Extraterritorial Application of Japan’s Privacy Laws Expanded
January, 2017 - Daniel Hounslow, Bonnie Dixon
Amendments to Japan’s Act on Protection of Personal Information (“APPI”) (“Amendments”) were passed by the Diet on 3rd September 2015; some provisions, mainly those establishing and governing the Personal Information Protection Commission (“Commission”), are in force, and it has now been announced that the remaining provisions will be implemented on 30th May 2017 (“Implementation Date”), though regulations and guidelines setting out the precise scope of some of the revisions have yet to be issued by the Commission. The Amendments are likely to have a significant impact on companies holding personal information in Japan1,2, and expand the extraterritorial application of the APPI.
This note provides a general guide to the Amendments to help companies which may be affected by them to plan for the new regime.
Background
The protection of personal information3 in Japan is regulated under the APPI and numerous subsidiary regulations and guidelines. The Amendments update and enhance the APPI regime to address recent and anticipated technological and business developments in the use and storage of personal information, and, in particular, the use of “Big Data” and data transfers.
The Amendments will be supplemented and clarified by guidelines and regulations from the Commission and relevant ministries and regulators. Guidelines already issued by the Commission provide detailed guidance on the scope and meaning of the provisions of, and certain terms used in the APPI, and examples of their application, though the examples will not expand or limit the scope of the APPI; the guidelines also make it clear that a breach of a guideline which is expressed as an obligation, rather than a recommendation, would be deemed a breach of the APPI. The guidelines are not comprehensive, and additional guidelines may be issued for businesses and industries where there is a need for more stringent protection of personal information4.