Overview of Japan’s Act on the Protection of Personal Information (APPI)

Published April 26, 2022 / Updated December 13, 2023

Japan’s data protection law, the Act on the Protection of Personal Information (APPI), adopted in 2003, is one of Asia’s first data protection regulations.

The APPI has evolved over the years and received a significant overhaul in September 2015. The data protection law was further materially revised in 2020 and came into force on April 1st, 2022.

The APPI’s recent amendments contain several new provisions for foreign businesses and set out guidelines on how companies conduct business in or with Japan.

Key Definitions

Key definitions under the APPI are as follows:

Data Principal

Data Principal or Data Subject means a specific individual identifiable by personal information.

Personal Information

Information on a living person that can be used to identify that person based on their name, date of birth, identification code, or other characteristics.

Special Care-required Personal Information (Sensitive Information)

Information about an individual’s race, creed, social status, medical history, criminal record, and any crimes an individual has been a victim of.

Pseudonymously Processed Information

The pseudonymously processed information is defined as information relating to an individual, which cannot identify such an individual unless collated with additional information.

Personal Information Handling Business Operators

A personal information handling business operator who uses a personal information database for its business is also known as a personal information controller ('PIC').

Personally Referable Information (PRI)

Personally Referable Information refers to information about a living person that isn't classified as personal information. PRI includes an individual’s web browsing history collected through cookie information, age, gender, email address, purchase history of goods and/or services, location data, or their area of interest.

Who Governs APPI?

The Personal Information Protection Commission (PPC) is the primary regulator to enforce the APPI. The PPC has the following powers:

  • Ensuring the appropriate handling of personal data and specific personal information to protect individuals' rights and interests;
  • Investigating, advising, and enforcing the powers given to it by the APPI and the My Number Act; and
  • Providing information to foreign data protection regulators and, in limited circumstances, allowing that information to be used for criminal investigations overseas.

Who Needs to Comply with the Law

Personal and Material Scope

The APPI applies to the handling of personal information and sensitive personal information of Japanese citizens by the respective PIC. APPI distinguishes between two categories of protected data: personal information and “special care-required” personal information. In this case, handling means the collection (acquisition), retention, use, and transfer of personal information. A PIC's obligations with respect to pseudonymously processed information are relaxed in several aspects.

Territorial Scope

The APPI applies extraterritorially. If an overseas PIC obtains or handles the personal information of a principal (data subject) in Japan in connection with its provision of goods or services, the APPI automatically applies to it. This covers both companies that offer goods and services in Japan from within the country and those that do so from offices outside it.

The recent amendments to the APPI resemble the EU’s GDPR, where Japan’s APPI now has an extraterritorial reach. The previous version of Japan’s data privacy law applied only to businesses with 5,000 identifiable individuals in their database on at least one day during the last six months.

The recently amended APPI has removed this limitation. The new rules expand the APPI’s application scope and now include all businesses that process personal information for business purposes, irrespective of their business size.

Note: The PPC can only offer advice to an overseas PIC. Nonetheless, the PPC may provide data to any foreign regulatory authority for its regulatory compliance purposes.

Which Organizations Are Exempted?

The following organizations are exempted from APPI compliance:

  • Central government organizations
  • Local governments
  • Independent administrative agencies
  • Local incorporated administrative agencies
  • Organizations that fall under the scope of other regulations.

Obligations for Organizations Under APPI

A PIC is required to obtain the principal's consent before acquiring their personal/sensitive personal information. The data subject's consent is required in advance for the following circumstances:

  1. For the handling of personal data beyond the necessary scope to achieve a specified utilization purpose,
  2. Acquiring special care-required personal information (personal information relating to race, creed, social status, medical history, criminal record, etc.) except in certain exceptional circumstances, and
  3. Providing personal data to a third party except in certain exceptional circumstances.

However, the prior consent of the data subject is not required if:

  • The laws or regulations of Japan authorize the data to be collected without consent;
  • Necessary for protecting the life, health, or property of an individual;
  • It is necessary for improving public health and sanitation or promoting the sound upbringing of children, and the data subject’s consent is difficult to obtain; or
  • It is required by public authorities, or by persons commissioned by public authorities, to perform their duties, and obtaining the data subject's prior consent would risk hindering the performance of those duties (e.g., the disclosure is required by police investigating an unlawful act).

According to the 2020 Amendments to the Act on the Protection of Personal Information, cookies cannot be provided to a third party without prior consent. Additionally, under the amended APPI a data provider has a new obligation to confirm the data subject's consent if it anticipates that the submitted information will be acquired by the recipient as personal data. For a detailed understanding of consent requirements under the amended APPI, please visit Consent & Cookies under the Japanese Amended APPI.

When a data recipient acquires consent, it must clearly disclose to the data principal the information needed for the individual to make an informed decision about consent, particularly:

  • Which organization receives the submitted data as personal data,
  • The types of personal information required, and
  • The purpose for which the information will be used after it has been acquired as personal data.

As a general principle, the data recipient who has contact with the data principal should collect the consent. However, a data provider may also acquire consent on behalf of the data recipient only if the data principal’s rights and interests are protected in a comparable manner.

Security Requirements

The APPI requires PICs to ensure the security of the principal’s personal data and to take the necessary security measures to prevent loss, unauthorized access, or leakage of personal data.

Additionally, the PPC stresses that the PIC must exercise mandatory supervision over its employees, contracted entities, or any person(s) who handle the personal data. The PPC has the following guidelines for data security:

  • Have standard operating procedures in place;
  • Establish internal rules;
  • Put organizational security measures in place (e.g., appointing an individual responsible for handling security);
  • Provide security training to the staff;
  • Embed physical security measures within the workplace (e.g., area access control, prevent data leakage from portable devices, non-recoverable deletion of data); and
  • Adopt technological security measures (e.g., system access control; access authorization control (user ID, password, IC card, etc.); prevention of unauthorized access (installation and updating of security software, encryption, access log monitoring); continuous review of system vulnerabilities, etc.).

Data Breach Requirement

In case of a data breach, the amended APPI requires a report to the PPC and notice to the impacted data subjects. If any of the following data breach incidents (including leakage, loss, or destruction of personal information) occurs or is likely to occur, the PIC must notify and submit a report to the PPC:

  1. Data breach containing special care-required personal information;
  2. Data breach that is likely to harm the individuals’ property;
  3. Data breach that is caused by malicious actions (for example, in the case of a ransomware attack); or
  4. Data breach that involves over 1,000 data subjects.

The PPC requires reports to be submitted twice. When a PIC becomes aware of a data breach, it must notify the PPC as soon as possible (preferably within 3-5 days).

After the first report, the PIC must file a second report within 30 days (or 60 days, depending on the type of data breach) of discovering the data breach. In addition to reporting data breaches to the PPC, a PIC must quickly notify each data subject of any events.

Cross Border Data Transfer Requirements

Previously, companies could transfer data to third parties in Japan without obtaining consent if they provided specific information to the PPC and the data subject did not opt out of the transfer after being informed about it. However, the 2020 Amendments limited this opt-out exception for third-party transfers.

A cross-border transfer can be permitted based on either the data subject’s consent or the establishment of a personal information protection system. If a business is transferring the personal data of a principal after receiving his/her consent, the business must provide the following information to the principal when obtaining consent:

  • The name of the country to which the personal data will be exported;
  • The data importer's safeguards to ensure the utmost protection of the principal’s personal information; and
  • The prevailing data protection rules and regulations of the country to which the personal data is being exported. In this regard, the following considerations should be made when determining the specifics of the information to be shared with data subjects:
  1. Whether the country has laws or regulations to protect personal information;
  2. Whether the country has received a GDPR adequacy decision or is a member of the Cross-Border Privacy Rules or other data protection frameworks;
  3. Whether the country's privacy laws and regulations are in line with the OECD's Privacy Principles; and
  4. Additional data privacy-related policies that can significantly impact the interests of the data subject.

In the case of a cross-border transfer based on the establishment of a personal information protection system (e.g., execution of a contract with the data importer to take measures equivalent to the APPI), the APPI requires "necessary measures" to ensure the continued proper handling of personal data by the data importer and the provision of information upon the request of data subjects.

For establishing a personal information protection system for cross-border data transfer, a business can rely on the results of the PPC survey of 31 countries. The PPC has published a report outlining the data protection systems of 31 nations and regions on its website. PICs considering transferring personal data to any of these countries should consult the PPC's list and the associated outlines and draft their disclosures consistently with the report.

If a business or data exporter does not rely on the consent mechanism for the cross-border data transfer, it must do the following:

  • Take the necessary actions to ensure the safety of the data obtained by the data importer;
  • Periodically obtain updates on the exported data, such as its status, how it is being handled, and whether the foreign country has a system in place for the protection of personal information; and
  • Define the measures to be taken if the principal's personal information is mishandled, including ceasing the provision of data.

Vendor Assessment/Third Party Processing Requirements

Under the previous version of the APPI, companies could transfer data to third parties without obtaining the consent of the data principal as long as the company gave the Personal Information Protection Commission (PPC) specific information and the data subject did not object, meaning that there was no record of an opt-out.

The amended version of the APPI now drastically limits the opt-out exception: corporations may no longer continue to transfer personal information under the previous "opt-out" exception, and companies may not transfer personal data gathered through deceptive or inappropriate means.

If a corporation wants to keep transferring that data, it must now get direct consent from the data subject or find a legal basis that allows it to do so.

The APPI’s extraterritorially applicable requirements include regulations governing the disclosure to third parties. Unless an exception occurs, it is generally illegal to transfer personal data to third parties without the prior authorization of the principal.

Since anonymized information no longer constitutes personal information, it may be transferred to a third party without the consent of the original principal. Still, the recipient must be notified that the information is anonymized information.

Under the APPI, the following entities are not regarded as third parties (meaning that the principal's consent is not required for the transfer of personal data (including sensitive information) to such parties):

  • A personal information/data processor;
  • A business that joins the PIC in a merger, a company split, or a business transfer;
  • A business that has been designated to use personal data in conjunction with the PIC.

A transfer of personal data between a Japanese company and its Japanese branch, or between a foreign company and its Japanese branch, is not a transfer to a third party. This is because, in each case, the branch and the corporation are the same legal entity.

Privacy Policy

Under the amendments, no opt-in consent is required before a firm gathers personal information. Instead, the firm must provide notice and choice, in the form of a privacy policy that accurately describes the purposes for which personal information is gathered. The APPI’s extraterritorially applicable duties include making privacy policies public.

Firms operating in Japan, or handling personal information from or situated in Japan, should evaluate and update their privacy policies and procedures to ensure compliance.

Data Subjects Rights

The APPI grants the following rights to the data subjects:

Right to Access

The APPI empowers principals with the right to request a PIC to disclose any retained personal information which can help identify them.

Right to Correction

Under the APPI, principals have the right to request that their personal information be corrected so that it is accurate.

Right to Erasure

Although there is no explicit right to erase the personal data under the APPI, when retained personal information of the principal is mishandled and found to violate the provisions of Article 16 of the APPI, the principal can initiate a request to have their personal data erased.

Right to Object/ Restrict Processing

Under the APPI, principals have a right to demand PICs cease utilizing personal information that can identify them.

Penalties for Non-compliance

If a PIC is found to have mishandled the personal information database handled in the course of its business for the wrongful gain of itself or a third party, the PIC is liable to imprisonment for not more than one year. Additionally, the amended APPI toughens the penalties for non-compliance and for violation of a PPC order, and the maximum fine has been significantly raised from JPY500,000 and JPY300,000 to JPY100 million.

How an Organization Can Operationalize the APPI

To comply with Japan’s APPI, organizations must:

  • Document their data inventories and distinguish personal data and sensitive personal data;
  • Develop formal policies and regularly update the organization’s processes, policies, procedures, and systems to comply with the APPI requirements;
  • Have detailed cross-border data transfer prerequisites in place to avoid any violations;
  • Have a comprehensive data subject requests framework in place;
  • Have technical and organizational security measures in place to protect their processing activities;
  • Conduct personal information protection impact assessments, vendor assessments, and other risk assessments; and
  • Adopt Privacy by Design principles to comply with local and international data protection laws and regulations.

How Can Securiti Help

Data is sprawling across multiple data points with little to no safeguards in place. More and more organizations are becoming privacy-conscious of their data handling processes and responsible guardians of their consumers' data, all while automating privacy and security operations for swift action.

With a growing database of users and potential users, organizations need to incorporate robotic automation to operationalize compliance without missing out. While multiple services offer software that enables companies to comply with global privacy regulations, those solutions only go as far as possible with various restrictions or elementary data-driven functions.

Securiti binds reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with Japan’s APPI and other privacy and security regulations worldwide. See how it works. Request a demo today.

Frequently Asked Questions (FAQs)

In 2003, Japan adopted a data protection law, the Act on the Protection of Personal Information (APPI), one of Asia’s first data protection regulations. APPI was subsequently revised in 2015 and 2022. The APPI applies to individuals or entities engaged in handling personal information as part of their business operations. In this context, 'business' refers to activities conducted repeatedly for a specific purpose.

The APPI protects privacy in Japan and applies to the handling of personal information and sensitive personal information of Japanese citizens by the respective personal information controller (PIC). In case of any violation of the requirements of the APPI, organizations face hefty fines and, in some cases, imprisonment as well.

Japan's APPI and the EU’s GDPR differ in scope, definitions, and requirements, but they share common principles for protecting personal data. Japan APPI is the federal law of Japan, however, GDPR is the regulation applicable to the European Union.

No, Japan is not part of the European Union, so GDPR does not apply directly. Japan has its own data protection law.
