Japan’s Act on the Protection of Personal Information (APPI) was one of the earliest privacy laws to be enacted, coming into force in 2003. The Act was designed to protect the rights and interests of individuals while ensuring due consideration for the use of personal information, by establishing basic principles for the proper handling of personal information. Fourteen years later, Japan issued a notable and extensive amendment to the Act in May 2017, just one year before the GDPR’s effective date.
The amendment was a reflection of the global trend of increased data privacy regulation, specifically the EU’s GDPR. The Japanese government and European Commission reached a joint agreement that they would work side by side to provide their citizens with a higher level of data privacy. In July of 2017, the two also agreed that they would work to whitelist each other by early 2018, spotlighting the growing role of data privacy in international business relations.
In this post, we’ll look at the foundations of the new APPI and how it impacts Japan’s relationship with the EU. If you’d like to read more on how it aligns with the GDPR and other notable privacy laws, download our new white paper.
Who does the APPI apply to?
While the GDPR and APPI do align in a few areas, they differ a good bit here. The GDPR applies to both data controllers and data processors, but the APPI does not recognize the concept of a data processor. Instead, the business operator (i.e., the data controller in GDPR terminology) is held responsible for any breaches or misuses of data.
In addition, APPI only applies to the processing of personal information for business purposes, while the GDPR makes no such limitations. The GDPR covers organizations that process EU citizens’ and residents’ data outside of the EU; however, the APPI doesn’t get into specifics around jurisdictions or territories.
What does the APPI consider to be personal information?
The APPI has a long list of definitions for personal information, but the basics align closely to the GDPR’s definition of personal data. We dive into these more in our white paper, but the key takeaway is that the APPI has distinct definitions for personal information and personal data. Personal information is any piece of information that can identify an individual, including data that can easily be combined with other information to identify a person. When personal information is stored in a personal information database, it then becomes personal data.
The new amendment to the APPI expands what data is covered under the Act. Biometric data like fingerprints and facial recognition are now included along with Personal Identifier Codes, which are unique letters and numbers assigned to an individual (like a driver’s license or passport number).
How does the APPI handle consent?
Once again, the APPI and the GDPR diverge here. Prior to the 2017 amendment, the APPI allowed business operators to transfer personal data to third parties without requiring consent from the data subjects, under something called an “opt-out” arrangement. Data subjects would agree to these opt-out arrangements when they were first offered services or products and give companies the ability to pass along their data without obtaining their consent.
The new amendment will require Japanese companies to make some changes around opt-out arrangements. Now, companies are required to receive approval from Japan’s Personal Information Protection Committee before using opt-out arrangements. And once approved, companies must anonymize the data prior to transfer.
While Japan is taking some measures to tighten requirements in this area, it still differs greatly from the GDPR. The GDPR would not allow for broad opt-out arrangements like this, as it requires companies to clearly and proactively notify data subjects of all processing activities involving their data.
What are the penalties of the APPI?
The APPI’s penalty structure differs from the GDPR’s and the Philippines’ DPA’s, but there are repercussions for the misuse of data. Those who misuse personal information for unlawful gain face imprisonment for at least a year and/or a fine of 500,000 yen.
How does whitelisting between the EU and Japan work?
Although the GDPR and APPI differ in some areas, the EU and Japan are united in their mission to better protect their residents’ data. Both the GDPR and APPI agree that personal data should only be transferred to foreign countries that have legal systems equivalent to their own, or if the third party has adequate precautionary measures in place. If these conditions are met, the country is whitelisted, and data can be transferred back and forth with no issues.
Currently, Japan has placed the EU on its whitelist; however, the EU has yet to do the same for Japan. But the two are working together to get Japan on the EU’s whitelist this year. Data privacy is becoming a key component of international business, and companies hoping to do business around the globe will have to align with many different sets of privacy regulations. The good news is that, because of its scope, the GDPR is becoming the de facto international standard, and other countries are quickly moving to align their privacy laws to the GDPR’s requirements. For businesses, this means that aligning with this new wave of privacy regulations should be more streamlined – compliance with one should mean compliance with many.
Download our new white paper, which lines the APPI and GDPR up side-by-side, and see where they overlap and where they differ. Having a better understanding of their alignment is a good first step to compliance.
Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This content is intended for informational purposes only.