BEFORE YOU GO...

Check how Shufti Pro can verify your customers within seconds

No thanks

Blog

Japan’s Act on Personal Information Protection – What Businesses Must Do

Richard Marley
May 17, 2022
7 minutes read
6212

New and emerging ways to bypass verification checks have allowed fraudulent entities to breach the sensitive personal data of clients in businesses and financial institutions. In June 2020, Japan amended its Act on the Protection of Personal Information (APPI) with a deadline of 1st April 2022 for businesses to adopt the new regulations.

Prominent updates to the Act include a new process for sending and receiving personal information to and from third parties and businesses outside the country. Japan-based businesses now face a new challenge as new requirements are introduced that need to be fulfilled in case of data breaches.

The Act on the Protection of Personal Information (APPI)

Japan’s Act on the Protection of Personal Information (APPI) was first introduced in 2003 with the aim to protect the personal information of individuals (customers of businesses, banks, and other financial institutions) in the country. Since its introduction, the Act has seen two amendments in 2015 and 2020. Compliance with the APPI is monitored by the Personal Information Protection Commission, which is Japan’s primary regulatory body to investigate and enforce supervision, assessment, and mitigation of concerns that arise in businesses and financial institutions.

As per the APPI, personal data that can be processed or stored only with the consent of the individual are classified into two main types. The first is the basic personal information like name, date of birth, contact numbers, and personal identification codes. The second type of sensitive data is ‘special care required’ information, which includes medical records, information about race or inheritance, and criminal history. Although biometric data is not explicitly mentioned in any of the two types, it is likely that it will be included in the ‘special-care required’ information. Moreover, the APPI allows individuals to question the purpose of processing their personal information and also gives them the right to amend or delete it.

What’s in it for Businesses

Like the EU’s General Data Protection Regulation (GDPR) obliges businesses in the region to protect personal information, businesses operating within Japan are obliged to comply with the Act on the Protection of Personal Information no matter what their status or revenue is. Initially, the Act didn’t require businesses to protect or state the reason for collecting and processing personal information. However, the amendments made to the Act in 2015 added compliance requirements that subjected businesses of all sizes to protect their customers’ personal information.

Furthermore, businesses operating outside Japan and are linked to the Japanese market are also obliged to comply with APPI. This implies that businesses operating overseas but gathering personal information from clients in Japan are also required to comply with the new regulations. That being said, government institutions, educational institutes, and the administrative sector are not obliged to adhere to these regulations. The amendments made to the APPI in 2020 further broadened the scope of businesses that fall under the rules. In simple terms, changes have been made to the rules that govern the transfer of personal information to third parties and the notifications in case of data breaches.

Transfering Personal Information to Third Parties

Up until 2020, businesses based in Japan were allowed to send personal data to third parties without the consent of the customer. The customer was provided the details of the transfer of their personal information. However, since 1st April, 2022, corporations are obliged to request the customer for permission to send their personal information to third parties. In cases where national security, public interests, or legal matters are involved, there can exceptions to the new regulations and personal information can be transferred. Businesses are allowed to proceed with the transfer of personal data without the consent of the customer only if they notify them before the transfer. Moreover, this condition is not applicable in the case where ‘special-care required’ personal data is in question.

Transfering Personal-Related Information to a Third Party

Personal Related Information (PRI) is a section that was added to APPI along with the other amendments made in 2020. The new category of personal information include the data that is related to the personal matters of the customer, including their transaction history, purchase history, or web browsing information. The PRI category doesn’t include basic personal information like the name or date of birth of the customer. Before the 2020 amendments to the APPI, the PPC was not authorised to regulate the transfer of personal information to third parties outside the boundaries of Japan. Now, the PPC has been provided authority to oversee these processes. Businesses must now provide proof that the foreign third party takes “equivalent action”, or has the same level of personal information protection as Japan. The third party must also be in Japan’s list of adequacy decisions provided by the PPC.

Similarly, the transfer of this kind of information to foreign entities requires businesses to notify customers about the destination before sending it. This includes the name of the country, the quality of the data protection measures in the country, and the additional measures that will be taken to secure the data.

How Businesses can Comply with the APPI

In a requirement similar to those of China’s Personal Information Protection Law (PIPL), Japan-based businesses are obliged to keep a record of the transfer of personal information to third parties. Businesses must ask for permission before sending their customer’s personal data to any third party unless the transfer is for a regulatory action, or when sending the data is the only available option to protect a person’s life or assets.

Up until the latest amendments were not made, the APPI followed a moderate sanctions regime against businesses that failed to comply. For instance, the maximum penalty for a business used to be ¥500,000 (approx. $3,900). After the amendments, businesses can now be penalised with up to ¥100 million (approx. $781,500). Moreover, those in charge of these businesses could face charges of one-year imprisonment and fines of up to ¥1 million (approx. $7,815).

Key Takeaways

Considering the latest changes to the data protection law of Japan, it is clear that the safekeeping of customers’ personal information is quite important for Japanese businesses. Being one of the most successful economies in the world, the country makes significant efforts to maximise the measures to protect sensitive data. On the corporate level, businesses must also take steps to ensure compliance with the updated API.

To do so, businesses need to incorporate AI-driven verification solutions into their system. Shufti Pro’s robust identity verification solution can be easily embedded within an online business platforms all the features that help them comply with regulatory obligations while ensuring that the customer’s data is safe.

Here are the key benefits of Shufti Pro’s ID verification services:

Verifies the real identity of the customers in less than a second
Generate results with 98.76% accuracy
Screens customers against 1700+ global watchlists and PEP lists
Helps comply with regulatory obligations and secures businesses from sanctions

Want to learn more about ID verification services for businesses?

Talk to us

Disclaimer: No warranty is herein provided that the information contained in this document is accurate, up-to-date, and/or complete. In no circumstance(s), does such information constitute legal or any other advice. Any person who intends to use, rely, pass-on, or re-publish the information contained herein in any way is solely responsible for the same. We suggest to verify the information and/or obtain expert advice independently if required.

Latest News

News
Interpol Seizes $130M Worth of Virtual Assets from Cybercriminals Worldwide
The Act on the Protection of Personal Information (APPI)
What’s in it for Businesses
How Businesses can Comply with the APPI
Key Takeaways
The International Criminal Police Organization Interpol has seized $130 million worth of virtual assets that are linked to money laundering operations and different cybercrimes worldwide.

The “HAECHI III” law enforcement operation, which lasted between June 28 and November 23, 2022, enabled INTERPOL to arrest nearly a thousand suspects.

“In total, the operation resulted in the arrest of 975 individuals and allowed investigators to resolve more than 1,600 cases,” reads Interpol’s announcement. “In addition, almost 2,800 bank and virtual-asset accounts linked to the illicit proceeds of online financial crime were blocked.”

The various cybercrimes that contributed to the aforementioned sum include voice phishing, investment fraud, romance scams, sextortion, and money laundering linked to illegitimate online gambling.

Due to the activity, Interpol also produced 95 alerts and diffusions and identified 16 novel crime trends that would enable law enforcement agencies all around the world to concentrate on their efforts against cybercriminals more effectively.

The latest scams include types of financial fraud and romantic scams that criminals are continually improving to maintain novelty.

Additionally, Interpol noticed an increase in the usage of encrypted messaging applications by scammers to communicate with their victims in investment schemes.

Interpol’s statement also highlights the success of its fresh Anti Money Laundering Rapid Response Protocol (ARRP) mechanism, which was first put to the test during the organization’s prior operation, known as “Operation Jackal.”

Scammers had $1,250,000M returned to them due to ARRP, an Irish firm that was the victim of the Business Email Compromise (BEC). This was the total sum that the business lost to the BEC fraudsters, who ARRP assisted in identifying and seizing.

Since the beginning of ARRP’s pilot testing phase in January 2022, the technology has assisted in the recovery of $120M in cybercriminal proceeds.

Suggested Read: Interpol Warns of the Rise in Romance Scams as Valentine’s Day Approaches

Japan’s Act on Personal Information Protection – What Businesses Must Do

The Act on the Protection of Personal Information (APPI)

What’s in it for Businesses

Transfering Personal Information to Third Parties

Transfering Personal-Related Information to a Third Party

How Businesses can Comply with the APPI

Key Takeaways

Identity Theft – A Looming Threat for Digital Businesses

How Law Enforcement Authorities are Countering Cybercriminals

Gang Members Sentenced to 60 Months in Prison for Identity Theft

Criminals Jailed Over Multi-Million Identity Fraud in Spain

Fighting Identity Fraud Through Customer Risk Assessment

How Customer Risk Assessment Screening is Carried Out

Customer’s Identity

Geography

Industry/Business

What Shufti Pro Offers?

Let’s prove your

customer’s identity

with Shuftipro.

Let’s prove your customer’s

identity with Shuftipro.