The Japan Act on the Protection of Personal Information, also known as APPI, is an act designed to protect the personal information of Japanese citizens. Anyone who receives the personal data of Japanese citizens must be in full compliance with the Act on the Protection of Personal Information or risk legal action.
This Japan privacy law is relevant for anyone who does business in the Land of the Rising Sun. This guide will explain all you need to know about it.
The Protection of Personal Information Act was initially passed in 2005, a significant shift in how personal information was protected. Before the act, private business operators were monitored by various ministries and agencies, and when breaches occurred, victims sought restitution through tort law.
The Japan Personal Information Protection Act looked to consolidate everything under the new Personal Information Protection Commission (PPC). The PPC is now required to provide guidelines for all private businesses, with additional guidelines for fields like healthcare, finance, and telecommunications.
The most obvious equivalent is the GDPR, passed in the European Union (EU). There are many similarities between the two laws.
When conducting business in Japan, all businesses must be aware of what constitutes personal information and the amendments passed since 2005.
Personal information covers any piece of information that could be used to identify a specific citizen. It includes personal names, physical addresses, IP addresses, and government ID numbers. In short, information must pertain to a specific individual to count as personal information.
Amendments have been made twice since the original introduction of the Japan Act on the Protection of Personal Information.
The APPI was updated in both 2015 and 2020, in accordance with major changes in both the business and digital worlds.
The 2015 amendments required businesses that use an “Opt-Out” method to report this to the PPC, which then publishes it on its website. They also required businesses to obtain consent from citizens before their data is transferred offshore.
The amendments, however, gave the APPI no power to enforce its mandates on entities located offshore, only to liaise with the equivalent overseas body.
The 2020 amendments, on the other hand, chiefly focused on increasing the severity of penalties for noncompliance. They also gave citizens the right to request the deletion of their data, made the reporting of data breaches mandatory, and required personal information operators to disclose their addresses.
In principle, all businesses that obtain and handle the personal information of Japanese residents must comply with the APPI.
There are a few exceptions under the latest incarnation of this Japan privacy law. Exceptions include professional writers, the press, academics, political parties, and religious groups.
Like most major international data privacy rules, the APPI and its latest amendments don’t provide much information on best practices. However, if you’re in compliance with the EU’s GDPR, the chances are your business is already largely in compliance with the APPI.
Let’s take a look at how to become APPI compliant with the latest amendments.
There are many ways to become APPI compliant. Most of these tips are best practices for businesses operating in any jurisdiction, so you may not need to spend significant time and energy on APPI compliance specifically.
Update Encryption Standards – Adopting the latest encryption standards can relieve you of one of the APPI’s significant obligations. The law states that when data is encrypted to the highest standards, leaks and breaches of that data do not have to be reported to the regulatory authorities.
Update Legacy Systems – Vulnerable technology can lead to breaches, and thus to legal cases. Failing to keep up with new technology can leave known vulnerabilities exposed. Ensure your company has a mechanism for carrying out regular system updates.
Implement Access Controls – The APPI mandates that only those employees who need personal data should have access to it. Implement a modern Identity and Access Management (IAM) system to limit who has access to data and to investigate breaches swiftly.
Appoint a Data Protection Officer (DPO) – A DPO isn’t a legal requirement, but it’s highly recommended. A DPO continually checks compliance and updates company privacy policies as international guidelines evolve.
Restrict Data Transfer – Under the amendments, you must seek the consent of individuals before transferring their data. This is a significant change to the law, under which implied consent was previously permissible for personal information.
One of the major changes to the Protection of Personal Information Act was the increase in penalties for non-compliance and data breaches.
Under the amendments, offenders can be liable for fines of up to 1,000,000 Yen, or 100,000,000 Yen in the case of businesses. Offenders will also have their names publicized by the PPC.
Thankfully, the PPC tends to allow non-compliant businesses to amend their practices before escalating to enforcement action.
In the case of data breaches, businesses are required to inform the PPC unless the data was encrypted at the highest levels.
If you want to learn more about compliance best practices, learn how Delphix provides an API-first data platform enabling teams to find and mask sensitive data for compliance with privacy regulations.