Effective dates for amended Data Privacy law in Japan announced

Hogan Lovells

Hogan Lovells

The Japanese government has released the effective dates of substantial amendments to the Japanese Act on the Protection of Personal Information (“APPI”). The revised Act will fully come into effect on 1 April 2022. Provisions on increased penalties have been in force since December 2020 and restrictions on an “opt-out” exception will be effective from October 2021.

On 24 March 2021, the Japanese government released the effective dates of substantial amendments to the Japanese Act on the Protection of Personal Information (“APPI”) that had been announced in June 2020, requiring companies to take certain additional measures to protect personal data of data subjects.  

The amended APPI was enacted on 5 June 2020 and promulgated on 12 June 2020. The revised Act (Act No. 57 of 2003 as amended in 2015) will fully come into effect on 1 April 2022; however, parts of the amendments are effective earlier:

  • Effective 1 October 2021, use of the "opt-out" exception for data subjects’ consent will be restricted (e.g. the revised version of the APPI limits the cases where data handlers can use an "opt-out provision" for transfers to third-parties);
  • in effect since 12 December 2020 are the amended provisions that raised penalties to fines of up to 100,000,000 JPY (about USD 1 million) in case of violation of an order from the authority or illegitimate use of data.

Other key provisions of the amended APPI that will be effective from April 2022 include the concept of “Pseudonymously Processed Information”, provisions on mandatory breach reporting, “personal-related information” and extraterritorial applicability. The latter grant the Personal Information Protection Commission (“PPC”) authority to request foreign entities which supply goods or services in Japan and handle personal information of individuals in Japan to submit reports or to issue orders in case of violations of the APPI, which can be enforced with a penalty.

Although the guidelines for the new APPI have not been provided yet, the amended Cabinet Order and Commission Rules of the APPI (promulgated on 24 March 2021) stipulates important points. For example, where data breaches “likely harm the rights and interests of individuals”, it will be required to report to the relevant authority in specified time frames and to inform affected individuals timely. Reporting will be required in the following scenario: (1) a leakage of special care required personal data (similar to “sensitive data”) (2) results in a risk of property damage, (3) which is based on an intentional violation of the law such as unauthorized access, and (4) affects at least 1,000 data subjects. Further, the Rules provide conditions for recording obligations and a retention period of generally 3 years relating to data that may be regarded as personal data when a third party receives it and can derive information about a data subject from it (“personal-related information”, e.g., cookies may be included, depending on the situations).

Next steps

We continue to monitor the guidelines on the APPI to be issued by the PPC.
For more details of the amended APPI, please refer to our previous article here [link to our update on 30 March 2020: Hogan Lovells | Update of Japan's privacy law approved by Cabinet - 30 March 2020 (ehoganlovells.com) ]

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising

Written by:

Hogan Lovells

Hogan Lovells on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.