Applicability of Japanese Data Protection Law to Foreign Businesses Operating Outside of Japan

Internet and mobile applications have made selling goods and services across borders no longer technically challenging or complex. Such services, however, inevitably entail the movement of their users' personal information across borders. This could put foreign companies and startups at risk of unintentionally violating foreign privacy laws. Each jurisdiction has its own legislation on whether, and to what extent, its local data protection rules apply to foreign business entities. Today, we will explain this issue in the case of Japan.

Japanese Data Protection Law Overview

Japan's data protection legislation is the Act on the Protection of Personal Information (APPI). The APPI aims to provide rules and guidelines for the use and protection of personally identifiable information in Japan.

The Personal Information Protection Commission (the “PPC”) is the Japanese regulatory agency responsible for the APPI.

The APPI was amended significantly in 2015 so as to meet the OECD’s eight Privacy Principles. As a result, Japan received certification as an “adequate” country for EU data protection purposes.

Who Does the Japanese Data Protection Law Apply To?

The 2015 amendment explicitly declared that the APPI is applicable to a business operator outside of Japan if it has obtained personally identifiable information of individuals residing in Japan, or anonymized information from Japan, while providing goods or services to individuals in Japan.

The most common examples of foreign business operators subject to APPI regulation would be an online shopping site that sells and ships products to customers in Japan, and SNS or mobile application services that internet users in Japan can download and use.

One thing to note is that the APPI doesn’t apply to a foreign business operator if it does not collect the personal data directly from Japan but instead receives such data from a third-party business operator in Japan that collects and manages the data. The APPI treats such a case as an outbound transfer of personal data, and only the third party that collected the PII in the first place is subject to the APPI.

For example, when a Japanese branch or subsidiary transfers personal data collected in Japan to its head office or parent company outside of Japan, the APPI applies only to the Japanese branch or subsidiary. Thus, the Japanese branch or subsidiary must meet the requirements and its obligations under the APPI in order to transfer the personal data to its head office or parent company outside of Japan.

Which Parts of the APPI Apply to Foreign Business Operators?

Currently, the following articles of the APPI are applicable to foreign companies doing business in Japan.

Article 15 (Specifying a Utilization Purpose)
Article 16 (Restriction due to a Utilization Purpose)
Article 18 (1) (Notification etc. of a Utilization Purpose when Acquiring)
Article 19 (Assurance etc. about the Accuracy of Data Contents)
Article 20 (Security Control Action)
Article 21 (Supervision over Employees)
Article 22 (Supervision over a Trustee)
Article 23 (Restriction on Third Party Provision)
Article 24 (Restriction on Provision to a Third Party in a Foreign Country)
Article 25 (Keeping etc. of a Record on a Third-Party Provision)
Article 27 (Public Disclosure etc. on Matters relating to Retained Personal Data)
Article 28 (Disclosure)
Article 29 (Correction etc.)
Article 30 (Utilization Cease etc.)
Article 31 (Explanation of Reason)
Article 32 (Procedure for Responding to a Demand etc. for Disclosure etc.)
Article 33 (Fee)
Article 34 (Advance Demand)
Article 35 (Personal Information Handling Business Operator’s Dealing with a Complaint)
Article 36 (Production etc. of Anonymously Processed Information)
Article 41 (Guidance and Advice)
Article 42 (1) (Recommendation and Order)
Article 43 (Restriction on the Personal Information Protection Commission’s Exercising the Authority)
Article 76 (Exclusion from Application)

The APPI was amended again in 2020, and the new legislation is going into force in 2021. Violation of the Japanese data protection law could result in severe damage to your business in Japan. It is therefore highly recommended to check and comply with the most recent developments in data protection law in Japan and to do periodic housekeeping of your data management system.

For further information on the Japanese data protection law and how to comply with it, please reach out to us. Our Japanese lawyers in our Tokyo and Osaka offices have been serving foreign clients in the field of Japanese data protection and privacy law.

© 2021 All rights reserved.
