The APPI: Japan's Data Protection Law
New Japan - European Union adequacy agreement announced 2019
What is the APPI
Japan APPI Privacy Act
Japan's Act on the Protection of Personal Information currently in force ("Current APPI") dates back to 2003. It was enacted on May 30, 2003, and came into effect in 2005. In September 2015 the National Diet passed extensive reforms to modernize the Current APPI, and the Amended Act on the Protection of Personal Information ("Amended APPI") came into effect on May 30, 2017.
The updated APPI was instrumental in providing the foundation for both the adequacy decision and the free trade agreement with the EU.
The Act's stated purpose is to protect the rights and interests of individuals while giving due consideration to the usefulness of personal information, by setting out basic principles for the proper handling of personal information.
Who Does the APPI Apply To
Under the Current APPI, the law applied only to business operators holding the personal information of 5,000 or more individuals. The Amended APPI removed that threshold, so since May 30, 2017 the APPI applies to any business operator handling personal information, regardless of the number of individuals concerned. Japan has other personal information protection laws that apply to the government and public organizations. The APPI does not set out the details of personal information protection, but establishes basic rules.
What is the Scope of the APPI
Online privacy in Japan is primarily governed by a general law, the Act on the Protection of Personal Information (APPI), rather than a specialized law on online privacy. Since the Amended APPI took effect in May 2017, the former exemption for business operators holding data on fewer than 5,000 individuals no longer applies, so the Act covers business operators handling personal information irrespective of volume. Separate laws govern personal information held by the government and public organizations.
The APPI requires every business operator handling personal information to specify the purpose for which the personal information is utilized. Data subjects can request disclosure of the personal information that a business operator holds about them.
How Are Data Controllers and Data Processors treated
There is no concept of a "Data Controller" under Japanese law. However, the APPI uses the term "business operator," which refers to the entity responsible for the proper handling of "Personal Information" in its possession. This is similar to the concept of a data controller under EU law.
There is likewise no concept of a "Data Processor" under Japanese law. Handling of personal data under the APPI is therefore framed in terms of how a "business operator" treats and manages the personal information or personal data in its possession. Outsourcing is addressed through "entrustment": a business operator that entrusts the handling of personal data to a third party remains responsible and must exercise necessary and appropriate supervision over the entrusted party.
What are the lawful bases for collection and data processing?
COLLECTION & PROCESSING
Specifying the Purpose of Use
When handling personal information, a business operator must specify to the fullest extent possible the purpose of use of the personal information ("Purpose of Use"). Once a business operator has specified the Purpose of Use, it must not then make any changes to that purpose which could reasonably be considered to be beyond the scope of what is duly related to the original Purpose of Use. In addition, when handling personal information, a business operator shall not handle the information beyond the scope that is necessary for the achievement of the Purpose of Use without the prior consent of the individual. In other words, the use of the information must be consistent with the stated Purpose of Use.
Public Announcement of the Purpose of Use
The Purpose of Use must be made known to the data subjects when personal information is collected or promptly thereafter, and this can be done by a public announcement (such as posting the purpose on the business operator's website). When personal information is obtained by way of a written contract or other document (including a record made in an electronic or magnetic format, or any other method not recognisable to human senses), the business operator must expressly state the Purpose of Use prior to the collection.
A business operator must "publicly announce" or "expressly show" the Purpose of Use in a reasonable and appropriate way. According to the guidelines issued by the PPC, the appropriate method for a website to publicly announce the Purpose of Use of information collected is a link giving one-click access from the homepage, so that the data subject can easily find the Purpose of Use before submitting the personal information.
What are the penalties?
If the PPC finds any violation or potential violation of the APPI, the PPC may request the business operator handling personal information to submit a report, conduct an on-site inspection, and request or order the business operator to take remedial actions. If a business operator handling personal information does not submit the requested report and materials, or reports false information, it will be subject to a fine of up to JPY 300,000. If a business operator handling personal information does not follow an order from the PPC, it will be subject to a penalty of imprisonment for up to six months or a fine of up to JPY 300,000.
An unauthorized disclosure of Personal Information, for the benefit of the disclosing party or any third party, will be subject to a penalty of imprisonment for up to one year or a fine of up to JPY 500,000.
If the party making the disclosure is an entity, the parties subject to this penalty will be the relevant officers, representatives, or managers responsible for the disclosure, as well as the entity itself, which is subject to the fine specified above.
Relentless: Your APPI Partner of Choice
Relentless Privacy and Compliance Services provides quality, cost-effective compliance, assurance and global privacy maturity assessments to companies of all sizes. Unlike traditional compliance firms, we don’t have four or five layers of management. Through the use of technology and our centralized, streamlined structure, we are able to serve our clients in the timeliest manner and with the highest level of efficiency. And because of our unique model and approach, we are able to deliver this exceptional service at highly competitive rates.
We have 20+ years of compliance and assurance experience and are committed to providing a personalized and responsive service.
With a tailor-made approach, we work with our clients in executing each project to their specific needs and help maximize the long-term business value of their compliance and privacy assurance strategies, ensuring their global operations remain within the law.
Relentless APPI Service: What's Included?
Our APPI Service Includes the Following
- APPI Assessment
- Dedicated Support Consultant
- Unlimited Support Calls
- Unlimited Email Support
- Data Mapping
- Record of Processing Activities
- Subject Access Request Service
- Data Breach Support
For comparison, the GDPR introduced accountability and transparency requirements, meaning that controllers must be able to show that they have a lawful basis for each processing operation and must inform individuals which lawful basis is being relied upon. Furthermore, under the GDPR the interpretation of legitimate interests is broader, encompassing the interests of any third party, including wider societal benefits.