The Act on the Protection of Personal Information (APPI) is the main data protection law in Japan that aims to protect the personal data of Japanese individuals. It is enforced by the Personal Information Protection Commission (PPC) and is reviewed every three years for any necessary revisions.
The APPI has undergone several revisions over the years, with the most recent changes taking effect from April 1, 2022. These extend the law's reach to cover pseudonymously processed data, make it mandatory to report data breaches that meet certain characteristics, and require businesses to disclose when data is being transferred outside of Japan and how it is protected there.
The APPI was an early data protection law at the national level, but it takes a different approach in several respects from comparable laws such as the General Data Protection Regulation (GDPR).
What is the scope of the APPI?
The APPI focuses on the handling of personal information in a business context, whether by individuals or organizations in Japan.
As such, if you handle personal data in a business context and the individuals whose data you handle are in Japan, then you need to comply with the APPI, even if your organisation is located outside of Japan. There are some exemptions for handling data in non-business contexts, such as journalism, academic activity, or politics.
By contrast, the GDPR has a wider scope. It applies to organizations that meet any of three criteria: having a presence in the European Union, having data subjects in the EU, or performing processing activities physically in the EU, such as in a data centre.
The APPI does not define specific activities related to the ‘handling’ of personal information. It applies to personal information, retained personal data, and personal information databases, which refer to a collection of personal information. The law defines handling as any use of personal information, including collection, storage, and transfer to third parties.
The GDPR, on the other hand, covers all activities related to personal data processing.
Moreover, the GDPR distinguishes between data controllers and data processors, while the APPI does not.
What type of information is protected under the APPI?
Ordinary & Special Care Required Data
The APPI distinguishes between two types of data: ordinary and special care required data. The APPI does not place significant restrictions on the processing of ordinary personal data, but an organisation needs to inform individuals about how and why their data is being used before it is collected. However, the APPI requires businesses to obtain the data subject's consent before processing any "special care required" data, which includes sensitive information such as criminal records, medical history, marital status, race, and religious beliefs.
The GDPR and the APPI have different approaches to the processing of personal data. The GDPR requires a lawful basis for all processing of personal data, including ordinary personal data and sensitive personal data, whereas the APPI does not.
The APPI's recent revision differentiates between pseudonymously processed and completely anonymized data. Pseudonymous data refers to information that has been stripped of identifying information, such as credit card numbers, and can be used for a purpose other than originally intended. Data subjects cannot access or correct pseudonymous data, and data breaches involving this type of data do not trigger the notification to the authorities. On the other hand, completely anonymized data, which cannot be linked to an individual, is exempt from all APPI measures, but businesses must disclose the types of information they handle in anonymized form.
The GDPR likewise distinguishes the two: pseudonymized data remains personal data subject to protection, whereas anonymized data does not.
Children Specific Data
The APPI does not provide special protection for children's personal data processing.
A stricter approach under the GDPR is recognised for children, as they are "vulnerable data subjects" who require special protection with regard to their personal data.
What rights are the Data Subjects granted under the APPI compared to the GDPR?
The APPI and the GDPR both establish rights for data subjects, but there are some differences in the specific rights that are granted:
Right to Access: Both laws provide individuals with the right to access their personal data held by businesses.
Right to Rectification: The APPI and the GDPR both grant individuals the right to correct inaccurate personal data. However, under the GDPR, businesses must take reasonable steps to ensure that inaccurate data is rectified or erased.
Right to be Forgotten: The GDPR provides individuals with the "right to be forgotten," which means they can request that businesses erase their personal data under certain circumstances. The APPI does not explicitly grant this right, although individuals can demand that businesses stop handling data obtained in breach of the law.
Right to Object: The GDPR grants individuals the right to object to the processing of their personal data, including for marketing purposes. The APPI does not explicitly grant the right to restrict data handling or object to marketing, as these issues are regulated by separate laws. Additionally, there are restrictions on sending unsolicited emails, as per a different law.
Right to Data Portability: The GDPR grants individuals the right to receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. The APPI does not explicitly grant this right.
Overall, the GDPR provides individuals with more explicit rights than the APPI, and businesses are required to take more stringent measures to protect personal data under the GDPR.
What restrictions does the APPI impose on International Transfers?
Under the APPI, organisations must obtain explicit consent from the data subject to transfer data outside of Japan, whether it is ordinary or sensitive data. However, there is an exception if the PPC determines that the country to which the data is being transferred has a level of data protection equivalent to Japan's.
It is also important to note that even if the transfer is allowed, organizations still have a responsibility to ensure adequate safeguards are in place to protect the data transferred.
What are the Breach Notification Requirements?
The Japanese system does not define a specific timeframe for notifying the Personal Information Protection Commission (PPC) about a breach. However, it is expected that the notification is made as soon as possible after the organization becomes aware of the breach. Additionally, there is no obligation to notify individuals affected by the breach unless it is required under other laws or regulations.
By contrast, the GDPR specifies that an organization must notify the supervisory authority of a data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Penalties of a Breach
A breach of the APPI doesn't typically result in an immediate penalty. Instead, penalties may be imposed if a business fails to comply with an order from the PPC to improve its data practices, particularly after a breach. While institutional penalties are lower than those under the GDPR, individual penalties are more severe. The maximum penalty for a breach is a one-year prison sentence and a fine of one million yen for those responsible, including the individual responsible for the breach, the business director, or the person in charge of APPI compliance. Businesses may be fined up to 100 million yen, and there is a cultural expectation that businesses will compensate data subjects affected by a breach, although data subjects have the right to sue if they are not satisfied with the compensation.
In 2013, around 49 million customers of Benesse Holdings, a Japanese education service provider, were impacted by a data breach. The breach involved personal information of children and their parents, such as names, addresses, phone numbers, children's genders and dates of birth, and expected delivery dates of some expecting mothers. An employee of a company that was subcontracted by Benesse's subsidiary downloaded the data onto their personal smartphone and sold it to name-list brokers. Benesse had implemented security measures, but some were ineffective. As a way of apologizing, Benesse offered JPY 500 shopping vouchers (approximately €4) to each customer affected by the incident.
As such, the APPI penalty system places more emphasis on public perception and ethical behaviour rather than punishment. In the event of a data breach, fines are not typically imposed, but the PPC has the authority to direct a business to take remedial measures or implement changes. Failure to comply with these instructions leads to financial penalties.
These penalties are meant to be corrective rather than compensatory - it is generally expected that a business will compensate customers for any harm resulting from a data breach, but this is not mandated by law.
If an organisation is already compliant with the GDPR, it is likely to be close to compliance with the Act on the Protection of Personal Information (APPI) as well.
Organisations should review their data privacy processes and consent management to ensure that they:
obtain consent when processing sensitive information and when transferring data outside Japan;
notify data subjects in case of any data breaches; and
submit a complete report to the Personal Information Protection Commission within 30 days of any such breach.