The data protection regime in Japan is likely to change shortly as a number of provisions to the Act on Protection of Personal Information (APPI) will come into force on the 30th May 2017.
Of interest to international businesses will be that:-
- APPI will have an extra territorial effect in that it will apply to businesses anywhere if they are processing personal data of Japanese citizens;
- The current exemption which states that the law does not apply where businesses are processing databases of less than 5000 individuals will disappear ,and therefore smaller businesses will be impacted;
- The definition of personal data is being expanded to include IP addresses, vocalisations and biometrics as well as unique identifiers used in health and credit card businesses. Sensitive personal data is brought into line with the current definitions in the EU and under the General Data Protection Regulation.
- Restrictions on data transfers will apply unless there is express consent or the business has exercised the right to rely on an opt-out exception.
Opt-out exceptions are available provided that the business notifies the Japanese Data Protection Commission and notifications commence from the 1st March 2017.
For any business that operates internationally or is part of a group with Japanese headquarters these changes are important.