What You Need to Know About Japan’s Amended APPI Law

Japan’s New Privacy Guidelines Attempt to Bridge the Cultural Divide and Give Regulators Teeth with Foreign Companies

On April 1, 2022, amendments to Japan’s Act on Protection of Personal Information (Amended APPI) will come online, offering new guidelines, definitions, and requirements for data incidents and breaches that impact Japanese citizens.

Japan’s data laws have already placed it at the top of the list of countries concerned with protecting individual data rights – it was the first country to negotiate a reciprocal “adequacy” agreement with the EU, meaning data can flow between the EU and the designated “adequate” nation without any further data measures being put in place. 

Japan’s amended APPI – and the pages of supporting documentation released since its passage in 2020 – clarify several points about Japan’s existing laws, including: 

• Rules for transferring personal data and person-related information outside of Japan 
• Mandatory reporting guidelines for data security “incidents” and “breaches” 
• Guidance for creating pseudonymous information that can be considered exempt from certain Amended APPI regulations.

A closer look at Japan’s Amended APPI reporting requirements for data incidents and data breaches.

Japan’s Amended APPI defines “incidents” as events in which data breaches have occurred or are likely to have occurred unless data protection measures such as encryption have been taken, thereby preventing leak or loss of personal data. 

The new guidelines make it mandatory to report incidents to Japan’s Personal Information Protection Commission (PPC) if the incident involves: 

1. Breaches of data including sensitive data
2. Breaches of data including data that may result in economic loss if used improperly (e.g., stolen credit card information, leaked login ID and its password for a web service with payment or settlement services)
3. Breaches with unjust purposes (e.g., personal data were stolen by unauthorized access, personal data were taken as a hostage by ransomware)
4. Number of data subjects subject to Breaches is more than 1,000

According to Japan’s Amended APPI, the impacted business must file two notifications to the PPC—the first promptly after becoming aware of the incident (3-5 calendar days) and the second within 30 calendar days (or 60 if the breach is a result of “unjust purposes”). 

The first report must offer a what-we-know-so-far summary, and the second must give a detailed account of the incident. Any event that triggers a report to the PPC also requires notice to be made to the individual data subjects affected.  

When summarizing the new guidelines, the International Association of Privacy Professionals (IAPP) explains, 

Under the current law, if there is a data breach, the business operator merely has a ‘duty to make an effort’ to submit a report of the data breach to the PPC and notifying affected data subjects is only a recommended course of action. However, the amendments will introduce mandatory obligations to report data breach incidents to PPC and notify the affected data subjects in cases when the data subjects’ rights and interests are likely to be infringed.” 

Japanese companies understood existing data breach laws meant business, while off-shore companies often interpreted words like “Duty” or “Guidance” to mean optional.

While IAPP’s analysis suggests that the Amended APPI fills in some holes in the original legislation, another possible take on the amendments is that they are targeted at foreign companies operating in Japan. 

According to scholar Flora Y. Wang, it is understood culturally by Japanese companies that terms such as “duty” and “guidelines” are enforceable by Japanese courts, while to non-Japanese companies, these terms are read as loose recommendations that do not have teeth. 

Japanese companies understand that the PPC seeks cooperation and will withhold strong enforcement measures as long as a company demonstrates goodwill and an interest in making corrections, while many non-Japanese companies have ignored warnings that only speak to “duty” or “guidance.” 

Japan’s Amended APPI and Other Regulations Simplified

RadarFirst’s incident management platform assists in determining if an incident (a breach or likely breach in this case) has occurred and whether personal information is involved or likely to have been involved – as required by the amended APPI. 

The RadarFirst intelligent incident management platform also determines notification obligations to any regulators – in this case, the PPC – who may have jurisdiction over the breach incident and the data involved, as well as the timelines required and whether or not individuals must be notified.

In the case of Japan’s Amended APPI, where there are at least four criteria that may activate the need for a mandatory report, and where some timelines vary depending on what type of incident occurred, the RadarFirst incident management platform will enable your privacy team to act quickly and confidently, demonstrating goodwill to regulators. 

As mentioned above, Japan favors a cooperative approach to resolving data management issues, and the PPC values a company’s willingness to report quickly and in good faith, working to help companies revise processes. 

The RadarFirst incident management platform also provides a module within the app that generates notification letters to regulators and affected individuals, populating the letters with the appropriate event summaries and data to accurately reflect the incident and meet the requirement of the regulating body. 

Companies doing business in Japan or storing personal data belonging to Japanese citizens will benefit from the confidence of knowing their incident reporting letters address the intricacies and expectations behind these new guidelines.