Introduction to the APPI
While the European Union’s GDPR is perhaps the best known of the international privacy laws, it is by no means the first. Japan’s Act on the Protection of Personal Information (Act No. 57 of 2003), or APPI, was passed in 2003, 15 years before the GDPR came into effect.
The APPI is no artifact, however. Like Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which came into effect in 2000, it has been overhauled and updated multiple times to reflect changing society and technology. In fact, there is now a legal requirement for it to be updated regularly, the most recent round of amendments having passed in 2020.
Japan’s data privacy law bears some similarities to laws like the GDPR or Brazil’s LGPD. But there are similarities to the state-level laws in the United States as well, particularly with regards to its extraterritorial scope and various consent requirements regulating handling of specific categories of personal information.
What is Japan’s Act on the Protection of Personal Information?
Japan’s APPI is a federal personal information protection law to regulate the handling of personal information by individuals and organizations, including government agencies, businesses, and nonprofits. The Act is overseen by the Personal Information Protection Commission (PPC), an independent administrative body founded in 2005, after the APPI had been in effect for two years.
The APPI requires organizations that want to collect personal information to obtain consent from individuals prior to collecting, using, or sharing it, but only in certain cases, such as when the information is sensitive or is to be transferred to a third party or outside of Japan. More in line with laws in the US, in many cases the APPI does not require consent for the collection or use of personal information that is not sensitive or that meets other criteria.
The Act has some requirements for security measures to be taken to protect all personal information that has been collected. Overall, however, it is less rigid than many laws about things like specific required actions in the case of a data breach. The most recent amendment to the APPI is changing that, and such requirements are likely to continue to evolve.
Scope of the Act on the Protection of Personal Information
The original version of the APPI, which came into effect in 2003, applied only to business operators that, during the preceding six months, had a database with personal information of at least 5,000 identifiable individuals.
With the most recent amendment, however, that limitation has been removed. All business operators that process personal information for commercial purposes are subject to the APPI, regardless of how many individuals’ personal information they process.
Extraterritoriality of the Act on the Protection of Personal Information
The APPI applies to any “personal information controllers” (PIC) that collect or use the personal information of Japanese citizens. It does not matter if the company or other organization is based in Japan or not, as the law applies extraterritorially. The APPI does specifically apply to the processing of personal information for business or commercial purposes, and there are a variety of exempt groups and uses, including government, journalism, etc.
Cross-border data transfers
The most recent amendments to the APPI in 2020 introduced additional regulation of cross-border transfers of information. Businesses subject to the scope of the Japanese law now have to obtain individuals’ informed opt-in consent prior to transferring their personal information outside of Japan, or, along with the foreign entity receiving the personal information, establish a “personal information protection system”.
As part of the personal information protection system, the business transferring personal information outside of Japan must execute a contract with the receiving entity in the foreign country. The contract lays out the security and data protection measures the recipient must follow, in accordance with APPI requirements, and so provides a guarantee of compliance.
For opt-in consent to cross-border transfers to be valid, individuals must be informed of:
- privacy and data protection regulations in the country to which personal information is being transferred
- security measures implemented and maintained by the business to ensure protection of personal information
- any other information deemed relevant by the Personal Information Protection Commission (PPC)
If personal information is transferred again to a third party in the foreign country, the originating PIC must ensure that any such third party complies with the PIC’s original security and privacy measures.
Definitions and relevant parties
Data subject
An individual who is the subject (and often source) of personal information.
Personal information
Under Japan’s data privacy law, personal information (the same as “personal data” in some other laws) includes any information that can be used to identify a living individual, either via a single data point or from combined data points. It includes information in both digital and physical forms, and information that is either manually processed or subject to automated processing.
Examples include data like name, email address, or date of birth, but it also applies to information containing or linked to an “Individual Identification Code”, a separate category that includes numbers, codes, or symbols that are generated by computer and used for identification. This could include a wide range of information, from a unique identifier like a database ID for an individual’s record, to a fingerprint scan.
Opt-in consent is not required before PICs collect this type of information, unless it is to be transferred cross-border. However, PICs must provide notice about what information is collected and for what purpose. They must also enable consent choices.
Sensitive personal information
Like a number of other recent privacy laws, the APPI has added clarification in its most recent amendment for sensitive personal information, also referred to as “special care-required personal information”. This refers to personal information that could be used for discrimination or to cause other harm if misused. This includes information like race, medical or health information, criminal record, credit history, etc.
The APPI’s definition leans more toward social and ethnic information than some other laws, and does not include details like financial, biometric and/or location information.
Personal-related information
Introduced in the most recent amendment, personal-related information is information that relates to an individual but is not identifying enough to be considered personal information on its own (although it could be if combined with other data), and not generic enough to be considered pseudonymous or anonymous information.
Opt-in consent is not required before entities collect personal-related information either. However, PICs must provide notice about what information is collected and for what purpose. They must also enable consent choices.
Personal data
Personal information that is contained in a database (“Personal Information Database”, electronic or otherwise) that enables the personal information in it to easily be retrieved.
Pseudonymously processed information
Personal information that has been processed in a way that prevents the data subject from being identified from that data alone. This is different from “anonymized information”, where the generally accepted understanding is that the data subject could not be identified even in combination with other information. With pseudonymously processed information, a data subject could be identified if that data were combined with other information.
Personal information controllers (PIC)
A business operator that uses a Personal Information Database for business operations. Also sometimes shown as “business operator handling personal information”.
Interestingly, “data processor”, while a common term in other privacy laws, is not specifically defined in the APPI. It does, however, refer to entities entrusted with handling of personal data on behalf of the PIC within a specific scope of use to achieve a specific, defined purpose, e.g. advertising, mailing services, etc.
Conditions for valid consent under Japan’s Act on the Protection of Personal Information
The personal information controller must notify data subjects of the “purpose of utilization” prior to the collection of personal information. The PIC must obtain consent prior to collection if the personal information is sensitive, will be transferred cross-border, and/or if the data is to be transferred to a third party, though there are some exceptions to that requirement.
These requirements place the APPI a bit closer to the US laws than to the EU’s GDPR, in that it does not require consent prior to the collection of non-sensitive personal information, but in many cases only notification and the option to opt out. Unlike the GDPR, the APPI does not use legal bases, such as consent or legitimate interest, to justify data collection.
Recent amendments to the Act on the Protection of Personal Information
2015 amendment of the Act on the Protection of Personal Information
The most notable changes with the 2015 amendment, which came into force in May 2017, were the establishment of the Personal Information Protection Commission (PPC) and the introduction of the requirement that the APPI has to be reviewed every three years. Extraterritorial application of the APPI was expanded as well.
2020 amendment of the Act on the Protection of Personal Information
The 2020 amendment came into effect in 2021-22 and included clarifications about personal information with regard to its ability to identify an individual, i.e. “person-related” rather than personal information, as well as pseudonymous information. It introduced a prohibition on PICs using personal information to potentially facilitate illegal or inappropriate acts. It added further clarification regarding extraterritoriality, introduced the requirement for user consent prior to the transfer of personal information to third parties, expanded the functions of the PPC, and introduced stricter penalties for violations.
What are the personal rights under Japan’s Act on Protection of Personal Information?
Data subjects have the right to access the data that personal information controllers have about them, in writing, in a timely manner. This includes the record of data transfers to third parties, but not pseudonymously processed information. Access can be denied if it:
- risks safety or injury to the data subject or any third party or their property
- would cause a material interference with the PIC’s business operations
- would violate any other Japanese law that would prohibit disclosure
- would endanger national security or foreign relations
- would obstruct criminal investigations
Data subjects have the right to have their data revised, corrected, amended, or deleted. If a request for revision isn’t addressed within two weeks of being made, a data subject can force this to be done via civil action.
Data subjects have the right to require PICs to stop using their personal data or transferring it to third parties if the PIC is using the data for a purpose other than the one(s) stated or if the data was fraudulently obtained. This right also applies if the PIC no longer needs to use the data, a data breach has occurred, or if there is an allegation of infringement of the data subject’s rights or interests.
This right also does not cover pseudonymously processed information, and a PIC can only refuse a request to cease using personal data if the request is unreasonable or would be unreasonably costly or difficult to comply with, like recalling materials already distributed.
PICs must notify data subjects without delay if their request(s) have been addressed, or, if not, the reasons why, to the best of their ability.
What are the exemptions to Japan’s Act on Protection of Personal Information?
The Japanese law applies to both individuals and organizations, like commercial businesses, but only with regards to the handling of personal information in the course of doing business. “Business”, then, is defined as repeated activities for a particular purpose, and considered business under social conventions. While often for profit, it does not have to be, and the APPI does include nonprofit entities.
Press, professional writing/journalistic activities, academic, and political activities are all exempt from the APPI, so this would include broadcasters, newspaper publishers or other press organizations, universities or other academic institutions, religious institutions, and political parties. Government organizations, both federal and local, are also exempt, as are administrative agencies.
What are the penalties for noncompliance with Japan’s Act on Protection of Personal Information?
As of the 2020 amendment to the APPI, penalties were increased to a maximum of 1 million yen for individuals (around €7,000) or 100 million yen for businesses (around €700,000), though fines for breaches can vary depending on the violation’s severity, scope, etc.
Revenue-based fines, such as the GDPR outlines (e.g. 4% of a company’s global annual turnover) were considered but not ultimately included because fines have only been marginally covered in the APPI previously.
Who manages enforcement of Japan’s Act on Protection of Personal Information?
The Personal Information Protection Commission Japan (PPC) was introduced with the APPI amendment in 2005, and it is the primary advisor, investigator, and enforcer for Japanese data and privacy protection. Its main responsibilities and powers are:
- ensuring appropriate handling of personal information per APPI requirements to protect individuals and their personal information
- receiving reports of data breaches and initiating investigation
- initiating investigations of PIC activities, including of information controllers of anonymized data or individuals
- issuing orders and providing advice to PIC if there is suspicion or allegation of a rights infringement
- requiring PIC to provide reports, documentation, etc. in the course of investigations
- providing information to foreign data protection regulators
- allowing information to be used for overseas criminal investigations in a limited capacity
- delegating investigative powers to a relevant minister in limited circumstances
Data breach notifications
The requirements of Japan’s APPI with regard to data breaches and breach protocols are a bit less strict than those of many other countries’ laws. It is generally left to PICs to decide on specific actions case by case, though the law does set out best-practice principles for these events. The most recent amendment has added some more legal requirements as well.
Legal requirements or not, poor handling of a data security incident can have a significant effect on a company’s reputation, revenues, partnerships, customer relationships, and more, so the motivation to handle such incidents quickly, thoroughly, and professionally remains valid in any country.
If there is a breach at/by a third party engaged by the PIC, e.g. the data processor, obligations for notification and remediation of the incident fall on the PIC.
The APPI has Data Loss Guidelines covering the destruction, damage, or leakage of personal information, or the likelihood of any of those taking place. Again, these are best practices rather than legal requirements:
- report the incident within the PIC
- investigate the cause and relevant information about the incident
- identify the PIC’s affected systems
- identify the data subjects affected
- take steps to prevent the damage to data subjects or affected third parties from becoming any worse
- plan and implement measures promptly to prevent a recurrence or other incidents due to the security vulnerability that allowed the initial incident
- notify potentially affected data subjects, unless:
  - the affected data is encrypted at a high level
  - information about the incident is made available to data subjects, with the goal of preventing further damage to them or relevant third parties
- publicly announce relevant information about the incident and measures taken to prevent a recurrence
- notify the PPC promptly (done via web form), unless:
  - the data involved is encrypted
  - the data has been recovered by the PIC prior to being accessed by third parties
  - there is no risk of individual identification or harm to data subjects from the affected data
  - the incident was internal to the PIC only and no data was leaked externally
  - the leakage was insignificant and unlikely to cause harm
Note that with the most recent amendment, breaches must be reported to the Personal Information Protection Commission if the breach included:
- more than 1,000 individuals’ personal information
- sensitive information
- financial information that could result in significant economic losses
- malicious intent, i.e. the attack was for an “unjust purpose” like ransomware
There are also further notification requirements, with specified timelines, for breaches meeting certain criteria.
Data Protection Officers
Unlike some other laws that require the appointment of a data protection officer (DPO) under many circumstances, the APPI does not specifically include this or a similar requirement. However, doing so may help with the requirements of the Act’s General Guidelines, which do require implementing and maintaining adequate security measures for the handling of personal information. A noted example of such a security measure is the “appointment of a person in charge of the handling of Personal Information and the definition of the responsibilities of the person”, which sounds a fair bit like a DPO.
Under the APPI, whether various security measures are mandatory depends on the potential degree of risk or damage that could be suffered by data subjects in the event of a breach, as well as the size and nature of the business and the nature and volume of data handling. This is a common stipulation and these considerations also tend to inform penalties for violations.
Some industries have their own guidelines and qualifications for such roles, as do individual organizations, which are not required by the law or acknowledged with any certification, but are intended to enhance data privacy.
Act on Protection of Personal Information and consent management
The APPI requires notification of data subjects prior to the collection of their personal information. It does not require consent in all cases, but does in several significant ones, and does require an opt-out option even when explicit consent isn’t needed for data collection. Both notification and consent options are what a consent management platform is for.
Users will be clearly informed about how their data will be collected and used, and this information kept up to date. Users will have consent options, and their preferences will be securely stored and can be updated over time. Valuably, these functions are automated, which is extra useful for a law like the APPI that is so frequently updated.
Conclusion
As with a number of other laws, companies that are already GDPR-compliant will be well positioned for APPI compliance, even going beyond what’s required in some ways. Consent may not be required prior to data collection in as many cases, but along with notification it remains important, and should be considered a best practice, even if not a defined legal basis.
The APPI’s cross-border data transfer requirements are more in-depth than with some laws, so if that is relevant, which it is for many companies online, that information should be reviewed carefully.
Good data security practices like up-to-date encryption and systems and limiting data/system access and transfers are always a good idea. While appointing a data protection officer isn’t always required, on many fronts having a qualified data security professional to oversee these operations and initiatives will both help achieve compliance and strengthen PICs’ data protection strategies.
The requirement to review the APPI every three years provides companies with a reliable timetable for reviewing their data security operations and compliance, both for that law and for others. It does create an additional maintenance burden on companies, increasing the value of automated tools like a consent management platform (CMP). Amendments to the APPI in recent years have focused on improvements that are now being seen across industries, like a greater focus on consent.
Do you have questions about what you need to do to comply with the APPI or multiple regulations? Or concerns about how to ensure your organization meets its responsibilities to customers and users? We’re here to help. Talk to one of our experts today.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel regarding data privacy and protection issues and operations.