Japan APPI

Who is excluded from APPI compliance? 

The law excludes several institutions and person from compliance, including:

• a central government organization;
• a local government;
• an independent incorporated administrative agency;
• a local incorporated administrative agency;
• a broadcasting institution, newspaper publisher, communication agency and other press organization (including an individual engaged in the press as his or her business): a purpose of being provided for use in the press;
• a person who practices writing as a profession: a purpose of being provided for use in writing; 
• a university and other organization or group aimed at academic studies, or a person belonging thereto: a purpose of being provided for use in academic studies;
• “a religious body: a purpose of being provided for use in a religious activity;
• a political body: a purpose of being provided for use in a political activity.”
  
  

How can I facilitate APPI compliance for my organization?

The legal basis for APPI is consent, unless one of the exceptions in Article 16 applies, such as “cases in which there is a special need to enhance public hygiene or promote fostering healthy children, and when it is difficult to obtain a principal’s consent.”

As mentioned earlier, APPI mandates that the central (federal) government,  is responsible for “comprehensively developing and implementing necessary measures to ensure the proper handling of personal information” in compliance with the law, and that the local governments as well are responsible for “developing and implementing necessary measures to ensure the proper handling of personal information based on the characteristics of their local area” in conformity with the law.

Additionally, the law says that “the government shall, considering the nature and utilization method of personal information, take necessary legislative and other action so as to be able to take discreet action for protecting personal information that especially requires ensuring the strict implementation of its proper handling in order to seek enhanced protection of an individual’s rights and interests, and shall take necessary action in collaboration with the governments in other countries to construct an internationally conformable system concerning personal information through fostering cooperation with an international organization and other international framework.”

As a PIC, you need to follow the implemented measures; to do so your organization should follow these eight principles: 

1. Collection Limitation: limit the collection of personal information to only what is necessary.
2. Data Quality: ensure that the data is accurate.
3. Purpose Specification: in handling personal information you must specify the purpose for which this will be used.
4. Use Limitation: unless exceptions outlined in Article 16 (3) apply, you must obtain consent prior to handling and must restrict data handling to the scope of its initial collection.
5. Security Safeguards: you must not use the personal information in such a way that would create a possibility of “fomenting or prompting an unlawful or unfair act.”
6. Openness: publish a privacy policy that clearly states the purposes for using personal data, contact information for complaints and questions, and a clear statement that your business is taking any necessary and appropriate steps to ensure the security of the personal information you process. A privacy policy may also cover sensitive personal information, overseas transfers, or anonymized personal information.
7. Individual Participation: inform individuals if you hold data about them, provide access to it in a reasonable and timely manner. 
8. Accountability: you must ensure that you acquire personal information through proper channels and not “by deceit or other improper means.” In the case of special care-required personal information this has to be acquired with prior consent, unless exceptions in Article 17 (2) apply. Report any data breach to both the PPC and the affected individual(s). You have to send out an initial notification about the breach and file a report within 30 days, in certain situations this period might be extended for another 30 days, making it 60 days in total. Last but not least, ensure proper training for any person or persons within your company that handles personal information, as stated in Article 21, and make sure to implement security measures internally - both cybersecurity and physical security ones. 

What data access rights does APPI grant?

APPI grants individuals with the following rights as regards their personal information: 

• The Right to be Informed: Article 28 says that “a principal may demand of a personal information handling business operator disclosure of retained personal data that can identify him or herself by a method of providing electromagnetic record or other methods.” In addition to this you must inform the principal of the name of the PIC, the purpose for using their personal information, the contact details for persons in charge of handling complaints, and the procedures for data subject access requests. 
• The Right to Correct: according to Article 29, “a principal may, when the contents of retained personal data that can identify the principal are not factual, demand of a personal information handling business operator making a correction, addition or deletion (hereinafter referred to as a “correction etc.” in this Article) in regard to the contents of the retained personal data.” 
• The Right to Delete: Article 30 gives principals the right to request that their data no longer be used if the data is no longer necessary, if a data breach has occurred, or if processing their personal information may result in the infringement of their rights or lawful interests. 
• The Right to Access: principals have a right to request that you as a PIC disclose to them the retained data by which they can be identified. 
• The Right to not be Discriminated Against for Exercising Their Rights: although there is no clearly defined right, Article 3 states that “personal information, considering it should be carefully handled under the vision of respecting the personality of an individual, shall be made subject to proper handling.”
• There is no Right to Data Portability defined in the text of the law.
  

   

How should your organization address data subject access requests under APPI?

APPI does not offer very many guidelines on addressing data subject access requests.
For example, it makes no mention of a timeframe for answering a request, nor does it offer any instructions on how requests should be submitted. 

As a PIC, according to the law, you “may decide on a method of receiving a request or demand pursuant to those prescribed by cabinet order. In this case, a principal shall make a demand
etc. for disclosure etc. in accordance with the method,” and when receiving a request for informing of the utilization purposes, you may “collect a fee in relation to taking such action [...] within a range recognized as reasonable considering actual expenses.”

When receiving a request for access, there is no prescriptive list of what information you have to disclose, and you may refuse to disclose data if one or more of the exceptions listed in the law apply, but you must inform the principal of the reasons for refusal.

If a request to cease utilization or to delete retained personal information is submitted, you are required to do so if the request has “reasonable grounds” although these are not defined.  

While every organization should review their internal practices to determine what they believe is reasonable, a best practice may be to model timelines and information disclosures provided in other data privacy regulations such as GDPR or similar.

Enforcement and penalties

The PPC (Personal Information Protection Commission) is the regulatory body in charge of enforcing APPI and checking compliance. 

In the case of penalties, a Court can issue both criminal and non-criminal fines. Criminal penalties may vary as follows: 

• JPY 1 million (approx. $6915) or imprisonment with work for up to 2 years for violations of Article 72;
• JPY 500,000 (approx. $3460) or imprisonment with work for up to 1 year for a PIC, its employees or former employees that handled personal information with the purpose of obtaining illegal profit;
• JPY 300,000 (approx. $2000) or imprisonment with work for up to 6 months for violations of Article 42 (2) (3)
• JPY 300,000 (approx. $2000) for someone who is in violation of Article 40 (1) or who has responded, obstructed, or refused an inspection, or who has violated Article 56.

Non-criminal fines can go up to JPY 100,000 (approx. $700) for a person in violation of Article 26 (2), Article 55, or who is guilty of submitting a false notification under Article 50 (1). 

Data Subject Rights - GDPR vs. APPI