Data protection laws are evolving rapidly as the world becomes more digitalised, and Japan is working hard to keep its sword sharp, writes Putro Harnowo.
In February, Kyodo News reported that the number of personal information leaks from Japanese listed companies in 2021 grew by 30% from the previous year to 137 incidents, which was a record high, based on findings from corporate research agency Tokyo Shoko Research.
When a major Japanese job-seeking platform, Rikunabi, was found to predict a job offer decline rate by using website cookies and other user information without consent in 2019, data privacy was thrust into the limelight in Japan. The company sold the data to various companies for up to JPY5 million (USD47,450).
Although Japan’s Act on the Protection of Personal Information (APPI) is scheduled to be reviewed every three years, the Rikunabi case and a string of other highly damaging data breaches showed the dangers of poorly written laws and loopholes, prompting the Japanese Diet (parliament) to amend the act in June 2020.
The amended APPI came into effect on 1 April 2022, enhancing individual rights and strengthening the obligations of business operators when processing personal data. Some of the changes put Japan’s law closer in line with the EU’s General Data Protection Regulation (GDPR).
“Abstract descriptions of the purpose of using personal information would not be sufficient under the amended APPI, and business operators must carefully describe the purpose of use of personal information,” says Tomoko Fuminaga, a partner at Morgan Lewis & Bockius in Tokyo.
“If an individual cannot reasonably predict or assume how their personal information will be handled from the purpose of use stated and disclosed by business operators, then business operators do not meet the APPI requirements.”
Fuminaga adds that individuals can also request that business operators disclose their personal data in a manner specified by the individuals, in writing or electronically. Individuals may also request that business operators stop using or delete their personal data when it is obtained through deceit or other improper means, when business operators no longer need it, when it is leaked, or when their rights or legitimate interests are at risk.