APPI VS GDPR: The Biggest Differences
Japan adopted its Act on the Protection of Personal Information (APPI) in 2003, but by 2015, when a series of major data breaches hit the country, it became clear APPI’s requirements could no longer adequately protect Japanese data subjects. APPI therefore received an update in September 2015, with its new provisions coming into force on 30 May 2017, a year ahead of the EU General Data Protection Regulation (GDPR).
Amendments to the law included provisions for APPI’s extraterritorial application, the separation of sensitive data into a new category of protected information and the establishment of the Personal Information Protection Commission (PPC), an independent agency whose purpose is to protect the rights and interests of individuals and promote proper and effective use of personal information.
Earlier this year, Japan was the first country to receive an adequacy decision from the European Commission since the GDPR came into force. Adequacy decisions are used by the EU to determine if a non-EU country has an adequate level of data protection. The effect of such a decision is that personal data can flow from the EU to that third country without any further safeguard being necessary.
However, the decision does not make the requirements of the GDPR and APPI interchangeable, but governs only cross-border transfers between Japan and the European bloc. Companies doing business in Japan therefore must look into APPI compliance even if their data protection strategies are in line with the GDPR. In today’s blog post, we look at the key differences between the two data protection laws.
Because the APPI was not sufficient in itself to win Japan an adequacy decision from the EU, supplementary rules were put in place to strengthen the protection of sensitive data and the exercise of individual rights, and to ensure overall that the same guarantees the GDPR provides for EU personal data will apply in Japan. In effect since the adequacy decision was reached on 23 January 2019, these additional safeguards affect only Japanese businesses handling EU personal data.
The PPC itself issued an adequacy decision for the EU, allowing free data flow between Japan and member states of the EEA as long as they comply with the provisions of the GDPR.
While both the GDPR and APPI allow cross-border transfers in case of adequacy decisions or prior consent obtained from data subjects, they differ on a third point. The GDPR also allows cross-border transfers if binding corporate rules, approved model clauses, or binding agreements combined with an approved code of conduct or approved certification are in place. Meanwhile, the APPI relies solely on the PPC’s guidelines: companies can transfer data to another country if the recipient undertakes adequate precautionary measures for the protection of personal data as specified by the PPC.
Data controllers and data processors
APPI does not differentiate between data controllers and data processors, but uses the broader term of business operators to refer to companies handling the personal data that falls within its scope. This means that APPI does not assign a higher degree of accountability to the data collector, as the GDPR does to data controllers, but treats all companies collecting and processing personal information the same.
Data breach notifications
Companies doing business in Japan are not legally obligated under the APPI to report a data breach to the PPC or to inform affected data subjects, though the PPC guidelines do recommend that data breaches be notified. If the PPC becomes aware of a data breach, it can informally request that a company rectify it. If the request is ignored, a formal administrative order to take action will then be sent.
Under the GDPR, companies have only 72 hours after becoming aware of a data breach to notify their national data protection authority, if the breach may result in a risk to the rights and freedoms of natural persons. Any delays must be justified.
One of the biggest differences between APPI and the GDPR is their penalties. The GDPR’s fines are by now notorious and have gone a long way to scare companies straight: organizations found to be in breach of the GDPR’s core principles face fines of up to €20 million or 4% of their annual worldwide turnover, whichever is higher.
APPI’s financial penalties are negligible: if companies choose to ignore the PPC’s administrative orders, organizations can be fined up to ¥500,000 (approximately €4,100). However, they also face the possibility of imprisonment of up to one year.