Data Protection in Japan: All You Need to Know about APPI

Japan’s data protection law, the Act on the Protection of Personal Information (APPI), adopted as early as 2003, was one of the first data protection regulations in Asia. It received a major overhaul in September 2015 after a series of high-profile data breaches shook Japan, making it clear that APPI’s requirements no longer met present-day needs. The amended APPI came into force on 30 May 2017, one year ahead of the EU General Data Protection Regulation (GDPR).

The update brought with it the establishment of the Personal Information Protection Commission (PPC), an independent agency that, among others, protects the rights and interests of individuals and promotes the proper and effective use of personal information.

Thanks to the updated law, on 23 January 2019, Japan became the first country to earn an adequacy decision from the European Commission (EC) after the GDPR came into force. These decisions, which govern cross-border data transfers from the EU, reflect the adequacy of a third country’s level of data protection compared to the EU’s legislation.

Supplemental provisions of the APPI amendment stipulate that the law will be reviewed and updated every three years if necessary to ensure that it continues to address the latest technical developments. The first such review came in 2020, and further amendments to the APPI were enacted following a public consultation on 12 June 2020.

The new amendments brought APPI in even closer alignment with the GDPR by expanding the scope of Japanese data subjects’ rights, making data breach notifications mandatory, and limiting the range of personal information that can be provided to third parties. The 2020 Amendments entered into force on 1 April 2022.

Who does APPI apply to?

APPI applies to all business operators that handle the personal data of individuals in Japan. This refers to both companies that offer goods and services in Japan and are located within the country and those with offices outside it. Therefore, similarly to the GDPR, Japan’s privacy law has an extraterritorial reach.

While the earlier version of the APPI applied only to business operators that had 5,000 identifiable individuals in their database on at least one day during the previous six months, the 2017 amended APPI removed this restriction, broadening its reach to include all business operators that process personal information for business purposes, even those with small databases of a few individuals.

Central government organizations, local governments, independent administrative agencies, and local incorporated administrative agencies, which fall under the scope of other regulations, are exempt from APPI compliance.

What type of data is protected under APPI?

APPI distinguishes between two categories of protected data: personal information and “special care-required” personal information. The first refers to personally identifiable information (PII) such as name, date of birth, email address, or biometric data. APPI’s 2017 update clarified that personal data also includes numeric references that can be used to identify a specific individual, such as driver’s license numbers or passport numbers.

“Special care-required” personal information is a new category introduced under the 2017 amended APPI that refers to data that can be the basis for discrimination or prejudice. Medical history, marital status, race, religious beliefs, and criminal records, among others, fall under this category. Business operators are restricted in processing such information and always need the prior consent of the individual concerned.

APPI also specifies that anonymized data, because it has been stripped of information that could be used to identify individuals, does not need to follow the same strict processing rules as personal information. For example, companies do not need to ask for user consent to transfer the data but do have to announce it publicly and ensure that the third party receiving it is aware that the data is anonymized.

The 2020 amendments introduced a new category of data, pseudonymously processed information that relates to an individual but cannot identify them unless collated with additional data. Business operators can use pseudonymously processed information for internal purposes such as business analytics and the development of computational models. They are also not obligated to delete pseudonymously processed information derived from personal data, which is no longer necessary for the original purpose it was collected, but can retain it for potential future statistical analysis usage.

Rights of data subjects

Under APPI, data subjects can request that a business operator disclose the purpose of use of their personal data, how they can access, correct, or suspend it, and where they can submit complaints concerning the handling of their personal information.

The 2017 version of the APPI allowed data subjects to request that their personal information be deleted or to suspend its use only in limited circumstances. The 2020 amendments expanded these rights to allow for requests in a broader range of use cases, including potential violations of the data subject’s rights or legitimate interests and transfers to third parties noncompliant with APPI requirements. Requests can now also address short-term data, which is kept for six months or less.

When it comes to the disclosure of personal information that has been collected about them, data subjects can now request the data in both a digital or hardcopy format. Data subjects in Japan have the right to sue business operators that have collected their personal information if they fail to answer their APPI-based requests within two weeks.

Responsibilities of business operators

Companies looking to become APPI-compliant must ensure that they have a privacy policy that stipulates the purpose of using the collected information. They must apply cybersecurity measures and physical safeguards that guarantee the security of the personal information they process.

Organizations falling under the scope of Japan’s data protection law have to also set up structures and processes to promptly handle data subjects’ requests.

Data breach notifications are now mandatory

One of the biggest changes brought by the 2020 APPI amendments is the introduction of mandatory data breach notifications. Notifying the PPC and impacted data subjects was previously only a recommendation, but now it has become a legal requirement.

If business operators become aware of a data breach that may violate the rights and interests of individuals, they are now obligated to notify the PPC as well as the affected data subjects. They will first need to file an initial report to inform the PPC about the situation as soon as possible and later submit a secondary report to outline the specific causes and remediation actions taken. If notifying impacted data subjects directly proves too difficult, the APPI allows business operators to make a public announcement instead and set up an office to handle inquiries.

Data transfers under APPI

For data transfers to third parties within Japan, companies were previously able to transfer data without consent as long as they provided certain information to the PPC and the data subject did not choose to opt out of the transfer after being notified about it. The 2020 Amendments restricted the use of the opt-out exception for third-party transfers. Companies can no longer transfer personal data collected by deceitful or improper means or continue to transfer personal information based on the previous opt-out exception. If a company wishes to continue transferring that data, it must obtain direct consent from the data subject.

If the transfer of personal information is within the public interest, prior consent is not necessary. This includes cases that involve national security, legal matters, or public health concerns.

External service providers that process data on behalf of a business operator are not considered third parties if they are located within Japan. Business operators can therefore transfer data to them at their own discretion, provided the processing the third party will be conducting falls under the scope of the purpose of use for which the personal information was collected.

The APPI amendment introduced restrictions to data transfers outside of Japan: they can only take place if the overseas recipients are located in countries that have an adequate level of data protection equal to Japan, contractual agreements that ensure compliance with data protection standards in Japan have been signed with the overseas recipients or the data subject whose personal information is to be transferred has given prior consent for such transfers.

Penalties for Data Breaches

The 2020 amendments also brought a significant change to the fines for APPI noncompliance. If the maximum fine a business operator faced after the 2017 APPI update was ¥500,000 (approximately $4,000), that sum has increased significantly under the new amendments. The maximum fine an organization can now incur is ¥100 million (roughly $815,000 USD), while individuals can face imprisonment of up to a year or fines of up ¥1 million (around $8,150 USD). Anyone submitting false reports to the PPC also faces fines of up to ¥500,000 (around $4,000 USD).