This post was also written by Taisuke Kimoto, Matthew N. Peters, and Yumiko Miyauchi.
In recent weeks, Japanese data protection and privacy law has seen developments in two areas:
(1) The Ministry of Economy, Trade and Industry (METI) issuing its first code of practice on privacy notices
(2) The Asia-Pacific Economic Cooperation (APEC) approving Japan’s participation in the APEC Cross Border Privacy Rules (CBPR) system
METI Code of Practice (the Code)
This comes on the back of a period of activity for data protection legislation in Japan. In December 2013, the IT Strategy HQ of the Cabinet Office published an Institutional Review Policy concerning utilization of personal data, with a plan to publish proposed amendments to the Japanese Data Protection Act in June 2014.
The Code is non-binding, so there is no penalty for organisations that do not comply with it. However, it sets out what organisations should tell consumers about the collection and use of their personal data, and includes a checklist of what should appear in all consumer privacy notices, particularly:
• A description of the service
• The nature of the personal data collected, and the process of collection
• How the company intends to use the data
• Whether the data will be shared and with whom
• The extent of the consumer’s rights to object to the collection of their data, or to have their personal data corrected, and the procedure for doing so
• Organisation contact details
• How long the data will be retained, and how it will be destroyed
The Code also calls for standardised and clear notices to avoid confusion among consumers. With the Australian Privacy Principles (effective since March 2014) also providing guidance on privacy policy content, Japan is not the only APEC jurisdiction where this has been given priority.
Proposals to revise the Japanese Data Protection Act are expected to be published in June 2014.
The APEC Cross Border Privacy Rules
Beyond domestic data protection standards across the region, on 28 April, Japan became the third APEC nation (after Mexico and the United States) to have its participation in the APEC CBPR System approved. This system is designed to develop global interoperability of organisations’ consumer data protection measures, and to complement the EU’s system of Binding Corporate Rules for international data transfers.
Using a common set of principles for ensuring the protection of cross-border data transfers, adopted by all 21 APEC countries, Japan will now begin the process of undertaking measures to ensure it can provide certification to any organisation wishing to become CBPR compliant. This begins with a commitment to use an APEC-approved accountability agent, supported by a domestic privacy enforcement authority, in order to meet its obligations under the CBPR System.