While the COVID-19 pandemic has forced many organizations to conduct business remotely, this did not interfere with Japan moving forward with updating their privacy law. Recently, the Japanese Cabinet approved a bill to revise the Act on the Protection of Personal Information (APPI), which would broaden a data subject’s powers to exercise control over their data and establish a system to facilitate a company’s internal use of data. 

How do these APPI updates affect companies? 

The new updates to the APPI will require companies to take measures to protect personal data of data subjects, such as introducing a form of pseudonymization. In addition, the APPI will require companies to submit a data breach report to the Personal Information Protection Commission (PPC) and notify data subjects in the event of a data breach.  

What privacy rights does the APPI extend to data subjects?

The new updates to APPI, expand the rights of data subjects such as cessation of use, deletion, and cessation of third-party provisions of retained personal data. The updates make it easier for a data subject to exercise their data privacy rights and broaden the types of retained data. Any data retained for less than six months is included in a data subject right to demand disclosure of data. 

Japan’s privacy law significantly affects both the data subjects (consumers) and data handlers (companies) as penalties are increased. If a data handler fails to comply with the amended privacy updates, the maximum fine on data handlers can reach upwards of 100 million yen, depending on the violation. An increase of penalties is not the only update to the APPI that holds companies responsible for violating privacy rights; for example, expanding the PPC authority to offshore companies will allow the PPC the ability to report privacy violations.