On Sept. 3, 2015, a bill to amend the Act on the Protection of Personal Information (APPI), the main privacy law in Japan, was passed by the National Diet. This is the first major amendment to the APPI since the original version took effect in 2005. The original APPI focused on regulating information processed on paper, resulting in several gaps between what the APPI could enforce and what actually should be subject to privacy laws in light of changes in information technology. The bill to amend the APPI was introduced to the Diet to bridge these gaps in a borderless information world, where data moves online rather than on paper.
Application to Offshore Companies
The original APPI did not specify whether the act applied to offshore companies, and no Supreme Court case has established whether offshore companies are subject to the APPI. As a result, it was commonly thought that the original APPI did not apply to offshore companies. In other words, under the original APPI, technically speaking, offshore companies did not have to observe the APPI unless they had a branch office in Japan.
However, in order to enhance the protection of privacy rights in this borderless era, the amended APPI clearly sets out that it will now apply to offshore companies. Article 75 of the new APPI provides that it will apply to offshore companies “which obtain personal information in connection with provision of goods or services to a person in Japan and process such personal information.” What “in connection with provision of goods or services” means has not yet been clearly defined. Therefore, if we take a broad interpretation, it could mean that any type of online services that people in Japan can access (e.g., any website, any online shopping website and any social networking service) falls under the category of “provision of services to a person in Japan.” It should also be noted that “a person in Japan” is not limited to Japanese citizens.
Restriction on Data Transfer from Japan to Offshore
The amended APPI will provide new restrictions on data transfer from Japan to an offshore third party. In this regard, a group company is also considered a third party.
The original APPI did not provide a restriction on data transfer to an offshore third party that was separate from the onshore restriction. This means that, under the original APPI, a company transferring data could send personal data to an offshore company without obtaining prior consent from data subjects, as long as the sending party satisfied the (a) outsourcing, (b) opt-out consent, or (c) joint-use requirements, each of which exempts a company from obtaining prior consent from data subjects.
Under the amended APPI, for the purpose of data transfer to an offshore third party, the exemptions for (a) outsourcing, (b) opt-out consent and (c) joint-use are available only if:
- (i) a third party receiving personal information is located in a jurisdiction that the Privacy Committee designates as having the same level of protections as Japan in terms of protection of personal information; or
- (ii) a third party receiving personal information has established appropriate systems to secure personal information, as designated by the Privacy Committee.
In other words, if neither (i) nor (ii) is satisfied by a receiving offshore party, a data sending party must obtain consent from data subjects to the offshore data transfer, and cannot rely on any of the exemptions.
The Privacy Committee is expected to prepare: (i) a list of the designated jurisdictions, and (ii) standards to specify “appropriate systems to secure personal information,” promptly after its establishment on Jan. 1, 2016.
The effective date of the amendment to the APPI’s application to offshore companies and restrictions on offshore data transfer will be a date set within two years of Sept. 9, 2015. This effective date has not yet been determined by the government. During this grace period, offshore companies should confirm whether the amended APPI will be applicable to their business. Also, from an M&A perspective, buyers should carefully consider whether it will apply to a target company’s business and its compliance obligations.