Japan’s Amended APPI Comes into Effect 

These APPI amendments include data breach reporting, stricter data transfers, and increased data access rights

Andrew Clearwater OneTrust, Chief Trust Officer


The Amendment Act to the current APPI (Act on the Protection of Personal Information) was approved on June 5th, 2020.  

While provisions in relation to penalties came into force on December 12th, 2020, additional requirements were scheduled to become effective on April 1st, 2022.   

The Personal Information Protection Commission (‘PPC’), which oversees and enforces the APPI, has released many revised guidelines in anticipation of the entry into effect, to help organizations comply with the amended APPI.

With the amendments to the APPI including increased data breach reporting obligations, stricter data transfer requirements, increased access rights for data subjects, and more, businesses will need to re-examine their existing programs. 

This includes improving processes around international data transfers, consent requests from data subjects for use and/or transfer of personal data, and improved reporting templates.  

Let’s take a more granular look:

What does the APPI April 1 effective date mean for businesses?  

1. Updated Data Transfer Requirements

  • Requirements to inform data subjects of the details of a transfer to a third party located in a foreign country 
  • Broadened vendor review requirements 

2. New Data Breach Reporting Obligations and Thresholds

A report to data subjects or relevant authorities is required for the following scenarios: 

  • Where personal data, including special care-required personal information, is leaked, lost, or damaged 
  • Where personal data that, if used for an improper purpose, will likely result in harm to the property of the individual is leaked, lost, or damaged 
  • Where the leakage, loss, or damage of personal data occurred for an improper purpose 
  • Where the leakage, loss, or damage to personal data involves or is likely to involve the personal data of 1,000 or more individuals 

A data breach must be reported to the PPC no later than 30 days (or 60 depending on the scenario) after the controller becomes aware of the breach. Data subjects must be notified promptly as well, according to the circumstances. 

3. New Standards on Pseudonymized Personal Information 

The Amended APPI introduces the concept of “pseudonymously processed information”, which bears similarity to that under the GDPR. The concept is included to allow businesses to use pseudonymized information internally.

4. Broadening Access Rights and Extraterritorial Enforcement Options 

Data subject rights are broadened. For example, the Amendments will give data subjects the right to demand disclosure of retained personal data by electronic means.  

Businesses will now also be required to make the following additional information readily available to data subjects:  

  • Business address, name of a representative 
  • Description of updated rights of data subjects 
  • Security management measures in place to protect the subject’s personal data  

The APPI guidelines make up the comprehensive set of privacy laws within which businesses in Japan operate.  

With new privacy regulations, amendments, and laws coming into effect across the world, keeping up with the laws and what they mean for your business can be a challenge. Make sure to keep your finger on the pulse of privacy laws and regulations. Get regular updates on privacy news worldwide and stay up to date with OneTrust DataGuidance.
