If you serve customers in Japan, you need to follow the country’s Act on the Protection of Personal Information (APPI). If you're already compliant with the General Data Protection Regulation (GDPR), you’ll find many of APPI’s measures familiar, though the two laws have a few notable differences. Here’s what you need to know.
Key Differences between APPI and GDPR
While the GDPR has remained largely unchanged since it took effect in 2018, the APPI has undergone several major revisions since it was first enacted in 2003. The most significant was the 2015 amendment, in force from 2017, which overhauled both the rules and their enforcement to bring the law up to par with the then-upcoming GDPR, both to secure an adequacy arrangement for cross-border data transfers with the EU (granted in 2019) and to strengthen the privacy protections and rights of people in Japan. A further amendment, in force from April 2022, added mandatory breach notification and much higher corporate penalties; the rules described below reflect that version of the law.
The APPI covers any business that handles the personal information of people in Japan, including foreign businesses that handle that data in connection with supplying goods or services to people in Japan. It doesn't matter where the business is based or where the processing happens, and since the 2017 changes it no longer matters how many people's data you handle (the old exemption for businesses holding records on fewer than 5,000 individuals is gone).
The GDPR applies to any organization that meets any of three criteria:
- The organization has an establishment (such as a local office or company) in the European Union and processes the data in the context of that establishment's activities, regardless of where the processing physically happens.
- The organization is outside the EU but offers goods or services to people who are in the EU, or monitors their behaviour (for example, through website tracking).
- The organization is outside the EU but in a place where an EU member state's law applies under public international law (a narrow case, such as diplomatic missions).
Simply running a server in an EU data center, or merely having an EU resident visit your site, does not by itself bring you under the GDPR; the link has to be one of the three above.
The GDPR has somewhat different obligations for data controllers (who decide why and how personal data is processed) and data processors (who process it on a controller's documented instructions). The APPI doesn't make this distinction: it applies the same obligations to any "personal information handling business operator", and a business that outsources handling to a contractor stays responsible for supervising that contractor.
Since April 2022 the APPI requires businesses that suffer certain data breaches (a leak, loss or damage of personal data) to notify both the affected data subjects and the Personal Information Protection Commission (PPC), Japan's data protection regulator. Notification is mandatory for breaches that:
- Involve special care-required personal information (see below).
- Are likely to cause property damage through unauthorized use of the data, for example leaked payment card numbers.
- Are likely to have been caused by someone acting for an improper purpose, such as a cyberattack or an insider deliberately taking data.
- Involve more than 1,000 data subjects.
Businesses must make an initial report to the PPC promptly after becoming aware of the breach (the PPC's guidelines suggest within about three to five days), and must then file a full report within 30 days, or within 60 days when the breach falls into the "improper purpose" category.
The GDPR requires controllers to report any data breach to the supervisory authority (the data protection regulator in the relevant country) unless it is unlikely to result in a risk to people's "rights and freedoms". The report is due without undue delay and, where feasible, within 72 hours of becoming aware of the breach; if it takes longer, the notification must explain the delay. Processors don't report to the regulator themselves, but they must tell the controller without undue delay.
Controllers must also tell the data subjects directly, without undue delay, if the breach is likely to pose a "high risk" to their rights and freedoms. This isn't required if the data was protected by measures that render it unintelligible to unauthorized parties (such as strong encryption whose keys were not compromised), if later measures have removed the high risk, or if contacting people individually would take disproportionate effort, in which case an equally effective public communication such as a media statement is allowed.
Both laws have stricter rules for a defined set of sensitive data than for ordinary personal data. This is known as "special care-required personal information" under the APPI and "special category data" under the GDPR.
The two lists overlap heavily, with examples including medical history and religious beliefs, but they aren't identical. The APPI, for example, lists a person's criminal record and the fact of having been the victim of a crime, which the GDPR does not treat as special category data (it has separate rules for criminal data instead), while the GDPR lists trade union membership and a person's sex life or sexual orientation, which are not on the APPI's list. Under both laws the principle is the same: stronger protection for data whose misuse could lead to prejudice or discrimination.
Consent and Legal Basis for Processing
Unlike the GDPR, the APPI has no concept of a "lawful basis" for processing ordinary personal information, and you don't need consent to collect it. Instead, you must specify a purpose of use as precisely as possible, publish it or notify the data subject of it, stay within that purpose, and (with some exceptions) obtain consent before providing the data to a third party. Data subjects also have the right to ask what data you hold about them and what you use it for, and to have it corrected or deleted in certain circumstances.
The APPI does restrict "special care-required" personal information: you need the data subject's consent to acquire it in the first place, and the opt-out route for third-party provision that exists for ordinary data isn't available for it. Consent can be dispensed with only in limited circumstances, such as when the law requires the acquisition, when it is necessary to protect someone's life, body or property and consent is hard to obtain, or when the data subject (or a government body) has already made the information public. There is no "legitimate interest" basis, and fulfilling a contract with the data subject is not, by itself, an exception.
Under the GDPR, processing of any personal data is lawful only when you can point to one of the six lawful bases in Article 6, and processing of special category data additionally needs one of the specific conditions in Article 9 (such as explicit consent). The bases most businesses rely on are:
- You have the data subject's consent. This must be freely given and obtained before the processing starts, and the data subject has the right to withdraw it at any time.
- You are pursuing legitimate interests (such as your core business activity) that aren't overridden by the data subject's rights and interests. In practice this covers processing the data subject could reasonably have expected and that doesn't significantly affect their privacy; it is never enough on its own for special category data.
The other four lawful bases are performing a contract with the data subject (or taking steps at their request before entering one), complying with a legal obligation, performing a task in the public interest, and protecting somebody's vital interests (in other words, their life).
Penalties for Noncompliance
Breaching the APPI does not usually lead directly to a penalty. Instead, the PPC first issues guidance or a recommendation, then an order to improve your data practices (often after a breach), and criminal penalties follow a failure to comply with that order. Corporate fines are far lower than under the GDPR, but individual penalties are harsher because they include imprisonment. Since April 2022, violating a PPC order carries a maximum of one year's imprisonment or a fine of up to one million yen for the individual responsible, which can include:
- The employee who committed the violation.
- A director of the business.
- The person responsible for APPI compliance at the business.
The business itself can be fined up to 100 million yen (roughly $700,000 to $900,000 USD, depending on the exchange rate). There is also a strong expectation in Japan that businesses will compensate data subjects affected by a breach, and data subjects can sue for damages if this doesn't happen.
The GDPR has two tiers of maximum administrative fines. For lesser infringements, which generally involve procedural failings such as poor record-keeping or failing to notify a breach, the maximum is €10 million or two percent of your total worldwide annual turnover for the preceding financial year, whichever is higher. For more serious infringements, which involve breaching the GDPR's core principles, data subject rights or transfer rules, the maximum is €20 million or four percent of that turnover, whichever is higher.
If your organization is already GDPR compliant, you aren't far from APPI compliance, but you should review your data privacy processes and consent management to ensure that:
- You identify the data the APPI classes as "special care-required" (its list differs from the GDPR's, notably by including criminal record and crime-victim status) and gather consent before acquiring it.
- You are not relying on "legitimate interests" to process special care-required data, or on contract performance as an exception to the consent requirement.
- You have published a purpose of use for the personal data you collect and have a consent process for providing it to third parties.
- You are ready to notify affected data subjects and file an initial report with the PPC promptly after a notifiable breach.
- You are ready to file a full report with the Personal Information Protection Commission within 30 days of becoming aware of a breach (60 days when an attacker or other improper purpose is involved), alongside the GDPR's 72-hour deadline for any breach that also involves people in the EU.
Stay Out of Regulators' Crosshairs with Ensighten
Ensighten offers organizations a solution to help maintain full website compliance with the APPI, GDPR, CCPA, LGPD, and many more laws and frameworks.
With Ensighten Consent Management Plus (CMP+), you can set up customizable consent banners and give your customers a clear-cut choice about how their data is used, or whether it is collected at all.
You can also use Ensighten to perform a full audit of your website, up to 5,000 pages, so you can understand which cookies and tracking technologies are in use and identify potential security or compliance issues.
Request a demo today to see how Ensighten can help your organization stay compliant with evolving regulations worldwide.