Meeting Data Security Compliance around the World

Japan Data Security Compliance

National Legislation:

  • Act on the Protection of Personal Information 2005 (APPI) – A Japanese law and regulation laying down the basic principle, the establishment of a basic policy by the Government, and the matters that serve as a basis for other measures on the protection of personal information. Unlike others, the APPI did not create a data protection agency or provide the government with strong enforcement powers. The legislature thought self-regulation by businesses would be appropriate.
  • The bill to amend the APPI (the “APPI Bill”) was submitted and approved by the Diet on 3 September 2015. It permits the transfer of so-called “big data” without obtaining the data subject’s consent, establishes an independent data protection authority, and restricts data transfer to a third country where the level of data protection is insufficient.

Scope of Legislation:

  • Any person or entity that possesses and uses for its business in Japan which contains personal information.
  • Information handlers that have their residences or offices in Japan, or are non-Japanese companies that conduct businesses in Japan.
  • Overseas information handlers who have acquired personal information of data subjects in Japan, even if they deal with such personal information outside of Japan.

Security Methods/Requirements:

  • Information handlers are required to implement appropriate control measures in respect of the personal information in their possession to prevent unauthorized disclosure, loss or damage of such personal information. When entrusting a third party with the handling of personal information in whole or in part, the information handler must exercise necessary and appropriate supervision over the third party.
  • The guidelines imply that encryption technologies will be required as an appropriate control.

International Transfer of Data:

  • An information handler (entity) must obtain prior consent from the data subject to transfer personal data to a recipient in a foreign country, only if that country’s data protection system is considered by the Japanese authority to provide the same level of protection as Japan or when the recipient third party has established a sufficient data protection system. Whether the foreign country has such standards will be determined by the Commission.

Other Details:

  • Encryption policy is driven by the Ministry for International Trade and Investment (MITI), and the Ministry of Posts and Telecommunications.
  • Cultural acceptance of encryption as the standard for data security is rapidly increasing as Japan treats cryptography as a national economic priority.