On June 5th, 2020, Japan amended its Act on the Protection of Personal Information (APPI) for the second time. The deadline for businesses to adapt to the new regulations was April 1st, 2022.
The main changes include a new procedure for transferring personal data to third parties and overseas, as well as notification requirements in the event of data breaches. In this article, we provide an overview of the APPI, an explanation of the latest amendments, and ways to comply with them.
The Act on the Protection of Personal Information (APPI) was published in 2003 and has been amended twice since then, in 2015 and 2020. The goal of the APPI is to protect the personal information of individuals in Japan.
The main regulatory body that enforces the APPI is the Personal Information Protection Commission (PPC). The PPC is also Japan’s primary investigatory and enforcement institution for supervision, regulatory compliance and assessments, as well as the handling of complaints.
The APPI focuses on two types of data that can be processed only with the subject’s consent:
The APPI does not define biometric data, but it would likely fall within the scope of special care-required personal information.
According to the APPI, subjects can request information about the purposes for which their personal data is processed and have the right to have it corrected or deleted.
In general, all businesses that operate in Japan and handle personal data must comply with the APPI, regardless of their size or income. While the original version of the act exempted businesses handling a small number of data subjects, the 2015 amendments expanded the compliance requirements to all businesses.
The act also applies extraterritorially to foreign businesses that have a Japan market link. This means that businesses operating outside of Japan but collecting data from subjects in Japan must also comply with the APPI.
The only exceptions are governmental organizations, administrative agencies, and educational institutions.
The 2020 amendments to the APPI widened the scope of data subjects’ rights regarding data protection. The main changes for businesses relate to transfers of information to third parties and data breach notifications.
Before: the APPI didn’t have a Personal Related Information section.
After: the latest amendments introduce a new type of personal information called Personal Related Information (PRI). PRI is information that relates to an individual, such as purchase history or web browsing history. PRI doesn’t include personal data, such as name or date of birth.
Businesses now need to acquire the subject’s consent before transferring such information to a third party if the third party could combine it with other information it holds to identify the subject.
Before: the APPI didn’t have a pseudonymous information section.
After: the new version of the APPI introduces a pseudonymous information section. This type of information doesn’t disclose the subject’s identity on its own, but it can still be cross-referenced with other information to establish identity.
Pseudonymous information is personal information that was encrypted to protect subjects. The new version of the APPI ensures that this type of information can’t be transferred to a third party without the subject’s consent, unless the reason for transferring it falls under the list of exceptions.
Before: the PPC didn’t have the authority to regulate information transfer operations to third parties operating outside Japan.
After: the amendments have changed the procedure of transferring information to third parties outside Japan, giving the PPC authority to supervise such procedures. To initiate such transfers, businesses must ensure that the receiving foreign third party:
When transferring such information to foreign countries, businesses need to notify data subjects about the intended destination. This includes:
Before: subjects could request access to, correction of, or deletion of the data they provided. However, this rule applied only to long-term data, meaning data intended to be used for six months or longer. Subjects could have their data corrected or deleted only in cases when it was:
After: subjects are now entitled to access and correct short-term data as well. Since the introduction of the latest amendments, subjects can also request correction or deletion of their data if there’s a possibility that the provided data may negatively affect them.
Before: it was only a recommendation to notify subjects about data breaches.
After: businesses must notify the PPC, as well as the subjects whose data was leaked, about data breach incidents. If a business can’t reach affected subjects through regular means, it has to find an alternative way to inform them.
Businesses now have to notify the PPC twice: 1) through a short notification that must be made immediately when the breach is discovered; 2) through a secondary report that is submitted later and includes extensive information about the incident.
To ensure smooth mutual data transfers between the EU and Japan, additional rules are imposed on Japan-based businesses with an EU or UK market link. These rules require the same level of protection as under the EU GDPR and UK GDPR wherever those regulations are stricter than the APPI.
When received in Japan, special categories of data from the EU and the UK should be processed in accordance with the APPI rules for special care-required personal information.
The text of the supplementary rules is available here.
Before processing a subject’s data, businesses should document, map and analyze whether any transfers to third parties take place.
When transferring a subject’s data, businesses can’t provide personal information to a third party without first obtaining the subject’s consent, except in the following cases:
Businesses need to provide the data subject with details about a third party before transferring the subject’s information to it. Third-party details include:
These details should be communicated to the data subject and, if applicable, to the PPC.
If the information about a third party changes, businesses must inform the subjects of the change or make it easy for data subjects to access the updated information. Businesses should also report these changes to the authorities.
The previous version of the APPI imposed moderate sanctions on non-compliant businesses. While previously the maximum fine for a business was ¥500,000 (approx. $3,900), businesses can now face a fine of up to ¥100 million (approx. $781,500). Meanwhile, representatives of these businesses can face up to one year of imprisonment and a fine of up to ¥1 million (approx. $7,815).
The latest APPI amendments show that data protection is of special importance to Japan, especially when Japanese citizens’ information is transferred overseas. Therefore, businesses should pay close attention to the amended version of the APPI and ensure that they remain compliant with its data transfer requirements. To do so, businesses need to thoroughly understand their processing activities and employ technologies that protect them from data breaches. Businesses also need to ensure that they obtain consent before transferring data to a third party.