Effective dates for amended Data Privacy law in Japan announced

The Japanese government has released the effective dates of substantial amendments to the Japanese Act on the Protection of Personal Information (“APPI”). The revised Act will fully come into effect on 1 April 2022. Provisions on increased penalties have been in force since December 2020 and restrictions on an “opt-out” exception will be effective from October 2021.

On 24 March 2021, the Japanese government released the effective dates of substantial amendments to the Japanese Act on the Protection of Personal Information (“APPI”) that had been announced in June 2020, requiring companies to take certain additional measures to protect personal data of data subjects.  

The amended APPI was enacted on 5 June 2020 and promulgated on 12 June 2020. The revised Act (Act No. 57 of 2003 as amended in 2015) will fully come into effect on 1 April 2022; however, parts of the amendments are effective earlier:

  • Effective 1 October 2021, use of the "opt-out" exception for data subjects’ consent will be restricted (e.g. the revised version of the APPI limits the cases where data handlers can use an "opt-out provision" for transfers to third parties);
  • In effect since 12 December 2020 are the amended provisions that raised penalties to fines of up to 100,000,000 JPY (about USD 1 million) in case of violation of an order from the authority or illegitimate use of data.

Other key provisions of the amended APPI that will be effective from April 2022 include the concept of “Pseudonymously Processed Information”, provisions on mandatory breach reporting, “personal-related information” and extraterritorial applicability. The latter grants the Personal Information Protection Commission (“PPC”) authority to request reports from foreign entities which supply goods or services in Japan and handle personal information of individuals in Japan, and to issue orders in case of violations of the APPI, which can be enforced with a penalty.

Although the guidelines for the new APPI have not been provided yet, the amended Cabinet Order and Commission Rules of the APPI (promulgated on 24 March 2021) stipulate important points. For example, where data breaches “likely harm the rights and interests of individuals”, it will be required to report to the relevant authority within specified time frames and to inform affected individuals in a timely manner. Reporting will be required in the following scenario: (1) a leakage of special care required personal data (similar to “sensitive data”) (2) results in a risk of property damage, (3) which is based on an intentional violation of the law such as unauthorized access, and (4) affects at least 1,000 data subjects. Further, the Rules provide conditions for recording obligations and a retention period of generally 3 years relating to data that may be regarded as personal data when a third party receives it and can derive information about a data subject from it (“personal-related information”; e.g., cookies may be included, depending on the situation).

Next steps

We continue to monitor the guidelines on the APPI to be issued by the PPC.
For more details of the amended APPI, please refer to our previous article of 30 March 2020, "Update of Japan's privacy law approved by Cabinet".

Authored by Hiroto Imai, Mizue Kakiuchi, and Eva-Marie Koenig.

Contacts
Hiroto Imai
Partner
Tokyo
Mizue Kakiuchi
Senior Associate
Tokyo

 
