IDC Names Securiti a Worldwide Leader in Data PrivacyView
Japan’s data protection law, the Act on the Protection of Personal Information (APPI), adopted in 2003, is one of Asia’s first data protection regulations.
The APPI has evolved over the years and received a significant overhaul in September 2015. The data protection law was further materially revised in 2020 and came into force on April 1st, 2022.
The APPI’s recent amendments contain several new provisions for foreign businesses and pave guidelines regarding how companies conduct business in or with Japan. Key Definitions
Key definitions under the APPI are as follows:
Data Principal or Data Subject means a specific individual identifiable by personal information.
Information on a living person that can be used to identify that person based on their name, date of birth, identification code, or other characteristics.
Information about an individual’s race, creed, social status, medical history, criminal record, and any crimes an individual has been a victim of.
The pseudonymously processed information is defined as information relating to an individual, which cannot identify such an individual unless collated with additional information.
A personal information handling business operator who uses a personal information database for its business is also known as a personal information controller ('PIC').
Personally Referable Information refers to information about a living person that isn't classified as personal information. PRI includes an individual’s web browsing history collected through cookie information, age, gender, email address, purchase history of goods and/or services, location data, or their area of interest.
The Personal Information Protection Commission (PPC) is the primary regulator to enforce the APPI. The PPC has the following powers:
The APPI applies to the handling of personal information and sensitive personal information of Japanese citizens by the respective PIC. APPI distinguishes between two categories of protected data: personal information and “special care-required” personal information. In this case, handling means the collection (acquisition), retention, use, and transfer of personal information. A PIC's obligations with respect to pseudonymously processed information are relaxed in several aspects.
The APPI applies to extraterritorial businesses. If an overseas PIC obtains or handles the personal information of a principal (data subject) in Japan about its provision of goods or services, the APPI would automatically apply to them. This refers to both companies that offer goods and services in Japan and are located within the country and those with offices outside it.
The recent amendments to the APPI resemble the EU’s GDPR, where Japan’s APPI now has an extraterritorial reach. The previous version of Japan’s data privacy law applied only to businesses with 5,000 identifiable individuals in their database on at least one day during the last six months.
The recently amended APPI has removed this limitation. The new rules expand the APPI’s application scope and now include all businesses that process personal information for business purposes, irrespective of their business size.
Note: The PPC can only offer advice to an overseas PIC. Nonetheless, the PPC may provide data to any foreign regulatory authority for its regulatory compliance purposes.
The following organizations are exempted from APPI compliance:
A PIC is required to obtain the principal's consent before acquiring their personal/sensitive personal information. The data subject's consent is required in advance for the following circumstances:
However, the prior consent of the data subject is not required if:
According to the 2020 Amendments to the Act on the Protection of Personal Information, cookies cannot be provided to a third party without prior consent. Additionally, a data provider will have a new requirement under the amended APPI to confirm a data subject's consent if it anticipates the submitted information as personal data. For a detailed understanding of consent requirements under amended APPI, please visit Consent & Cookies under the Japanese Amended APPI.
When a data recipient acquires consent, it must clearly disclose to the data principal the information needed for the individual to make an informed decision about consent, particularly:
As a general principle, the data recipient who has contact with the data principal should collect the consent. However, a data provider may also acquire consent on behalf of the data recipient only if the data principal’s rights and interests are protected in a comparable manner.
The APPI stresses PICs to ensure the utmost security of the principal’s personal data and take the necessary security measures to avoid loss, unauthorized access, or leakage of personal data.
Additionally, the PPC stresses that the PIC must exhibit mandatory supervision over its employees, entities, or any person(s) who handle the personal data. The PPC has the following guidelines for data security:
In case of a data breach, amended APPI requires a report to the PPC and notice to impacted data subjects. If any of the following data breach incidents (including leakage, loss, or destruction of personal information) occurs or is likely to occur, PICs must notify and submit a report to the PPC:
The PPC requires reports to be submitted twice. When a PIC becomes aware of a data breach, it must notify the PPC as soon as possible (preferably within 3-5 days).
After the first report, the PIC must file a second report within 30 days (or 60 days, depending on the type of data breach) of discovering the data breach. In addition to reporting data breaches to the PPC, a PIC must quickly notify each data subject of any events.
Companies may previously transmit data to third parties in Japan without obtaining consent if they gave specific information to the PPC and that the data subject did not opt-out of the transfer of their data after being informed about it. However, the opt-out exception for third-party transfers was limited by the 2020 Amendments.
A cross-border transfer can be permitted based on either the data subject’s consent or the establishment of a personal information protection system. If a business is transferring the personal data of a principal after receiving his/her consent, the business must provide the following information to the principal when obtaining consent:
In the case of a cross-border transfer based on the establishment of a personal information protection system (e.g., execution of a contract with the data importer to take measures equivalent to the APPI), the APPI requires "necessary measures" to ensure the continued proper handling of personal data by the data importer and the provision of information upon the request of data subjects.
For establishing a personal information protection system for cross-border data transfer, a business can rely on the results of the PPC survey for 31 countries. The PPC has published a report outlining the data protection systems for 31 nations and regions on its website. PICs considering transferring personal data to any of these countries should consult the PPC's list and associated outlines and create descriptive language compliance with the report.
If a business or a data exporter does not rely on the consent mechanism for the cross border data transfer, then it must do the following:
Companies could transfer data to third parties without obtaining the consent of the data principal under the previous version of the APPI as long as the company gave the Personal Information Protection Commission (PIPC) specific information and the data subject did not protest, meaning that there was no record of opt-out.
The amended version of the APPI now drastically limits the opt-out exceptions by prohibiting corporations from continuing to transmit personal information following the previous "opt-out" exception and not permitting companies to transfer personal data gathered through deceptive or inappropriate techniques.
If a corporation wants to keep transferring that data, it must now get direct consent from the data subject or find a legal basis that allows it to do so.
The APPI’s extraterritorially applicable requirements include regulations governing the disclosure to third parties. Unless an exception occurs, it is generally illegal to transfer personal data to third parties without the prior authorization of the principal.
Since anonymized information no longer constitutes personal information, it may be transferred to a third party without the consent of the original principal. Still, the recipient must be notified that the information is anonymized information.
Under the APPI, the following entities are not regarded as third parties (meaning that the principal's consent is not required for the transfer of personal data (including sensitive information) to such parties):
Personal data cannot be classified as a transfer to a third party when transferred between a Japanese company and its Japanese branch or between a foreign company and its Japanese branch. This is because the branch and the corporation are the same legal entity in each situation.
Firms operating in Japan, or handling personal information from or situated in Japan, should evaluate and update their privacy policies and procedures to ensure compliance.
The APPI grants the following rights to the data subjects:
The APPI empowers principals with the right to request a PIC to disclose any retained personal information which can help identify them.
Under the APPI, principals have the fundamental right to initiate requests to ensure their personal information is accurate and not incorrect.
Although there is no explicit right to erase the personal data under the APPI, when retained personal information of the principal is mishandled and found to violate the provisions of Article 16 of the APPI, the principal can initiate a request to have their personal data erased.
Under the APPI, principals have a right to demand PICs cease utilizing personal information that can identify them.
If a PIC is found to mishandle the personal information database handled in the course of the business for wrongful gain for themself or a third party, the PIC will be liable to imprisonment for not more than one year. Additionally, the amended APPI toughens the penalties for non-compliance and for violation of a PPC order, and the maximum fine has been significantly raised from JPY500,000 and JPY300,000 to JPY100 million.
To comply with Japan’s APPI, organizations must:
Data is sprawling across multiple data points with little to no safeguards in place. More and more organizations are becoming privacy-conscious of their data handling processes and responsible guardians of their consumers' data, all while automating privacy and security operations for swift action.
With a growing database of users and potential users, organizations need to incorporate robotic automation to operationalize compliance without missing out. While multiple services offer software that enables companies to comply with global privacy regulations, those solutions only go as far as possible with various restrictions or elementary data-driven functions.
Securiti binds reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with Japan’s APPI and other privacy and security regulations worldwide. See how it works. Request a demo today.
In 2003, Japan adopted a data protection law, the Act on the Protection of Personal Information (APPI), one of Asia’s first data protection regulations. APPI was overhauled in September 2015 and further materially revised in 2020. The revisions came into force on April 1st, 2022.
The APPI protects privacy in Japan and applies to the handling of personal information and sensitive personal information of Japanese citizens by the respective personal information controller (PIC).
Japan's APPI and the EU’s GDPR differ in scope, definitions, and requirements, but they share common principles for protecting personal data.
No, Japan is not part of the European Union, so GDPR does not apply directly. Japan has its own data protection law.
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.
300 Santana Row
San Jose, CA 95128