The 2015 overhaul brought with it the establishment of the Personal Information Protection Commission<\/a> (PPC), which is an independent agency that protects the rights and interest of individuals while encouraging the appropriate and effective use of personal information.<\/p>\n\n\n\n Not unlike many other data privacy laws, its purpose is to protect individuals\u2019 rights and interests<\/strong>, while at the same time supporting that personal information is valuable and often necessary data in order to conduct absolutely normal and legal day-to-day business operations.<\/p>\n\n\n\n The APPI in Japan is applicable to personal information controllers (PIC) in Japan<\/strong>, no matter if the PIC is a person or an entity. It only applies when a PIC handles personal information in the course of their business, and \u2018business\u2019 is therefore explicitly defined as activities which can be conducted repeatedly for a specific purpose and are thus regarded as business operations under the given social conventions.<\/p>\n\n\n\n Japan\u2019s APPI applies to companies that offer goods and services<\/strong> in Japan, whether they are located in the country or abroad. This means that Japan\u2019s APPI, just like the EU\u2019s GDPR<\/a> and Thailand\u2019s PDPA<\/a>, has both territorial and extraterritorial scope.<\/p>\n\n\n\n The original 2003 version of Japan\u2019s data protection law only applied to business operators with at least 5,000 identifiable individuals in their database during the previous six months. The latest amendment to the APPI on the other hand, removed this restriction and broadened its reach. This means it now includes all business operators that process personal information for business purposes no matter the number of individuals.<\/strong><\/p>\n\n\n\n Scan your website for free to see all cookies and trackers in use<\/a><\/strong><\/p>\n\n\n\n Exempt from the Japanese APPI\u2019s application are central government organizations, local governments, local incorporated administrative agencies and independent administrative agencies.<\/p>\n\n\n\n Regarding consent, a PIC must notify the data subject of the purpose of utilization<\/strong> prior to the collection of personal information and obtain consent<\/strong> before acquiring sensitive information. When it comes to the transfer of personal data to third parties, it is prohibited to do so without the prior consent of the data subject<\/strong> unless an exception applies.<\/p>\n\n\n\n The fines for breaching the APPI Japan vary, but with the 2020 amendment the penalty was increased from up to 500,000 yen to up to 100 million yen. With the 2020 amendment, revenue-based fines as we know them from the EU\u2019s GDPR were considered but ultimately abandoned, primarily because fines are rarely mentioned in the APPI Japan.<\/p>\n\n\n\n Scan your website for free to see all cookies and trackers in use<\/a><\/strong><\/p>\n\n\n\n Try Cookiebot CMP free for 14 days<\/a>\u00a0<\/strong>\u2013 or forever if you have a small website.<\/p>\n\n\n\n Scan your website to discover what cookies and trackers are in use on your website<\/a><\/strong><\/p>\n\n\n\n Try Cookiebot consent management platform (CMP) for free<\/a><\/strong><\/p>\n\n\n\n Cookiebot consent management platform<\/a> (CMP) is a world-leading solution that helps you provide transparency and control over all the cookies \u2013 and similar tracking \u2013 on your website.<\/strong><\/p>\n\n\n\n Implement Cookiebot CMP to make sure that your website complies with all the major privacy laws around the world, including Japan\u2019s APPI<\/strong>, Thailand\u2019s PDPA<\/a>, Brazil\u2019s LGPD<\/a>, South Africa\u2019s POPIA<\/a>, EU\u2019s GDPR<\/a>, UK\u2019s GDPR<\/a> and South Korea\u2019s PIPA<\/a>.<\/p>\n\n\n\n The APPI in Japan requires consent from the users in Japan, before you can use cookies and trackers as an integral part of your website.<\/strong><\/p>\n\n\n\n Our unrivaled website scanner detects all cookies and trackers, delivering an exhaustive report on all personal data processing cookies and trackers on your website.<\/p>\n\n\n\n Cookiebot CMP<\/a>\u00a0is an optimal solution for making your domain fully compliant without the need for you to get into any complicated technical implementation.<\/p>\n\n\n\n How exactly does\u00a0Cookiebot CMP\u00a0work, you might wonder?<\/p>\n\n\n\n Simply put,\u00a0Cookiebot CMP\u00a0is a plug-and-play compliance solution that helps automate the complete APPI cookie compliance procedure. This includes everything, from automatically detecting all the cookies on your website and thereby controlling them, to actually collecting consents from end-users.<\/p>\n\n\n\n Cookiebot CMP\u00a0offers you a detailed scan report including details about your website\u2019s cookies such as purpose, provider, duration and what third parties it shares end-user data with.<\/p>\n\n\n\n Finally, Cookiebot CMP<\/a> helps you to safely store all end-user consents, and to renew them on a regular basis.<\/strong><\/p>\n\n\n\n Cookiebot CMP<\/a>\u00a0works to make end-user privacy protection an integrated part of each individual website, and by offering you a comprehensive overview of all cookies on your website,\u00a0Cookiebot CMP\u00a0enables compliance with the APPI in Japan along with many other data privacy regulations around the world.<\/p>\n\n\n\n Scan your website to discover what cookies and trackers are in use on your website<\/a><\/strong><\/p>\n\n\n\n Try Cookiebot CMP for APPI compliance in Japan<\/a><\/strong><\/p>\n\n\n\n With the quick overview of the Japanese APPI fresh in mind, the blog post will now take a closer look at Japan\u2019s data privacy law\u2019s key characteristics. Hopefully this will help you understand what it means for you and your website.<\/p>\n\n\n\n The APPI in Japan is applicable to personal information controllers (PIC) in Japan<\/strong>, no matter if the PIC is a person or an entity. Before the first amendment there were an exception for PIC\u2019s handling the personal information of less than 5,000 individuals, but after the amendment there is no minimum requirement of individuals. However, the General Guidelines of the APPI Japan \u2018relax\u2019 the standards of security measures for \u2018small or medium sized business operators.<\/p>\n\n\n\n The APPI in Japan only applies when a PIC handles personal information in the course of their business operations. A \u2018business\u2019 in the APPI Japan is therefore explicitly defined as activities which can be conducted repeatedly for a specific purpose and are thus regarded as a business under the given social conventions<\/strong>. It does not distinguish between profit or nonprofit businesses.<\/p>\n\n\n\n Exceptions to the above definition are broadcasting institutions, newspaper publishers, professional writers, religious bodies, political parties and universities, which are not included in the scope.<\/p>\n\n\n\n Japan\u2019s APPI has both territorial and extraterritorial scope. This means that not only is it applicable to companies that offer goods and services in Japan with a location within the country, but it also applies to companies located outside of the country of Japan who offer the same goods and services to people located in Japan.<\/p>\n\n\n\n The extraterritorial scope is not always stated in data privacy laws, but other examples of this type of scope can be found in the EU\u2019s GDPR<\/a> and Thailand\u2019s PDPA<\/a>.<\/p>\n\n\n\n The Personal Information Protection Commission Japan<\/a> (PPC) is the primary regulator under the APPI. This section will quickly outline their main responsibilities, duties and powers.<\/p>\n\n\n\n These include:<\/p>\n\n\n\n Scan your website to discover what cookies and trackers are in use on your website<\/a><\/strong><\/p>\n\n\n\n Try Cookiebot CMP free for 14 days<\/strong><\/a>\u00a0\u2013 or forever if you have a small website<\/p>\n\n\n\n Japans Act on the Protection of Personal Information (APPI) operates with a set of key definitions. To get the full understanding of the Japanese APPI it is important to familiarize yourself with them, since they are the foundation of the data privacy law.<\/p>\n\n\n\n Unlike other data privacy laws, the APPI in Japan has a lot of definitions, but to keep it short and to the point, these are the five key definitions we will focus on.<\/p>\n\n\n\n Personal information<\/strong> is information that can identify an existing individual in Japan, either by itself or in combination with other information.<\/p>\n\n\n\n Personal information includes numbers found in passports, driver\u2019s licenses, social security ID\u2019s and resident\u2019s cards. It also includes personal identifier codes such as characters, symbols or numbers for computer use which represent certain detailed personal physical characteristics. This contains for example DNA, fingerprints and facial appearance.<\/p>\n\n\n\n Sensitive information<\/strong> was not added to Japan\u2019s APPI until 2017, but they include information relating to race, disabilities, medical records and treatments, criminal records, creed and religion.<\/p>\n\n\n\n A data controller<\/strong> is not defined explicitly in Japan\u2019s APPI, but a personal information controller (PIC) is. It is a business operator using a personal information database for its business and are therefore comparable with a data controller.<\/p>\n\n\n\n A data processor<\/strong> is, just like a data controller, not defined by Japan\u2019s APPI either. Due to it being a familiar concept in other data privacy regulations, and because it is, despite not being explicitly explained, still relevant, it will be presented here. It is an entity which have been entrusted by a PIC to handle personal data within the scope necessary for the achievement of the purpose of utilization.<\/p>\n\n\n\n Anonymized information<\/strong> is information regarding an individual which has been processed by deleting or replacing information, so it is unusable to identify an individual. An anonymized information controller<\/strong> is a business operator handling the anonymized information<\/p>\n\n\n\n As explained above, we differentiate between a data controller (in this case a PIC) and a data processor. The responsibilities they have and the rights they possess will be explained in detail here.<\/p>\n\n\n\n Even though it is not a general requirement that a PIC<\/strong> has to be registered under the APPI, they still have some rights and responsibilities. For example, they have to make certain things easily accessible, including the name of the PIC, the purpose of any utilization of personal information, information about how the data subject can correct their personal data and where to complain about the PIC.<\/p>\n\n\n\n Besides this, a PIC must:<\/p>\n\n\n\n The Japanese APPI does not impose any direct obligations on data processors<\/strong>. On the other hand, it is important that the PIC exercise the necessary and appropriate supervision over any third parties delegated to handle personal data.<\/p>\n\n\n\n For that reason, it is important that there are agreements between the PIC and a potential data processor. This ensures that the data processor provides the appropriate security measures, while also giving the PIC the power to instruct and investigate the data processor in association with its handling of personal data assigned to it.<\/p>\n\n\n\n The data subjects have the right receive the personal data held about them. If requested, the PIC must disclose in writing (unless the data subject has agreed to receive it electronically) and without any delay the information gathered about the data subject. There are only a couple of exceptions to this right. These are instances that would result in:<\/p>\n\n\n\n Additionally, the data subjects have the right to revise, correct, amend or delete their personal data. They are also entitled to get their data deleted if it is being used for another purpose than originally stated or if the data was acquired by unlawful means.<\/p>\n\n\n\n The data subjects are also entitled to access a PIC\u2019s record of data transfers to third parties under the 2020 amendments. The 2020 amendment also requires end-user consent for the transfer of personal data to a third party. This will for example occur every time a Google or Facebook cookie is activated on a website, making\u00a0Cookiebot CMP<\/a>\u00a0an optimal solution to ensure that your website is not in violation of the APPI Japan.<\/p>\n\n\n\n The fines for breaching the APPI Japan vary, but with the 2020 amendment they were increased from up to 500,000 yen to up to 100 million yen. With the 2020 amendment, revenue-based fines as known from the EU\u2019s GDPR were considered but ultimately abandoned, primarily because fines are rarely invoked in the APPI Japan.<\/p>\n\n\n\n Scan your website to discover what cookies and trackers are in use on your website<\/a><\/strong><\/p>\n\n\n\n Try Cookiebot CMP for APPI compliance in Japan<\/a><\/strong><\/p>\n\n\n\n Japan\u2019s Act on the Protection of Personal Information (APPI) is one of the many data privacy laws around the world. Its purpose is to protect an individual\u2019s right and interests while also considering the utility of personal information.<\/p>\n\n\n\n It applies to personal information controllers (PIC) in Japan, no matter if the PIC is a person or an entity. It only applies when a PIC handles personal information in the course of their business.<\/p>\n\n\n\n Japan\u2019s APPI was first approved in 2003 and has since been amended several times, with the latest one coming into full effect in 2022.<\/p>\n\n\n\n The latest amendment requires end-user consent for the transfer of personal data to a third party.\u00a0Cookiebot CMP<\/a>\u00a0enables compliance with most of the world\u2019s major data privacy laws, including Japan\u2019s APPI, to make sure that your website is not in violation of the APPI Japan.<\/p>\n\n\n\nAPPI Japan and consent<\/h3>\n\n\n\n
APPI Japan and penalties<\/h3>\n\n\n\n
![\"Illustration](\"\/media\/4265\/tokyo.jpg?width=450&&mode=max\")
APPI in Japan \u2013 timeline<\/h2>\n\n\n\n
\n
APPI in Japan \u2013 Quick breakdown<\/h2>\n\n\n\n
\n
APPI Japan compliance with Cookiebot CMP<\/h2>\n\n\n\n
![\"Illustration](\"\/media\/4268\/laptop.jpg?width=450&&mode=max\")
What is Cookiebot CMP?<\/h3>\n\n\n\n
![\"Cookieboot](\"\/media\/4333\/consent_en.png?width=500&\")
APPI \u2013 Japan\u2019s Act on Protection of Personal Information, in detail<\/h2>\n\n\n\n
Scope of application of the APPI in Japan<\/h3>\n\n\n\n
The PPC\u2019s responsibilities<\/h3>\n\n\n\n
\n
APPI Japan \u2013 key definitions<\/h3>\n\n\n\n
\n
![\"Illustration](\"\/media\/4269\/gameboy.jpg?width=450&&mode=max\")
Rights and responsibilities<\/h3>\n\n\n\n
\n
Data subjects<\/h3>\n\n\n\n
\n
![\"Bowl](\"\/media\/4267\/ramen.jpg?width=450&&mode=max\")
Sanctions<\/h3>\n\n\n\n
Summary of APPI, Japan\u2019s Act on Protection of Personal Information<\/h2>\n\n\n\n