The Japan Act on the Protection of Personal Information (APPI) is a legal provision designed to protect the personal data of Japanese citizens. The APPI sets out the key obligations for how businesses and organizations must protect, store, and manage the data they collect.
In this guide, we'll take a closer look at what the APPI is and to whom it applies. We'll also provide some actionable tips for how you can ensure your own business complies with the obligations set forth in the APPI.
What is the Japan Act on the Protection of Personal Information (APPI)?
The APPI is Japan's primary data protection legislation that was originally enacted in 2003 and was later amended in 2016 and 2020, with the latest version coming into full force on 1 April 2022.
The APPI establishes the obligations by which all business operators that handle the personal data of individuals in Japan must abide. The APPI applies to both manual and electronic records.
Similar to Europe's General Data Protection Regulation (GDPR), the APPI has extra-territorial reach. This means that the obligations under the APPI apply to any business or organization that processes the personal data of Japanese citizens no matter where the business or organization is located.
How Has the Japan Act on the Protection of Personal Information (APPI) Changed?
The APPI has gone through two major changes since its enactment.
After a series of significant data breaches, the APPI went through a complete overhaul in 2016 (with the amendments taking effect in 2017). Prior to the 2016 amendment, the APPI applied only to business operators that held the data of more than 5,000 persons on any given day within the prior six months. This threshold was eliminated by the 2016 amendment.
The 2016 amendment also established a new regulatory body called the Personal Information Protection Commission (PPC). The PPC is an independent agency whose responsibilities include protecting the rights and interests of individuals in Japan and interpreting and applying the APPI.
In 2020, the APPI was amended again with a focus on increasing the severity of penalties for non-compliance. It also included other important amendments such as limiting the information that can be provided to third parties without prior consent and making the notification of data breaches mandatory.
Who Does the Japan Act on the Protection of Personal Information (APPI) Apply to?
Since the purpose of the APPI is to protect the personal information of the people of Japan, it applies to any person or entity that processes the personal data of Japanese citizens.
This includes any business or organization, regardless of where in the world they are located, that processes the personal data of the people of Japan for business purposes.
What is "Personal Information" Under the APPI?
Under the APPI, personal information or personally identifiable information refers to any private information that can be used to identify the data subject such as their name, birth date, address, email address, or biometric data. There are two categories of personal data: personally identifiable information and "special care-required" personal information.
"Special care-required" personal information is a new category of protected data introduced in the 2016 amendments to the APPI. Under Article 2 (3) of the APPI, this is defined (at page 3 here) as any data that could be used to discriminate against an individual such as marital status, race, medical history, religious beliefs, or criminal records:
If you believe that Japanese citizens may visit your website and that you will collect some form of their personal data, then you should ensure your business is compliant with the APPI.
Exemptions Under the APPI
There are two main exceptions under the APPI that you should be aware of: one for data that is anonymously processed and the other for certain categories of people.
Under Article 2 (11) (at page 5 here), the APPI defines "anonymously processed data" as data where any personally identifiable information has been removed so that the data can no longer be used to identify the individual:
The APPI specifies that anonymously processed information does not need to adhere to the same stringent processing rules as personally identifiable information. For instance, businesses do not need the prior consent to transfer this data that is required for other types of data, although they must still publicly announce their intention to transfer it.
Article 76 of the APPI (at page 45 here) specifies that certain groups are exempt from many of the obligations under the APPI. This includes the press, professional writers, academics, political parties, and religious groups.
How to Comply with the Japan Act on the Protection of Personal Information (APPI)
The APPI has a number of requirements when it comes to compliance. Below we'll review the main requirements and what you can do to comply.
Specify Your Purpose of Using Personal Information
Pursuant to Article 17 (1) of the APPI (at page 10 here), a business must specify, as far as possible, the purpose for which it collects data.
In addition, your business must not use the data you process outside of the scope for which it was gathered. If you collect data and wish to use it for another purpose, you must obtain new consent from the data subject.
In order to comply with this provision, include a clause in your Privacy Policy that clearly outlines the purposes for which you collect personal data.
Here is an example of how Whole Foods clearly explains to their users the purposes for collecting their data:
Disclose a User's Right to Disclosure
Pursuant to Article 28 of the APPI (at page 19 here), the data subject can request the disclosure of any personal data that can be used to personally identify them.
In accordance with Article 28 (2), in order to comply with this provision your business must 'without delay' disclose the retained personal data to the data subject. This is why it is important to have the proper structures in place that allow you to locate this data quickly.
There are some exceptions to this rule. Article 28 (2) (i)-(iii) outlines the three exceptions to the disclosure rule. The most relevant is the one exempting disclosure in cases where it would cause your business serious undue hardship:
Disclose a User's Right to Correction or Deletion of Data
Under the APPI, there are certain instances where a user can request that your business delete or cease to use their personal data, or correct it where it is inaccurate.
Under Article 29 (1) (at page 20 here), a person can request the modification or deletion of their data anytime the data stored is not factually correct.
To comply with this provision, you must correct or delete the data requested except in cases where you are exempt from doing so by any other laws or regulations.
Pursuant to Article 31 of the APPI, if your business cannot comply with such a request for deletion or cessation of use, you must notify the data subject of your reasons.
Consent and the Right to Opt Out
Consent is not generally required to process personally identifiable information, as long as you have made your purposes for gathering such data publicly available (such as by posting a Privacy Policy). However, you will need prior consent if you intend to use this data outside of the scope of its intended original use.
Prior consent is always needed to obtain "special care-required" personal information (you can refer back to the 'What is "Personal Information" Under the APPI?' section to learn more about the differences between these two types of data).
It is important to note that the opt-out exemption to data transfer is not available for 'special care-required' personal information.
To ensure your business complies with the consent and right to opt-out provisions of the APPI, you must:
- Create a Privacy Policy that clearly outlines the intended purpose of use for the data you collect,
- Obtain prior consent if you intend to use this data for purposes outside of its original scope,
- Provide your data subjects with the opportunity to opt out of data transfer, and
- Always choose a method of obtaining consent that requires clear affirmative action, such as clicking an opt-in button or selecting from equally prominent yes/no options.
Here is an example of Yahoo explaining where the user can opt out of the transfer of their data to third parties:
And here you can see an example of a detailed form provided for users to opt out of the transfer of personal data to third parties:
Disclosing, Sharing or Transferring Personal Information
Pursuant to the APPI, your business must obtain prior consent before transferring personal data to a third party. However, Article 23 of the APPI defines some exceptions to this requirement:
- If the disclosure is allowed under Japanese law
- If the disclosure is necessary to comply with the Japanese government in executing its legal duties
- If the disclosure is for health or public hygiene purposes, or
- If the data subject was provided with the opportunity to 'opt out' of the transfer
General Accountability Obligations
To comply with the APPI, your business must take the necessary and appropriate steps to protect the personal data you collect. The measures you take should be proportionate to the nature, scope, and context of the data you collect.
The APPI does provide some guidance here. To summarize, in order to comply with the APPI your business should:
- Have a Privacy Policy
- Have appropriate physical security systems
- Have organizational structures in place designed to protect personal data
- Fully educate all employees on data protection requirements, and
- Carry out routine audits of your security measures
Reporting Duties
Under the amended APPI, if your business suffers a data breach (including the loss or destruction of data) or you have reason to suspect a possible breach, then you are required to report the breach to the PPC and notify the affected data subjects.
This obligation applies to any breach that involves the personal data of more than 1,000 persons.
In order to comply with the data breach reporting duties under the APPI, you must:
- Submit a timely preliminary report to the PPC notifying them of the breach or potential breach
- Take swift action to prevent or reduce damages to the data subjects or any affected third party
- Promptly implement measures to reduce the likelihood of future breaches, and
- Submit a secondary report to the PPC outlining the specific cause of the breach and remedies taken
Fines and Penalties for Not Complying with the APPI
Businesses that fail to comply with the APPI face fines of up to ¥100 million (roughly $715,000 USD), while non-compliant individuals can face fines of up to ¥1 million (around $7,100 USD) and even imprisonment.
Data subjects may also demand compensation for damages, including for mental distress, under the Japanese Civil Code.
Thankfully, the PPC generally allows businesses and individuals to amend their data processing practices before escalating to fines and other penalties.
Summary
The Japan Act on the Protection of Personal Information is a constantly evolving legal provision designed to protect the data of Japanese citizens. Failure to comply with this data protection law puts your business at risk of hefty fines and other penalties.
In order to ensure compliance with the APPI, follow these tips:
- Ensure that your business has an up-to-date Privacy Policy
- Clearly state your purposes for processing data within your Privacy Policy
- Make sure you have structures in place that allow you to promptly disclose, delete or cease to use the personal data you process
- Implement cybersecurity measures and physical safeguards to ensure the safety of personal data
- Give your users a clear, affirmative action they can take to opt out of the transfer of their data to third parties
- Report any data breaches or suspected breaches to the PPC and take swift action to minimize damages