IIJ amended APPI support solution

Restriction on Third Party Provision of Personally Referable Information

A new obligation has been added for confirming and recording the acquisition of the consent of the corresponding individual when personally referable information that does not fall under "personal information" (such as web browsing history, purchasing history, position information, or app behavior history for which the individual cannot be identified) is expected to be acquired by a third party as "personal data".

The IIJ Privacy Compliance Solution determines the necessity of applying the new regulations under the Amended APPI and provides corporate customers with information related to rational compliance measures and implementation methods that are suitable for their actual work conditions. We support the implementation and operation of cookie banner tools with IIJ Implementation Assistance of Cookie Banner Platform for Consent Management.

Strengthening Restrictions on Provision to a Third Party in a Foreign Country

The obligations of companies to provide information and obligations to take appropriate measures when providing personal data to third parties in foreign countries have been strengthened. Specifically, continuous information provision is required related to the personal information protection system of the destination country, and continuous measures for the protection of personal information must be performed based on a contract or other agreement with the destination.

The IIJ Business Risk Management Portal (BizRis) provides the latest information on privacy protection systems established by local laws in more than 40 core countries to BizRis members in the Japanese language. Using BizRis enables compliance with obligations for providing information as suitable for the system of the destination country and enables an appropriate response for disclosure requests from users. The corresponding information is all updated at once in the fourth quarter, and we also plan to expand the range of target countries as needed.

In addition, we support the work for making contracts with the destination, such as by providing templates, where you must fulfill the obligations to perform appropriate measures. Furthermore, we perform risk assessment about the adequacy of the security and protection measures of third parties in the destination country, and support the implementation of various security measures if improvements are necessary.

Obligating Reports of Personal Data Leaks, etc.

When incidents such as personal data leaks occur, there is now an obligation to report them to the Personal Information Protection Committee based on certain conditions.

Previously, IIJ has supported the reporting of incidents and other information to EU and UK privacy protection supervisory authorities with the IIJ Incident Management and Support Service. To comply with the Amended APPI, we will support reporting to the Personal Information Protection Committee when incidents such as personal data leaks occur.

Furthermore, for personal data that companies hold, companies may need to report not only to the authorities in Japan, but to those in foreign countries and to the affected individuals as well. Therefore, we provide advice related to the incident response work that should be performed, including the response to authorities and to the affected individuals.

As well as Japan, this service provides support related to the response to authorities and affected individuals in the EU, UK, Singapore, and California state in the US. We plan to expand the supported countries and regions systematically in the future.