Between January 2016 and September 2017, a series of amendments to Japan’s Act on the Protection of Personal Information (APPI) will go into effect. The amendments, which were promulgated in September 2015, are the first changes since the law went into effect in 2005.
The following provisions will be of interest to American organizations that must handle the private information of Japanese citizens in connection with eDiscovery or internal investigations:
- Scope: The amendments extend the APPI’s coverage to foreign data controllers that collect the personal information of Japanese residents. Previously, the APPI applied only to entities within Japan.
- Definition of personal information: Originally, the law defined “personal information” as data that could identify a person by name, date of birth, or “other description contained in such information, including such information as will allow easy reference to other information and will thereby enable the identification of the specific individual.” Now, the definition will expand to include fingerprints, facial recognition data, and numeric identification codes, such as passport numbers and a new personal identification number referred to as “My Number” being used for taxes, health care, and other official purposes.
- Prohibition on collecting certain types of information: Organizations cannot collect data on certain sensitive topics, including race, religion, medical history, and criminal history, without the data subject’s prior consent.
- Regulatory body: The amendments create a Personal Information Protection Committee charged with enforcing the law. Previously, each ministry developed guidelines for each business sector, making the law difficult to enforce. The Committee is empowered to conduct on-site inspections and issue recommendations and orders. Organizations must report to the Committee any disclosure of personal data to third parties.
- Data anonymization: Organizations must ensure adequate safeguards are in place to prevent any identifying information from being restored once data is anonymized. With sufficient precautions, organizations can transfer anonymized data to third parties without data subjects’ consent, so long as they report the disclosure to the Committee and announce it publicly.
- Data transfers: Organizations cannot transfer data out of Japan without consent from the data subjects unless they offer an opt-out that is made publicly available. In addition, the recipient must have adequate data protections in place (as deemed by the Committee), or the recipient’s jurisdiction must have adequate privacy laws. The data controller must document the following information: the date of transfer, the recipient’s name, and other information as the Committee may outline.
- Liability: The improper transfer or theft of personal data is punishable by imprisonment of up to one year or a fine of up to 500,000 Japanese yen.
Although the complete details of the new regime are not yet available, given the law’s extended scope and definition of personal data, many more organizations will have to comply with the APPI. Now is the time for organizations to review the locations of their data, the types of data they collect, and their data transfer and eDiscovery protocols. Given the lack of a formal data protection regime in the United States, American organizations must ensure their own policies and procedures are sufficient to satisfy the Committee, which will begin operations on January 1, 2016.