Data is a hot topic in today's world, important for its influence and value in the highly digital society we live in. It is also something which many believe needs to be protected, as we have seen with the array of information privacy laws instituted by governments around the world. In this article, we review Japan's APPI law and the prominent changes that have recently come into effect.
Understanding The APPI Law
The Japan Act on the Protection of Personal Information, often referred to as the APPI, is the law designed to protect the personal data of individuals in Japan. The act is a response to the increasing use of information technology in society and the potential for abuse that it creates. It sets out specific rules governing how personal data must be collected, used and protected. The APPI is similar to documents such as the GDPR in that it is a binding framework for the protection of personal data; it differs in that it is its own separate body of law, written for Japan and enforced by a Japanese regulator, the Personal Information Protection Commission (PPC).
APPI Japan – Act on Protection of Personal Information
Who It Applies To
The APPI is designed to protect the data privacy of people in Japan, and as such applies to any organization that handles the personal information of individuals in Japan. Any business, regardless of where it is located, must comply with these rules if it processes the personal data of individuals in Japan. In this context, personal information is information about a living individual from which that specific individual can be identified, including information that can be readily combined with other data to identify them.
Originally adopted in 2003, the APPI has undergone multiple revisions over the years in order to keep up with the changing technological landscape it regulates. Its most recent version has gone into effect as of April 1st, 2022, and includes several new amendments and provisions.
Alongside a number of general updates, the latest changes to the APPI make three broader changes: the rights individuals have over their personal data, the mandatory breach reporting duties of companies, and the regulation of cross-border data transfers.
Overview Of Amendments to Japanese APPI
Rights Over Personal Data | APPI
In today's day and age, data is as good as gold, and adversaries are readier than ever to take advantage of it. Personal data is particularly valuable to them because it can be used directly to violate, extort and defraud victims. Lawmakers have taken this into account in the new amendments to the APPI, introducing wording that redefines the rights individuals have to manage and protect their personal data.
This particularly includes amendments that give individuals a greater right to suspension of use or deletion of information. The changes state that citizens covered by the law can now request that their data be erased.
Guidelines specifically state that this applies to conditions in which “it has become unnecessary for a personal information handling business operator to utilize retained personal data,” if that entity has had a certain data breach or leakage, or “there is a possibility that handling of the retained personal data… would harm the rights or legitimate interests of the principal.”
This amendment is a change from previous versions of the law, where deletion could only be demanded when the data had been acquired or handled unlawfully. Prior versions of the APPI also excluded any data scheduled for erasure within six months from the definition of "retained personal data", and therefore from this right; that exclusion has been removed altogether in the updated law.
An important change to the APPI comes in the form of companies' responsibilities for reporting breaches of personal data. Previous versions did not require it; the latest APPI now mandates that businesses report select data breaches.
This applies if any of the following occur:
- A breach involving sensitive personal information (such as race, medical history or criminal record)
- A breach involving data that, if used improperly, may result in economic loss (such as stolen login credentials for online financial services or credit card information)
- A breach carried out for an unjust purpose (such as cases in which personal data has been stolen through unauthorized access or held for ransom in a ransomware attack)
- A breach affecting more than 1,000 data subjects
These conditions apply to a broad range of circumstances, and as such, greatly redefine expectations for most companies under the APPI.
Businesses that experience a breach meeting any of the aforementioned criteria are now mandated to report such incidents to the Personal Information Protection Commission of Japan and to follow a response protocol. Reporting is done in two stages: a preliminary report promptly after the operator becomes aware of the breach, and a final report within 30 days (60 days where the breach was carried out for an unjust purpose).
Guidelines require that organizations follow multiple steps in this process:
- Report the data breach to the appropriate internal entity within the organization, and take the measures necessary to prevent further escalation of damage.
- Investigate the facts relevant to the incident and determine its causes.
- Identify the impact and scope of the breach.
- Devise, review and implement measures to prevent the breach from recurring, such as conducting risk assessments and maintaining an incident response plan, while preserving relevant evidence for the investigation and the report.
Companies must also notify the affected data subjects after becoming aware of a breach. This is to be done "promptly depending on the situation", which can vary in meaning based on the circumstances at hand. Further, the law states that this obligation does not apply in cases in which "it is difficult to inform a principal and when necessary alternative action is taken to protect a principal's rights and interests", for example by publishing a notice when no contact details are held.
What is the regulation of personally referable information within the APPI law?
Under the amended Act on the Protection of Personal Information (APPI), consent must be obtained from a data subject before "personally referable information" about them is provided to a third party who will receive it as personal data. Personally referable information is information relating to a living individual that is not itself personal data, anonymously processed information or pseudonymously processed information; cookie identifiers, browsing history and location data are typical examples.
When such information is provided to a third party and it is anticipated that the recipient will acquire it as personal data (for example by linking it to a customer record), the provider must confirm that the data subject's consent to this transfer has been obtained, and must be able to demonstrate that confirmation. The amended regulation also requires that data subjects be given certain information when their consent is requested.
The following guidelines must be taken into account:
1 What does 'receive the provided information as personal data' mean?
The regulation states that this refers to situations in which the recipient of the data intends to use the information as personal data, for example to enrich personal data it already holds.
Where the recipient does not intend to use the received information as personal data, the provider does not need to confirm the data subject's consent.
2 What does ‘anticipation’ mean in this context?
If the agreement between the data provider and the data recipient clearly states that the received information will not be used as personal data, it would not be 'anticipated' that the recipient is going to use it as personal data.
But if there is reason to expect that the recipient will use the information as personal data, the consent confirmation requirement applies.
3 Informing data subjects when asking for consent
The user must be clearly informed when consent is requested. Specifically, the user must be told:
- which entity receives the personal data
- what kind of information is shared
- for which purpose the information will be used as personal data
4 The entity that obtains the user consent
The basic rule is that the data recipient, who has direct contact with the user, should obtain the user's consent.
If the rights of the individual are properly protected, the data provider is also allowed to obtain consent on behalf of the data recipient.
A Consent Management Platform (CMP) such as CookieFirst is one way to collect and record consent from website visitors when third-party tools, such as Google Analytics, tracking technology or advertising technology, are loaded on a site.
Cross-Border Data Transfers & APPI
Amendments to the APPI also include provisions regarding the transfer of personal information to third parties. The first notable change is an expansion of the existing rules, which now cover transfers in which the recipient can use the data to identify specific individuals even though the disclosing entity cannot (the personally referable information discussed above).
The other prominent update concerns national borders and the rules for transferring data across them. When a transfer abroad relies on the individual's consent, the information that must be given to the individual is expanded to include the name of the destination country, its data protection system and the measures the recipient takes to protect the data. When a transfer instead relies on the recipient having established equivalent data protection standards, the transferring business must take the measures necessary to ensure those standards continue to be applied, and must provide information about them to the individual on request.
As technology continues to develop and navigating it becomes increasingly complex, cybersecurity is more important than ever. Japan's most recent update to the APPI reflects the constant priority that must be placed on data security in order to protect individuals in these changing conditions.