Published August 25, 2021.
Japan’s wide-ranging Act on the Protection of Personal Information (APPI) was passed in 2003 and amended in 2015 and again in 2020.
Like many other data privacy laws, its purpose is to protect individuals’ rights and interests while also recognizing the utility of personal information. It applies to personal information controllers (PICs) in Japan, whether the PIC is a person or an entity, and only when the information is handled in the course of business operations.
With the 2020 amendment tightening the consent requirements for the transfer of personal data to third parties, Cookiebot CMP can help you make sure that your website is not in violation of the APPI in Japan.
Japan’s wide-ranging Act on the Protection of Personal Information (APPI) was passed in 2003, amended in 2015 and again in 2020, with the latter going into effect in 2021/2022. The overhaul in 2015 came after a series of high-profile data breaches had shocked Japan, making it clear that the APPI’s requirements no longer met the present-day needs.
The 2015 overhaul also established the Personal Information Protection Commission (PPC), an independent agency that protects the rights and interests of individuals while encouraging the appropriate and effective use of personal information.
Like many other data privacy laws, its purpose is to protect individuals’ rights and interests while at the same time acknowledging that personal information is valuable and often necessary for conducting perfectly normal and lawful day-to-day business operations.
The APPI applies to personal information controllers (PICs) in Japan, whether the PIC is a person or an entity. It only applies when a PIC handles personal information in the course of their business, and ‘business’ is explicitly defined as activities that are conducted repeatedly for a specific purpose and are regarded as business operations under prevailing social conventions.
Japan’s APPI applies to companies that offer goods and services in Japan, whether they are located in the country or abroad. This means that Japan’s APPI, just like the EU’s GDPR and Thailand’s PDPA, has both territorial and extraterritorial scope.
The original 2003 version of Japan’s data protection law only applied to business operators with at least 5,000 identifiable individuals in their database during the previous six months. The 2015 amendment (in force from 2017) removed this threshold and broadened the law’s reach, so that it now covers all business operators that process personal information for business purposes, regardless of the number of individuals.
Exempt from the Japanese APPI’s application are central government organizations, local governments, local incorporated administrative agencies and independent administrative agencies.
Regarding consent, a PIC must notify the data subject of (or publicly announce) the purpose of utilization when collecting personal information, and must obtain consent before acquiring sensitive information. Transferring personal data to third parties without the prior consent of the data subject is prohibited unless an exception applies.
The penalties for breaching the APPI vary, but the 2020 amendment raised the maximum fine for corporations from 500,000 yen to 100 million yen. Revenue-based fines, as known from the EU’s GDPR, were considered during the 2020 amendment but ultimately abandoned, primarily because fines have rarely been imposed under the APPI in practice.
Japan's APPI aims to protect the privacy rights of the data subject.
Try Cookiebot CMP free for 30 days – or forever if you have a small website.
Cookiebot consent management platform (CMP) is a world-leading solution that helps you provide transparency and control over all the cookies – and similar tracking – on your website.
Implement Cookiebot CMP to make sure that your website complies with all the major privacy laws around the world, including Japan’s APPI, Thailand’s PDPA, Brazil’s LGPD, South Africa’s POPIA, EU’s GDPR, UK’s GDPR and South Korea’s PIPA.
Our unrivaled website scanner detects all cookies and trackers, delivering an exhaustive report on all personal data processing cookies and trackers on your website.
Cookiebot CMP is an optimal solution for making your domain fully compliant without the need for you to get into any complicated technical implementation.
Implement Cookiebot CMP to comply with Japan's APPI.
How exactly does Cookiebot CMP work, you might wonder?
Simply put, Cookiebot CMP is a plug-and-play compliance solution that helps automate the complete APPI cookie compliance procedure. This includes everything, from automatically detecting all the cookies on your website and thereby controlling them, to actually collecting consents from end-users.
Cookiebot CMP offers you a detailed scan report including details about your website’s cookies such as purpose, provider, duration and what third parties it shares end-user data with.
Finally, Cookiebot CMP helps you to safely store all end-user consents, and to renew them on a regular basis.
Consent banner by Cookiebot CMP for APPI compliance in Japan
Cookiebot CMP works to make end-user privacy protection an integrated part of each individual website. By giving you a comprehensive overview of all cookies on your website, it helps you comply with the APPI in Japan along with many other data privacy regulations around the world.
With this quick overview of the Japanese APPI fresh in mind, the rest of this blog post takes a closer look at the key characteristics of Japan’s data privacy law, to help you understand what it means for you and your website.
The APPI applies to personal information controllers (PICs) in Japan, whether the PIC is a person or an entity. Before the 2015 amendment there was an exception for PICs handling the personal information of fewer than 5,000 individuals, but that minimum no longer exists. However, the General Guidelines of the APPI ‘relax’ the standard of security measures expected from ‘small or medium-sized business operators’.
The APPI only applies when a PIC handles personal information in the course of their business operations. A ‘business’ under the APPI is explicitly defined as activities that are conducted repeatedly for a specific purpose and are regarded as a business under prevailing social conventions. It does not distinguish between for-profit and nonprofit businesses.
Exceptions to the above definition are broadcasting institutions, newspaper publishers, professional writers, religious bodies, political parties and universities, which fall outside the scope of the PIC obligations when handling personal information for their press, writing, academic, religious or political purposes.
Japan’s APPI has both territorial and extraterritorial scope. It applies not only to companies located in Japan that offer goods and services there, but also to companies located outside Japan that offer goods and services to people located in Japan.
The Personal Information Protection Commission (PPC) is the primary regulator under the APPI. Its main powers include requesting reports from PICs and conducting on-site inspections, issuing guidance and advice, and issuing recommendations and orders; failure to comply with a PPC order is subject to criminal penalties.
Japan’s Act on the Protection of Personal Information (APPI) operates with a set of key definitions. To fully understand the Japanese APPI it is important to familiarize yourself with them, since they are the foundation of the data privacy law.
The APPI contains many definitions, but to keep it short and to the point, these are the five key definitions we will focus on.
Personal information is information relating to a living individual that can identify that individual, either by itself or in combination with other information.
Personal information includes numbers found in passports, driver’s licenses, social security IDs and resident’s cards. It also includes ‘individual identification codes’: characters, symbols or numbers for computer use that represent specific physical characteristics of a person, such as DNA, fingerprints and facial features.
Sensitive information was not added to Japan’s APPI until 2017 (under the 2015 amendment). It includes information relating to race, disabilities, medical records and treatments, criminal records, creed and religion.
A data controller is not defined explicitly in Japan’s APPI, but a personal information controller (PIC) is. A PIC is a business operator using a personal information database for its business, and is therefore comparable to a data controller.
A data processor is, like a data controller, not defined by Japan’s APPI either. Because it is a familiar concept in other data privacy regulations and remains relevant in practice, it is presented here. A data processor is an entity that has been entrusted by a PIC to handle personal data within the scope necessary to achieve the purpose of utilization.
Anonymized information is information about an individual that has been processed, by deleting or replacing elements, so that it can no longer be used to identify the individual. An anonymized information controller is a business operator handling anonymized information.
It is important to know and recognize the key definitions to understand Japan's APPI.
As explained above, we distinguish between a data controller (in this case a PIC) and a data processor. Their responsibilities and rights are explained in more detail here.
Even though a PIC is not generally required to register under the APPI, it still has a number of obligations. For example, it must make certain things easily accessible, including the name of the PIC, the purpose of any utilization of personal information, information about how the data subject can have their personal data corrected, and where to complain about the PIC.
Besides this, a PIC must specify the purpose of utilization and not use personal information beyond it, take appropriate security measures against leaks, loss and damage, supervise its employees and any processors it entrusts with personal data, keep records of transfers to third parties, respond to data subjects’ requests for disclosure and correction, and, under the 2020 amendment, report qualifying data breaches to the PPC and notify the affected individuals.
The Japanese APPI does not impose any direct obligations on data processors. Instead, the PIC must exercise necessary and appropriate supervision over any third parties delegated to handle personal data.
For that reason, it is important that there are agreements between the PIC and any data processor. These ensure that the data processor applies appropriate security measures, while also giving the PIC the power to instruct and audit the data processor with regard to the personal data it has been assigned.
Data subjects have the right to receive the personal data held about them. If requested, the PIC must disclose the information gathered about the data subject in writing (unless the data subject has agreed to receive it electronically) and without delay. There are only a few exceptions to this right: cases where disclosure would harm the life, body, property or other rights and interests of the data subject or a third party, would seriously impede the proper conduct of the PIC’s business, or would violate other laws.
Additionally, the data subjects have the right to revise, correct, amend or delete their personal data. They are also entitled to get their data deleted if it is being used for another purpose than originally stated or if the data was acquired by unlawful means.
Under the 2020 amendments, data subjects are also entitled to access a PIC’s records of data transfers to third parties. The 2020 amendment further extended the consent requirement to ‘personally referable information’ such as cookie identifiers, where the recipient can link that information to an individual. This can occur, for example, when a Google or Facebook cookie is activated on a website, which makes Cookiebot CMP a practical way to help ensure that your website is not in violation of the APPI.
The 2020 amendment requires end-user consent for the transfer of personal data to a third party.
The penalties for breaching the APPI vary, but the 2020 amendment raised the maximum fine for corporations from 500,000 yen to 100 million yen. Revenue-based fines, as known from the EU’s GDPR, were considered during the 2020 amendment but ultimately abandoned, primarily because fines have rarely been imposed under the APPI in practice.
Japan’s Act on the Protection of Personal Information (APPI) is one of the many data privacy laws around the world. Its purpose is to protect individuals’ rights and interests while also recognizing the utility of personal information.
It applies to personal information controllers (PICs) in Japan, whether the PIC is a person or an entity, and only when the PIC handles personal information in the course of their business.
Japan’s APPI was first approved in 2003 and has since been amended several times, with the latest one coming into full effect in 2022.
The latest amendment tightens the consent requirements for the transfer of personal data to third parties. Cookiebot CMP supports compliance with most of the world’s major data privacy laws, including Japan’s APPI, to help make sure that your website is not in violation of it.
The Japanese Act on the Protection of Personal Information (APPI) is a data privacy law. Like the EU’s GDPR, its purpose is to protect the privacy rights of data subjects by making sure that companies and organizations do not abuse data about their users.
To comply with Japan’s APPI on your website you must notify data subjects of (or publicly announce) the purpose of utilization when collecting personal information, obtain consent from data subjects before acquiring any sensitive information about them, and not collect personal information by unlawful or fraudulent means.
It is also important that you give the users the option to access and correct their personal data whenever they wish to.
Japan’s APPI applies to personal information controllers (PICs) in Japan, whether the PIC is a person or an entity, and only when the PIC handles personal information in the course of their business. To clarify this, the APPI defines ‘business’ as activities that are conducted repeatedly for a specific purpose and are regarded as a business under prevailing social conventions.
Japan’s APPI applies not only to companies with offices in Japan that offer goods and services there. It also applies to those who handle data about people living in Japan from offices outside Japan. The APPI therefore has both territorial and extraterritorial scope, much like the EU’s GDPR.
There are several penalties intended to deter breaches of the Japanese APPI. One of them is a fine, whose maximum for corporations was raised from 500,000 yen to 100 million yen by the 2020 amendment.
During the 2020 amendment it was also discussed whether revenue-based penalties, as known from the EU’s GDPR, should become part of the APPI, but they were ultimately not adopted.
By using a consent management platform like Cookiebot CMP you can reveal all cookies and trackers that currently process personal information on your website. It also shows you where in the world your domain sends data to.