Stricter policies, safer data
Amendments to Japan’s Act on the Protection of Personal Information come into force
April 2022 Feature / Text by Gavin Blair
The changes take the Japanese regulatory environment closer to the EU’s General Data Protection Regulation (GDPR). However, there are differences, and European companies with operations in Japan now need to be in compliance with the new local regime.
Although amendments enacted in 2020 and 2021 all came into force this month, increased penalties for criminal acts related to data protection were introduced in December 2020. These lifted the maximum fine applicable to organisations from ¥500,000 to ¥100 million, while the maximum penalties for individuals are now a ¥1 million fine and up to one year’s imprisonment. Both individuals and the entities that employ them can be charged over the same misdeed.
One of the significant new changes is that companies are now obligated to issue notifications of serious data breaches, whereas in the past it was only recommended that they did so.
Tobias Schiebe, partner at ARQIS Foreign Law Office, recommends that companies create a clear and comprehensive data breach response plan. This is because they are required to issue a preliminary notification usually within three to five days of someone in the company becoming aware of a breach.
“Then the final report, in principle, within 30 days, and that usually only works if you have a sound process in place,” suggests Schiebe.
Other major changes impact the transfer of personal data outside Japan. Companies relying on consent as the legal basis for transferring data across borders now have to provide a considerable amount of additional information to the individuals concerned, explains Schiebe. This includes informing them about the data protection regulations in the country that the data is transferred to, as well as the data processing security measures there. There is also an obligation to keep the individual abreast of any changes in those rules or the security environment.
In addition, if a firm relies on contracts with data handlers or processors overseas, the company in Japan must now have them audited regularly to ensure they are complying with Japanese data protection standards.
“These don’t apply to transfers to the European Economic Area or the UK as they are considered secure jurisdictions from the perspective of Japan’s Personal Information Protection Commission,” notes Schiebe.
After the last round of APPI updates at the beginning of 2019, Japan became the first country granted reciprocal status by the European Commission on data transfers after the GDPR came into force the previous May.
However, the situation remains complex for companies transferring data to other territories, or to firms that might have a contract with another entity in a third country for data processing or storage. The new amendments extend the reach of Japanese data protection law to such third-party entities if they obtain the personal data of Japanese citizens.
Yoichiro Itakura, partner at Hikari Sogoh Law Offices, says the requirements amount to “a great burden on companies in Japan when they want to transfer data internationally.
“For example, if a company is using Amazon Web Services, then they need to check the data protection regime in Washington State,” points out Itakura, who says he has fielded enquiries from clients about the regimes of numerous countries around the globe. “Japan now has maybe one of the most burdensome data protection environments in the world,” he suggests.
A representative of a European luxury brand in Japan calls the regulatory shift “quite extensive”, and says the company has “reviewed the countries and data privacy regulations of where our vendors are from and put in additional security measures as necessary.
“The new law also requires greater transparency of how personal data is handled, which has caused us to add that information to our privacy policy,” the representative adds.
Individuals now have more rights to get information about how their data is used and where it is transferred to. Ironically, when people requested access to their own personal data before the amendments, the information could only be received in paper form.
“Now, in the 2020s, they have the choice of receiving it in electronic form,” says Itakura with a laugh.
The amended APPI doesn’t, however, grant the right to data portability that is enshrined in the GDPR, which entitles an individual to obtain their data in a format that lets them easily transfer it elsewhere. Other key elements of the GDPR not present in Japan’s new regime are the right to be forgotten (which allows people to have data erased in certain circumstances) and the right to withdraw consent from a data holder.
One other change under the new APPI is an end to the exemption from data protection rules for organisations or companies that only kept personal information for less than six months. Protections and rights now apply immediately after data is collected.
As for companies that might be concerned about accidentally falling foul of the complex new regulations, and even incurring huge fines, Itakura believes they have little to fear. He notes that there is currently no provision for the PPC to issue penalties in cases of administrative missteps or other non-criminal failings.
With new APPI amendments scheduled every three years, new measures for the next batch will likely be announced and enacted in 2023 and 2024, for enforcement in 2025.