What is the APPI?
The Act on the Protection of Personal Information (APPI) is Japan’s main data protection law, enforced by the Personal Information Protection Commission (PPC). It was originally written in 2003 but is formally reviewed every three years to identify rules that need tightening or clarifying. This often leads to revisions of the law, sometimes substantial.
For example, the 2017 revisions removed an exemption for people and businesses that handled data about 5,000 people or fewer. They also created a new category of “special care” data with extra protection.
The most recent revisions passed Japan’s parliament in 2020 and take effect from 1 April 2022. The main changes are:
- To remove any restrictions on the APPI applying outside of Japan.
- To require businesses to disclose when they send data outside of Japan and to take steps to make sure it remains protected.
- To extend the law’s reach to cover pseudonymously processed data.
- To require mandatory of data breaches meeting certain characteristics. These include breaches that involve sensitive data; data covering more than 1,000 people; and suspected cyberattacks or other criminally-motivated breaches.
The law is enforced by the Personal Information Protection Commission (PPC).
What Are the APPI’s Goals?
Although the APPI was one of the earliest national data protection laws, it arguably takes a softer touch approach than some similar laws, particularly in its original form.
For example, with most personal data, the APPI’s emphasizes businesses keeping data secure and informing data subjects about handling, rather than having to get permission or use another legal justification to handle data.
The penalty regime arguably puts more emphasis on public standing and “doing the right thing” than force and punishment. For example, fines rarely follow a breach itself. Instead, the PPC has the power to order a business to take actions or make changes after a breach and it’s the failure to comply with this order that leads to financial penalties.
Those penalties are punitive, rather than monetary–the idea of the business paying compensation to customers (for example after a data breach) is a strong cultural expectation rather than something forced by law.
What Rights Does the APPI Establish for Data Subjects?
Japan has an established general right to privacy, which the APPI aims to uphold and strengthen. It also specifically gives data subjects the following rights:
- To access (know about) the personal information a business handles about them and to get a copy of the information.
- To correct any errors in the information. There’s no specific right to have information deleted unless this is the only way to correct an error.
- To demand a business stop handling any data that was obtained in a way that breached the APPI.
- To complain to the PPC about alleged breaches of the APPI.
There’s no specific right to restrict data handling or to object to either marketing itself or using personal information for marketing. A separate law restricts the ways you can send unsolicited emails.
What is the Scope of the APPI?
The APPI addresses individuals or businesses handling the personal information of people in Japan in a business context.
The APPI applies to cases of handling personal information. Handling is interpreted the same way as “processing” in laws such as the GDPR and covers any use of personal information, including collecting, holding, and transferring to a third party.
With the 2020 update, the rules vary slightly where some steps have been taken to anonymize data. Data is classed as “pseudonymously processed” when it has been stripped of any information that directly identifies a person or could cause financial risk if exposed (such as credit card numbers.) Once data is pseudonymous:
- Businesses can use the data for a purpose other than the originally stated reason for handling it.
- The data breach notification rules don’t apply.
- The right of the data subject to access or correct the data don’t apply.
The APPI classifies data as completely anonymized if there’s no way it could be linked to an individual, even when combined with other data. Anonymized data is exempt from all the APPI’s measures. However, businesses should publicly detail the types of information they handle in an anonymized form.
The APPI applies to anyone who handles personal information about somebody in Japan in a business context.
For a business based outside of Japan, the rules have changed with the 2020 revision. Under the new rules, the APPI applies if the overseas business handles personal information about somebody in Japan and:
- that person is their customer; or
- that person is a director or employee of a Japanese company that is a customer of the overseas business.
Does My Organization Need to Comply?
Where both the material and territorial scope apply, you will normally need to comply with the APPI even if you are outside of Japan. The main exemptions are for handling data in a non-business context such as journalism, academic activity, or politics.
What are the Consent Management Requirements of the APPI?
The consent rules vary depending on the type of information and how you handle it.
For ordinary personal information, you don’t need consent to handle the information. Instead, the APPI’s main requirement is that you tell people how and why you will use their data before you collect it.
You do need consent before passing data on to a third party. The limited exceptions to this principle are:
- A law says you must.
- It’s necessary to protect somebody’s health or life and the data subject can’t give consent. (For example, accessing medical records of somebody who is unconscious.)
- For public health reasons.
- It’s necessary for government activity and getting consent would impede that activity.
Alternatively, you can work on an opt-out basis. To so do you must tell the person about the planned transfer, including what data is involved and who will get it. You must then give a reasonable period for the person to opt-out and then only proceed if they don’t exercise the opt-out,
You cannot use the opt-out basis for the special care category detailed below. Unless one of the exceptions applies, you’ll need active consent.
You also need consent before collecting data in the “special care required” category. This covers information including:
- Criminal records.
- Medical history.
- Marital Status.
- Religious Beliefs.
If you are unsure if data falls into this category, follow the guiding principle that it’s intended to cover any data that, if exposed, could lead to discrimination or prejudice.
The only exceptions that let you can acquire data from this category without consent are:
- The same four exceptions that allow third-party transfers (legal requirement, protect life, public health, government activity).
- Either the person or a government body has already made the information public.
There’s no exception for GDPR-style “legitimate interests.”
You will normally need consent to transfer somebody’s data outside of Japan. This applies to both ordinary and “special care required “information
The only exception is if you are transferring it to a country which the PPC has deemed to have an equivalent level of data protection as the APPI.
The only exception is if you are transferring it to a country which the PPC has deemed to have an equivalent level of data protection as the APPI. At the time of writing this is limited to the European Union and the United Kingdom.
Key Differences between APPI and GDPR
While the GDPR has largely remained unchanged since it took force, the APPI has gone under a few major updates since it was first introduced way back in 2003. The most significant update was in 2017 when the law was overhauled with changes to both rules and enforcement to bring it up to par with the then-upcoming GDPR, both to provide data adequacy for cross-border data transfers with the EU, and to bolster the privacy protections and rights of Japanese citizens.
The APPI covers any business that handles the personal data of people who are in Japan. It doesn’t matter where the business is based, or where the processing happens. Since the 2017 review, it no longer matters how many people’s data you handle.
The GDPR applies to any organization that meets any of three criteria:
- The organization has a presence (such as a local office or company) in the European Union.
- The data subject (the person the data is about) is in the EU.
- The processing physically happens in the EU, for example in a data center.
The GDPR has slightly different rules for data controllers (who decide what processing happens and how) and data processors (who do the processing in line with a data controller’s instructions.) The APPI doesn’t make this distinction.
Breach Disclosure Rules
The APPI now requires businesses that suffer specific types of data breaches to notify both the affected data subjects and the Personal Information Protection Commission, Japan’s data protection enforcement body. Data breaches that require notification are those that:
- Involve sensitive personal data.
- Pose a risk to property.
- Are likely to have been undertaken deliberately for a malicious or improper purpose (such as a cyberattack.)
- Involve more than 1,000 data subjects.
Businesses must make an initial notification as soon as practical and must then file a full report within 30 days (or within 60 days in “improper cause” situations.)
The GDPR dictates that businesses must report any and all data breaches—unless they are unlikely to risk people’s “rights and freedoms.” Businesses must notify the supervisory authority (the data protection agency in the relevant country) as soon as possible once they discover a breach. If a business takes more than 72 hours to disclose a breach it must explain why to the national data protection authority.
Businesses must also directly tell the data subjects about the breach if it has caused a “high risk” to their rights and freedoms. There are exemptions to this rule if measures to significantly mitigate this risk (such as the breached data being encrypted) are in place, or if businesses can inform people just as effectively through public communications such as a media statement.
Both laws have different rules for ordinary personal data and more sensitive data. This is known as “special care required personal information” under the APPI and “special category data” under the GDPR.
The types of data that fall into these categories are largely similar, with examples including medical history and religious beliefs. Some data is only covered by one law, such as marital status in APPI and details of a person’s sex life under the GDPR. With both laws, the principle is to have stronger protection for data that could lead to prejudice or discrimination.
Consent and Legal Basis for Processing
Unlike the GDPR, the APPI doesn’t have significant restrictions on the processing of ordinary personal data, though data subjects do have the right to ask what data you process and your reasons for doing so.
The APPI does restrict the processing of “special care required” data. Consent is required to process these categories of data. In very limited circumstances you can process this data without consent, such as when fulfilling a contract with the data subject or acting in the public interest. The law doesn’t allow for data processing based on “legitimate interest”.
Under the GDPR, processing (of both ordinary or sensitive personal data) is only lawful when you can point to one of six lawful bases. The most appropriate for businesses are:
- You have the data subject’s consent. (This must be consent in advance of the processing and the data subject has the right to withdraw it.)
- You are pursuing legitimate interests (such as your core business activity) and these outweigh the data subject’s rights. Generally, this only applies for processing the data subject could reasonably have expected you to do and that doesn’t have a significant effect on their privacy.
Other lawful bases include fulfilling a contract with the data subject, processing acting in the public interest, and protecting somebody’s vital interests (in other words, their life.)
Penalties for Noncompliance
Breaching the APPI does not usually directly lead to a penalty in itself. Instead, penalties follow a failure to comply with an order by the Personal Information Protection Commission to improve your data practices, particularly after a breach. Institutional penalties are also much lower than those put forth by the GDPR, while individual penalties are much harsher. The maximum penalty is now one year in prison and a one million yen fine for any of the following:
- An individual who is responsible for the breach.
- The director of the business.
- The person who is responsible for APPI compliance at the business.
The business itself can be fined up to 100 million yen, roughly $900,000 USD. There’s also a cultural expectation that businesses will pay damages to data subjects affected by a breach, though the data subjects do have the right to sue if this doesn’t happen.
The GDPR has two categories of maximum penalties for non-compliance. For lesser offenses, which generally involve procedural failings, the maximum is €10 million or two percent of your worldwide turnover, whichever is bigger. For more serious offenses, which generally involve breaching the GDPR’s key principles, the maximum is €20 million or four percent of your worldwide turnover, whichever is bigger.
If your organization is already GDPR compliant, you aren’t far from compliance with the APPI, but you should review your data privacy processes and consent management to ensure that:
- You gather consent to process sensitive data including marital status.
- You are not relying on “”legitimate interests”” to process sensitive data.
- You are ready to notify data subjects promptly after any breach.
- You are ready to prepare a full report for the Personal Information Protection Commission within 30 days of a breach.
Stay Out of Regulators Crosshairs with Consent Management
CHEQ offers organizations a solution to help maintain full website compliance with the APPI, GDPR, CCPA, LGPD, and many more laws and frameworks.
With CHEQ Privacy, you can set up customizable consent banners for and give your customers a clear-cut choice on how their data is used, or whether it is collected at all.
You can also use CHEQ Privacy to perform a full audit of your website—up to 5000 pages—so you can understand which cookies and tracking technologies are in use and identify potential security or compliance issues.
Request a demo today to see how CHEQ Privacy can help your organization stay compliant with evolving regulations worldwide.