What is the APPI?
The Act on the Protection of Personal Information (APPI) is Japan’s main data protection law, enforced by the Personal Information Protection Commission (PPC). It was originally written in 2003 but is formally reviewed every three years to identify rules that need tightening or clarifying. This often leads to revisions of the law, sometimes substantial.
For example, the 2017 revisions removed an exemption for people and businesses that handled data about 5,000 people or fewer. They also created a new category of “special care” data with extra protection.
The most recent revisions passed Japan’s parliament in 2020 and take effect from 1 April 2022. The main changes are:
- To remove any restrictions on the APPI applying outside of Japan.
- To require businesses to disclose when they send data outside of Japan and to take steps to make sure it remains protected.
- To extend the law’s reach to cover pseudonymously processed data.
- To require mandatory of data breaches meeting certain characteristics. These include breaches that involve sensitive data; data covering more than 1,000 people; and suspected cyberattacks or other criminally-motivated breaches.
The law is enforced by the Personal Information Protection Commission (PPC).
What Are the APPI's Goals?
Although the APPI was one of the earliest national data protection laws, it arguably takes a softer touch approach than some similar laws, particularly in its original form.
For example, with most personal data, the APPI’s emphasizes businesses keeping data secure and informing data subjects about handling, rather than having to get permission or use another legal justification to handle data.
The penalty regime arguably puts more emphasis on public standing and “doing the right thing” than force and punishment. For example, fines rarely follow a breach itself. Instead, the PPC has the power to order a business to take actions or make changes after a breach and it’s the failure to comply with this order that leads to financial penalties.
Those penalties are punitive, rather than monetary--the idea of the business paying compensation to customers (for example after a data breach) is a strong cultural expectation rather than something forced by law.
What Rights Does the APPI Establish for Data Subjects?
Japan has an established general right to privacy, which the APPI aims to uphold and strengthen. It also specifically gives data subjects the following rights:
- To access (know about) the personal information a business handles about them and to get a copy of the information.
- To correct any errors in the information. There’s no specific right to have information deleted unless this is the only way to correct an error.
- To demand a business stop handling any data that was obtained in a way that breached the APPI.
- To complain to the PPC about alleged breaches of the APPI.
There’s no specific right to restrict data handling or to object to either marketing itself or using personal information for marketing. A separate law restricts the ways you can send unsolicited emails.
What is the Scope of the APPI?
The APPI addresses individuals or businesses handling the personal information of people in Japan in a business context.
The APPI applies to cases of handling personal information. Handling is interpreted the same way as “processing” in laws such as the GDPR and covers any use of personal information, including collecting, holding, and transferring to a third party.
With the 2020 update, the rules vary slightly where some steps have been taken to anonymize data. Data is classed as “pseudonymously processed” when it has been stripped of any information that directly identifies a person or could cause financial risk if exposed (such as credit card numbers.) Once data is pseudonymous:
- Businesses can use the data for a purpose other than the originally stated reason for handling it.
- The data breach notification rules don’t apply.
- The right of the data subject to access or correct the data don’t apply.
The APPI classifies data as completely anonymized if there’s no way it could be linked to an individual, even when combined with other data. Anonymized data is exempt from all the APPI’s measures. However, businesses should publicly detail the types of information they handle in an anonymized form.
The APPI applies to anyone who handles personal information about somebody in Japan in a business context.
For a business based outside of Japan, the rules have changed with the 2020 revision. Under the new rules, the APPI applies if the overseas business handles personal information about somebody in Japan and:
- that person is their customer; or
- that person is a director or employee of a Japanese company that is a customer of the overseas business.
Does My Organization Need to Comply?
Where both the material and territorial scope apply, you will normally need to comply with the APPI even if you are outside of Japan. The main exemptions are for handling data in a non-business context such as journalism, academic activity, or politics.
What are the Consent Management Requirements of the APPI?
The consent rules vary depending on the type of information and how you handle it.
For ordinary personal information, you don’t need consent to handle the information. Instead, the APPI’s main requirement is that you tell people how and why you will use their data before you collect it.
You do need consent before passing data on to a third party. The limited exceptions to this principle are:
- A law says you must.
- It’s necessary to protect somebody’s health or life and the data subject can’t give consent. (For example, accessing medical records of somebody who is unconscious.)
- For public health reasons.
- It’s necessary for government activity and getting consent would impede that activity.
Alternatively, you can work on an opt-out basis. To so do you must tell the person about the planned transfer, including what data is involved and who will get it. You must then give a reasonable period for the person to opt-out and then only proceed if they don’t exercise the opt-out,
You cannot use the opt-out basis for the special care category detailed below. Unless one of the exceptions applies, you’ll need active consent.
You also need consent before collecting data in the “special care required” category. This covers information including:
- Criminal records.
- Medical history.
- Marital Status.
- Religious Beliefs.
If you are unsure if data falls into this category, follow the guiding principle that it’s intended to cover any data that, if exposed, could lead to discrimination or prejudice.
The only exceptions that let you can acquire data from this category without consent are:
- The same four exceptions that allow third-party transfers (legal requirement, protect life, public health, government activity).
- Either the person or a government body has already made the information public.
There’s no exception for GDPR-style “legitimate interests.”
You will normally need consent to transfer somebody’s data outside of Japan. This applies to both ordinary and “special care required “information
The only exception is if you are transferring it to a country which the PPC has deemed to have an equivalent level of data protection as the APPI. At the time of writing this is limited to the European Union and the United Kingdom.
Want to learn more about the APPI? Check out the blogs below: