Before GDPR: Japan's Act on the Protection of Personal Information
Continuing our series of regulatory compliance coverage, we're taking a closer look at Japan's Act on the Protection of Personal Information (APPI). Passed in 2003, way before the adoption of GDPR in Europe, Japan's APPI was one of the first data protection regulations in Asia.
Even though Japan was early in the data protection arena, in 2015 the authorities acknowledged that APPI’s requirements could no longer efficiently protect Japanese citizens. This conclusion was reached in the light of a series of major data breaches that hit the nation at that time.
Thus, the regulation was updated in September 2015, with its new requirements coming into force on May 30, 2017, a year before the EU’s General Data Protection Regulation (GDPR).
APPI then, APPI now
The revised version of the APPI includes provisions for its extraterritorial application: the separation of sensitive data into a new category of protected information and the establishment of the Personal Information Protection Commission (PPC).
Note: The PPC is an independent agency whose main aim is to ensure the protection of the rights and interests of individuals while taking into consideration the proper and effective use of personal information.
At the start of this year, on January 23rd, Japan became the first country to receive an adequacy decision from the European Commission, thus enabling personal data to flow from the EU to Japan without any further safeguard being necessary. Moreover, this adequacy decision was reciprocated on the same day by the Japanese authorities, showing a mutual recognition of an equivalent level of data protection by the EU and Japan.
Supplementary rules put in place
For good measure, supplementary rules were put in place for three reasons:
- to strengthen the protection of sensitive data
- for the continued exercising of individual rights, and
- to ensure that the same security level provided by the GDPR for EU personal data, would be respected in Japan.
However, it's important to note that this decision doesn’t make the requirements of the GDPR and APPI interchangeable. Therefore, companies doing business in Japan have to comply with the APPI requirements even if their data protection strategies are in line with the GDPR.
APPI versus GDPR
Although the APPI is similar to the GDPR in its aim and requirements, there are two major differences between the two:
- There is no concept for “Data Controller” under Japanese law: The APPI uses the term “business operator” which refers to the entity responsible for the proper handling of all “Personal Information”. Similarly, the EU’s privacy law comes with a more exhaustive definition for this term, referring to it as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
- There is no concept for “Data Processor” under Japanese law: The handling of personal data under the APPI refers to how a “business operator” manages the personal information or personal data in its possession. On the other hand, GDPR defines a data processor as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
Why is APPI essential for Japan right now?
Japan’s current cybersecurity status, as shown in The Straits Times, highlights the need for effective data protection:
Japan's National Centre of Incident Readiness and Strategy for Cybersecurity detected 212.1 billion instances of suspicious activity last year - an increase of nearly four times from 54.5 billion in 2015.
And this situation won’t go away anytime soon, especially if you consider the fast pace of technological advancements. That’s why it’s important for companies that manage the personal information of their clients to become compliant with the APPI.
The aim of this regulation is to protect the rights and interests of individuals while ensuring due consideration for the use of personal information, by basic principles, for the proper handling of personal information.
In this context, personal information is any piece of information that can identify an individual, including data that can easily be combined with other information to identify a person. The new amendment to the APPI expands what type of data is covered under the Act, including also biometric data such as fingerprints and facial recognition and Personal Identifier Codes, which are unique letters and numbers assigned to an individual (such as a driver’s license or passport number).
Who does APPI apply to?
APPI applies to all business operators that handle the personal data of individuals in Japan. This concerns not only companies that offer goods and services in Japan and are located within the country but also those organizations with offices outside it. Thus, similarly to the GDPR, the APPI has an extraterritorial reach.
While the initial version of the law applied only to business operators that had 5,000 identifiable individuals in their database on at least one day during the previous six months, the amended APPI applies to all business operators that process personal information for business purposes, even those with small databases of just a few individuals.
Also, entities such as central government organizations, local governments, independent administrative agencies, and local incorporated administrative agencies, are exempt from APPI compliance as they fall under the scope of other regulations.
What rights do Japanese residents have under the APPI?
Consumers can request that a business operator discloses the purpose of use of their personal data, the way in which they can access, correct or suspend that information and where they can submit a complaint concerning the handling of their personal data.
Moreover, they can demand that a company correct or delete incorrect personal information or suspend or delete their personal information altogether if it has been used beyond the initial purpose of use, transferred without prior consent or the personal information was acquired by fraud or other unfair means.
Likewise, Japanese residents have the right to file a lawsuit against business operators that have collected their personal information and failed to answer their APPI based requests within two weeks.
What are your company’s responsibilities under the APPI?
Furthermore, organizations handling personal information must “keep the data accurate and up to date within the scope necessary to achieve a utilization purpose, and to delete the personal data without delay when such utilization has become unnecessary.”
When it comes to providing personal data to a third party, a business operator must keep a record of the personal data that contains:
- the date on which the personal data was provided
- the name of the third party
- the name or identification information of a principal identifiable by the personal data
- the categories of personal data
- mention that consent, if required, was obtained before the transfer of data to the third party
A business operator shall maintain such a record for a period of one or three years from the last date of personal data relating to the record having been provided.
How does Proxyclick help you comply with APPI?
What do you, the "business operator," need to be conscious of when it comes to your visitor management? There are a number of ways our visitor management system can help you:
- Provide you a full audit trail in case of APPI audits. This is especially important because the APPI has a very broad and open concept of data processing.
- Comply with "purpose limitation" in by using custom questions to minimize the processing of information beyond the scope necessary for achieving the purpose of use.
- Obtain consent from visitors as to the purpose of use data collected.
- Set custom data retention periods to ensure no information is kept for longer than it is needed upon visitors' request to delete the retained personal data.
What happens if you don’t comply?
Unlike the GDPR, companies doing business in Japan are not legally obliged to report a data breach to the PPC under the APPI or inform affected data subjects.
Generally, if the PPC becomes aware of a data breach, they will directly contact the business operator and informally request that it rectify the violation. If the organization fails to do so, then the PPC will issue an administrative order for the company to take action in regard to the data breach.
If the respective company doesn’t comply with the administrative orders, the penalties they will receive vary from fines of up to ¥500,000 (approximately $4,600) to imprisonment of up to one year.
The modern times we live in require privacy laws to be put in place for the protection of consumers’ personal data. It’s essential for companies that want to grow safely and successfully to be proactive in their data privacy policies.
To compliance and beyond!
Disclaimer: The information presented above is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice. You should seek professional legal counsel before taking any action.