The recent amendments of the Japanese Act on the Protection of Personal Information (AAPI) have implications for healthcare businesses. According to the amendments, companies/health institutions are not allowed to transfer personal data overseas. Transfer of data outside of Japan is only permitted under special circumstances. For example, if the company/institution has received consent from the individual, or if it is impossible to obtain consent, and the data is needed to protect a human life. It has also been clarified that possible and actual data breaches must be notified to the Personal Information Protection Committee (PIPC) as well as affected individuals. In order to reinforce these privacy policies, the maximum penalties for violations of the AAPI have been increased to 95 million yen (about $700,000 USD).
Global medical companies must consider these new requirements if they process and/or import personal information from Japan. They must take steps to ensure that their data transfer preparation or processing agreement complies with these requirements. Data breaches, especially data related to a patient’s medical history, must be reported to the PIPC.
Written by: Ames Gross – President and Founder, Pacific Bridge Medical (PBM)
Mr. Gross founded PBM in 1988 and has helped hundreds of medical companies with regulatory and business development issues in Asia. He is recognized nationally and internationally as a leader in the Asian medical markets. Mr. Gross has a BA degree, Phi Beta Kappa, from the University of Pennsylvania and an MBA from Columbia University.
Source used in the article: https://www.morganlewis.com/pubs/2022/08/how-japans-privacy-act-amendments-affect-global-healthcare-businesses#:~:text=For%20global%20healthcare%20companies%20that,internal%20and%20external%20privacy%20policies.