What is APPI?
The Act on the Protection of Personal Information (APPI) is Japan’s new data protection law, effective as of April 2022, aiming to protect “an individual’s rights and interests while considering the utility of personal information including that the proper and effective application of personal information contributes to the creation of new industries and the realization of a vibrant economic society and an enriched quality of life for the people of Japan.”
It establishes both the central and the local governments as responsible for “comprehensively developing and implementing necessary measures to ensure the proper handling of personal information” in compliance with the law. It works together with a series of guidelines provided by the PPC (Personal Information Protection Commission), and it sets both criminal and non-criminal penalties for those who are in violation.
What is Personal Information and what are other key definitions?
APPI defines ‘personal information’ as information relating to a living individual residing in Japan which, on its own or combined with any other information, can be used to identify the individual. Some examples include ‘personal identifier codes,’ which can consist of “any character, letter, number, symbol or other codes” which, when entered into a computer, will identify the individual.
It is interesting to note that APPI offers a separate definition for ‘personal data,’ as “personal information constituting a personal information database.”
Sensitive personal information is called here ‘special care-required personal information’ which is defined as “personal information comprising a principal's race, creed, social status, medical history, criminal record, fact of having suffered damage by a crime, or other descriptions etc. prescribed by cabinet order as those of which the handling requires special care so as not to cause unfair discrimination, prejudice or other disadvantages to the principal.”
The data subject here is referred to as a ‘principal’ which is “a specific individual identifiable by personal information,” and the equivalent for ‘data controller’ is what in a verbatim English translation would be ‘personal information handling business operator,’ which is defined as “a person providing a personal information database etc. for use in business.” For the purposes of this article we will refer to data controllers as ‘Personal Information Controllers’ (PIC). Notice that the Japanese law makes no distinction between Controller and Processor which means that data processors are also considered ‘personal information handling business operators.’
One other relevant definition is that of ‘retained personal data,’ defined as “personal data which a personal information handling business operator has the authority to disclose, correct, add or delete the contents of, cease the utilization of, erase, and cease the third-party provision of.” This excludes the types of data retained by local governments, namely data that is “likely to harm the public or other interests if their presence or absence is made known.”
Who has to comply with APPI?
APPI applies to any business that is a PIC of Japanese personal information, that provides a personal information database for commercial use, whether it is located in Japan or not. This means that if your business handles personal information of individuals from Japan in any way, your business would be subject to APPI. The law covers not just citizens, but all people in Japan, which means anyone located in Japan at the time of collection has their personal information protected under APPI.
It also applies to retained personal data and to PICs who handle personal information that has been anonymously processed.
Who is excluded from APPI compliance?
The law excludes several institutions and persons from compliance, including:
- a central government organization;
- a local government;
- an independent incorporated administrative agency;
- a local incorporated administrative agency;
- a broadcasting institution, newspaper publisher, communication agency and other press organization (including an individual engaged in the press as his or her business): a purpose of being provided for use in the press;
- a person who practices writing as a profession: a purpose of being provided for use in writing;
- a university and other organization or group aimed at academic studies, or a person belonging thereto: a purpose of being provided for use in academic studies;
- a religious body: a purpose of being provided for use in a religious activity;
- a political body: a purpose of being provided for use in a political activity.
How can I facilitate APPI compliance for my organization?
The legal basis for APPI is consent, unless one of the exceptions in Article 16 applies, such as “cases in which there is a special need to enhance public hygiene or promote fostering healthy children, and when it is difficult to obtain a principal’s consent.”
As mentioned earlier, APPI mandates that the central (federal) government is responsible for “comprehensively developing and implementing necessary measures to ensure the proper handling of personal information” in compliance with the law, and that the local governments are likewise responsible for “developing and implementing necessary measures to ensure the proper handling of personal information based on the characteristics of their local area” in conformity with the law.
Additionally, the law says that “the government shall, considering the nature and utilization method of personal information, take necessary legislative and other action so as to be able to take discreet action for protecting personal information that especially requires ensuring the strict implementation of its proper handling in order to seek enhanced protection of an individual’s rights and interests, and shall take necessary action in collaboration with the governments in other countries to construct an internationally conformable system concerning personal information through fostering cooperation with an international organization and other international framework.”
As a PIC, you need to follow the implemented measures; to do so your organization should follow these eight principles:
- Collection Limitation: limit the collection of personal information to only what is necessary.
- Data Quality: ensure that the data is accurate.
- Purpose Specification: in handling personal information you must specify the purpose for which this will be used.
- Use Limitation: unless exceptions outlined in Article 16 (3) apply, you must obtain consent prior to handling and must restrict data handling to the scope of its initial collection.
- Security Safeguards: you must not use the personal information in such a way that would create a possibility of “fomenting or prompting an unlawful or unfair act.”
- Individual Participation: inform individuals if you hold data about them, and provide access to it in a reasonable and timely manner.
- Accountability: you must ensure that you acquire personal information through proper channels and not “by deceit or other improper means.” Special care-required personal information has to be acquired with prior consent, unless the exceptions in Article 17 (2) apply. Report any data breach to both the PPC and the affected individual(s). You have to send out an initial notification about the breach and file a report within 30 days; in certain situations this period might be extended for another 30 days, making it 60 days in total. Last but not least, ensure proper training for any person or persons within your company who handle personal information, as stated in Article 21, and make sure to implement security measures internally, covering both cybersecurity and physical security.
What data access rights does APPI grant?
APPI grants individuals the following rights regarding their personal information:
- The Right to be Informed: Article 28 says that “a principal may demand of a personal information handling business operator disclosure of retained personal data that can identify him or herself by a method of providing electromagnetic record or other methods.” In addition to this you must inform the principal of the name of the PIC, the purpose for using their personal information, the contact details for persons in charge of handling complaints, and the procedures for data subject access requests.
- The Right to Correct: according to Article 29, “a principal may, when the contents of retained personal data that can identify the principal are not factual, demand of a personal information handling business operator making a correction, addition or deletion (hereinafter referred to as a “correction etc.” in this Article) in regard to the contents of the retained personal data.”
- The Right to Delete: Article 30 gives principals the right to request that their data no longer be used if the data is no longer necessary, if a data breach has occurred, or if processing their personal information may result in the infringement of their rights or lawful interests.
- The Right to Access: principals have a right to request that you as a PIC disclose to them the retained data by which they can be identified.
- The Right to not be Discriminated Against for Exercising Their Rights: although there is no clearly defined right, Article 3 states that “personal information, considering it should be carefully handled under the vision of respecting the personality of an individual, shall be made subject to proper handling.”
- There is no Right to Data Portability defined in the text of the law.
How should your organization address data subject access requests under APPI?
APPI does not offer very many guidelines on addressing data subject access requests.
For example, it makes no mention of a timeframe for answering a request, nor does it offer any instructions on how requests should be submitted.
As a PIC, according to the law, you “may decide on a method of receiving a request or demand pursuant to those prescribed by cabinet order. In this case, a principal shall make a demand etc. for disclosure etc. in accordance with the method,” and when receiving a request for informing of the utilization purposes, you may “collect a fee in relation to taking such action [...] within a range recognized as reasonable considering actual expenses.”
When receiving a request for access, there is no prescriptive list of what information you have to disclose, and you may refuse to disclose data if one or more of the exceptions listed in the law apply, but you must inform the principal of the reasons for refusal.
If a request to cease utilization or to delete retained personal information is submitted, you are required to comply if the request has “reasonable grounds,” although these are not defined.
While every organization should review its internal practices to determine what it believes is reasonable, a best practice may be to model timelines and information disclosures on those provided in other data privacy regulations such as GDPR or similar.
Enforcement and penalties
The PPC (Personal Information Protection Commission) is the regulatory body in charge of enforcing APPI and checking compliance.
In the case of penalties, a Court can issue both criminal and non-criminal fines. Criminal penalties may vary as follows:
- JPY 1 million (approx. $6915) or imprisonment with work for up to 2 years for violations of Article 72;
- JPY 500,000 (approx. $3460) or imprisonment with work for up to 1 year for a PIC, its employees or former employees that handled personal information with the purpose of obtaining illegal profit;
- JPY 300,000 (approx. $2000) or imprisonment with work for up to 6 months for violations of Article 42 (2) (3);
- JPY 300,000 (approx. $2000) for someone who is in violation of Article 40 (1) or who has responded, obstructed, or refused an inspection, or who has violated Article 56.
Non-criminal fines can go up to JPY 100,000 (approx. $700) for a person in violation of Article 26 (2), Article 55, or who is guilty of submitting a false notification under Article 50 (1).
Data Subject Rights - GDPR vs. APPI
GDPR:
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
APPI:
- The Right to be Informed
- The Right to Correct
- The Right to Delete
- The Right to Access
- The Right to not be Discriminated Against for Exercising Their Rights
How can Clym help?
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Custom branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.