Sunday, February 26, 2017
Japan Tightening Data Protection Law in May
Last year, as Japan’s 2003 Act on the Protection of Personal Information fell increasingly behind advancing technology and international privacy standards, the Diet passed a number of significant amendments to the Act to bring it up to date. While many details of how the amendments will be translated into practice remain to be fleshed out by the newly-established Privacy Protection Commission, their relevance for international businesses is quite clear. Most prominently, while any extra-territorial applicability of the Act had been conspicuously missing, this will no longer be the case, with the Act now explicitly applying to any business that processes the data of Japanese citizens. Secondly, the current exemption from coverage by the Act for businesses that process the data of less than 5,000 individuals will disappear. Thirdly, the definition of personal data will be expanded to bring it into line with European standards, including the introduction of the concept of “sensitive” information requiring a higher level of protection. Fourthly, data transfers will require the express consent of the individual unless a business relies upon one the “opt-out” exemptions specified in the amendments and notifies the Privacy Protection Commission accordingly. Finally, “opt-out” exemptions will not be available unless the data transfer is made to a country having an adequate and similar level of protection; such transfers will require both express consent and special contractual safeguards. The new amendments come into effect on May 30, 2017.