Global Data Protection Laws: Japan

Data ProtectionOver the last few months, we’ve talked extensively about the GDPR – but the GDPR isn’t the only data protection regime on the planet. In Japan, legislators have just enacted changes to the nation’s flagship data privacy regime. Let’s look at how these changes will affect those hoping to do business there.

Japan’s flagship data privacy law is known as the Act on the Protection of Personal Information (APPI). This law was first passed in the 2000s and has since been updated in order to better reflect the changing nature of information privacy. One of the first big changes was introduced at the beginning of 2016, when Japan established a nationwide Personal Information Protection Commission, or PPC.

The PPC fills a role similar to that of the Information Commissioner’s Office of the European Union. Briefly, it’s a central office that regulates information security throughout Japan. It’s given the power to enforce laws and levy fines.

In addition to the establishment of the PPC, four other changes came into effect in the middle of 2017. These include:

  1. New Categories of Protected Data
    Updates to the APPI provide new ways of identifying data and whether it can be transferred.
    Sensitive Information now includes information such as the data subject’s race, criminal status, medical records, and so on. It can be shared, but it requires affirmative, opt-in participation beforehand.

    Anonymized Information, on the other hand, is any information that’s specific to an individual, but not specific enough to identify them by name. This information can be transferred to third parties under certain preconditions but requires no input from the data subject.
  2. Streamlined Information Sharing
    Across the world, new data privacy regimes are making it harder for corporations to share customer data. In japan, the reverse is true. If a company gives their customer certain discloses, they can share that customer’s information freely thereafter. The customer must be free to opt out of data transfers at any moment, however.
  3. Data Across Borders
    Regardless of whether user data is sensitive or anonymized, companies will need to ask a user’s permission before transferring data to another country – unless that country has been recognized as having adequate privacy standards by the PPC. For example, negotiations between Japan and the EU mean that companies will soon be able to freely transfer data between those countries.
  4. Penalties
    If the precepts above aren’t followed, the PPC may order a company to comply, or to stop transferring data altogether. If this injunction is not obeyed, the PPC may level fines and prison sentences. Negligence will result in a prison term of six months, or a fine of ¥300,000 (about $2,800 USD). Intentional theft will result in a year in prison or a fine of ¥500,000 (about $4,700 USD).

Navigate Japanese Data Protection Laws with Safe-T

Data privacy and security will be an important concern for foreign companies wishing to do business in Japan. Like South Korea, Japan is often targeted for cyberattacks by North Korea. For example, An attack against a Japanese cryptocurrency firm recently landed a $529 million payday for North Korean hackers. If your defenses against these attacks are found to be negligent, then finds and penalties from Japan’s PPC may insult to injury.

With robust data protection features and granular privacy controls, Safe-T lets businesses configure their security and privacy policies for different jurisdictions. In addition, our Software-Defined Access product will hide your internet presence from malicious actors, thwarting their attempts at reconnaissance. For more information, contact us for a free trial today! New Call-to-action

*** This is a Security Bloggers Network syndicated blog from Safe-T Blog authored by Julie Shafiki. Read the original post at: