Published August 25, 2021.
Japan’s wide-ranging Act on the Protection of Personal Information (APPI) was passed in 2003 and amended in 2015 and again in 2020.
Not unlike many other data privacy laws, its purpose is to protect an individual’s rights and interests while also considering the utility of personal information. It applies to personal information controllers (PIC) in Japan, no matter if the PIC is a person or an entity and it only applies when the information is handled in the course of business operations.
With the 2020 amendment requiring end-user consent for the transfer of personal data to third parties, Cookiebot CMP is the optimal solution if you are looking for help to ensure that your website is not in violation of the APPI Japan.
APPI in Japan, quick summary
Japan’s data protection law, condensed
Japan’s wide-ranging Act on the Protection of Personal Information (APPI) was passed in 2003, amended in 2015 and again in 2020, with the latter going into effect in 2021/2022. The overhaul in 2015 came after a series of high-profile data breaches had shocked Japan, making it clear that the APPI’s requirements no longer met the present-day needs.
The 2015 overhaul brought with it the establishment of the Personal Information Protection Commission (PPC), which is an independent agency that protects the rights and interests of individuals while encouraging the appropriate and effective use of personal information.
Not unlike many other data privacy laws, its purpose is to protect individuals’ rights and interests, while at the same time recognizing that personal information is valuable and often necessary data for conducting normal, legal day-to-day business operations.
The APPI in Japan is applicable to personal information controllers (PIC) in Japan, no matter if the PIC is a person or an entity. It only applies when a PIC handles personal information in the course of their business, and ‘business’ is therefore explicitly defined as activities which can be conducted repeatedly for a specific purpose and are thus regarded as business operations under the given social conventions.
Japan’s APPI applies to companies that offer goods and services in Japan, whether they are located in the country or abroad. This means that Japan’s APPI, just like the EU’s GDPR and Thailand’s PDPA, has both territorial and extraterritorial scope.
The original 2003 version of Japan’s data protection law only applied to business operators with at least 5,000 identifiable individuals in their database during the previous six months. The latest amendment to the APPI, on the other hand, removed this restriction and broadened its reach. This means it now includes all business operators that process personal information for business purposes, no matter the number of individuals.
Exempt from the Japanese APPI’s application are central government organizations, local governments, local incorporated administrative agencies and independent administrative agencies.
APPI Japan and consent
Regarding consent, a PIC must notify the data subject of the purpose of utilization prior to the collection of personal information and obtain consent before acquiring sensitive information. When it comes to the transfer of personal data to third parties, it is prohibited to do so without the prior consent of the data subject unless an exception applies.
APPI Japan and penalties
The fines for breaching the APPI Japan vary, but with the 2020 amendment the penalty was increased from up to 500,000 yen to up to 100 million yen. With the 2020 amendment, revenue-based fines as we know them from the EU’s GDPR were considered but ultimately abandoned, primarily because fines are rarely mentioned in the APPI Japan.
APPI in Japan – timeline
- APPI Japan went into effect in 2003 as one of the first data privacy regulations in the world.
- In 2015, the APPI Japan was amended. The amendment involved substantial revisions and came into effect on May 30, 2017. One of the significant changes that came with the 2015 amendment was the requirement that the legislation be brought up for revision every three years.
- On June 5, 2020, the 2020 amendments to the APPI passed the National Diet of Japan, the country’s bicameral legislature.
- On June 12, 2020, the 2020 amendments were promulgated.
- On March 24, 2021, the Cabinet of Japan ordered the enforcement of the amended APPI, with the Personal Information Protection Commission (PIPC) issuing enforcement rules on the same day.
- The 2020 amendments will come into effect on April 1, 2022, even though some stricter statutory penalties have already come into effect.
- The transitional measures for providing personal data to third parties through opt-out will also come into effect before April 2022. These are scheduled to come into effect on October 1, 2021.
Try Cookiebot CMP free for 30 days – or forever if you have a small website.
APPI in Japan – Quick breakdown
- Japan’s APPI has, not unlike many other major data privacy laws, the purpose of protecting the privacy rights of the data subject.
- APPI Japan applies to personal information controllers (PIC) in Japan. It does not matter whether the PIC is a single person or an entity like an organization and it only applies whenever a PIC handles personal information in the course of their business.
- APPI Japan therefore defines ‘Business’ as activities which can be conducted repeatedly for a specific purpose and are thus regarded as a business under the given social conventions.
- APPI Japan has territorial scope, meaning if a company is located within the country of Japan and offers goods and services in Japan, the Japanese APPI is applicable.
- APPI Japan has extraterritorial scope as well, meaning the same thing applies to companies who offer goods and services in Japan, but have offices outside of the country.
- APPI Japan points out the importance of the PIC notifying the data subject of the purpose of utilization before collecting any personal information and obtaining their explicit consent prior to acquiring sensitive information.
- APPI Japan prohibits the transfer of personal data to third parties unless you get prior consent of the data subject.
- APPI Japan has varying fines for breaching the APPI. They can go all the way up to 100 million yen, which is a big increase from the 500,000 yen it was prior to the 2020 amendment.
APPI Japan compliance with Cookiebot CMP
Cookiebot consent management platform (CMP) is a world-leading solution that helps you provide transparency and control over all the cookies – and similar tracking – on your website.
Implement Cookiebot CMP to make sure that your website complies with all the major privacy laws around the world, including Japan’s APPI, Thailand’s PDPA, Brazil’s LGPD, South Africa’s POPIA, EU’s GDPR, UK’s GDPR and South Korea’s PIPA.
Our unrivaled website scanner detects all cookies and trackers, delivering an exhaustive report on all personal data processing cookies and trackers on your website.
Cookiebot CMP is an optimal solution for making your domain fully compliant without the need for you to get into any complicated technical implementation.
What is Cookiebot CMP?
How exactly does Cookiebot CMP work, you might wonder?
Simply put, Cookiebot CMP is a plug-and-play compliance solution that helps automate the complete APPI cookie compliance procedure. This includes everything, from automatically detecting all the cookies on your website and thereby controlling them, to actually collecting consents from end-users.
Cookiebot CMP offers you a detailed scan report including details about your website’s cookies such as purpose, provider, duration and what third parties it shares end-user data with.
Finally, Cookiebot CMP helps you to safely store all end-user consents, and to renew them on a regular basis.
Cookiebot CMP works to make end-user privacy protection an integrated part of each individual website, and by offering you a comprehensive overview of all cookies on your website, Cookiebot CMP ensures compliance with the APPI in Japan along with many other data privacy regulations around the world.
APPI – Japan’s Act on Protection of Personal Information, in detail
With the quick overview of the Japanese APPI fresh in mind, the blog post will now take a closer look at Japan’s data privacy law’s key characteristics. Hopefully this will help you understand what it means for you and your website.
Scope of application of the APPI in Japan
The APPI in Japan is applicable to personal information controllers (PIC) in Japan, no matter if the PIC is a person or an entity. Before the first amendment there was an exception for PICs handling the personal information of fewer than 5,000 individuals, but after the amendment there is no minimum requirement of individuals. However, the General Guidelines of the APPI Japan ‘relax’ the standards of security measures for ‘small or medium sized business operators’.
The APPI in Japan only applies when a PIC handles personal information in the course of their business operations. A ‘business’ in the APPI Japan is therefore explicitly defined as activities which can be conducted repeatedly for a specific purpose and are thus regarded as a business under the given social conventions. It does not distinguish between profit or nonprofit businesses.
Exceptions to the above definition are broadcasting institutions, newspaper publishers, professional writers, religious bodies, political parties and universities, which are not included in the scope.
Japan’s APPI has both territorial and extraterritorial scope. This means that not only is it applicable to companies that offer goods and services in Japan with a location within the country, but it also applies to companies located outside of the country of Japan who offer the same goods and services to people located in Japan.
The PPC’s responsibilities
The Personal Information Protection Commission Japan (PPC) is the primary regulator under the APPI. This section will quickly outline their main responsibilities, duties and powers.
- PPC Japan ensures the appropriate handling of personal information and specific personal information so as to protect the rights and interests of the individuals.
- PPC Japan has the primary advisory, enforcement and investigatory powers under the APPI Japan. This includes the power to investigate the activities of a PIC. It also includes the power to investigate an anonymized information controller or a person handling specific personal information.
- PPC Japan renders advice to and makes orders against the above-mentioned people if they suspect that an infringement of any individual’s interests or rights is forthcoming.
- PPC Japan is able to provide information to foreign data protection regulators.
- PPC Japan can in limited circumstances allow information to be used for criminal investigations overseas.
- PPC Japan can also in limited circumstances delegate its investigatory powers to the relevant minister. This does not include its advisory or enforcement powers, however.
APPI Japan – key definitions
Japan’s Act on the Protection of Personal Information (APPI) operates with a set of key definitions. To get the full understanding of the Japanese APPI it is important to familiarize yourself with them, since they are the foundation of the data privacy law.
Unlike other data privacy laws, the APPI in Japan has a lot of definitions, but to keep it short and to the point, these are the five key definitions we will focus on.
- Personal information
- Sensitive information
- Data controller
- Data processor
- Anonymized information and anonymized information controller
Personal information is information that can identify an existing individual in Japan, either by itself or in combination with other information.
Personal information includes numbers found in passports, driver’s licenses, social security IDs and resident’s cards. It also includes personal identifier codes such as characters, symbols or numbers for computer use which represent certain detailed personal physical characteristics. This includes, for example, DNA, fingerprints and facial appearance.
Sensitive information was not added to Japan’s APPI until 2017, but it includes information relating to race, disabilities, medical records and treatments, criminal records, creed and religion.
A data controller is not defined explicitly in Japan’s APPI, but a personal information controller (PIC) is. It is a business operator using a personal information database for its business and is therefore comparable to a data controller.
A data processor is, just like a data controller, not defined by Japan’s APPI either. Because it is a familiar concept in other data privacy regulations, and because it is still relevant despite not being explicitly explained, it will be presented here. It is an entity which has been entrusted by a PIC to handle personal data within the scope necessary for the achievement of the purpose of utilization.
Anonymized information is information regarding an individual which has been processed by deleting or replacing information, so it is unusable to identify an individual. An anonymized information controller is a business operator handling the anonymized information.
It is important to know and recognize the key definitions to understand Japan’s APPI.
Rights and responsibilities
As explained above, we differentiate between a data controller (in this case a PIC) and a data processor. The responsibilities they have and the rights they possess will be explained in detail here.
Even though it is not a general requirement that a PIC has to be registered under the APPI, they still have some rights and responsibilities. For example, they have to make certain things easily accessible, including the name of the PIC, the purpose of any utilization of personal information, information about how the data subject can correct their personal data and where to complain about the PIC.
Besides this, a PIC must:
- Not collect personal information in ways that can be seen as unlawful or deceitful.
- Notify the data subject about the purpose of utilization before collecting any personal information. An exception to this is if the PIC in advance has published the purpose of utilization. This has to be done in a manner that is easily accessible.
- Obtain consent from the data subjects before acquiring any sensitive information about them.
The Japanese APPI does not impose any direct obligations on data processors. On the other hand, it is important that the PIC exercises the necessary and appropriate supervision over any third parties delegated to handle personal data.
For that reason, it is important that there are agreements between the PIC and a potential data processor. This ensures that the data processor provides the appropriate security measures, while also giving the PIC the power to instruct and investigate the data processor in association with its handling of personal data assigned to it.
The data subjects have the right to receive the personal data held about them. If requested, the PIC must disclose in writing (unless the data subject has agreed to receive it electronically) and without any delay the information gathered about the data subject. There are only a couple of exceptions to this right. These are instances that would result in:
- A violation of other Japanese laws
- Injury to other rights and interests of the data subjects or any third parties
- A material interference with business operations of the PIC.
Additionally, the data subjects have the right to revise, correct, amend or delete their personal data. They are also entitled to get their data deleted if it is being used for another purpose than originally stated or if the data was acquired by unlawful means.
The data subjects are also entitled to access a PIC’s record of data transfers to third parties under the 2020 amendments. The 2020 amendment also requires end-user consent for the transfer of personal data to a third party. This will for example occur every time a Google or Facebook cookie is activated on a website, making Cookiebot CMP an optimal solution to ensure that your website is not in violation of the APPI Japan.
The fines for breaching the APPI Japan vary, but with the 2020 amendment they were increased from up to 500,000 yen to up to 100 million yen. With the 2020 amendment, revenue-based fines as known from the EU’s GDPR were considered but ultimately abandoned, primarily because fines are rarely invoked in the APPI Japan.
Summary of APPI, Japan’s Act on Protection of Personal Information
Japan’s Act on the Protection of Personal Information (APPI) is one of the many data privacy laws around the world. Its purpose is to protect an individual’s rights and interests while also considering the utility of personal information.
It applies to personal information controllers (PIC) in Japan, no matter if the PIC is a person or an entity. It only applies when a PIC handles personal information in the course of their business.
Japan’s APPI was first approved in 2003 and has since been amended several times, with the latest one coming into full effect in 2022.
The latest amendment requires end-user consent for the transfer of personal data to a third party. Cookiebot CMP enables compliance with most of the world’s major data privacy laws, including Japan’s APPI, to make sure that your website is not in violation of the APPI Japan.
What is Japan’s APPI?
The Japanese Act on Protection of Personal Information (APPI) is a data privacy law. Just like the EU’s GDPR, its purpose is to protect the privacy rights of the data subjects, by making sure that companies or organizations do not abuse data about their users. The APPI Japan helps ensure that this works successfully.
How can my website be in compliance with Japan’s APPI?
To comply with Japan’s APPI on your website you are required to notify the data subjects about the purpose of utilization before collecting any personal information, to obtain consent from the data subjects before acquiring any sensitive information about them and not to collect personal information in ways that can be seen as unlawful or fraudulent.
It is also important that you give the users the option to access and correct their personal data whenever they wish to.
Who does Japan’s APPI apply to?
Japan’s APPI is applicable to a personal information controller (PIC) in Japan. It does not matter if the PIC is a person or an entity. It is only applicable when the PIC handles personal information in the course of their business. To clarify this, the Japanese APPI defines ‘business’ as activities which can be conducted repeatedly for a specific purpose and are thus regarded as a business under the given social conventions.
Does Japan’s APPI have extraterritorial scope?
Japan’s APPI applies not only to companies that offer goods and services in Japan with offices located within the country. It also applies to those who handle data about people living in Japan from offices outside of Japan. By doing so the APPI in Japan has both territorial and extraterritorial scope, not unlike the EU’s GDPR.
What is the penalty for breaching the Japanese APPI?
There are different penalties in order to stop people breaching the Japanese APPI. One of them is a fine, which with the 2020 amendment was increased from up to 500,000 yen to up to 100 million yen.
With the implementation of the 2020 amendment, it was also discussed whether or not business revenue-based penalties, as known from the EU’s GDPR, should be a part of the APPI but ultimately it was not implemented.
How can I scan my website for cookies and trackers?
By using a consent management platform like Cookiebot CMP you can reveal all cookies and trackers that currently process personal information on your website. It also shows you where in the world your domain sends data to.