Data Protection in Japan: All You Need to Know about APPI
Japan’s first foray into data protection legislation came with the adoption of the Act on the Protection of Personal Information (APPI) in 2003. APPI was one of the first data protection regulations in Asia. It received a major overhaul in September 2015 after a series of high profile data breaches shook Japan, making it clear APPI’s requirements no longer met present day needs. The amended APPI came into force on 30 May 2017, one year ahead of the EU General Data Protection Regulation.
The update brought with it the establishment of the Personal Information Protection Commission (PPC), an independent agency that, among other things, protects the rights and interests of individuals and promotes the proper and effective use of personal information.
Who does APPI apply to?
APPI applies to all business operators that handle the personal data of individuals in Japan. This covers both companies that offer goods and services in Japan from offices located within the country and those that do so from offices outside it. Therefore, similarly to the GDPR, APPI now has an extraterritorial reach.
While the previous version of the law applied only to business operators that had 5,000 identifiable individuals in their database on at least one day during the previous six months, the amended APPI removed this restriction, broadening its reach to include all business operators that process personal information for business purposes, even those with small databases of a few individuals.
Central government organizations, local governments, independent administrative agencies and local incorporated administrative agencies, which fall under the scope of other regulations, are exempt from APPI compliance.
What type of data is protected under APPI?
APPI distinguishes between two categories of protected data: personal information and “special care-required” personal information. The first refers to personally identifiable information (PII) such as name, date of birth, email address or biometric data. APPI’s recent update clarified that personal information also includes numeric references that can be used to identify a specific individual such as driver’s license numbers or passport numbers.
“Special care-required” personal information is a new category introduced under the amended APPI that refers to data that can be the basis for discrimination or prejudice. Medical history, marital status, race, religious beliefs and criminal records, among others, fall under this category. Business operators are restricted in the processing of such information and always need the prior consent of the individual concerned.
The law also specifies that anonymized data, because it has been stripped of information that could be used to identify individuals, does not need to follow the same strict processing rules as personal information. For example, companies do not need to ask for user consent to transfer the data, but they do have to publicly announce it and ensure that the third party receiving it is aware that the data is anonymized. The reason behind these stipulations is big data: in this way businesses can continue to use information for statistical analysis.
Rights of data subjects
Under APPI, data subjects can request that a business operator disclose the purpose of use of their personal data, how they can access, correct or suspend it and where they can submit complaints concerning the handling of their personal information.
They can also demand that an organization correct or delete incorrect personal information, or suspend or delete their personal information if it has been used in excess of the purpose of use, transferred without prior consent, or acquired by fraud or other unfair means.
Data subjects in Japan have the right to sue business operators that have collected their personal information if those operators fail to answer their APPI-based requests within two weeks.
Responsibilities of business operators
Organizations falling under the scope of APPI also have to set up structures and processes to promptly handle data subjects’ requests.
Data transfers under APPI
The APPI amendment introduced restrictions on data transfers outside of Japan. Such transfers can only take place if one of three conditions is met: the overseas recipient is located in a country with a level of data protection equal to Japan’s; contractual agreements ensuring compliance with Japanese data protection standards have been signed with the overseas recipient; or the data subject whose personal information is to be transferred has given prior consent to the transfer.
For data transfers to third parties within Japan, companies must either obtain prior consent from the data subject for the transfer or notify the individual in advance about the possibility of opting out. If the transfer of personal information is in the public interest, prior consent is not necessary. This includes cases that involve national security, legal matters or public health concerns.
External service providers that process data on behalf of a business operator are not considered third parties if they are located within Japan. Business operators can therefore transfer data to them at their own discretion, provided the processing the service provider will be conducting falls under the scope of the purpose of use for which the personal information was collected.
Penalties for Data Breaches
Unlike many regulations of its kind, the APPI does not include mandatory data breach notifications. The PPC will directly contact a business operator if it becomes aware of a data breach and will informally request that it rectify the violation. If the organization fails to do so, the PPC will issue an administrative order, a formal request for the company to take action regarding the data breach.
If the administrative orders are also ignored, the business operator then faces fines of up to ¥500,000 (approximately $4,600) or imprisonment of up to one year.
Frequently Asked Questions
Although the APPI is similar to the GDPR in its aim and requirements, there are several major differences between the two regulations. GDPR differentiates between data controllers and data processors, while APPI uses the broader term of business operators to refer to companies handling personal data. Companies doing business in Japan are not legally obligated to report a data breach to the PPC under the APPI or inform affected data subjects. Under the GDPR, companies have only 72 hours to notify their national data protection authority of a data breach after becoming aware of it. APPI and GDPR also differ in terms of penalties. The GDPR’s fines can be up to €20 million, while APPI’s financial penalties go up to ¥500,000 (approximately €4,100).
Japan was the first country to earn an adequacy decision from the European Commission (EC) after the GDPR came into force. The adequacy decision is mutual and means that the EU and Japan recognize each other's data protection regimes as providing adequate protection for personal data. However, the decision does not make the requirements of the GDPR and APPI interchangeable, therefore companies doing business in Japan must look into APPI compliance even if their data protection strategies are in line with the GDPR.
Japanese businesses collecting and processing personal information as well as businesses around the world offering services and products to Japanese data subjects must implement cybersecurity measures and physical safeguards that guarantee the security of the personal information they process. Organizations should look at vulnerabilities and threats coming both from the inside and the outside. Traditional cybersecurity solutions like firewalls and antiviruses are an indispensable part of a comprehensive data protection strategy, focusing on outside threats, while solutions such as Data Loss Prevention (DLP) provide the tools to reduce the risks of insider threats.
DLP solutions can help companies on their way to compliance with APPI by offering effective tools for the control and monitoring of personal and special care-required data. Organizations can protect data more efficiently with the help of DLP software by knowing where the data they process is and how it is being used. DLP solutions can monitor and control where sensitive data is being transferred by employees, scan computers for sensitive data, offer remediation actions, and restrict the use of USB and peripheral ports.