Overview of Practical Impact of Japan's APPI Amendments
Since 2005, the Act on the Protection of Personal Information (‘APPI’) in Japan has been amended twice. The first amendment was enacted in 2015 with the changes coming into force in 2017, and the latest Amendments were introduced in June 2020. It is expected that the current Amendments will come into force no later than June 2022. This webinar looks at the practical impact of the new Amendments. Our expert speakers provide a detailed analysis of the APPI, and look at specific changes to data subject rights, cross-border transfers, and data breach reporting.
Data subject rights
Data subject rights have been expanded under amendments to the APPI. In comparison to the current law, data subjects can now exercise their rights in response to a severe data breach, if their personal data no longer needs to be processed, or if their ‘rights or legitimate interest’ are likely to be affected. However, as our speakers point out, companies should be aware that certain exceptions apply. For example, a request can be refused if it would result in huge expense, or if an organisation can provide alternative means to protect the interests of the data subject.
Data retention period
Organisations should note that short-term data will now be subject to access requests from data subjects. Under the existing law, any data which was to be erased after six months was not ‘Retained Personal Data’ and therefore not subject to data subject requests. The amendments abolish this rule, and data subjects can exercise their rights regardless of the retention period.
Mandatory breach reporting
Under the current law, organisations should ‘duly make an effort’ to report a breach to the Personal Information Commission (‘PPC’), and it is recommended that the affected data subjects be notified, but this was not mandatory. Under the amendments, organisations will be required to report a data breach to the PPC, and to data subjects if the rights and interests of subjects are infringed.
The 2020 amendments will bring about some significant changes to penalties. In comparison to the GDPR, there are no administrative fines; however, criminal penalties have been increased. For example, the charge for submitting a false report is now 500,000 yen (approx. €4,000). Additionally, violating an order from the PPC can bring fines of 100 million yen (approx. €800,000).
How OneTrust DataGuidance helps
OneTrust DataGuidance™ is the industry’s most in-depth and up-to-date source of privacy and security research, powered by a contributor network of over 500 lawyers, 40 in-house legal researchers, and 14 full time in-house translators. OneTrust DataGuidance™ offers solutions for your research, planning, benchmarking, and training.
OneTrust DataGuidance provides comprehensive guides to privacy legislation in Japan. Beyond detailed Guidance Notes which cover topics from Data Transfers to Data Breach requirements, OneTrust DataGuidance also provides a comparison of the GDPR to the APPI.
OneTrust DataGuidance solutions are integrated directly into OneTrust products, enabling organisations to leverage OneTrust to drive compliance with hundreds of global privacy and security laws and frameworks. This approach provides the only solution that gives privacy departments the tools they need to efficiently monitor and manage the complex and changing world of privacy management.