RETURN TO MAIN BLOG
Japan has recently updated its 2005 Protection of Personal Information (APPI) Act, aligning it more closely with the European Union’s General Data Protection Regulation (GDPR). The revisions, announced this month, focus on how data breaches and facial recognition data collected from devices like security cameras are handled.
Under the new guidelines, data breaches must now be reported through a designated online form, a change from the previous methods of mail or fax. Additionally, when processing image data, the purposes must be declared upfront, and the methods and privacy protections employed must be transparent.
These changes are part of a broader effort to tighten regulations on international data transfers starting in 2022, pushing Japan’s data protection laws closer to those of the GDPR.
Scott Warren, a partner at the Tokyo office of Squire Patton Boggs, commented to The Daily Swig, “Japan has a comprehensive data privacy framework with many aspects similar to the GDPR. In fact, Japan is the only Asian nation that has established mutual adequacy decisions with the EU, recognizing each other’s data protection laws as comparable.”
Warren also noted, “It’s interesting to see the differences between the two. For instance, Japan lacks mandatory breach notification and significant penalties for non-compliance.”
A recent legislative amendment in Japan seeks to address these discrepancies by imposing higher penalties, potentially reaching up to $946,000. However, full implementation of these changes is expected to take more than a year.
Cross-border Transfers
Previously, the APPI’s enforcement on foreign entities was limited. Now, foreign businesses must report on how they handle the personal information of Japanese residents and face penalties for non-compliance.
In addition to reporting breaches through a specified web form, businesses are now required to notify both the victims and the Personal Information Protection Commission (PPC) of any breaches.
Expanding Individual Rights
Mirroring GDPR provisions, individuals in Japan can now request access to their data and ask for corrections or deletions if they believe their rights or interests have been compromised. This also applies to data stored for less than six months, a departure from the previous six-month requirement.
The requirement for explicit consent from data subjects for third-party data transfers is also being strengthened. Previously handled on an opt-out basis, data transfers now require opt-in consent. Organizations receiving such data must comply with APPI regulations.
Increased Penalties
Violations of these new rules could result in fines of ¥100 million ($942,000). Additionally, falsifying reports to the PPC carries a penalty of ¥500,000 ($4,708), and individuals responsible for breaches could face fines up to ¥1 million ($9,420) and one year in prison.
These updates position Japan at the forefront of data protection in Asia, a status shared with Korea. However, Warren observes that while other Asian countries are adopting GDPR-like laws, the rigor of these regulations varies significantly.
For example, Thailand’s recent data protection law shares similarities with the GDPR, but its implementation has been postponed. Vietnam’s new legislation includes elements from the GDPR but also introduces data localization requirements akin to China’s Cybersecurity Law.
Warren concludes, “Many countries in Asia still have considerable progress to make in data privacy.”