Two data-protection laws that cybersecurity professionals must be familiar with when working with countries outside of the US are South Korea’s Personal Information Protection Act (PIPA) and Japan’s Act on the Protection of Personal Information (APPI).
South Korea’s PIPA was implemented in 2011 and is similar to the European Union’s General Data Protection Regulation (GDPR) in that citizens are entitled to control how their information is collected and used. Sutton (2018) explains that PIPA grants citizens the following key rights, which organizations are required to honor: disclosure of what information is collected and how it is used; the ability to opt out of data collection; separate consent before personal information is shared with third parties; consent before data is transferred to another country; the right to obtain copies of any information collected; the right to request corrections to their information, which the company must then maintain; and the right to have their personal information deleted upon request. Companies that fail to comply with PIPA can be severely fined for each infraction, with typical fines exceeding $4 million per infraction.
Japan’s APPI predates both PIPA and GDPR. It was first introduced in 2003 and was most recently updated in May 2017 with new privacy regulations. While similar to GDPR, APPI applies only to business operators that handle personal information, whereas GDPR carries no such limitation (Beyond the GDPR, 2018). As with PIPA and GDPR, APPI requires organizations to disclose how personal information is used, how consumers can access and correct their data, how consumers can suspend the use of their data, and where consumers can report misuse of their data. Additionally, consumers can demand that organizations delete inaccurate data or delete their data entirely. Any transfer or sharing of consumer data must also be disclosed and may not take place without first obtaining the consumer’s consent. Organizations must also respond to any consumer request within two weeks. If an organization fails to comply with a request, the affected consumers can sue that organization, and Japan’s Personal Information Protection Commission (PPC) can issue an administrative order to comply with the request. If the organization still fails to comply, the business operator can face a fine of up to 500,000 yen or up to a year’s imprisonment (Coos, 2019).
Beyond the GDPR: What you should know about Japan’s Act on the Protection of Personal Information. (2018). Focal Point. Retrieved from https://blog.focal-point.com/beyond-the-gdpr-what-you-should-know-about-japans-act-on-the-protection-of-personal-information
Coos, A. (2019). Data protection in Japan: All you need to know about APPI. Endpoint Protector. Retrieved from https://www.endpointprotector.com/blog/data-protection-in-japan-appi/
Sutton, P. (2018). Data protection in South Korea: Why you need to pay attention. Vistra. Retrieved from https://www.radiusworldwide.com/blog/2018/8/data-protection-south-korea-why-you-need-pay-attention