Japan: Offering Goods and Services to Data Subjects in Jurisdiction
The Act on the Protection of Personal Information (APPI) in Japan extends its applicability to foreign entities that offer goods or services to individuals in Japan, even if the data processing occurs outside the country.
Text of Relevant Provisions
APPI Art. 171:
"This Act also applies in those cases in which, in relation to supplying a good or service to a person in Japan, a business handling personal information, a business handling pseudonymized personal information, a business handling anonymized personal information, or a business handling information related to personal information handles the personal information by which that person in Japan is identifiable, information related to personal information that is to be acquired as that personal information, or pseudonymized personal information or anonymized personal information that has been prepared by using that personal information, in a foreign country."
Original (Japanese):
"この法律は、個人情報取扱事業者、仮名加工情報取扱事業者、匿名加工情報取扱事業者又は個人関連情報取扱事業者が、国内にある者に対する物品又は役務の提供に関連して、国内にある者を本人とする個人情報、当該個人情報として取得されることとなる個人関連情報又は当該個人情報を用いて作成された仮名加工情報若しくは匿名加工情報を、外国において取り扱う場合についても、適用する"
Analysis of Provisions
Article 171 of the APPI establishes the extraterritorial scope of the law. It explicitly states that the Act applies to businesses handling personal information, pseudonymized personal information, anonymized personal information, or information related to personal information when three key conditions are met:
- The business is "supplying a good or service to a person in Japan" ("国内にある者に対する物品又は役務の提供に関連して").
- The information handled is "personal information by which that person in Japan is identifiable" ("国内にある者を本人とする個人情報") or derived from such information.
- The handling of this information occurs "in a foreign country" ("外国において取り扱う場合").
This provision ensures that the APPI's protections extend to Japanese data subjects even when their personal information is processed abroad by foreign entities. The lawmakers' rationale for including this factor is to protect Japanese residents' privacy rights regardless of the geographical location of data processing.
The provision covers various types of data, including personal information, pseudonymized personal information, anonymized personal information, and information related to personal information. This broad scope ensures comprehensive protection for Japanese data subjects.
Implications
The extraterritorial applicability of the APPI has significant implications for businesses:
- Foreign companies offering goods or services to individuals in Japan must comply with the APPI, even if they have no physical presence in Japan.
- The law applies to various forms of data processing, including collection, use, and transfer of personal information related to Japanese data subjects.
- Businesses must ensure compliance with APPI requirements when handling personal data of Japanese residents, regardless of where the data processing occurs.
- Companies need to implement appropriate safeguards and mechanisms to protect the personal information of Japanese data subjects, even if their main operations are outside Japan.
- Non-compliance with the APPI could lead to legal consequences for foreign businesses targeting the Japanese market.
- The provision covers not only direct personal information but also derived data such as pseudonymized and anonymized information, requiring businesses to consider the entire data lifecycle in their compliance efforts.
This extraterritorial scope aligns Japan's data protection framework with other comprehensive data protection regimes worldwide, ensuring that Japanese residents' personal information is protected in an increasingly globalized digital economy.