The Act on the Protection of Personal Information (APPI) is Japan’s main data protection law, enforced by the Personal Information Protection Commission (PPC). It was originally written in 2003 but is formally reviewed every three years to identify rules that need tightening or clarifying. This often leads to revisions of the law, sometimes substantial.
For example, the 2017 revisions removed an exemption for people and businesses that handled data about 5,000 people or fewer. They also created a new category of “special care” data with extra protection.
The most recent revisions passed Japan’s parliament in 2020 and took effect on 1 April 2022. The main changes are:
The law is enforced by the Personal Information Protection Commission (PPC).
Although the APPI was one of the earliest national data protection laws, it arguably takes a softer touch approach than some similar laws, particularly in its original form.
For example, with most personal data, the APPI emphasizes businesses keeping data secure and informing data subjects about handling, rather than having to get permission or use another legal justification to handle data.
The penalty regime arguably puts more emphasis on public standing and “doing the right thing” than force and punishment. For example, fines rarely follow a breach itself. Instead, the PPC has the power to order a business to take action or make changes after a breach and it’s the failure to comply with this order that leads to financial penalties.
Those penalties are punitive rather than monetary–the idea of the business paying compensation to customers (for example, after a data breach) is a strong cultural expectation rather than something forced by law.
Japan has an established general right to privacy, which the APPI aims to uphold and strengthen. It also specifically gives data subjects the following rights:
There’s no specific right to restrict data handling or to object to either marketing itself or using personal information for marketing. A separate law restricts the ways you can send unsolicited emails.
The APPI addresses individuals or businesses handling the personal information of people in Japan in a business context.
The APPI applies to cases of handling personal information. Handling is interpreted the same way as “processing” in laws such as the GDPR and covers any use of personal information, including collecting, holding, and transferring to a third party.
With the 2020 update, the rules vary slightly where some steps have been taken to anonymize data. Data is classed as “pseudonymously processed” when it has been stripped of any information that directly identifies a person or could cause financial risk if exposed (such as credit card numbers.) Once data is pseudonymous:
The APPI classifies data as completely anonymized if there’s no way it could be linked to an individual, even when combined with other data. Anonymized data is exempt from all the APPI’s measures. However, businesses should publicly detail the types of information they handle in an anonymized form.
The APPI applies to anyone who handles personal information about somebody in Japan in a business context.
For a business based outside of Japan, the rules have changed with the 2020 revision. Under the new rules, the APPI applies if the overseas business handles personal information about somebody in Japan and:
Where both the material and territorial scope apply, you will normally need to comply with the APPI even if you are outside of Japan. The main exemptions are for handling data in a non-business context, such as journalism, academic activity, or politics.
The consent rules vary depending on the type of information and how you handle it.
For ordinary personal information, you don’t need consent to handle the information. Instead, the APPI’s main requirement is that you tell people how and why you will use their data before you collect it.
You do need consent before passing data on to a third party. The limited exceptions to this principle are:
Alternatively, you can work on an opt-out basis. To do so, you must tell the person about the planned transfer, including what data is involved and who will get it. You must then give a reasonable period for the person to opt-out and then only proceed if they don’t exercise the opt-out.
You cannot use the opt-out basis for the special care category detailed below. Unless one of the exceptions applies, you’ll need active consent.
You also need consent before collecting data in the “special care required” category. This covers information including:
If you are unsure if data falls into this category, follow the guiding principle that it’s intended to cover any data that, if exposed, could lead to discrimination or prejudice.
The only exceptions that let you can acquire data from this category without consent are:
There’s no exception for GDPR-style “legitimate interests.”
You will normally need consent to transfer somebody’s data outside of Japan. This applies to both ordinary and “special care required “information
The only exception is if you are transferring it to a country which the PPC has deemed to have an equivalent level of data protection as the APPI.
The only exception is if you are transferring it to a country which the PPC has deemed to have an equivalent level of data protection as the APPI. At the time of writing this is limited to the European Union and the United Kingdom.
While the GDPR has largely remained unchanged since it took force, the APPI has gone under a few major updates since it was first introduced way back in 2003. The most significant update was in 2017 when the law was overhauled with changes to both rules and enforcement to bring it up to par with the then-upcoming GDPR, both to provide data adequacy for cross-border data transfers with the EU, and to bolster the privacy protections and rights of Japanese citizens.
The APPI covers any business that handles the personal data of people who are in Japan. It doesn’t matter where the business is based, or where the processing happens. Since the 2017 review, it no longer matters how many people’s data you handle.
The GDPR applies to any organization that meets any of three criteria:
The GDPR has slightly different rules for data controllers (who decide what processing happens and how) and data processors (who do the processing in line with a data controller’s instructions.) The APPI doesn’t make this distinction.
The APPI now requires businesses that suffer specific types of data breaches to notify both the affected data subjects and the Personal Information Protection Commission, Japan’s data protection enforcement body. Data breaches that require notification are those that:
Businesses must make an initial notification as soon as practical and must then file a full report within 30 days (or within 60 days in “improper cause” situations.)
The GDPR dictates that businesses must report any and all data breaches—unless they are unlikely to risk people’s “rights and freedoms.” Businesses must notify the supervisory authority (the data protection agency in the relevant country) as soon as possible once they discover a breach. If a business takes more than 72 hours to disclose a breach it must explain why to the national data protection authority.
Businesses must also directly tell the data subjects about the breach if it has caused a “high risk” to their rights and freedoms. There are exemptions to this rule if measures to significantly mitigate this risk (such as the breached data being encrypted) are in place, or if businesses can inform people just as effectively through public communications such as a media statement.
Both laws have different rules for ordinary personal data and more sensitive data. This is known as “special care required personal information” under the APPI and “special category data” under the GDPR.
The types of data that fall into these categories are largely similar, with examples including medical history and religious beliefs. Some data is only covered by one law, such as marital status in APPI and details of a person’s sex life under the GDPR. With both laws, the principle is to have stronger protection for data that could lead to prejudice or discrimination.
Unlike the GDPR, the APPI doesn’t have significant restrictions on the processing of ordinary personal data, though data subjects do have the right to ask what data you process and your reasons for doing so.
The APPI does restrict the processing of “special care required” data. Consent is required to process these categories of data. In very limited circumstances you can process this data without consent, such as when fulfilling a contract with the data subject or acting in the public interest. The law doesn’t allow for data processing based on “legitimate interest”.
Under the GDPR, processing (of both ordinary or sensitive personal data) is only lawful when you can point to one of six lawful bases. The most appropriate for businesses are:
Other lawful bases include fulfilling a contract with the data subject, processing acting in the public interest, and protecting somebody’s vital interests (in other words, their life.)
Breaching the APPI does not usually directly lead to a penalty in itself. Instead, penalties follow a failure to comply with an order by the Personal Information Protection Commission to improve your data practices, particularly after a breach. Institutional penalties are also much lower than those put forth by the GDPR, while individual penalties are much harsher. The maximum penalty is now one year in prison and a one million yen fine for any of the following:
The business itself can be fined up to 100 million yen, roughly $900,000 USD. There’s also a cultural expectation that businesses will pay damages to data subjects affected by a breach, though the data subjects do have the right to sue if this doesn’t happen.
The GDPR has two categories of maximum penalties for non-compliance. For lesser offenses, which generally involve procedural failings, the maximum is €10 million or two percent of your worldwide turnover, whichever is bigger. For more serious offenses, which generally involve breaching the GDPR’s key principles, the maximum is €20 million or four percent of your worldwide turnover, whichever is bigger.
If your organization is already GDPR compliant, you aren’t far from compliance with the APPI, but you should review your data privacy processes and consent management to ensure that:
CHEQ offers organizations a solution to help maintain full website compliance with the APPI, GDPR, CCPA, LGPD, and many more laws and frameworks.
With CHEQ Privacy, you can set up customizable consent banners for and give your customers a clear-cut choice on how their data is used, or whether it is collected at all.
You can also use CHEQ Privacy to perform a full audit of your website—up to 5000 pages—so you can understand which cookies and tracking technologies are in use and identify potential security or compliance issues.
Book a demo to see how CHEQ Privacy can help your organization stay compliant with evolving regulations worldwide.
Content Marketing Manager
Jeff is the resident content marketing expert at CHEQ. He has several years of experience as a trained journalist, and more recently in his career found a knack for communicating complex cybersecurity topics in an approachable yet detailed manner.
