Apr 29, 2022
6 min read

How to Comply with Japan’s Updated Act on the Protection of Personal Information

On June 5th, 2020, Japan amended its Act on the Protection of Personal Information (APPI) for the second time. The deadline for businesses to adapt the new regulations was April 1st, 2022.

The main changes include a new procedure for transmitting of personal data to third parties and overseas, as well as notification requirements in the event of data breaches. In this article, we provide an overview of the APPI, an explanation of the latest amendments, and ways to follow them.

What’s the Act on the Protection of Personal Information about?

The Act on the Protection of Personal Information (APPI) was published in 2003 and was amended twice since then, in 2015 and 2020. The goal of the APPI is to protect the personal information of individuals in Japan.

The main regulatory body that ensures the fulfillment of the APPI is the Personal Information Protection Commission (PPC). The PPC is also Japan’s primary investigatory and enforcement institution for supervision, regulatory compliance and assessments, as well as mitigation of complaints.

The APPI focuses on two types of data that can be processed only with the subject’s consent:

  • personal information including name, date of birth, contact and personal identifier codes;
  • special-care required information including sensitive information, such as medical history, race, criminal record, and so on.

There is no definition of biometrics, but this would likely fall within the scope of special-care required information.

According to the APPI, subjects can request information about the purposes of personal data processing and have the right to modify and delete it.

Who’s affected?

In general, all businesses that operate in Japan and handle personal data must comply with the APPI, regardless of their size or income. While the original version of the act didn’t subject businesses operating with a small number of data subjects, the 2015 amendments expanded compliance requirements to all businesses.

The act also applies extraterritorially to foreign businesses that have a Japan market link. This means that businesses operating outside of Japan but collecting data from subjects in Japan must also comply with the APPI.

The only exceptions are governmental organizations, administrative agencies, and educational institutions.

Do you want to stay compliant with the latest amendments in Japan? Contact Sumsub today.

The 2020 amendments

The 2020 amendments to the APPI widened the scope of data subjects’ rights regarding data protection. The main changes for businesses relate to transfers of information to third parties and data breach notifications.

Transfer of personal information to third parties

  • Before: until the implementation of the 2020 amendments, businesses could transfer personal data without requesting the subject’s consent. Instead, businesses just had to provide information about the transfer to the data subjects, while data subjects could opt-out of the transfer afterwards.After: from April 1st, 2022, businesses need to acquire consent from data subjects in order to transfer their personal data. There are exceptions to this rule in cases when the transfer of personal information is a matter of national security, legal matters, or public interests. Businesses may avoid obtaining consent if they notify the subject of third party details prior to data transferring. This option does not apply in cases where special care-required personal information is to be transferred. The required set of details on third parties is provided in the ‘How to comply’ section of this article.

Transfer of Personal Related Information to a third party

Before: the APPI didn’t have a Personal Related Information section.

After: the latest amendments include a new type of personal information called Personal Related Information (PRI). PRI refers to information that is related to personal matters. Such information may include purchase history or web browsing history. PRI doesn’t include personal data, such as name or date of birth.

Now, businesses need to acquire consent from subjects before transferring such information to third parties (if this information can be used with other information acquired by the third party to identify a subject).

Transfer of pseudonymous information to a third party

Before: the APPI didn’t have a pseudonymous information section.

After: the new version of the APPI introduced a pseudonymous information section. This type of information doesn’t disclose the subject’s identity, but it can still be cross-compared with other information to establish identity.

Pseudonymous information is personal information that was encrypted to protect subjects. The new version of the APPI ensures that this type of information can’t be transferred to a third party without the subject’s consent or when the reason for transferring it doesn’t fall under the list of exceptions.

Transferring information to a third party outside Japan

Before: the PPC didn’t have the authority to regulate information transfer operations to third parties operating outside Japan.

After: the amendments have changed the procedure of transferring information to third parties outside Japan, giving the PPC authority to supervise such procedures. To initiate such transfers, businesses must ensure that the receiving foreign third party:

  • has a level of protection equivalent to that of Japan (referred as “equivalent action”);
  • is part of the list of Japan’s adequacy decisions (analogous to the EU version) provided by the PPC, which is periodically updated .

When transferring such information to foreign countries, businesses need to notify data subjects about the intended destination. This includes:

  • the name of the destination country;
  • an explanation of the data protection system in the country;
  • measures that the receiving third party will take to protect their data.

Sumsub can help your business to verify your customers. Contact us today.

Subjects’ data rights

Before: subjects could request access to, change, or delete the data they provided. However, this rule only applied for long-term data, which was supposed to be used for six months or longer. Subjects could modify or delete their data only in cases when it was:

  • collected by improper means;
  • used for purposes beyond the ones agreed while collecting data.

After: subjects are now entitled to access and modify short-term data as well. After the introduction of the latest amendments, subjects can also request to modify or delete their data if there’s a possibility that the provided data may negatively affect them.

Data breach notifications

Before: it was only a recommendation to notify subjects about data breaches.

After: businesses need to notify the PPC, as well as the subjects whose data was leaked, about data breach incidents. If a business can’t reach affected subjects through regular means, it has to find an alternative solution.

Businesses now have to notify the PPC twice: 1) through a short notification that must be made immediately when the breach occurs; 2) through a secondary report that should be submitted later and include extensive information regarding the incident.

EU and UK transfers derogations

To ensure smooth mutual data transfers between the EU and Japan, additional rules are imposed on Japan-located businesses with an EU or UK market link. This concerns ensuring the same levels of protection as in the EU GDPR and UK GDPR, where this regulation is stricter than the APPI.

When received in Japan, special categories of data from the EU and the UK should be processed in accordance with the APPI rules for special care-required personal information.

The text of the supplementary rules is available here.

How to comply

Before processing the subject’s data, businesses should document, map and analyze whether there are any transfers to third parties.

While transferring the subject’s data, businesses can’t provide personal information to a third party without first obtaining the consent of the subject, except in cases:

  • based on laws and regulations;
  • when it’s necessary to protect human life or property and when it’s difficult to obtain the consent of the principal;
  • when there’s a particular need to protect public and children’s health;
  • cases when cooperation is necessary in relation to a central governmental organization or local government, or to a person to whom they have entrusted the execution of affairs provided for by laws and regulations.

Businesses need to provide details to the data subject about third parties before transferring their information to them. Third party details include:

  • name;
  • purpose of data transfer;
  • categories of personal data;
  • methods of obtaining personal data and providing it to a third party;
  • method of obtaining the request of the subject;
  • other issues stipulated by the PPC rules as necessary to protect the rights and interests of a subject.

These details should be communicated to the data subject and, if applicable, to the PPC.

In cases where information about the third party gets changed, businesses must inform the subjects about this or create conditions for data subjects to easily access this information. Businesses should also report these changes to the authorities.

Fines and penalties

The previous version of the APPI used moderate sanctions against non-compliant businesses. While previously the maximum fine for a business was ¥500,000 (approx. $3,900), now businesses can face a fine of up to ¥100 million (approx. $781,500). Meanwhile, representatives of these businesses can face up to one year of imprisonment and a fine of up to ¥1 million (approximately $7,815).

Key takeaways

The latest APPI amendments show that data protection is of special importance to Japan, especially when Japanese citizens’ information is provided overseas. Therefore, businesses should pay special attention to the amended version of the APPI and ensure that they stay compliant with data transfer requirements. To do so, businesses need to thoroughly understand their processing activities and employ technologies to protect themselves from data breaches. Businesses also need to ensure that they obtain consent while transferring data to a third party.

Let Sumsub supplement your compliance process. Contact us today.