In September 2016, Japan passed the “Amended Act on the Protection of Personal Information (APPI)”, with implementing regulations released in January 2017. The final revised law is set to go into effect on Tuesday, May 30, 2017. Key changes under the new law include:
- Establishment of the Personal Information Protection Commission (PPC): The new PPC serves as the central supervisory authority for the APPI. Previous authority was divided across multiple regulatory authorities by sector.
- Establishment of a Legal Framework for Anonymously Processed Information: The revised APPI provides specific guidance on the use of anonymized data (including approved methods for anonymizing data).
- Response to Globalization of Data Flows: The revised APPI also includes new restrictions on international transfers, PPC enforcement and investigative cooperation with foreign enforcement authorities, and the extraterritorial application of the APPI.
The Role of APEC CBPRs in the APPI
Article 24 of the APPI imposes restrictions on the transfer of personal information of Japanese citizens to third parties in foreign countries. Exemptions to these restrictions include when a third party has established a system which meets the Rules of the Commission to “continuously implement equivalent necessary measures.” The regulations for implementing Article 24 specifically call out a company’s APEC Cross Border Privacy Rules (CBPR) certification as satisfying this requirement. Most importantly, the APPI allows either the data controller or the data processor to meet this requirement through CBPR certification. As such, your company’s CBPR certification will permit you to both transfer and receive personal information pursuant to the APPI.
In March 2016, the Japanese Institute for the Promotion of Digital Economy and Communication (JIPDEC) was approved to serve as an accountability agent under the CBPR system, joining TRUSTe, which was named the first accountability agent for APEC Cross Border Privacy compliance in June 2013.
The CBPR system was endorsed by APEC member economies in 2012 for businesses established in the APEC region that collect and transfer personally identifiable information from consumers. CBPR implementation has continued to gain momentum recently with South Korea submitting its application to join the system in January, and Singapore and the Philippines announcing their intention to do the same later this year. TRUSTe was named the first accountability agent for the system in June 2013. The next meeting of APEC’s Data Privacy Subgroup will take place in August, in Ho Chi Minh City, Vietnam.