Japan APPI Privacy Act
Japan’s Act on Protection of Personal Information currently in force (“Current APPI”) dates back to 2003. It was originally enacted on May 30, 2003, and came into effect in 2005. Ten years later, in September 2015, the National Diet passed extensive reforms to modernize the Current APPI. The Amended Act on Protection of Personal Information (“Amended APPI”) came into effect on May 30, 2017.
The updated APPI was instrumental in providing the foundation for both the adequacy decision and the free trade agreement with the EU.
Announced in Brussels, 23 January 2019
“The Commission has adopted today its adequacy decision on Japan, allowing personal data to flow freely between the two economies on the basis of strong protection guarantees.
This is the last step in the procedure launched in September 2018, which included the opinion of the European Data Protection Board (EDPB) and the agreement from a committee composed of representatives of the EU Member States. Together with its equivalent decision adopted today by Japan, it will start applying as of today”.
Věra Jourová, Commissioner for Justice, Consumers and Gender Equality said: “This adequacy decision creates the world’s largest area of safe data flows. Europeans’ data will benefit from high privacy standards when their data is transferred to Japan. Our companies will also benefit from a privileged access to a 127 million consumers’ market. Investing in privacy pays off; this arrangement will serve as an example for future partnerships in this key area and help setting global standards.”
The groundbreaking adequacy agreement came with extra safeguards in the form of guarantees, based on the three commitments below.
- A set of rules (Supplementary Rules) that will bridge several differences between the two data protection systems. These additional safeguards will strengthen, for example, the protection of sensitive data, the exercise of individual rights and the conditions under which EU data can be further transferred from Japan to another third country. These Supplementary Rules will be binding on Japanese companies importing data from the EU and enforceable by the Japanese independent data protection authority (PPC) and courts.
- The Japanese government also gave assurances to the Commission regarding safeguards concerning the access of Japanese public authorities for criminal law enforcement and national security purposes, ensuring that any such use of personal data would be limited to what is necessary and proportionate and subject to independent oversight and effective redress mechanisms.
- A complaint-handling mechanism to investigate and resolve complaints from Europeans regarding access to their data by Japanese public authorities. This new mechanism will be administered and supervised by the Japanese independent data protection authority.
The adequacy decisions also complement the EU-Japan Economic Partnership Agreement, which will enter into force in February 2019. European companies will benefit from free data flows with a key commercial partner, as well as from privileged access to the 127 million Japanese consumers. The EU and Japan affirm that, in the digital era, promoting high privacy and personal data protection standards and facilitating international trade must and can go hand in hand.
The Japanese adequacy decision is the first to be made after the introduction of the EU General Data Protection Regulation, which imposes stricter standards than those under the previous Directive.
It is also the first country-wide adequacy decision to be adopted since the fall of Safe Harbor and the Edward Snowden debacle. For that reason, it is not surprising that assurances relating to government access for law enforcement and national security feature strongly in the adequacy decision and the accompanying press release.
The EU Commission maintains an “adequacy list” of countries it has recognized in the past as providing a level of personal data protection adequate to that of the EU. Until this decision, Japan was not one of those recognized countries.
Japan’s reformed privacy law came into full force on May 30, 2017. Along with a significant number of changes, the new law also introduced a similar adequacy list concept. The mutual recognition will add Japan to the EU adequacy list and make the EU Japan’s first “adequacy listed” jurisdiction. Even so, a large number of differences remain between the privacy laws of the EU and Japan.
However, particularly with Japan’s recent reforms, the differences are less significant. In particular, the establishment of the Personal Information Protection Commission in Japan, a body dedicated to the establishment and enforcement of privacy regulations, significantly enhances Japan’s privacy law system.
What does this mean if my organisation shares data with a Japanese organisation?
Organisations in the EU can now share personal data with organisations in Japan without needing to go through the processes outlined in Chapter 28 (6-8) of the GDPR, such as SCCs or model clause contracts.
In practice, this means that EU organisations will no longer need to use the Commission’s standard contractual clauses or adopt binding corporate rules. This will simplify the process for data exchanges within multinational organisations and for businesses in the EU that use data processors in Japan. As part of the additional safeguards adopted by Japan, data subjects in the EU will also benefit from new rights and processes for dealing with complaints. Japan has also adopted a decision regarding the adequacy of EU data protection law, which will simplify the process for Japanese organisations wishing to transfer personal data to the EU, potentially providing easier access to the Japanese market for businesses in the EU.
Let’s look under the hood of the updated APPI and its definitions and how they compare with the GDPR:
Purpose of the Law
APPI: To protect the rights and interests of individuals while ensuring due consideration for the usefulness of personal information, by setting basic principles for the proper handling of personal information.
GDPR: To enable the free movement of personal data within the Union while protecting fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data.
Scope
APPI: Applies to the use of personal information for business. The APPI has a very broad and open concept of data processing.
GDPR: Applies to the processing of personal data wholly or partly by automated means, within the scope of Union law.
Territorial Scope
APPI: The APPI does not have express provisions dealing with jurisdiction and territoriality.
GDPR: Applies to processing that takes place in the Union or by a processor who has an establishment in the Union within the context of activities in the Union or to processing activities that are related to the offering of goods and services to (or behavioral monitoring of) data subjects in the Union.
Personal Information and Personal Data
“Personal Information” means the following two categories of information.
- Information about a living individual which can identify a specific individual by the description contained in the information, such as name, date of birth or other description (including voice or behavior information), including information which can easily be combined with other information so as to enable the identification of that individual; and
- Information that contains Personal Identifier Codes. “Personal Identifier Codes” means either (a) letters, numbers, marks or other codes for use with computers converted from a person’s bodily information which may identify the person, or (b) letters, numbers, marks or other codes on cards or other documents which are unique to the user or purchaser, and may identify the person. Apart from “Personal Information”, “Personal Data” is separately defined to cover information stored in a business operator’s database.
Personal Data is defined as Personal Information constituting the business operator’s “Personal Information Database”. A “Personal Information Database” in turn is defined as:
(i) an assembly of information systematically arranged in such a way that specific personal information can be retrieved by a computer; or
(ii) an assembly of information in accordance with certain rules, and that has a table of contents, index or other means to facilitate the retrieval. Accordingly, once “Personal Information” is stored into a “Personal Information Database”, such Personal Information becomes “Personal Data” under the APPI.
Sensitive Personal Data
APPI: Personal Information that needs special care (“Sensitive Data”) is defined to include race, religion, social status, medical history, criminal history and the fact that the person suffered damages by a crime.
GDPR: Special categories of data that are considered particularly sensitive are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Data Controller
APPI: There is no concept of a “Data Controller” under Japanese law. However, the APPI uses the term “business operator,” which essentially refers to the entity responsible for the proper handling of all “Personal Information.” This is similar to the concept of data controller under EU law.
GDPR: Means the natural or legal person, public authority, agency or other body, which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor
APPI: There is no concept of a “Data Processor” under Japanese law. As such, handling of personal data under the APPI should pertain to how a “business operator” treats and manages the personal information or personal data in its possession.
GDPR: Means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
Purpose Limitation
APPI: A business operator handling personal information shall not handle personal information beyond the scope necessary for achieving the purpose of use unless the business operator has obtained the prior consent of the data subjects. The purpose of use must promptly be notified to data subjects or publicly announced once a business operator acquires Personal Information, unless the purpose of use has already been publicly announced.
GDPR: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data Accuracy and Security
APPI: A business operator handling personal information must endeavor to keep the content of personal data accurate and up to date, within the scope necessary for achieving the purpose of use.
GDPR: Personal data should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay. Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Accountability
APPI: Japan does not recognize the concept of a data processor. Accountability lies with the business operator, which is similar to a data controller under EU law.
GDPR: The controller shall be responsible for and be able to demonstrate compliance with the principles of the processing of personal data under the GDPR. The controller and the processor shall designate a data protection officer where processing requires regular and systematic monitoring of data subjects on a large scale or the core activities of the controller or the processor consist of processing on a large scale of special (sensitive) categories of data or personal data relating to criminal convictions and offenses.
Access and Correction
APPI: The data subject may request the business operator to disclose, correct, add or delete the retained personal data.
GDPR: The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and to access the personal data and information about the processing, including what categories of data are processed, the recipients of the data, and rights to erasure and rectification of the personal data, the right to lodge a complaint with a DPA, the source of the data, whether the data was subject to automated profiling (and if so, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject).
Transfer of Personal Data to Another country
APPI: The APPI provides that Personal Data may not be transferred to a foreign country unless:
(i) the data subject has given specific advance consent to the transfer of the data subject’s Personal Data to the entity in a foreign country;
(ii) the country in which the recipient is located has a legal system that is deemed equivalent to the Japanese personal data protection system, designated by the Japanese data protection authority; or
(iii) the recipient undertakes adequate precautionary measures for the protection of Personal Data, as specified by the Japanese data protection authority.
GDPR: Personal data may only be transferred to third countries where the EU has considered the laws to provide adequate protection or where protected by binding corporate rules, approved model clauses, binding agreements combined with an approved code of conduct or approved certification.
Relentless Privacy and Compliance has performed a detailed article-level mapping exercise between the updated APPI and the GDPR. The aim is to help our clients determine how much duplication of operational effort can be avoided as they attain or maintain GDPR baseline compliance, and to help them focus on executing their operational strategy.