April 1, 2022
Japan’s Amended APPI Comes into Effect
The Amendment Act to the current APPI (Act on the Protection of Personal Information) was approved on June 5th, 2020.
While provisions in relation to penalties came into force on December 12th, 2020, additional requirements were scheduled to become effective on April 1st, 2022.
The Personal Information Protection Commission (‘PPC’), which oversees and enforces the APPI, has released many revised guidelines in anticipation of the entry into effect, to help organizations comply with the amended APPI.
With the amendments to the APPI including increased data breach reporting obligations, stricter data transfer requirements, increased access rights for data subjects, and more, businesses will need to re-examine their existing programs.
This includes improving processes around international data transfers and consent requests from data subjects for use and/or transfer of personal data, as well as improving reporting templates.
Let’s take a more granular look:
What does the APPI April 1 effective date mean for businesses?
1. Updated Data Transfer Requirements
- Requirements to inform data subjects of the details of a transfer to a third party located in a foreign country
- Broadened vendor review requirements
2. New Data Breach Reporting Obligations and Thresholds
A report to data subjects or relevant authorities is required for the following scenarios:
- Where personal data, including special care-required personal information, is leaked, lost, or damaged
- Where personal data whose use for an improper purpose is likely to result in harm to the property of the individual is leaked, lost, or damaged
- Where the leakage, loss, or damage of personal data occurred for an improper purpose
- Where the leakage, loss, or damage to personal data involves or is likely to involve the personal data of 1,000 or more individuals
A data breach must be reported to the PPC no later than 30 days (or 60 depending on the scenario) after the controller becomes aware of the breach. Data subjects must be notified promptly as well, according to the circumstances.
3. New Standards on Pseudonymized Personal Information
The Amended APPI introduces the concept of “pseudonymously processed information”, which is similar to the corresponding concept under the GDPR. The concept is included to allow businesses to use pseudonymized information internally.
4. Broadening Access Rights and Extraterritorial Enforcement Options
Data subject rights are broadened. For example, the Amendments will give data subjects the right to demand disclosure of retained personal data by electronic means.
Businesses will now also be required to make the following additional information readily available to data subjects:
- Business address, name of a representative
- Description of updated rights of data subjects
- Security management measures in place to protect the subject’s personal data
The APPI guidelines make up the comprehensive set of privacy laws within which businesses in Japan operate.
With new privacy regulations, amendments and laws coming into effect across the world, keeping up with the laws and what they mean for your business can be a challenge. Make sure to keep your finger on the pulse of privacy laws and regulations. Get regular updates on privacy news worldwide and stay up to date with OneTrust DataGuidance.