Japan Act on the Protection of Personal Information (APPI): An Overview

Japan has had data privacy laws for two decades. The APPI has notable differences from the GDPR, and was most recently amended in 2020.

By Usercentrics, 15 min read, Feb 1, 2023

Introduction to the APPI

While the European Union’s GDPR is perhaps the best known of the international privacy laws, it is by no means the first. Japan’s Act on the Protection of Personal Information (Act No. 57 of 2003), or APPI, was passed in 2003, 15 years before the GDPR came into effect.

The APPI is no artifact, however. Like Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which came into effect in 2000, it has been overhauled and updated multiple times to reflect changing society and technology. In fact, there is now a legal requirement for it to be updated regularly, the most recent round of amendments having passed in 2020.

Japan’s data privacy law bears some similarities to laws like the GDPR or Brazil’s LGPD. But there are similarities to the state-level laws in the United States as well, particularly with regards to its extraterritorial scope and various consent requirements regulating handling of specific categories of personal information.

What is Japan’s Act on the Protection of Personal Information?

Japan’s APPI is a federal personal information protection law to regulate the handling of personal information by individuals and organizations, including government agencies, businesses, and nonprofits. The Act is overseen by the Personal Information Protection Commission (PPC), an independent administrative body founded in 2005, after the APPI had been in effect for two years.

The APPI requires organizations that want to collect personal information to obtain consent from individuals prior to collecting, using, or sharing it, but only in some cases, such as when the information is sensitive or is to be transferred to a third party or outside of Japan. More in line with laws in the US, in many cases the APPI does not require consent for the collection or use of personal information that is not sensitive or that meets other criteria.

The Act has some requirements for security measures to be taken to protect all personal information that has been collected. Overall, however, it is less rigid than many laws about matters such as the specific actions required in the case of a data breach. The most recent amendment to the APPI is changing that, and it is likely that such requirements will continue to evolve.

Scope of the Act on the Protection of Personal Information

The original version of the APPI, which came into effect in 2003, applied only to business operators that, during the preceding six months, had a database with personal information of at least 5,000 identifiable individuals.

With the most recent amendment, however, that limitation has been removed. All business operators that process personal information for commercial purposes are subject to the APPI, regardless of how many individuals’ personal information they process.

Extraterritoriality of the Act on the Protection of Personal Information

The APPI applies to any “personal information controllers” (PIC) that collect or use the personal information of Japanese citizens. It does not matter if the company or other organization is based in Japan or not, as the law applies extraterritorially. The APPI does specifically apply to the processing of personal information for business or commercial purposes, and there are a variety of exempt groups and uses, including government, journalism, etc.

Cross-border data transfers

The most recent amendments to the APPI in 2020 introduced additional regulation of cross-border transfers of information. Businesses subject to the scope of the Japanese law now have to obtain individuals’ informed opt-in consent prior to transferring their personal information outside of Japan, or, along with the foreign entity receiving the personal information, establish a “personal information protection system”.

As part of the personal information protection system, the business transferring personal information outside of Japan must execute a contract with the receiving entity in the foreign country. The contract lays out the security and data protection measures the recipient guarantees to comply with, in accordance with APPI requirements.

If personal information is transferred again to a third party in the foreign country, the originating PIC must ensure that the third party complies with the PIC’s original security and privacy measures.

Definitions and relevant parties

Data subject

An individual who is the subject (and often source) of personal information.

Personal information

Under Japan’s data privacy law, personal information (the same as “personal data” in some other laws) includes any information that can be used to identify a living individual, either via a single data point or from combined data points. It includes information in both digital and physical forms, whether processed manually or subject to automated processing.

Examples include data like name, email address, or date of birth, but it also applies to information containing or linked to an “Individual Identification Code”, a separate category that includes numbers, codes, or symbols that are generated by computer and used for identification. This could include a wide range of information, from a unique identifier like a database ID for an individual’s record, to a fingerprint scan.

Opt-in consent is not required before PICs collect this type of information, unless it is to be transferred cross-border. However, PICs must provide notice about what information is collected and for what purpose. They must also enable consent choice.

Sensitive personal information

Like a number of other recent privacy laws, the APPI has added clarification in its most recent amendment for sensitive personal information, also referred to as “special care-required personal information”. This refers to personal information that could be used for discrimination or to cause other harm if misused. This includes information like race, medical or health information, criminal record, credit history, etc.

The APPI’s definition leans more toward social and ethnic information than some other laws, and does not include details like financial, biometric and/or location information.

Personal-related information

Introduced in the most recent amendment, personal-related information is related to an individual but not identifying enough to be considered personal information on its own (though it could be if combined with other data), and not generic enough to be considered pseudonymous or anonymous information.

Opt-in consent is not required before entities collect personal-related information either. However, PICs must provide notice about what information is collected and for what purpose. They must also enable consent choices.

Personal data

Personal information that is contained in a database (“Personal Information Database”, electronic or otherwise) that enables the personal information in it to easily be retrieved.

Pseudonymously processed information

Personal information that has been processed in a way that prevents the data subject from being identified (solely on the basis of that data). This differs from “anonymized information”, where the generally accepted understanding is that the data subject could not be identified even in combination with other information. With pseudonymously processed information, a data subject could be identified if that data were combined with other information.

Personal information controllers (PIC)

A business operator that uses a Personal Information Database for business operations. Also sometimes shown as “business operator handling personal information”.

Interestingly, “data processor”, while a common term in other privacy laws, is not specifically defined in the APPI. It does, however, refer to entities entrusted with handling of personal data on behalf of the PIC within a specific scope of use to achieve a specific, defined purpose, e.g. advertising, mailing services, etc.

Conditions for valid consent under Japan’s Act on the Protection of Personal Information

The personal information controller must notify data subjects of the “purpose of utilization” prior to the collection of personal information. The PIC must obtain consent prior to collection if the personal information is sensitive, will be transferred cross-border, and/or if the data is to be transferred to a third party, though there are some exceptions to that requirement.

These requirements place the APPI a bit closer to the US laws than to the EU’s GDPR, for example, in not requiring consent prior to collection of non-sensitive personal information, but rather, in many cases, only notification and the option to opt out. The APPI does not use legal bases, such as consent or legitimate interest, to justify data collection as the GDPR does.

Recent amendments to the Act on the Protection of Personal Information

2015 amendment of the Act on the Protection of Personal Information

The most notable changes with the 2015 amendment, which came into force in May 2017, were the establishment of the Personal Information Protection Commission (PPC) and the introduction of the requirement that the APPI has to be reviewed every three years. Extraterritorial application of the APPI was expanded as well.

2020 amendment of the Act on the Protection of Personal Information

The 2020 amendment came into effect in 2021-22 and included clarifications about personal information with regard to its ability to identify an individual, i.e. “personal-related” rather than personal information, as well as pseudonymous information. It introduced a prohibition on PICs using personal information to potentially facilitate illegal or inappropriate acts. It added further clarification regarding extraterritoriality, introduced the requirement for user consent prior to the transfer of personal information to third parties, expanded the functions of the PPC, and introduced stricter penalties for violations.

What are the personal rights under Japan’s Act on Protection of Personal Information?

Data subjects have the right to have their data revised, corrected, amended, or deleted. If a request for revision isn’t addressed within two weeks of being made, a data subject can force this to be done via civil action.

Data subjects have the right to require PICs to stop using their personal data or transferring it to third parties if the PIC is using the data for a purpose other than the one(s) stated or if the data was fraudulently obtained. This right also applies if the PIC no longer needs to use the data, a data breach has occurred, or if there is an allegation of infringement of the data subject’s rights or interests.

This right also does not cover pseudonymously processed information, and a PIC can refuse a request to cease using personal data if the request is unreasonable or would be unreasonably costly or difficult to fulfil, for example by requiring the recall of materials already distributed.

PICs must notify data subjects without delay if their request(s) have been addressed, or, if not, the reasons why, to the best of their ability.

What are the exemptions to Japan’s Act on Protection of Personal Information?

The Japanese law applies to both individuals and organizations, like commercial businesses, but only with regards to the handling of personal information in the course of doing business. “Business”, then, is defined as repeated activities for a particular purpose, and considered business under social conventions. While often for profit, it does not have to be, and the APPI does include nonprofit entities.

Press, professional writing/journalistic activities, academic, and political activities are all exempt from the APPI, so this would include broadcasters, newspaper publishers or other press organizations, universities or other academic institutions, religious institutions, and political parties. Government organizations, both federal and local, are also exempt, as are administrative agencies.

What are the penalties for noncompliance with Japan’s Act on Protection of Personal Information?

As of the 2020 amendment to the APPI, penalties were increased to a maximum of 1 million yen for individuals (around €7,000) or 100 million yen for businesses (around €700,000), though fines for breaches can vary depending on the violation’s severity, scope, etc.

Revenue-based fines, such as those the GDPR outlines (e.g. 4% of a company’s global annual turnover), were considered but ultimately not included, because fines had previously been covered only marginally in the APPI.

Who manages enforcement of Japan’s Act on Protection of Personal Information?

Data breach notifications

The requirements of Japan’s APPI with regard to data breaches and breach protocols are a bit less strict than those of many other countries’ laws. It is generally left to PICs to decide on specific actions depending on each case, though the law does set out principles for best-practice actions in these events. The most recent amendment has added some further legal requirements as well.

Legal requirements or not, poor handling of a data security incident can have a significant effect on a company’s reputation, revenues, partnerships, customer relationships, and more, so the motivation to handle such incidents quickly, thoroughly, and professionally remains valid in any country.

If there is a breach at/by a third party engaged by the PIC, e.g. the data processor, obligations for notification and remediation of the incident fall on the PIC.