Support Centre

Japan

Summary

Law: The Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2020) ('APPI')

Regulator: The Personal Information Protection Commission ('PPC')

Summary: General data protection in Japan is governed by the APPI, while the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure ('My Number Act') regulates the use of certain individual social security codes (known as 'My Numbers'). Importantly, amendments to the APPI entered into effect on 1 April 2022, and introduces new obligations associated with data subject rights, breach notification, data transfers, and the processing of pseudonymised data, among other things. In addition, guidelines issued by the PPC, as well as other ministries, set out and clarify data protection requirements.

Furthermore, Japan is a participant of the Asia-Pacific Economic Cooperation Cross Border Privacy Rules system ('APEC CBPR') and has been recognised by the European Commission as providing an adequate level of personal data protection.

News

Insights

December 2022

Japan: 'Personally referable information' under the APPI – is this personal data?

A new concept called 'personally referable information' was introduced into Japanese privacy law by the Act on Protection of Personal Information (Act No. 57 of 2003 as amended in 2015) ('APPI') and came into effect from April 2022. But what is it? Kensaku Takase and Yuki Kondo, from Baker McKenzie, provide clarity on what 'personally referable information' is and what it means for companies.

June 2022

EU - Japan: GDPR v. APPI

In this report, OneTrust DataGuidance provides a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2020) (APPI).

The report examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the APPI and the Regulations with the  GDPR.

You can access the latest version of the report here.

April 2022

Japan: Pseudonymization under the 2020 Amendments to APPI

The recent Amendments to the Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2015) ('APPI'), which were introduced in 2020 ('the 2020 Amendments'), came into force on 1 April 2022. The 2020 Amendments introduce a new concept of 'pseudonymization' to Japanese privacy law and rules on how such information should be handled. Kensaku Takase and Hayato Higa, from Baker McKenzie's Tokyo IP Tech practice group, outline how pseudonymized information can be utilized under the APPI and the rules businesses need to be aware of in order to remain compliant with the amendments.

April 2022

Japan: Cybersecurity

March 2022

International: Handling children's personal data in the APAC region - Part one

The processing of children's personal data, from collection to destruction, generally carries with it special considerations. Indeed, the level of protection afforded to children is often higher, due to in part their capacity to understand the consequences of providing their information and the potential risks associated with their use or misuse. In part one of this series, OneTrust DataGuidance considers the rules in the APAC region which govern children's personal data, featuring perspectives from Australia, China, India, and Japan.

For insight into handling children's personal data in New Zealand, the Philippines, and Singapore, please see part two here.

December 2021

Japan: Data Protection in the Financial Sector

October 2021

Japan: Amended APPI guidelines

Forthcoming changes to the Act on the Protection of Personal Information ('APPI') have necessitated changes to the accompanying guidance issued by Japan's Personal Information Protection Commission ('PPC'). Hiroyuki Masuda, Lawyer at One Asia Lawyers, discusses some of the most important changes made in this regard.

June 2021

Japan: An overview of Vendor Privacy Contracts

May 2021

International: Diversity and inclusion surveys in APAC

Diversity and inclusion programmes are becoming increasingly popular across the globe due to a growth in awareness and a demand for organisations to support values, such as equity and inclusion. While actively engaging in diversity and inclusion initiatives may help organisations to better understand, manage, and develop the business, it is not always clear what data can, and cannot, be included in diversity monitoring surveys or what the rules are for such data collection.

The legal requirements surrounding information relating to an individual's race, gender, ethnicity, sexuality, and health differ from country to country, with some classifying such data as 'sensitive data', while others view it under the umbrella of 'personal information'.

OneTrust DataGuidance Research has consulted with a number of legal experts operating within the Asia Pacific region in order to uncover the requirements for the collection and use of employee data for diversity and inclusion surveys. The countries covered in this Insight article include Australia, China, Singapore, Japan, Hong Kong, and India.

Company

Our Policies

Your Rights

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.
Feedback