Japan’s data protection law, the Act on the Protection of Personal Information (APPI), is one of the first data protection laws in Asia. Adopted in 2003, it was updated in 2015 to add rules for tackling the growing number of data breaches in the country. The revised APPI came into force on May 30, 2017. It was amended again in 2020 to meet current requirements, and the amended act is expected to go into effect by April 2022.
Read the full text (tentative English translation) of the amended act here.
We will cover the key highlights from the act that you should know to achieve APPI compliance and how it compares against the EU GDPR.
Who does APPI apply to?
APPI applies to all businesses that handle the personal information of individuals (“principals”) in Japan. These businesses are referred to as “Personal Information Handling Business Operators” (or Operators). Like GDPR, the territorial scope of APPI is wide-reaching: it also applies to businesses established outside Japan if they offer goods and services to people in Japan.
Central government organizations, local governments, independent administrative agencies, and local administrative agencies are not subject to APPI compliance.
Who will enforce APPI?
The APPI (with the 2020 Amendments) will be enforced by the Personal Information Protection Commission of Japan (PPC). The PPC is the regulatory body established to supervise and monitor compliance with the APPI. It has the authority to require businesses subject to APPI to submit compliance-related reports and to impose sanctions in case of violation.
The PPC provides several guidelines on APPI implementation, some of which are discussed in this article.
What is personal information under APPI?
Personal information is personally identifiable information (PII), such as a name, email address, biometric data, driver’s license number, or passport number, that is linked to a living individual in Japan. This information can be stated, recorded, or expressed using any medium, whether in an electronic format or in a document.
“Special care-required personal information” was introduced in the amended APPI. It is a type of personal information relating to an individual’s “race, creed, social status, medical history, criminal record, the fact of having suffered damage by a crime, or other descriptions, etc.” Operators must handle it with care and avoid discrimination or prejudice.
The APPI also recognizes anonymized personal information, which is personal information modified by any method so that it can no longer be used to identify the principal. It is exempt from the consent requirement for statistical use, on the condition that adequate security measures are in place to prevent re-identification.
The amended APPI introduced a new category of personal information, “pseudonymously processed information”. This is information that cannot be used to identify the associated principal without additional information. The PPC has not yet published guidelines for regulating this type of information.
Obligations of Business Operators
Under APPI, Operators have certain obligations when handling the personal information of principals, such as:
- Specify the purpose of utilization of personal information before collecting it.
- Obtain prior explicit consent from users before collecting their sensitive information.
- Make easily accessible details such as the name of the Operator, the purpose of utilization of personal information, a method to correct personal information, and where to complain about the Operator.
- Do not use personal information beyond the stated purpose of utilization.
- Delete personal information once it is no longer necessary for that purpose.
- Do not collect personal information deceitfully or unlawfully.
- Keep personal information accurate and adopt the necessary security measures to keep it safe.
Rights of data subjects
Under APPI, principals have the right to access their personal information, and an Operator must disclose it in writing or, if the principal agrees, via electronic means. The Operator must comply with the request without delay. Under the 2020 amendments, principals also have the right to access the Operator’s record of information transfers to third parties.
The Operator can only deny access if it causes:
- injury to other rights and interests of the principal or any third party;
- a material interference with the Operator’s business operations; or
- violation of other Japanese laws.
Principals also have the right to have their personal information updated, corrected, amended, or deleted, or to have its use ceased. They can request the cessation of use of their personal information if it is used for a purpose other than the one disclosed, or if it was collected deceitfully or unlawfully. If the cessation request is unreasonable, or it would be costly or difficult to carry out, the Operator must take substitute measures. The Operator must notify the principal within two weeks and, if cessation is not possible, explain the reason.
Under the 2020 Amendments, the following provisions relating to principal rights will also apply:
- Right to access the Operator’s record of data transfers to third parties.
- Right to access personal data even if the Operator will delete it within six months.
- Right to require the Operator to stop using personal information or transferring it to third parties if the Operator no longer needs it, in the event of a data breach, or if there is an infringement of the principal’s rights and interests.
- Pseudonymously processed information is not subject to the right of access or cessation.
Data transfers under APPI
Like GDPR, the APPI also regulates data transfers within and outside Japan. For data transfers to third parties within Japan, Operators must obtain prior consent from principals and disclose the purpose of the transfer to them, so that they can opt out if they wish.
For international data transfers, the rules are even stricter. Operators cannot transfer data outside Japan unless:
- they get prior consent from principals;
- the recipient country has data protection standards equivalent to APPI’s; or
- the recipient third party contractually agrees to maintain data protection measures similar to APPI.
Under the 2020 amendments, there are two conditions imposed by the PPC to further strengthen the regulation of data transfers:
- When obtaining consent to a data transfer, the transferring Operator must inform principals of the name of the recipient country and the level of protection offered by that country and by the third party. Without this disclosure, the transfer is deemed illegal.
- Operators must take the necessary action to ensure that the third party continuously implements APPI-equivalent data protection. They must also inform principals, upon request, of the action taken.
Data breach notification
Data breach notification was not a mandatory requirement under the original APPI. With the 2020 amendments, however, Operators are obligated to notify both the PPC and the affected principals of any data breach incident that is harmful to the rights and interests of principals. Notification is not required if the Operator has already taken the necessary measures to protect the rights and interests of principals.
High-risk data breaches include any of the following:
- a breach involving sensitive (‘special care-required’) personal information
- unlawful or unauthorized use leading to financial injury
- a breach caused for a wrongful purpose
- a breach affecting more than 1,000 principals
The breach notification must include:
- the types of personal information affected
- the number of principals affected
- the likely cause of the breach
- the possible damage or risks
- whether and how the breach has been disclosed
- the measures taken to prevent further damage or future risks
- any additional information for reference
Penalty for violating APPI
The PPC does not fine an Operator for violating APPI without first issuing a warning or advice to correct the violation. If the Operator then fails to comply, the PPC may impose penalties of up to JPY 100 million or imprisonment for up to one year.
Principals can approach the courts if the Operator fails to comply with APPI requests within two weeks of notice.
APPI vs GDPR infographic
Here are a few notable differences between APPI and GDPR:
How to make your business comply with APPI
Let’s look at some best practices for making your business comply with the APPI:
- Collect and use personal information only when necessary and only by lawful means.
- Obtain prior consent before collecting sensitive information.
- Disclose details about your business, the types of personal information it uses, and the purpose of that use.
- Provide users with an easily accessible way to exercise their rights.
- Obtain prior consent from users before transferring their data to a third party.
- Provide adequate security for personal information when transferring it to a third party.
- Notify the PPC and affected users in case of a severe data breach.
- Secure your business’s handling of personal information to protect it from data breaches and unauthorized access.
- Appoint a data protection officer (recommended) to monitor and review compliance.
It is safe to say that if you are already GDPR compliant, you will not need to do much more to achieve APPI compliance.