Japan's Act on the Protection of Personal Information (APPI) becomes effective on April 1, 2022. The APPI strengthens the country's comprehensive personal data privacy code and affects all businesses that collect or process personal information of Japanese residents.

Yugo Nagashima of Frost Brown Todd LLC explores four key developments that affect global business:

  1. “Person Related Information” – a new category of data – with consent required to transfer such data to a person related information handler.
  2. Extra-Territorial Reach – Instead of an adequacy approach (like the EU), Japan requires a business that will handle Japanese personal information outside Japan to have the consent of those persons after a clear description of the data privacy laws of the foreign jurisdiction.
  3. Data Breach Notification – A two-step notification process is mandatory for data breaches, with a low threshold of 1,000 persons triggering mandatory notification.
  4. Pseudonymous Information – Specific definition of pseudonymized data and exemption from data breach notification when pseudonymous data has been hacked.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.