Data Protection in Japan: All You Need to Know about APPI

February 1, 2019 Compliance

Japan’s first foray into data protection legislation came with the adoption of the Act on the Protection of Personal Information (APPI) in 2003. APPI was one of the first data protection regulations in Asia. It received a major overhaul in September 2015 after a series of high profile data breaches shook Japan, making it clear APPI’s requirements no longer met present day needs. The amended APPI came into force on 30 May 2017, one year ahead of the EU General Data Protection Regulation.

The update brought with it the establishment of the Personal Information Protection Commission (PPC), an independent agency that, among others, protects the rights and interests of individuals and promotes proper and effective use of personal information.

Who does APPI apply to?

APPI applies to all business operators that handle the personal data of individuals in Japan. This covers both companies located in Japan that offer goods and services there and companies offering them from offices outside the country. Therefore, similarly to the GDPR, APPI now has an extraterritorial reach.

While the previous version of the law applied only to business operators that had 5,000 identifiable individuals in their database on at least one day during the previous six months, the amended APPI removed this restriction, broadening its reach to include all business operators that process personal information for business purposes, even those with small databases of a few individuals.

Central government organizations, local governments, independent administrative agencies and local incorporated administrative agencies, which fall under the scope of other regulations, are exempt from APPI compliance.

What type of data is protected under APPI?

APPI distinguishes between two categories of protected data: personal information and “special care-required” personal information. The first refers to personally identifiable information (PII) such as name, date of birth, email address or biometric data. APPI’s recent update clarified that personal information also includes numeric references that can be used to identify a specific individual such as driver’s license numbers or passport numbers.

“Special care-required” personal information is a new category introduced under the amended APPI that refers to data that can be the basis for discrimination or prejudice. Medical history, marital status, race, religious beliefs and criminal records, among others, fall under this category. Business operators are restricted in the processing of such information and always need the prior consent of the individual concerned.

The law also specifies that anonymized data, because it has been stripped of information that could be used to identify individuals, does not need to follow the same strict processing rules as personal information. For example, companies do not need to ask for user consent to transfer the data, but they do have to publicly announce the transfer and ensure that the third party receiving it is aware that the data is anonymized. The reason behind these stipulations is big data: in this way businesses can continue to use information for statistical analysis.

Rights of data subjects

Under APPI, data subjects can request that a business operator disclose the purpose of use of their personal data, how they can access, correct or suspend it and where they can submit complaints concerning the handling of their personal information.

They can also demand that an organization correct or delete incorrect personal information, or suspend or delete their personal information if it has been used in excess of the purpose of use, transferred without prior consent, or acquired by fraud or other unfair means.

Data subjects in Japan have the right to sue business operators that have collected their personal information if they fail to answer their APPI-based requests within two weeks.

Responsibilities of business operators

Companies looking to become APPI-compliant must ensure that they have a privacy policy in place that stipulates the purpose of use of collected information. They must apply cybersecurity measures and physical safeguards that guarantee the security of the personal information they process.

Organizations falling under the scope of APPI have to also set up structures and processes to promptly handle data subjects’ requests.

Data transfers under APPI

The APPI amendment introduced restrictions on data transfers outside of Japan. Such transfers can only take place if one of three conditions is met: the overseas recipient is located in a country with a level of data protection deemed equal to Japan's; contractual agreements ensuring compliance with Japanese data protection standards have been signed with the overseas recipient; or the data subject whose personal information is to be transferred has given prior consent for the transfer.

For data transfers to third parties within Japan, companies must either obtain prior consent from the data subject for the transfer or notify the individual in advance about the possibility of opting out. If the transfer of personal information is in the public interest, prior consent is not necessary. This includes cases that involve national security, legal matters or public health concerns.

External service providers that process data on behalf of a business operator are not considered third parties if they are located within Japan. Business operators can therefore transfer data to them at their own discretion, provided the processing the third party will be conducting falls under the scope of the purpose of use for which the personal information was collected.

Penalties for Data Breaches

Unlike many regulations of its kind, the APPI does not include mandatory data breach notifications. The PPC will directly contact a business operator if it becomes aware of a data breach and will informally request that it rectify the violation. If the organization fails to do so, the PPC will issue an administrative order, a formal request for the company to take action regarding the data breach.

If the administrative orders are also ignored, the business operator then faces fines of up to ¥500,000 (approximately $4,600) or imprisonment of up to one year.

