Japan’s Act on the Protection of Personal Information (APPI)

Japan’s Act on the Protection of Personal Information or APPI for short is a Japanese data privacy law that was recently amended in 2020. Originally passed in 2003, a large reason for the current amendment of the APPI was a string of highly damaging data breaches that have occurred within the country in recent years. Part of the reason for this rise in cybercrime was the “hands-off” attitude that the Japanese government has taken in regard to the country’s data protection and cybersecurity measures in the past. To illustrate this point, The Economist has been quoted as saying “Japan “lags behind other advanced economies” when it comes to cybersecurity. Many Japanese SMBs have minimal security, and many more use vulnerable legacy technology. “Nearly 14m people were still using Windows 7 when Microsoft stopped providing security patches in January 2020”.

What is the scope and application of the APPI?

In principle, the APPI applies to any business entity or organization that handles or processes the personal information of Japanese citizens, irrespective of where a particular business or organization is physically located. To this end, the APPI also applies to non-Japanese business entities and organizations, permitting said businesses or organizations both acquire and process the personal information of Japanese citizens in another country. However, there are some exceptions to the jurisdiction of the APPI, as some provisions of the law solely apply to businesses and organizations operating within Japan. Moreover, there are types of Japanese businesses and individuals who are also exempt from the APPI, including the press, political parties, religious groups, and professional writers and academics.

What are the requirements of businesses and organizations under the APPI?

Similar to many other privacy laws around the world such as the EU’s General Data Protection Regulation or GDPR and Australia’s Consumer Data Right or CDR that define the processing of personal information or data in the context of the term “data controller”, the APPI instead uses the term “personal information controller” or PIC for short. As such, the APPI defines PIC to mean “a business operator using a personal information database for its business and is a similar concept to a data controller. The APPI places several requirements on PICs who collect the personal information of Japanese citizens.

Under the APPI, personal information is defined as “any information from which one can deduce the identity of a living individual. Such information includes biometric markers and official identifier numbers”. Furthermore, the APPI also protects the “sensitive information” of Japanese citizens, and defines sensitive information to include “race, religion, criminal record, and medical history”. Conversely, pseudonymized information is not covered by the APPI, as such information is limited to internal use by businesses and organizations and as such, cannot be shared with third parties.

In terms of compliance, businesses and organizations both inside and outside of Japan must ensure that they adhere to the following measures when processing both the personal information and sensitive personal information of Japanese citizens:

• Collection and personal use information– Under the APPI, PCIs are prohibited from collecting personal information by unlawful or fraudulent means, must notify data subjects in regards to the intended utilization of their personal information at the time of collection, unless this information has already been made publicly available to data subjects in a manner that is readily accessible, and obtain consent from data subjects before collecting their personal information.
• Public announcements– PICs are responsible for providing their name to data subjects, the purpose of utilization for all personal information that is retained, the procedure for data subjects can undergo to correct their personal information, and how data controllers can go about filing a complaint against a PIC who mishandles their personal information.
• Use of personal information– A PIC is only permitted to use the personal information of a data subject to the extent that is necessary to achieve the purposes that were stated at the time in which said information was collected. PICs are also prohibited from using the personal information of a data subject in a manner that may facilitate potentially illegal or inappropriate acts.
• Personal data management and security– PICs are responsible for ensuring that the personal information in their possession is accurate and up to date in accordance with the purpose for which it was collected, to take appropriate security measures to prevent the unauthorized access or loss of said data, exercise appropriate and necessary supervision over both employees who have access to and handle personal information, as well as any other associated third parties who may also have access to or will handle this information. Specific examples suggested by the provisions of the APPI include establishing basic data protection principles, setting out internal controls and rules, developing physical, technological, and staffing security measures, and appointing a data protection officer or DPO to oversee this security infrastructure.

What are the rights of Japanese citizens under the APPI?

The APPI provides Japanese citizens various rights in regards to the personal information they provide to PICs. These rights include:

• The right to request a copy of any personal information that a PIC retains in relation to a data subject.
• The right to request that a PIC correct, revise, amend, or delete personal information that a PIC retains in relation to a data subject.
• The right to request access to a PIC’s records in relation to data transfers to third parties.
• The right to access personal information that a PIC intends to delete within a six-month time frame. Under previous versions of the APPI, personal information that was set for deletion within this six-month period was exempt from the law.
• The right to request that a PIC cease the use or transfer of a data subject’s personal information if the PIC in question no longer has use for said information in accordance with the purpose for which it was collected, a data breach has occurred, or it is determined that the manner in which a PIC is handling the personal information of data subject has a likelihood of resulting in the infringement of said data subjects rights.

What are the penalties for violating the APPI?

While the APPI has previously levied monetary fines and criminal penalties against PICs who have been found to be in violation of the law, the 2020 amendment to the APPI has steepened these penalties. The Personal Information Protection Commission or PIPC for short oversees and enforces the APPI, and PICs who fail to comply with the law face monetary fines of up to 100,000,000 Japanese yen ($907,715), as well a criminal punishment of up to 1 year in prison. Additionally, the law also grants Japanese citizens the private right of action to bring forth lawsuits against PICs who violate their rights.

As Japan has experienced an increased level of cybercrime and data breaches in recent years, providing enhanced and modernized data protection rights for citizens was a much-needed development within their legal sphere. To this end, Japan has joined the list of a multitude of countries that have either amended previous data privacy laws, or passed new laws altogether in the face of a new information-sharing landscape that has never been seen before in history. While having lax data security laws in place may have been acceptable in previous generations, the rise of online communication and in turn commerce has necessitated the need for laws such as Japan’s APPI all around the globe.