Japan has amended its Act on the Protection of Personal Information (APPI), the law that took full effect in 2005, bringing it closer in line with the EU’s General Data Protection Regulation (GDPR).
The latest tweaks, announced this month, cover data breach reporting and the use of facial recognition data gathered from devices such as security cameras.
Breaches should now be reported using an official form, rather than by mail or fax, as before.
When processing image data, the intended use should be stated up front, and the processing methods and the privacy measures applied to those images should be made clear.
These additions follow hard on the heels of more significant changes, which will mean tighter controls on the international transfer of data from 2022, helping to bring the law further in line with GDPR.
“Japan has a robust data privacy law with many similarities to the GDPR,” Scott Warren, a partner in the Tokyo office of law firm Squire Patton Boggs, tells The Daily Swig.
“Indeed, Japan is the only country in Asia to have exchanged joint adequacy findings with the EU, finding the laws roughly equivalent.”
Warren added: “What I find interesting is the ways the laws diverge. For example, Japan does not have a breach notification obligation, nor significant penalties on entities failing to meet the standards.
“Japan has recently passed an amendment to the law to rectify some of these and other items, including increasing penalties up to $946,000 – but it will take well over a year for it to be fully implemented.”
While in its current form the APPI applies to any organization obtaining personal information from data subjects located in Japan, the law hasn’t been enforceable against foreign businesses.
Now, though, they will have to provide reports concerning the processing of Japanese residents’ personal information – and can be penalized if they fall short.
In addition to the move towards reporting via a specific web form, there is also a new requirement for breaches to be reported both to the affected individuals and to the Personal Information Protection Commission (PPC).
The reporting threshold is not yet clear, but major incidents, and those that infringe the rights of data subjects, almost certainly will have to be reported.
Expanding individual rights
In a GDPR-like move, data subjects will now have the right to request access to their data, and to ask for it to be corrected or deleted, where there’s the possibility that their rights or legitimate interests have been breached.
These rights also extend to short-term data – previously, they only applied to data that had been held for six months or more.
Currently, data can be passed to a third party on an opt-out basis, without the data subject’s explicit consent.
This, though, is set to change, and permission will become opt-in. Further, if data has already been transferred on an opt-out basis, it cannot now be transferred to a third party without permission. Any organization receiving data will have to conform to APPI standards.
Organizations that violate these rules now face a potential fine of ¥100 million ($942,000), while falsifying a report to the PPC will cost ¥500,000 ($4,708). Meanwhile, any individual found responsible for a breach could face a fine of up to ¥1 million ($9,420) and a year in prison.
The move brings Japan to the forefront of Asian data protection legislation, says Warren, along with Korea, which has had strong data protection laws for years.
“Elsewhere, we have seen a number of countries pass new data privacy laws, which have various GDPR-type elements in them, though rarely as strenuous,” he says.
“Thailand’s new law is similar in many respects, though its implementation has been delayed. Vietnam’s new law takes various elements of the GDPR, but includes data localization requirements similar to China’s Cybersecurity Law.”
He adds: “I fear many countries in Asia have a way to go.”