On June 5, 2020, Japan enacted a new set of amendments to its data-privacy law, the Act on the Protection of Personal Information (APPI). These Diet-approved updates are part of the APPI's "every three years" review policy, but the changes go far beyond minor tweaks to existing Japanese privacy law.
Taken as a whole, the 2020 amendments mark a further expansion of the APPI's scope, following in the footsteps of previous expansions. They increase the obligations of companies to be transparent and secure with the personal data of Japanese residents or risk incurring criminal penalties.
The major part of the APPI amendments isn't expected to officially come into effect until spring 2022, although the timeline is subject to change. But if your company does business in Japan, now is the time to educate yourself and make sure your business is compliant.
Why Japan's Data-Privacy Law Needed an Overhaul
In recent years, Japan has suffered a string of highly damaging data breaches, prompting the Japanese government to change its "hands-off" attitude toward data privacy and cybersecurity. Understanding those stories is crucial to understanding how the new amendments will be interpreted and enforced.
A culture of poor cybersecurity
According to The Economist, Japan "lags behind other advanced economies" when it comes to cybersecurity. Many Japanese SMBs have minimal security, and many more use vulnerable legacy technology. (The Economist illustrates this point with a shocking statistic: "Nearly 14m people were still using Windows 7 when Microsoft stopped providing security patches in January.")
Data breaches prompt outrage and change
The APPI was originally passed in 2003 and has been updated several times to require greater protection of personal data. In order to adapt to factors such as the rapid evolution of technology and global standards for protection of personal data, the 2015 Amendments required that new amendments be considered every three years.
While the law was due for amendments in 2020, the contents of those amendments were influenced by a string of high-profile breaches. For instance, in 2019, Japan's Uniqlo retail chain revealed a breach that compromised the data of over 460,000 customers. Stories like this prompted a national outcry and calls to strengthen the APPI's enforcement capabilities.
At the same time, another case was winding its way through the courts and would help shape the direction of the APPI amendments. Benesse, an education tech company, suffered a data leak in which an employee of a subsidiary stole and sold the personal data of an estimated 29 million customers, the Japan Times reports; Benesse itself stated that the leak involved over 35 million records.
After a lengthy legal battle, the courts found that the subsidiary should have known its protections against data exports were not up to date, and that Benesse should have provided more appropriate supervision. According to Data Guidance, both parties were found liable "for damages of JPY 3,300 (approx. €27) plus 5% late charges per annum per affected individual." Benesse was judged under the version of the APPI in force before the 2015 Amendments (which took effect in 2017), so you can't draw a direct line between this case and the 2020 amendments. What the case does show is that Japanese courts are willing to hold both a company and its subsidiary liable for inadequate security controls, and that the per-individual damages add up quickly at this scale.
The take-home message of all this context is that businesses can't afford to think of the APPI amendments as needless red tape or a continuation of the status quo. Rather, they're an opportunity to correct serious shortcomings in Japan's cybersecurity culture that could put your company's sensitive and proprietary data at risk.
What's Changing in the APPI Amendments
The 2020 amendments to the APPI make two broad changes: giving individuals more rights over their personal data and increasing the reporting obligations of companies.
Here's a quick rundown of the APPI's scope.
Who the APPI applies to
In principle, any business (whether for-profit or not) that handles the personal information of Japanese residents falls under the law, regardless of where the business is headquartered. The current APPI applies to non-Japanese entities if they acquire the data of Japanese residents and process it in a foreign country, except for certain provisions that are considered not applicable or enforceable to non-Japanese entities. There are limited exceptions for the press, professional writers and academics, religious groups, and political parties. This part of the law is largely unchanged from the previous version.
Under the current version of the APPI, the Japanese government can report incidents involving non-Japanese businesses to the foreign business's own regulatory authorities. The 2020 amendments expand that power: the Personal Information Protection Commission (PPC) can demand documents and reports from foreign entities, and can enter a facility and conduct an audit together with a foreign regulatory authority.
How the APPI defines personal information and personal data
The definition of personal information and personal data under the APPI hasn't changed since the 2017 revisions. It defines personal information as any information from which one can deduce the identity of a living individual. Such information includes biometric markers and official identifier numbers. Like the EU's General Data Protection Regulation (GDPR), the APPI also has a special category of "sensitive personal information," which includes race, religion, criminal record, and medical history. What the 2020 amendment does change is the scope of "retained personal data": it now also covers personal data scheduled to be deleted within six months of the date the entity obtained it, which is excluded under the current law.
It's important to note that the 2020 amendment introduces the concept of pseudonymized information, meaning data that cannot identify a specific individual unless it is combined with other information. According to the IAPP, pseudonymized information is exempted from parts of the APPI, including the requirement to disclose personal data and to stop using it on request. Because pseudonymized information is limited to internal use by the business, it may not be provided to third parties, even with the individual's consent or through the opt-out procedure.
The penalties for noncompliance
The current APPI establishes fines and penalties for violations, but the 2020 amendments make the penalties heavier. The amended APPI stipulates that parties who fail to comply with corrective orders by the Personal Information Protection Commission (PIPC, sometimes abbreviated as just PPC) can be liable for criminal punishment of up to 1 year imprisonment or fines of as much as 1,000,000 Japanese yen (if the party is a business entity, up to 100,000,000 Japanese yen). In addition, the 2020 amendments allow the PIPC to publish the names of operators who don't comply with orders.
Where a business or one of its employees provides or uses a personal-information database for illicit gain, the act is a criminal offense punishable by up to a year in prison or a fine of as much as 500,000 Japanese yen (if the party is a business entity, up to 100,000,000 Japanese yen).
Individuals can also sue for damages relating to the loss of privacy, which may end up having the biggest financial repercussions for businesses.
In practice, the PIPC usually follows an enforcement pattern of an initial inquiry into allegations, followed by recommendations to correct any violations. The PIPC can pursue legal action against companies who fail to change their behavior after this process.
New rights of individuals under APPI
The 2020 APPI amendments give individuals an expanded right of deletion or suspension of use. According to the law, data subjects can now demand their data be erased "if it has become unnecessary for a personal information handling business operator to utilize retained personal data," if that entity has had a certain data breach or leakage, or "there is a possibility that handling of the retained personal data... would harm the rights or legitimate interests of the principal."
Allowing individuals to demand erasure when there is a possibility of harm stands in contrast to the previous language, which allowed for deletion only when personal data was handled or acquired illegally. In addition, in the prior version of the APPI, any data scheduled to be erased within six months was exempt from the right to erasure. The new version removes the six-month exception.
The 2020 amendments also give data subjects the right to request an electronic copy of their personal data.
New obligations for companies under APPI
The old APPI guidelines did not include mandatory reporting of data breaches, but the new law does require businesses to report certain cases of "leakage, loss or damage" to the PIPC; the thresholds that trigger a report will be set in the PIPC's forthcoming rules. However, the language of the requirement is still somewhat murky when it comes to informing individuals that their data has been compromised. The law says this requirement doesn't apply "when it is difficult to inform a principal and when necessary alternative action is taken to protect a principal's rights and interests."
The 2020 amendments include two notable provisions regarding transfer of personal data to a third party. The first expands regulations to transfers in cases where the disclosing party can't use the data to identify specific individuals, but the recipient of the data can.
According to Data Guidance, "Given that provision of online identifiers (such as cookies) to third parties may become subject to consent requirements, this amendment will likely affect targeted advertising and other ad tech practices. The practical impact of the Amendments on businesses, in this respect, is high." However, Data Guidance goes on to say that, because obtaining consent for using cookies is already required under the GDPR, this requirement shouldn't be too onerous for GDPR-compliant companies.
The other notable element regarding third parties concerns transfer of data across national borders. Under the current version of the APPI, businesses sharing personal data with a third party outside Japan must obtain the consent of the data subject and share information about the data-privacy systems of the third party and its country. If a business does not obtain prior consent, it must instead ensure that the recipient has data protection standards equivalent to the APPI's, or is in a country that has been recognized as having equivalent standards. At present, the only such recognitions are for the European Union and the UK.
The 2020 amendments make several changes to this regulation. They expand the information that must be shared with individuals when obtaining consent (the specific details have yet to be released). They also require that when sharing personal data with operators that have equivalent data protection standards, businesses must ensure that the protection standards are maintained.
Also, under the amended APPI, personal-information operators are required to disclose their address and, if the operator is a corporation, the name of its representative director. Additional information must also be disclosed when personal data is provided to third parties through the opt-out procedure or is jointly used with other parties.
Preparing Your Business for APPI Amendments
Like many international data-privacy rules, the text of the APPI doesn't make many specific suggestions for best practices. However, the PIPC has issued guidelines regarding appropriate security measures. The good news is that many of these guidelines are familiar to GDPR-compliant companies, and they start with some basic data housekeeping.
The following guidelines are not intended as legal advice. Contact your legal counsel for specific recommendations for the provision of personal data.
Appoint a Data Protection Officer (DPO)
This isn't a hard and fast requirement, but PIPC guidelines recommend it for companies in which a breach could cause harm, provided the business is large enough. If you're running an international corporation handling sensitive personal information and conducting cross-border data transfers, consider this recommendation a requirement.
Update legacy systems
Given the prevalence of vulnerable legacy technology in Japan, it's essential to take a hard look at your company's internal systems. A failure to do so could lead to costly legal action. For example, in the Benesse case, the company's negligence hinged on the fact that they hadn't updated their processes to prevent the transfer of data to new Android phones. A small oversight with a big consequence.
In addition, staying on top of the latest encryption standards can free your company from some of its legal obligations. Under the current guidelines, businesses are not required to inform the PIPC of a breach, provided the leaked data is encrypted "at a high level." That safe harbor only means something if the encryption keys were not exposed along with the data; an attacker who obtains both has the data in the clear, so key storage and key access deserve the same scrutiny as the data itself.
Implement access controls
The APPI demands that businesses take "necessary and appropriate action for the security control of personal data." The bedrock principle of "necessary and appropriate" security is that you should limit the number of people who can access personal information.
Implementing a workforce identity and access management (IAM) system lets you assign permissions that determine who may access sensitive data, and on what terms. It also produces a tamper-evident record of every access, so if there is a breach you can establish what was touched, by whom, and limit the damage.
If a simple username/password combination is all that it currently takes to access your company's personal information databases, then workforce IAM is a priority.
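The two controls this section calls for, limiting who can reach personal data and keeping a record of access that cannot be quietly edited, are small enough to sketch in code. The following Python is an added illustration for this article, not code from Auth0's product or from the PIPC guidelines. The role-to-permission map, the customer IDs and the HMAC key are constructed for the example; in production the key would live in a KMS or HSM rather than in source, so that someone who can write to the log store cannot also recompute the chain.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed least-privilege role map (an assumption for this example):
# each role gets only the actions it needs on the customer database.
ROLE_PERMISSIONS = {
    "support_agent": {"customer:read"},
    "privacy_officer": {"customer:read", "customer:delete", "audit:read"},
    "marketing": set(),  # no direct access to raw personal data
}


class AuditLog:
    """Append-only, hash-chained access log.

    Every entry commits to the previous entry's MAC, so editing or deleting
    an earlier entry breaks every link after it. The HMAC key (assumed to be
    managed outside the application) stops an attacker who can write to the
    log from recomputing the chain after tampering with it.
    """

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []
        self._prev = self.GENESIS

    def _mac(self, entry: dict) -> str:
        # Canonical JSON so that the MAC is stable across key order.
        payload = json.dumps(entry, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, subject_id: str, allowed: bool) -> dict:
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "subject": subject_id,
            "allowed": allowed,
            "prev": self._prev,
        }
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        self._prev = entry["mac"]
        return entry

    def verify(self) -> bool:
        """Return True only if every entry is unmodified and correctly linked."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry.get("prev") != prev:
                return False  # an entry was removed or reordered
            body = {k: v for k, v in entry.items() if k != "mac"}
            if not hmac.compare_digest(self._mac(body), entry.get("mac", "")):
                return False  # an entry's contents were altered
            prev = entry["mac"]
        return True


def authorize(role: str, action: str, actor: str, subject_id: str, log: AuditLog) -> bool:
    """Deny-by-default permission check; both allowed and denied attempts are logged."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    log.append(actor, action, subject_id, allowed)
    return allowed


def demo():
    # Constructed key: replace with a KMS/HSM-managed secret in real deployments.
    log = AuditLog(key=b"example-only-key-not-for-production")
    r1 = authorize("support_agent", "customer:read", "alice", "cust-1001", log)
    r2 = authorize("marketing", "customer:read", "bob", "cust-1001", log)
    r3 = authorize("privacy_officer", "customer:delete", "carol", "cust-1001", log)
    intact = log.verify()
    # An insider tries to rewrite history: make Bob's denied read look allowed.
    log.entries[1]["allowed"] = True
    return r1, r2, r3, intact, log.verify()


if __name__ == "__main__":
    print(demo())  # (True, False, True, True, False)
```

The check is deny-by-default: a role that is missing from the map, or an action not listed for it, is refused, and the refusal is recorded alongside the successes, because a run of denied attempts against customer records is exactly the signal an investigator wants after a breach. Verification walks the chain from the first entry, so a single changed field or a single dropped entry fails the whole log rather than just the affected line.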
Data Protection Is Mandatory, With or Without Privacy Laws
In passing the latest APPI amendments, the Japanese government has made it clear that it intends to take a tougher stance on the handling of personal data. But it shouldn't take a Diet approval for businesses to examine their use of personal information or to ensure that they have appropriate security control measures in place.
Hopefully, these amendments will lead to improved outcomes for Japanese companies, citizens, and everyone doing business in Japan.
For further information on how a modern approach to IAM can help protect your company's data and comply with data protection laws, reach out to the team at Auth0.
The Auth0 Identity Platform, a product unit within Okta, takes a modern approach to identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.