Data protection law in Japan: a guide to understand APPI

04-10-2024 | 6 minute read | Business to Government Compliance, GDPR Compliance

Author: Laura Parri Royo, Marketing Director

Our latest article in the data protection law series focuses on Japan. Another country to have recently and significantly updated its data protection framework, Japan has issued strict amendments to its Act on the Protection of Personal Information (APPI). These amendments strengthen personal data protection levels and align Japan’s regulations more closely with international standards. The changes became fully operational on April 1, 2022, and they include some very interesting clauses.

If you are involved with processing any data concerning Japanese citizens or businesses, you will need to comply. The key changes to the amended APPI are as follows:

As hinted already, overseas businesses that have any involvement with handling personal information pertaining to Japanese residents must now comply with the amended APPI. This is a significant change. It means that even if a company does not have a physical presence in Japan but offers goods or services to individuals in Japan, it will need to comply with the APPI.

Enhanced individual rights

The new regulations give individuals in Japan much greater control over the ways their personal data can be stored or used. Japanese consumers now have the right to request deletion or cessation of use. This applies to any data that is being used by any company, if the individual believes it is being handled improperly or is no longer necessary for the stated purpose.

Companies that want to store or use data from Japanese individuals must now obtain specific consent from those individuals. They also need to obtain consent before transferring personal data to third parties in foreign countries that might have less stringent data protection standards. This is an important enhancement to the privacy laws and will ensure that Japanese residents’ data remains protected, even if it is processed abroad.

Pseudonymously processed information

This is an interesting new concept within the amended APPI and is very relevant for ‘big data’ mining applications. ‘Pseudonymously processed information’ is a special category of data that makes big data analysis possible without the need for individual consent, provided that certain safeguards are in place. By using a pseudonym, the data is partially anonymised so that individuals cannot be identified, and it can then be interrogated without breaching any privacy protections.

To prepare for compliance with the amended APPI, companies should take the following steps:

  • Complete a data mapping exercise: Do a comprehensive inventory of personal data collected, processed, and stored, to understand the scope of APPI applicability for your organisation.
  • Check privacy policies: Ensure any existing privacy policies are up to date and reflect the new requirements. These policies need to include information on cross-border data transfers and individual rights to deletion and cessation.
  • Check data consent processes: New, robust data consent mechanisms need to be in place. This is especially important for international data transfers and for when sensitive personal information is being handled.
  • Employ a data protection officer: The new APPI regulations are extensive and it may be advisable to appoint a dedicated data management specialist like TJC Group. Our experts understand international data privacy regulations and can work with your internal team to oversee data privacy compliance efforts.
  • Create a data breach response strategy: If your company experiences a data breach, this needs to be reported to regulators within 72 hours. What should the process be? Part of APPI compliance preparations should include developing and implementing a data breach response plan that includes notification procedures for affected individuals and the Personal Information Protection Commission (PPC).

Japan’s amended APPI regulations have significant implications for data management best practices.

  • Consent for cross-border data flows

Companies must carefully assess their international data transfer practices because the new regulations require explicit consent if data is processed overseas. For example, if a Japanese e-commerce company transfers any customer data to a cloud service provider in the United States, they would need to ensure that appropriate safeguards are in place and this would also include obtaining specific consent from customers.

  • Introduce ‘data minimisation’ policies

The new regulations encourage data minimisation principles whereby only a minimal amount of data is collected and retained. Organisations should be clear about why they need customer data and only collect and retain personal data that is necessary for their stated purposes. For instance, a fitness app company should only collect health data from subscribers if it is directly relevant to providing its services.

  • Introduce enhanced security measures

The new APPI regulations bring increased penalties for data breaches. Companies need to protect themselves from the financial and reputational damage of non-compliance by implementing stronger security measures. This might include encrypting sensitive data, implementing multi-factor authentication, and regularly conducting security audits to ensure their data is as secure as possible.

  • Operate with transparency and accountability

Just like every other data privacy law, APPI requires that organisations are transparent about their data handling practices. This means being open and honest, making it as straightforward as possible for consumers to find out how their data is being used. They also need to be fully accountable for the ways the data is being used and provide clear and easily accessible information on how to request their data to be deleted.

There are some interesting and unique characteristics of the amended Act on the Protection of Personal Information (APPI) in Japan. They reflect Japan’s cultural values around data privacy and data protection and could provide food for thought for other countries to consider.

Of these, the most significant is the ‘pseudonymously processed information’ category. By including this in the regulations, the APPI acknowledges the growing importance of big data analysis for AI and strategic business planning, but also respects the rights of individuals in an increasingly data-driven world.

The APPI also has specific provisions for ‘anonymously processed information’, which allows for broader use of data that has been irreversibly de-identified so that the individual source can never be identified. These are two very forward-thinking policies.

Another interesting feature of the APPI is that it allows individuals to ‘opt out’ of sharing their personal information with third parties, which is a special feature of Japan’s laws.

In addition, the APPI uses different classifications for the parties involved, using the term ‘personal information handling business operator’ instead of differentiating between data controllers and processors as the GDPR data privacy law does.

Conclusion

At TJC Group we always welcome changes to data privacy regulations that enhance consumer protections. The amended APPI represents a significant step forward in Japan’s data protection regime. It aligns well with other global privacy standards like the EU’s GDPR, but also has some unique Japanese characteristics. Companies operating in or targeting the Japanese market must adapt their data management practices to ensure compliance with these new regulations. By doing so, they will avoid potential penalties and also build trust with their Japanese customers and partners in today’s increasingly data-driven world.

At TJC Group, we help companies ensure data privacy is fully enforced in SAP systems. The intricacies of both SAP systems and data protection regulations, coupled with the high volume of data processed in today’s economy, make it hard for IT and compliance teams to handle such complex projects. If you feel the need for support, reach out to us. Read more about SAP ILM and data protection compliance in this article: Understanding the key components of SAP ILM.

