Act on the Protection of Personal Information (APPI)

    Japan


    Japan’s Act on the Protection of Personal Information (“APPI”) was originally passed in 2005 and was amended in 2016. The APPI went into effect in May 2017. The APPI protects the personal information of individuals in Japan by establishing rules for governments and certain business operators that protect an individual’s rights with respect to the acquisition and handling of that individual’s personal information.

    The “Personal Information Protection Commission” (“PPC”), the central data protection authority in Japan, released in December 2016 a tentative English translation of its “Enforcement Rules for the Act on the Protection of Personal Information” (“Enforcement Rules”), which provide further guidance on understanding and complying with the APPI.


    Last Updated: July 30, 2019


  • General

    Territorial Scope

    The APPI applies to “personal information handling business operators” (“business operators”) inside Japan, and certain provisions (listed below) also apply to operators in a foreign country that “supply a good or service to a person in Japan.” For the APPI to apply to a foreign business operator, such operator must also have acquired the personal information of a “principal” (defined below) and handle such information in a foreign country.

    APPI provisions that apply to foreign operators

    Article 15 (Specifying a Utilization Purpose)

    Article 16 (Restriction due to a Utilization Purpose)

    Article 18 (excluding paragraph 2) (Notification of a Utilization Purpose when Acquiring)

    Articles 19–25 (Accuracy, Security, and Third-Party provisions)

    Articles 27–36 (Notification, Disclosure, and Principal Requests provisions)

    Article 41 (Guidance and Advice)

    Article 42 (paragraph 1) (Recommendation and Order)

    Article 43 (Restriction on the Personal Information Protection Commission’s Exercise of Authority)

    Article 76 (Exclusion from Application)

    The following entities and purposes (in whole or in part) are excluded from Chapter 4 (Obligations of a Personal Information Handling Business Operator) of the APPI:

    • Entities: broadcasting institution, newspaper publisher, communication agency and other press organization (including an individual engaged in the press as his or her business) | Purpose: use in press
    • Entities: a person who practices writing as a profession | Purpose: use in writing
    • Entities: a university and other organization or group aimed at academic studies, or a person belonging thereto | Purpose: use in academic studies
    • Entities: a religious body | Purpose: use in a religious activity
    • Entities: a political body | Purpose: use in a political activity

    The organizations excepted above should still, however, strive to take necessary and appropriate action for the security control of personal data or anonymously processed information.

    Personal Information and Personal Data

    Personal Information

    The APPI defines “personal information” to include the following:

    1. Descriptions (e.g. name, date of birth, or any and all matters stated or otherwise expressed using voice, movement or other methods in a document, drawing or electromagnetic form) whereby a specific individual can be identified.
    2. An individual identification code (e.g. a character, letter, number, symbol or other code into which a feature of the individual’s body has been converted for use in machine-readable form, or which is used to provide services to an individual).

    Two particular kinds of information, “special care-required personal information” and “anonymously processed information,” are explained in subsequent sections below.

    Personal Data

    “Personal data” is “personal information constituting a personal information database.” In other words, “personal information” inside a database is considered “personal data.”

    “Retained personal data” is “personal data” that a business operator has “the authority to disclose, correct, add or delete the contents of, cease the utilization of, erase, and cease the third-party provision of.”

    Who is covered?

    The APPI applies to certain government organizations and to two kinds of business operators, “personal information handling business operators” and “anonymously processed information handling business operators.” Central and local governments are each responsible for comprehensively developing and implementing the measures necessary to ensure the proper handling of personal information. In certain cases, APPI provisions also apply to a “third party” or a “trustee”/“entrusted person” that handles personal data on behalf of a business operator.

    A “personal information handling business operator” is defined as “a person providing a personal information database for use in business[.]” Central and local governments, as well as certain administrative agencies, are not included in this definition. A personal information database is a “collective body of information comprising personal information” (subject to certain exceptions by cabinet order) that is “systematically organized so as to be able to search for particular personal information using a computer.”

    APPI protects a “principal” which means “a specific individual identifiable by personal information.”

  • Lawfulness, Fairness, and Nondiscrimination

    The APPI permits the use of personal information by a business operator for certain “utilization purposes” (as explained below). As a general requirement, a business operator must not acquire “personal information” by deceit or other improper means.

    A business operator is required to acquire a principal’s consent in the following circumstances:

    • before acquiring “special care-required personal information” (defined below);
    • before personal information is provided by a business operator to a third-party (including a third-party in a foreign country);
    • where a business operator acquires personal information from another business operator because of a merger or other reason (e.g. succession), before the acquiring business operator handles the personal information beyond the scope necessary to achieve the pre-succession utilization purpose of such information.

    There are several exception cases where a business operator need not obtain a principal’s consent in advance of handling special care-required personal information:

    • cases based on laws and regulations;
    • cases where there is a need to protect human life, body, or fortune, and when it is difficult to obtain a principal’s consent;
    • cases in which there is a special need to enhance public hygiene or promote fostering healthy children, and when it is difficult to obtain a principal’s consent;
    • cases of government cooperation where obtaining a principal’s consent would interfere with that cooperation;
    • cases where special care-required personal information has been made public by the principal;
    • other cases by cabinet order.

    “Special care-required personal information” is personal information of the principal that belongs to any one of the following categories:

    • race
    • creed
    • social status
    • medical history
    • criminal record
    • fact of having suffered damage by a crime
    • other descriptions prescribed by cabinet order, the handling of which requires special care so as not to cause unfair discrimination, prejudice, or other disadvantages to the principal.

  • Transparency and Free Access

    Notification

    The APPI requires business operators to provide notice or public disclosures in particular circumstances.

    1. General requirement: According to the APPI, a business operator must promptly inform a principal of, or disclose to the public, the utilization purpose.
    2. Acquiring personal information from a contract: a business operator must explicitly state the utilization purpose to the principal when acquiring a principal’s personal information from a written contract between the business operator and the principal. This requirement does not apply where there is an urgent need to protect a human life, body or fortune.
    3. Altering a utilization purpose: in case a business operator alters a utilization purpose, a business operator must inform a principal of, or disclose to the public, a post-altered utilization purpose.

    Exceptions

    The above notification requirements do not apply if there is a possibility that informing a principal of, or disclosing to the public, a utilization purpose would:

    1. harm a principal’s or third party’s life, body, fortune, or other rights and interests;
    2. harm the rights or legitimate interests of the said business operator; or
    3. interfere with the performance of cooperation with a central government organization or local government.

    The above notification requirements also do not apply if it “can be recognized from the acquisitional circumstances that a utilization purpose is clear.”

    Public Disclosures for Retained Data

    A business operator must publicly (“into a state where a principal can know”) disclose certain items (listed below) concerning its “retained personal data.” “Retained personal data” is “personal data” which the business operator has “the authority to disclose, correct, add or delete the contents of, cease the utilization of, erase, and cease the third-party provision of.” Retained personal data excludes data whose presence or absence, if made known, is likely to harm the public or other interests, as well as data set to be deleted within a period of no longer than one year, as prescribed by cabinet order.

    Requirements for Public Disclosure concerning Retained Personal Data

    • name or title of the business operator;
    • utilization purpose of all retained data;
    • procedures for facilitating a principal’s request or demand; and
    • any other items required by cabinet order.

    Fees for handling a principal’s disclosure request or demand

    A business operator may collect a fee from a principal who requests to be informed of the utilization purpose of, or demands the disclosure of, retained personal data. The amount of such a fee must be “within a range recognized as reasonable considering actual expenses.” The procedures for a principal to make a demand or request generally should not “impose an excessive burden” on the principal.

    Public Disclosures for Anonymously Processed Information

    A personal information handling business operator that has produced anonymously processed information must:

    • disclose to the public the categories of information relating to an individual contained in the anonymously processed information.

    Both a “personal information handling business operator” and an “anonymously processed information handling business operator,” when providing anonymously processed information to a third party, must individually:

    • disclose to the public the categories of information relating to an individual contained in the anonymously processed information to be shared with the third party; and
    • state to the third party that the provided information is anonymously processed information.

  • Purpose Specification, Use Limitation and Suitability

    Utilization Purpose

    As stated above, the APPI requires a business operator, subject to certain exceptions, to acquire or handle data only pursuant to a “utilization purpose.” The business operator must state a utilization purpose as explicitly as possible and must not alter it unreasonably beyond the scope of the pre-altered utilization purpose.

    A business operator must not handle a principal’s personal information beyond the scope necessary to achieve a utilization purpose unless it first obtains the principal’s consent. Where a business operator acquires personal information from another business operator because of a merger or other reason (e.g. succession), the acquiring business operator must obtain a principal’s consent in advance before handling the personal information beyond the scope necessary to achieve the pre-succession utilization purpose of such information.

    There are exceptions to these requirements as are listed below.

    Exceptions for when a business operator may handle a principal’s personal information beyond the necessary scope of a utilization purpose, without first obtaining the principal’s consent

    • cases based on laws and regulations;
    • cases where there is a need to protect human life, body, or fortune, and when it is difficult to obtain a principal’s consent;
    • cases in which there is a special need to enhance public hygiene or promote fostering healthy children, and when it is difficult to obtain a principal’s consent; and
    • cases of government cooperation where obtaining a principal’s consent would interfere with that cooperation.

  • Data Minimization, Storage Limitation and Accuracy

    The APPI requires that a business operator strive to keep personal data accurate and up to date within the scope necessary to achieve a utilization purpose and to delete the personal data without delay when such utilization has become unnecessary. A business operator may also be required to correct personal information that a principal demands be corrected.

    Anonymous information

    A personal information handling business operator must, when producing anonymously processed information:

    • process the information in such a way as to make it impossible to identify a specific individual or to restore the personal information used for the production;
    • prevent the leakage of identifying information (e.g. descriptions, identification codes) from the personal information used to produce the anonymously processed information; and
    • not collate anonymously processed information with other information in order to identify a principal.

  • Security and Prevention

    Generally, the APPI requires both “personal information handling business operators” and “anonymously processed information handling business operators” to take “necessary and appropriate action for the security control of personal data or anonymously processed information.” A business operator must “exercise necessary and appropriate supervision” over employees who handle personal data to ensure the security control of such personal data. A business operator must also similarly supervise a “trustee” (a.k.a. “an entrusted person”) who is entrusted (in whole or in part) with the handling of personal data. Note that the APPI does not explicitly define the terms “trustee” or “entrusted person”. As with “trustees”

    As stated above, entities that are excluded from Chapter 4 of the APPI (e.g. religious or political bodies) are still encouraged to take necessary and appropriate security controls.

  • Accountability and Recordkeeping

    The Personal Information Protection Commission (“PPC”) may, to the extent necessary to implement the APPI, require a personal information handling business operator or anonymously processed information handling business operator to submit necessary information or material relating to the handling of personal information or anonymously processed information, or have PPC officials enter a business office or other necessary place of a personal information handling business operator to inquire about the handling of personal information or inspect books, documents, and other property.

    According to the APPI and its Enforcement Rules, a business operator must keep a record “promptly at each time” personal data is provided to a third party. Such a record need not be kept at each time if the personal data has been provided “continuously or repeatedly to the third party, or if a certainty has been anticipated that personal data will be provided continuously or repeatedly.”

    Such a record of personal data transferred to a third party must contain:

    • the date on which the personal data was provided;
    • the name (or identification information) of the third party, or, if the data was provided to a “large number of unspecified persons, the fact to that effect”;
    • the name or identification information of a principal identifiable by the personal data;
    • the categories [of personal data]; and
    • if consent was required and was obtained before the transfer of data to the third party, the fact to that effect.

    A personal information handling business operator shall maintain such a record for a period of one year or three years from the date the record was created.

  • Data Protection Officer

    The APPI does not specifically mention a “data protection officer” but does allow a corporation (or non-corporate body) to appoint “a representative or administrator” to render representative services in order to ensure the proper handling of personal information. Additionally, an employee can be entrusted with handling personal information.

  • Privacy Impact Assessments

    The APPI does not require business operators to conduct privacy impact assessments but does require the PPC to administer “specific personal information protection assessments” (see Article 27, paragraph (1) of the “Numbers Use Act”).

  • Data Subject Rights

    There are several “rights” for principals under the APPI.

    A principal has a right to:

    • be notified or informed about the utilization purpose for which the business operator is acquiring the principal’s personal information;
    • make a complaint (about a business operator’s handling of personal information) with the relevant central or local government;
    • make a request or demand of the business operator; or
    • in certain situations, file a lawsuit.

    Procedures for Dealing with a Complaint

    A principal may complain to the central or local government about a business operator’s handling of the principal’s personal information. Central governments should take “necessary action to seek the proper and prompt dealing of a complaint.” In addition to the same requirements on central governments, local governments should also strive to mediate dealing with such a complaint. A business operator “shall strive to deal appropriately and promptly” with a complaint [by a principal] about the handling of personal information. Furthermore, a business operator shall strive to implement a “system necessary to achieve” the purpose above.

    Procedures for Responding to a Request or Demand

    A business operator may “decide on a method of receiving a request or demand pursuant to those prescribed by cabinet order.” A business operator may request a principal to “present a matter sufficiently to specify retained personal data subject to the demand.” A business operator should “take appropriate action” (e.g. providing information conducive to specifying the retained personal data) so that the principal is able to easily and precisely make a demand for disclosure. The procedures for a principal to make a demand or request should not “impose an excessive burden” on the principal.

    Demand: Disclosure

    A principal may demand that a business operator disclose to the principal the “retained personal data” that can identify him or herself. A business operator should respond to such a request (unless an exception applies) without delay.

    Disclosure Exceptions

    • a possibility of harming a principal or third party’s life, body, fortune, or other rights and interests;
    • a possibility of interfering seriously with the business operator’s business; and
    • violation of other laws or regulations.

    Demand: Correction

    If the retained personal data held by the operator is “not factual,” a principal may demand that a business operator make “a correction, addition or deletion.” Unless there is another law or regulation that prescribes special correction procedures, a business operator should generally conduct a “necessary investigation without delay to the extent necessary to achieve a utilization purpose” and make a correction based on that investigation. A business operator should inform the principal of the operator’s decision to correct (in whole or in part), or not to correct, the retained personal data at issue.

    Demand: Utilization Cease (restriction and deletion)

    If the retained personal data that can identify the principal:

    • is being “handled in violation” of Article 16;
    • was acquired in violation of Article 17; or
    • is being provided to a third party in violation of Article 23(1) or Article 24,

    then the principal to whom the data relates may demand a “utilization cease or deletion” (“utilization cease”) of the personal data. After the business operator receives such a demand, the business operator must determine whether it “has become clear that there is a reason in the demand.” If there is such a reason, the business operator must “fulfill the utilization cease of the said retained personal data to the extent necessary to redress a violation without delay.”

    Exceptions

    • where a utilization cease requires a “large amount of expenses or other cases where it is difficult to fulfill a utilization cease”; and
    • when necessary alternative action is taken to protect a principal’s rights and interests.

    A business operator should inform the principal of the operator’s decision whether or not to fulfill a utilization cease (in whole or in part) of the retained personal data at issue. Pursuant to Article 31, if the business operator decides not to take action, or to take an action different from the one demanded, the business operator should “strive to explain a reason” to the principal.

    Advance Demand

    If the principal intends to file a lawsuit pursuant to the above demands, the principal must first issue the demand to the would-be defendant at least two weeks before the principal actually files the complaint.

  • Vendor Management

    The APPI does not specifically address “vendors” per se, but does address (without defining) “third parties.” As stated above, a business operator must ensure that notice is provided to the principal, which should include (but is not limited to) whether or not personal information is shared with third parties, the names of such parties, and the categories of personal information shared with third parties.

    A business operator is responsible for ensuring that third parties take the required action with respect to a principal’s request or demand (e.g. correction, utilization cease, etc.). Furthermore, presumably, a business operator’s security and prevention obligations will flow down to third parties (and “trustees”).

  • Cross-Border Data Transfer and Data Localisation

    A business operator may transfer personal data to a third party in a foreign state in three circumstances:

    1. the business operator has obtained the principal’s prior consent to do so;
    2. the foreign state is one where regulation on personal information protection is considered to be equivalent to that of Japan; or
    3. the third-party recipient maintains an internal personal information protection system consistent with standards set by the PPC.

    As of this writing, the PPC has not released its list of foreign states with equivalent information protection regulation.

  • Incident & Breach

    The text of APPI does not provide for any mandatory breach notifications or reports to principals or the PPC. The PPC guidelines do suggest that a business operator that is aware of a breach should notify the PPC of such a breach.

  • Enforcement

    To help with enforcement, the PPC may issue accreditation to a corporation (including a non-corporate body which has appointed a representative). Such an “accredited personal information protection organization” will:

    1. develop guidelines in accordance with the APPI and notify the PPC about such guidelines and their modification where applicable;
    2. deal with complaints under the APPI about a covered business operator’s handling of personal information, hold consultations, give necessary advice to the petitioner and investigate the circumstances surrounding the complaint, as well as inform the covered business operator of the complaint contents and request its expeditious resolution; and
    3. provide the business operator with information concerning matters that contribute to ensuring the proper handling of personal information, as well as rendering services related to ensuring the proper handling of personal information.

    The PPC may rescind the accreditation if the accredited organization fails to comply with its duties.

  • DatabreachPedia

    Overview

    In Japan, it is currently not mandatory to report personal data breaches. However, the PPC Guidelines recommend that notification be made, and furthermore, it is market standard practice to report personal data breaches in Japan. According to the PPC guidelines, if the facts demonstrate that the disclosed personal data was immediately secured before being seen by any third party or was not actually disclosed (such as where the company has encrypted the data or otherwise secured it in such a way that it has become useless to third parties in possession of it), notice to the PPC or any other relevant authority is not necessary.

    Is it Mandatory to Notify Individuals?

    No, but recommended.

    Is it Mandatory to Notify Regulator?

    No, but recommended.

    Notification Deadline

    Without undue delay.

    Responsible Regulator

    Personal Information Protection Commission (PIPC)
    Private Information Protection Committee Secretariat Personal data leakage report window
    Kasumigaseki Common Gate West Tower 32nd Floor
    Kasumigaseki, Chiyoda-ku, Tokyo, 100-0013

    Phone: 03-6457-9685
    Fax: 03-3597-4560
    Website: https://www.ppc.go.jp/

    Breach Notification Format

    It is recommended to send a voluntary notice to the affected individuals or to publish a statement about the breach (if necessary) that contains the nature of the breach and steps taken to rectify the problem. When handling personal information in the field where the authority of the PIPC is delegated to the Minister of Business affairs, the breach should be notified to the delegating ministries and agencies (e.g. Ministry of Education, Culture, Sports, Science and Technology, or Ministry of Internal Affairs and Communications). Reports to PIPC should be made by fax or post using the PIPC breach notification form.
