Japan’s Act on the Protection of Personal Information (APPI)

Japan’s Act on the Protection of Personal Information, or APPI for short, is a Japanese data privacy law that was originally passed in 2003 and most recently amended in 2020. A large reason for the 2020 amendment was a string of highly damaging data breaches within the country in recent years. Part of the reason for this rise in cybercrime was the “hands-off” attitude that the Japanese government had taken toward data protection and cybersecurity in the past. To illustrate this point, The Economist has written that Japan “lags behind other advanced economies” when it comes to cybersecurity: many Japanese SMBs have minimal security, many more run vulnerable legacy technology, and “nearly 14m people were still using Windows 7 when Microsoft stopped providing security patches in January 2020”.

What is the scope and application of the APPI?

In principle, the APPI applies to any business entity or organization that handles or processes the personal information of Japanese citizens, irrespective of where that business or organization is physically located. To this end, the APPI also applies to non-Japanese business entities and organizations that acquire the personal information of Japanese citizens and process it in another country. However, there are some limits to the APPI’s reach, as some provisions of the law apply solely to businesses and organizations operating within Japan. Moreover, certain types of Japanese businesses and individuals are exempt from the APPI, including the press, political parties, religious groups, and professional writers and academics.

What are the requirements of businesses and organizations under the APPI?

Many other privacy laws around the world, such as the EU’s General Data Protection Regulation (GDPR) and Australia’s Consumer Data Right (CDR), frame their processing obligations around the party responsible for personal information, commonly called the “data controller”. The APPI instead uses the term “personal information controller”, or PIC for short, which it defines as “a business operator using a personal information database for its business”; this is a similar concept to a data controller. The APPI places several requirements on PICs that collect the personal information of Japanese citizens.

Under the APPI, personal information is defined as “any information from which one can deduce the identity of a living individual. Such information includes biometric markers and official identifier numbers”. Furthermore, the APPI also protects the “sensitive information” of Japanese citizens, which it defines to include “race, religion, criminal record, and medical history”. Pseudonymized information, by contrast, is subject to lighter obligations under the APPI: such information is limited to internal use by businesses and organizations and, as such, cannot be shared with third parties.

In terms of compliance, businesses and organizations both inside and outside Japan must adhere to the following measures when processing the personal information and sensitive personal information of Japanese citizens:

What are the rights of Japanese citizens under the APPI?

The APPI grants Japanese citizens various rights with regard to the personal information they provide to PICs. These rights include:

What are the penalties for violating the APPI?

While violations of the APPI have previously carried monetary fines and criminal penalties for PICs found to be in breach of the law, the 2020 amendment steepened these penalties. The Personal Information Protection Commission, or PIPC for short, oversees and enforces the APPI, and PICs that fail to comply with the law face monetary fines of up to 100,000,000 Japanese yen (about $907,715 at the time of writing), as well as criminal punishment of up to 1 year in prison. Additionally, the law grants Japanese citizens a private right of action to bring lawsuits against PICs that violate their rights.

As Japan has experienced an increased level of cybercrime and data breaches in recent years, providing enhanced and modernized data protection rights for its citizens was a much-needed development in its legal sphere. In doing so, Japan has joined the many countries that have either amended existing data privacy laws or passed new ones in the face of an information-sharing landscape unlike any seen before. While lax data security laws may have been acceptable in previous generations, the rise of online communication, and with it online commerce, has made laws such as Japan’s APPI a necessity around the globe.