign companies submit reports on the status of processing activities and issue orders requiring companies take necessary measures to address APPI violations. This represents a huge shift in Japan’s data protection laws – where the PIPC had previously been limited to either issuing guidance or advice on enforcement actions involving foreign companies, or simply making recommendations to take necessary measures to address APPI violations.
Increased Penalties for Non-Compliance
Japanese regulators also worked to address the gap that existed between the sanctions available under the APPI compared to the GDPR and other jurisdictions’ regulatory codes. Previously, a business operator who failed to comply with an order of the PIPC could be fined between ¥300,000 and ¥500,000, depending on the nature of the violation. When viewed against the GDPR’s penalty of €20 million or 4% of global turnover, the APPI’s penalties for non-compliance were viewed as relatively light.
As a result, the amendments have increased the specific types of fines available – with a maximum fine of up to ¥100 million (around $1 million USD) that can be levied against organizations, while individuals can be punished by up to one year imprisonment or a fine of up to ¥1 million (around $10,000 USD). Submitting false reports to the PIPC can also result in fines of up to ¥500,000 (around $5,000 USD).
Japan’s revisions to the APPI clarify the responsibilities owed to data subjects by strengthening basic data protection principles and identifying specific duties that must be recognized when handling personal information. Companies will need to review their data processing activities along with the related data protection policies and procedures to ensure that their information governance framework is in full compliance with the APPI moving forward.