Data protection laws are a matter of concern for most countries, and Japan is no exception. Japan first introduced its data privacy law in 2003. However, this law soon became outdated due to globalization and technological advancements. As a result, the nation suffered serious data breaches, from the Uniqlo retail chain breach to the Mitsubishi data breach and even to automotive giant Honda. All of these cases prompted new reforms and extensive amendments to the data privacy laws in Japan.
In recent years, data breaches and privacy violations in Japan often attract severe repercussions from the state and society. A perfect example is the Benesse heist, where an employee of the e-learning company stole and sold the personal data of about 29 million customers. The company paid heavily for this breach, losing over 900,000 customers and paying a large fine in the process. The Japanese authorities faulted their data protection compliance efforts and imposed heavy penalties.
With the current legislative measures, whether indigenous or not, businesses in Japan cannot afford to be nonchalant about complying with data privacy laws. Otherwise, they risk losing sensitive data and customer trust, which could lead to substantial financial losses through penalties. The good news is that any company can run a successful business in Japan without falling foul of the relevant authorities. This article explains how to stay compliant with Japanese data protection and privacy laws.
Key Japanese data privacy and protection laws
The primary legislation governing Japan’s data protection is the Act on the Protection of Personal Information (APPI), passed in 2003. Several amendments have been made to the Act in the last few years. One of the supplemental provisions made in 2017 requires that the Act be reviewed three times a year.
In addition, the government of Japan made further amendments in one of the 2020 reviews. These were enacted on June 12 of the same year but only came into effect on April 1, 2022.
The Act established the Personal Information Protection Commission (PPC) as the regulatory body responsible for supervising compliance with the Act. The PPC has issued guidelines that interpret certain terms used in the APPI and give examples of how they are applied. A breach of any obligation spelled out in these guidelines is deemed to be a breach of the APPI itself.
The PPC provides general guidelines and several specific ones to regulate, among others:
- Transfers to third parties in foreign countries.
- Checking and recording transfers to third parties.
- Appropriate handling of specific personal information.
- Security measures concerning specific personal data.
- Appropriate handling of specific personal information in financial businesses.
Japan’s data protection law regarding international data transfer
Following the recent amendments to the APPI, the requirements for the international transfer of personal data provide that a company handling personal information must seek and obtain the data subject's consent before transferring that data outside the country.
Furthermore, when the consent of the data subject is being sought, a company handling personal information must provide the subject with the following:
- The name of the country to which the information is transferred;
- The laws of that country regulating data protection;
- Any measure to be taken by the receiver of such personal information.
There is an exception, however, where the foreign third party is in a country whose personal information protection framework meets the adequacy requirements of the PPC, for example, countries certified under the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR).
Currently, the European Union, with its General Data Protection Regulation, is considered a jurisdiction whose standards of data protection are equivalent to those required in Japan. As such, cross-border data transfers to EU member countries do not usually require companies to obtain consent from the data subject.
Where a company transfers personal information without obtaining consent because the receiving country has a PPC-compliant system in place, the business still has the responsibility to:
- Monitor how such information is being managed and any change in the personal protection law of the country where the receiver is located.
- Take necessary actions if any problem is found with handling personal information.
However, these country exceptions are subject to review by the PPC every four years, or at any other time the PPC deems necessary.
To whom do Japan’s data privacy laws apply?
Japan's data privacy laws apply to any organization that handles the personal information of Japanese residents, regardless of where the organization is based. All companies, individuals, corporations, public authorities, and other organizations in Japan that work with personal data are covered by the provisions of the Japanese data protection law.
The APPI also applies to non-Japanese organizations insofar as they acquire the personal data of Japanese residents. Global SaaS companies that operate in Japan therefore fall within the reach of the Japanese data protection law. For example, the regulations apply to a data-service company headquartered in Canada whose website is accessible to residents of Japan.
In cases where enforcement of Japan’s data privacy law proves difficult with foreign organizations, the Japanese government is empowered by the APPI to report cases of non-compliance to the appropriate regulatory authorities in that foreign country and obtain reports from them.
How can businesses become APPI-compliant?
Amendments to the APPI have radically changed the obligations of businesses toward data security concerning the transfer of data across national borders. Under the APPI, companies transferring data outside Japan must obtain the data subject's consent and share information about the data-privacy systems of the third party and its country. If a business does not obtain prior consent, it must ensure that the data recipient has data protection standards equivalent to the APPI or is located in a country with equivalent standards. The only foreign countries deemed to have such comparable standards are the UK and European Union member countries.
To become compliant with Japanese data privacy laws, companies must create an updated privacy policy stipulating the purpose of the information collected. They must also maintain prescribed cybersecurity measures and set up physical restrictions to prevent information theft.
How to stay compliant with Japanese data protection laws
Data protection laws generally do not prescribe best practices, but the guidelines issued by the PPC do give useful indications of how individuals and organizations can meet Japan's data privacy requirements. Here are some steps companies can take to stay compliant with Japan's data protection laws:
Outsource data protection services
The PPC guidelines recommend that large international companies handling sensitive personal data and cross-border transfers engage data protection personnel to verify their compliance with the APPI rules.
Constantly review the privacy policy
The global data landscape is constantly evolving, and the APPI is reviewed regularly as a result. Companies should update their internal policies regularly to reflect these changes, since small oversights can have drastic consequences.
Set up access controls
It is essential to limit the number of people who have access to personal data to maintain security.
InCountry and data compliance
As established above, compliance with data privacy rules is tedious work because:
- Data privacy laws are broad and complex; and
- They are in constant flux.
Also, employing data protection services and constantly reviewing privacy policies to match the APPI can put constraints on a company’s resources.
InCountry provides an all-inclusive solution to the problem of compliance with data protection regulations.
Currently, InCountry offers data residency-as-a-service to companies in 90-plus countries worldwide and counting to help them with data compliance. InCountry stays ahead of the latest data privacy trends and is the best bet for real-time data compliance.
InCountry’s Salesforce data residency solution helps organizations remain fully compliant in data transfer across countries.
How InCountry helps with data privacy
InCountry uses highly-specialized technology to maintain strict data privacy in different countries. For example:
- InCountry uses the two most secure data centers in each country to store data for clients.
- InCountry SDK offers secure communication between data stores using high-level encryption that no one else can access.
- InCountry Border keeps data within the country without any changes.
InCountry follows the highest standards to provide the best services and is ready to help your company stay compliant with Japanese data protection laws.