Blog

Japan’s Act on Personal Information Protection – What Businesses Must Do

Richard Marley
May 17, 2022
7 minutes read
6180

New and emerging ways to bypass verification checks have allowed fraudulent entities to breach the sensitive personal data of clients in businesses and financial institutions. In June 2020, Japan amended its Act on the Protection of Personal Information (APPI) with a deadline of 1st April 2022 for businesses to adopt the new regulations.

Prominent updates to the Act include a new process for sending and receiving personal information to and from third parties and businesses outside the country. Japan-based businesses now face a new challenge as new requirements are introduced that need to be fulfilled in case of data breaches.

The Act on the Protection of Personal Information (APPI)

Japan’s Act on the Protection of Personal Information (APPI) was first introduced in 2003 with the aim to protect the personal information of individuals (customers of businesses, banks, and other financial institutions) in the country. Since its introduction, the Act has seen two amendments in 2015 and 2020. Compliance with the APPI is monitored by the Personal Information Protection Commission, which is Japan’s primary regulatory body to investigate and enforce supervision, assessment, and mitigation of concerns that arise in businesses and financial institutions.

As per the APPI, personal data that can be processed or stored only with the consent of the individual are classified into two main types. The first is the basic personal information like name, date of birth, contact numbers, and personal identification codes. The second type of sensitive data is ‘special care required’ information, which includes medical records, information about race or inheritance, and criminal history. Although biometric data is not explicitly mentioned in any of the two types, it is likely that it will be included in the ‘special-care required’ information. Moreover, the APPI allows individuals to question the purpose of processing their personal information and also gives them the right to amend or delete it.

What’s in it for Businesses

Like the EU’s General Data Protection Regulation (GDPR) obliges businesses in the region to protect personal information, businesses operating within Japan are obliged to comply with the Act on the Protection of Personal Information no matter what their status or revenue is. Initially, the Act didn’t require businesses to protect or state the reason for collecting and processing personal information. However, the amendments made to the Act in 2015 added compliance requirements that subjected businesses of all sizes to protect their customers’ personal information.

Furthermore, businesses operating outside Japan and are linked to the Japanese market are also obliged to comply with APPI. This implies that businesses operating overseas but gathering personal information from clients in Japan are also required to comply with the new regulations. That being said, government institutions, educational institutes, and the administrative sector are not obliged to adhere to these regulations. The amendments made to the APPI in 2020 further broadened the scope of businesses that fall under the rules. In simple terms, changes have been made to the rules that govern the transfer of personal information to third parties and the notifications in case of data breaches.

Transfering Personal Information to Third Parties

Up until 2020, businesses based in Japan were allowed to send personal data to third parties without the consent of the customer. The customer was provided the details of the transfer of their personal information. However, since 1st April, 2022, corporations are obliged to request the customer for permission to send their personal information to third parties. In cases where national security, public interests, or legal matters are involved, there can exceptions to the new regulations and personal information can be transferred. Businesses are allowed to proceed with the transfer of personal data without the consent of the customer only if they notify them before the transfer. Moreover, this condition is not applicable in the case where ‘special-care required’ personal data is in question.

Transfering Personal-Related Information to a Third Party

Personal Related Information (PRI) is a section that was added to APPI along with the other amendments made in 2020. The new category of personal information include the data that is related to the personal matters of the customer, including their transaction history, purchase history, or web browsing information. The PRI category doesn’t include basic personal information like the name or date of birth of the customer. Before the 2020 amendments to the APPI, the PPC was not authorised to regulate the transfer of personal information to third parties outside the boundaries of Japan. Now, the PPC has been provided authority to oversee these processes. Businesses must now provide proof that the foreign third party takes “equivalent action”, or has the same level of personal information protection as Japan. The third party must also be in Japan’s list of adequacy decisions provided by the PPC.

Similarly, the transfer of this kind of information to foreign entities requires businesses to notify customers about the destination before sending it. This includes the name of the country, the quality of the data protection measures in the country, and the additional measures that will be taken to secure the data.

How Businesses can Comply with the APPI

In a requirement similar to those of China’s Personal Information Protection Law (PIPL), Japan-based businesses are obliged to keep a record of the transfer of personal information to third parties. Businesses must ask for permission before sending their customer’s personal data to any third party unless the transfer is for a regulatory action, or when sending the data is the only available option to protect a person’s life or assets.

Up until the latest amendments were not made, the APPI followed a moderate sanctions regime against businesses that failed to comply. For instance, the maximum penalty for a business used to be ¥500,000 (approx. $3,900). After the amendments, businesses can now be penalised with up to ¥100 million (approx. $781,500). Moreover, those in charge of these businesses could face charges of one-year imprisonment and fines of up to ¥1 million (approx. $7,815).

Key Takeaways

Considering the latest changes to the data protection law of Japan, it is clear that the safekeeping of customers’ personal information is quite important for Japanese businesses. Being one of the most successful economies in the world, the country makes significant efforts to maximise the measures to protect sensitive data. On the corporate level, businesses must also take steps to ensure compliance with the updated API.

To do so, businesses need to incorporate AI-driven verification solutions into their system. Shufti Pro’s robust identity verification solution can be easily embedded within an online business platforms all the features that help them comply with regulatory obligations while ensuring that the customer’s data is safe.

Here are the key benefits of Shufti Pro’s ID verification services:

Verifies the real identity of the customers in less than a second
Generate results with 98.76% accuracy
Screens customers against 1700+ global watchlists and PEP lists
Helps comply with regulatory obligations and secures businesses from sanctions

Want to learn more about ID verification services for businesses?

Talk to us

Disclaimer: No warranty is herein provided that the information contained in this document is accurate, up-to-date, and/or complete. In no circumstance(s), does such information constitute legal or any other advice. Any person who intends to use, rely, pass-on, or re-publish the information contained herein in any way is solely responsible for the same. We suggest to verify the information and/or obtain expert advice independently if required.

Latest News

News
Danish Gambling Operator Reports Tipwin to the Police for AML Failings
The Act on the Protection of Personal Information (APPI)
What’s in it for Businesses
How Businesses can Comply with the APPI
Key Takeaways
Then danish gambling operator Spillemyndigheden has reported Tipwin to the police for violating the Danish Money Laundering act

According to the sources, Spillemyndigheden, the government office based in Odense, Denmark, has reported to the police that the business has failed to create risk assessments of retail bets with a lack of written policies on its retail offerings.

It is also worth mentioning that the operator also lacks complete business procedures and controls for the offerings based on land or in regards to money laundering until 25 May 2022.

In the official statement of the regulator to the police, it stated all the shortcomings of Tipwin in compliance with the anti-money laundering standards. It stated: “Spillemyndigheden notes that the rules on risk assessment, policies and business procedures are absolutely fundamental in the Money Laundering Act. By failing to prepare a risk assessment, Tipwin has not had a useful tool that has provided an overview and understanding of where and to what extent Tipwin is exposed to money laundering or terrorist financing, and what measures are in place are necessary to mitigate the risks involved.”

This clearly states that the german based gambling operator, Tipwin is exposed to the illicit crimes of money laundering and terrorist financing and has failed to comply with the AML regulations. The Danish regulator also focused on the lack of preparation from the operator on assessments of risks which are fundamental components of the anti-money laundering act.

Spillemyndigheden also added: “Preparing a risk assessment of the company’s business model is a very fundamental means of limiting the risk of money laundering. Tipwin has thus also not had policies and operational procedures that stem from the risk assessment. By failing to prepare a risk assessment, the Gambling Authority has therefore handed over the case to the police investigation.”

The authority also launched an injunction on the breach of rules and procedures in regard to the online casino and betting operations. With the main emphasis on money laundering, the regulator released a statement last month which reminded businesses in the industry of the obligations. It mentioned the regulations most firms are complied with, which are in order to prohibit the financial interactions with individuals, groups, legal bodies or countries.

In addition, Spillemyndigheden issued a 3 months deadline to Tipwin to sort out the situation.

Suggested Read: Danish Gaming Regulator Sanctions Unibet Over AML Violations

Japan’s Act on Personal Information Protection – What Businesses Must Do

The Act on the Protection of Personal Information (APPI)

What’s in it for Businesses

Transfering Personal Information to Third Parties

Transfering Personal-Related Information to a Third Party

How Businesses can Comply with the APPI

Key Takeaways

Crown and Star Casinos – A Stain on Australia’s Reputation

Australia’s Anti-Money Laundering Regime

How Casinos and Businesses Can Secure their Operations

What Shufti Pro Offers

Let’s prove your

customer’s identity

with Shuftipro.

Let’s prove your customer’s

identity with Shuftipro.