Japan’s Amended APPI Comes into Effect 

These APPI amendments include data breach reporting, stricter data transfers, and increased data access rights

Andrew Clearwater, Chief Trust Officer, OneTrust

The Amendment Act to the current APPI (Act on the Protection of Personal Information) was approved on June 5th, 2020.  

While provisions in relation to penalties came into force on December 12th, 2020, additional requirements were scheduled to become effective on April 1st, 2022.   

The Personal Information Protection Commission (‘PPC’), which oversees and enforces the APPI, has released many revised guidelines in anticipation of the entry into effect, to help organizations comply with the amended APPI.

With the amendments to the APPI including increased data breach reporting obligations, stricter data transfer requirements, increased access rights for data subjects, and more, businesses will need to re-examine their existing programs. 

This includes improving processes around international data transfers and consent requests from data subjects for the use and/or transfer of personal data, and improving reporting templates.

Let’s take a more granular look:

What does the APPI April 1 effective date mean for businesses?  

1. Updated Data Transfer Requirements

  • Requirements to inform data subjects of the details of a transfer to a third party located in a foreign country 
  • Broadened vendor review requirements 

2. New Data Breach Reporting Obligations and Thresholds

A report to data subjects or relevant authorities is required for the following scenarios: 

  • Where personal data, including special care-required personal information, is leaked, lost, or damaged 
  • Where personal data that, if used for an improper purpose, will likely result in harm to the property of the individual is leaked, lost, or damaged
  • Where the leakage, loss, or damage of personal data occurred for an improper purpose 
  • Where the leakage, loss, or damage to personal data involves or is likely to involve the personal data of 1,000 or more individuals 

A data breach must be reported to the PPC no later than 30 days (or 60 depending on the scenario) after the controller becomes aware of the breach. Data subjects must be notified promptly as well, according to the circumstances. 

3. New Standards on Pseudonymized Personal Information 

The Amended APPI introduces the concept of “pseudonymously processed information”, which bears similarity to that under the GDPR. The concept is included to allow businesses to use pseudonymized information internally.

4. Broadening Access Rights and Extraterritorial Enforcement Options 

Data subject rights are broadened. For example, the Amendments will give data subjects the right to demand disclosure of retained personal data by electronic means.  

Businesses will now also be required to make the following additional information readily available to data subjects:  

  • Business address, name of a representative 
  • Description of updated rights of data subjects 
  • Security management measures in place to protect the subject’s personal data  

The APPI guidelines make up the comprehensive set of privacy laws within which businesses in Japan operate.  

With new privacy regulations, amendments, and laws coming into effect across the world, keeping up with the laws and what they mean for your business can be a challenge. Make sure to keep your finger on the pulse of privacy laws and regulations. Get regular updates on privacy news worldwide and stay up to date with OneTrust DataGuidance.

Visit OneTrust DataGuidance for more news!
