Japan’s Act on the Protection of Personal Information (APPI) and APEC CBPRs
In September 2016, Japan passed the “Amended Act on the Protection of Personal Information (APPI)” with implementing regulations released in January 2017.
The final revised law went into effect on Tuesday, May 30, 2017.
Key changes under the Japan Act on the Protection of Personal Information
Key changes under the new law include:
- Establishment of the Personal Information Protection Commission (PPC): The new PPC serves as the central supervisory authority for the APPI. Previously, authority was divided across multiple regulatory authorities by sector.
- Establishment of a Legal Framework for Anonymously Processed Information: The revised APPI provides specific guidance on using anonymized data (including approved methods for anonymizing data).
- Response to Globalization of Data Flows: New restrictions on international transfers, PPC enforcement and investigative cooperation with foreign enforcement authorities, and the extraterritorial application of the APPI have also been included.
The role of APEC CBPRs in the APPI
Article 24 of the APPI imposes restrictions on the transfer of personal information of Japanese citizens to third parties in foreign countries.
Exemptions to these restrictions include when a third party has established a system that meets the Rules of the Commission to “continuously implement equivalent necessary measures.”
The regulations for implementing Article 24 specifically call out a company’s APEC Cross Border Privacy Rules (CBPR) certification as satisfying this requirement.
Most importantly, the APPI allows the data controller or the data processor to meet this requirement through CBPR certification.
As such, your company’s CBPR certification will permit you to both transfer and receive personal information under the APPI.
In March 2016, the Japanese Institute for the Promotion of Digital Economy and Communication was approved to serve as an accountability agent under the CBPR system.
The Japanese Institute joins TrustArc, which was named the first accountability agent for APEC Cross Border Privacy compliance in June 2013.
The CBPR system was endorsed by APEC member economies in 2012 for businesses established in the APEC region that collect and transfer personally identifiable information from consumers.
CBPR implementation has continued to gain momentum recently, with South Korea submitting its application to join the system in January and Singapore and the Philippines announcing their intention to do the same later this year.
The next meeting of APEC’s Data Privacy Subgroup will occur in August in Ho Chi Minh City, Vietnam.
Facilitate the compliant transfer of data among participating APEC economies
APEC CBPR for data controllers
For data controllers, the APEC CBPR Certification represents the requirements for businesses that control the collection, holding, processing, or use of personal data and that are interested in adhering to the voluntary framework to demonstrate their commitment to privacy.
APEC PRP for data processors
If your business operates as a data processor, the APEC PRP Certification represents the requirements you must meet in order to demonstrate your organization’s ability to assist data controllers in meeting relevant privacy compliance obligations.