Earlier today (Sept. 3), Japan’s Diet passed an amendment to the “Act on the Protection of Personal Information,” which has been in effect since April 2005. Under the amendment, which goes into effect in January 2016, Japan will establish a Personal Information Protection Commission. The Commission will be established as an independent authority in attempt to bolster Japan’s expected request for a determination of adequacy by the European Commission.
In addition, Article 24 of the amended law imposes restrictions on the transfer of personal information of Japanese citizens to third parties in foreign countries. Exemptions to these restrictions include express consent of the individual, transfer to foreign countries that the Personal Information Protection Commission determines have measures of protecting personal information equivalent to that of Japan, or where the third party has established a system which meets the Rules of the Commission to “continuously implement equivalent necessary measures.”
The draft rules for implementing Article 24 specifically call out a company’s APEC Cross Border Privacy Rules (CBPR) certification as satisfying this requirement. Japan joined the CBPR system in May 2014. TRUSTe has been an APEC-approved certifier under the CBPR system since 2013.