The lowdown on Japan's APPI amendment

25 May 2017 by Adrienn Toth

On 30th May 2017, Japan's historic Act on the Protection of Personal Information is going to be amended (APPI) .  The APPI in its current form has been unchanged since the early 2000s and is one of Japan's oldest data protection laws. The decision to amend APPI are, like other forthcoming updates to data protection legislation like the the GDPR, is in reaction to rising data volumes, increased data breaches and increased concern over privacy.

What does the amendment change?

1. Creation of the Personal Information Protection Commission: The amended APPI went into partial effect in 2016, creating the Personal Information Protection Commission (PPC) as a central, independent regulatory authority with enforcement powers.

2. Two new classifications: Two information classifications will determine whether data can be transferred and if the owner of that information can give consent to its transfer: sensitive information and anonymised information. Sensitive information (information about a person’s race, creed, social status, medical records, criminal history, etc.) receives enhanced regulatory protection, with the person’s content required before such data can be transmitted. Anonymised information (personal information where there is no possibility of identifying the person) can be transmitted with restrictions but without the express consent of the individual.

3. “Opt-in” is now “opt-out”: The current rules require the user’s permission before personal data can be transferred. Under the amendments, companies can share data without permission if they disclose certain information to the user beforehand, such as the nature and purpose of the personal data being provided, and the way the data is being provided. The company transferring the information must also give the user the option to opt out of the transfer before it occurs. Businesses must disclose to the PPC if they will continue to default to an “opt-out” policy, or change the process transferring information to a third party. The PPC will make these changes known to the public.

4. International data transfer policy: For the first time, the APPI will address international information-sharing. Any company transferring personal records outside Japan’s borders will need the user’s permission, and opting out will not be an option unless the foreign jurisdiction has similar privacy standards.

5. Sanctions for noncompliance: The PPC is enacting a two-tiered criminal penalty measure into the APPI and its guidelines. A negligent violation will bring about an enforcement notice ordering the company to either correct the issue or halt data transfer operations. Failure to comply may result in imprisonment up to six months or a fine up to JPY 300,000. Intentionally stealing or providing personal information for a dishonest purpose may result in a direct penalty of up to one year in prison or a fine up to JPY 500,000.

Companies and law firms who are processing data in Japan will need to be pro-active and vigilant in order to comply with these changes. For truly international companies who are preparing for GDPR, the changes will mesh well with their compliance plans. For smaller companies or those operating only in Japan, it is like to be more of a challenge.