Changes to the Japan Act on the Protection of Personal Information | TrustArc
Source URL: https://trustarc.com/resource/japan-act-on-the-protection-of-personal-information/
Japan’s Act on the Protection of Personal Information (APPI) and APEC CBPRs

In September 2016, Japan passed the “Amended Act on the Protection of Personal Information (APPI)” with implementing regulations released in January 2017. The final revised law went into effect on Tuesday, May 30, 2017.

Key changes under the Japan Act on the Protection of Personal Information

Key changes under the new law include:

Establishment of the Personal Information Protection Commission (PPC): The new PPC serves as the central supervisory authority for the APPI. Previous authority was divided across multiple regulatory authorities by sector.

Establishment of a Legal Framework for Anonymously Processed Information: The revised APPI provides specific guidance on using anonymized data (including approved methods for anonymizing data).

Response to Globalization of Data Flows: New restrictions on international transfers, PPC enforcement and investigative cooperation with foreign enforcement authorities, and the extraterritorial application of the APPI have also been included.

The role of APEC CBPRs in the APPI

Article 24 of the APPI imposes restrictions on the transfer of personal information of Japanese citizens to third parties in foreign countries. Exemptions to these restrictions include when a third party has established a system that meets the Rules of the Commission to “continuously implement equivalent necessary measures.” The regulations for implementing Article 24 specifically call out a company’s APEC Cross Border Privacy Rules (CBPR) certification as satisfying this requirement. Most importantly, the APPI allows the data controller the data processor to meet this requirement through CBPR certification. As such, your company’s CBPR certification will permit you to both transfer and receive personal information under the APPI.

In March 2016, the Japanese Institute for the Promotion of Digital Economy and Communication was approved to serve as an accountability agent under the CBPR system. The Japanese Institute joins TrustArc, which was named the first accountability agent for APEC Cross Border Privacy compliance.

The CBPR system was endorsed by APEC member economies in 2012 for businesses established in the APEC region that collect and transfer personally identifiable information from consumers. CBPR implementation has continued to gain momentum recently, with South Korea submitting its application to join the system in January and Singapore and the Philippines announcing their intention to do the same later this year. TrustArc was named the first accountability agent for the system in June 2013. The next meeting of APEC’s Data Privacy Subgroup will occur in August in Ho Chi Minh City, Vietnam.

Facilitate the compliant transfer of data among participating APEC economies

APEC CBPR for data controllers

The APEC CBPR Certification represents the requirements for businesses that control the collection, holding, processing, or use of personal data and that are interested in adhering to the voluntary framework to demonstrate their commitment to privacy.

APEC PRP for data processors

If your business operates as a data processor, the APEC PRP Certification represents the requirements you must meet in order to demonstrate your organization’s ability to assist data controllers in meeting relevant privacy compliance obligations.

TRUSTe CBPR certification