Japan's APPI Act - An Insight

Data privacy and compliance concerns are rising on an exponential level. Enterprises as well as government agencies have become extra cautious while dealing with data- it’s security concerns, its collection, sharing and usage, in order to prevent any material, financial, penal and/or reputational damages. Data protection and processing come under various international and federal statutes. Japan’s APPI is one such law whose compliance by an organization would mean that such an entity has a stringent privacy policy adhering to all cybersecurity measures and physical safeguards that are necessary to protect the PII (Personally Identifiable Information) & other sensitive data of an individual.

The Act on the Protection of Personal information (APPI) is the JAPANESE DATA PROTECTION LAW that became a statute in 2003. It is deemed as Asia’s first data protection law. The act saw extensive reforms in 2015 to meet the existing data protection trends as Japan was grappling with a series of high profile data breaches. The law is like the EU’s GDPR in few respects. It covers entities beyond Japan’s national borders as long as they provide goods and services to Japan.

The Amended Act on the Protection of Personal Information (‘Amended APPI’)

When major data breaches and cybercrimes started rocking the world, different countries came up with stringent data protection laws. This made Japan’s existing APPI inadequate to deal with modern-day cybercrimes. Hence, the Amended Act on the Protection of Personal Information had to be introduced in 2017. The Personal Information Protection Commission (PPC) was established as the authority for data protection in Japan.

Data Protected Under APPI

The amended APPI mentions two types of data as protected by the law, namely “Personally Identifiable Information (PII)” and information under the “Special Care Required” category.

a) Personally Identifiable Information

PII refers to all kinds of data that helps in identifying a unique individual. Items covered in this category include, but are not limited to:

• Name
• Address
• Date of Birth
• Email Address
• Biometric Data
• Numeric details such as Driving License Number or Passport Number that may identify a person

b) Special Care Required Information

This category covers personal information that may cause discrimination among individuals. Information covered under this category include, but is not limited to:

• Racial/Ethnic Identification
• Religious Beliefs
• Medical History
• Marital Status
• Criminal Record/s

Companies need to secure the data owner’s permission before transferring any of this data to any third party inside or outside Japan.

Amendments Proposed By the PPC In 2019

The PPC proposed a series of amendments again in 2019, which are laid out as under:

a) Extending the rights of data subjects to suspend or delete data even if a company has not misuse it.

b) Extending the APPI to also cover data that will be deleted within six months.

c) Allowing data subjects to demand the release of acquired data by digital means.

d) Making companies responsible to report data breaches to the PPC and the data subjects. Such breaches would include improper use of collected data beyond the stated purpose.

e) Starting an accreditation system to promote responsible data handling and voluntary reporting by companies.

f) Stricter penalties

On March 10, 2020, the Japanese Cabinet has approved the PPC’s proposal to amend the APPI. The amendment is scheduled to come into force in June 2020.

Key Revisions under Amended APPI

1. Applicable to All Private Entities

The law in its amended version is applicable to all businesses that handle personal data of individuals in Japan. However, the APPI applies only to private business operators. Japan has other laws to cover government agencies and undertakings.

2. No Minimum Limit on Database Size

Before the amendment, APPI applied only to business operators who had 5,000 or more individual databases. Any company with such a database (at least for a day in the previous six months) would be covered under APPI. The amended version has removed this restriction. Now APPI regulations are applicable to all businesses that handle personal information, irrespective of the size of the database.

3. Covers All Private Suppliers

The APPI covers all private suppliers of goods and services to Japan. It applies to companies located within the Japanese territory, as also those located outside. The law is like the EU’s GDPR in this respect. It covers entities beyond Japan’s national borders as long as they provide goods and services to Japan.

APPI Compliance – Key Requirements for Businesses

Companies in the purview of APPI must have an implementable privacy policy. The privacy policy must outline the purpose of possessing the data. All businesses must take adequate measures to ensure the security of online data and to develop mechanisms in place for handling data subjects’ requests.

1. Data Transfer Regulations

The APPI has strict provisions against transferring data within Japan. To transfer data to third parties inside Japan, prior consent of the data subject is necessary. The company must inform the data subjects of their intention so that those who want to opt out can do so.

The norms for transferring data outside Japan are even more stringent. Such transfers can happen only under the following conditions:

• The receiving country practices data protection measures that match Japanese data protection standards.
• The company transferring data must sign a contractual agreement with the overseas third party. The contract must obligate the third party to maintain an adequate level of data protection matching Japan’s standards.
• Data subjects must give prior consent.

2. Anonymized Data

Companies are free to use anonymized data for statistical analysis without the express permission of data subjects. However, all markers that can identify any individual must be stripped first.

The company transferring such data is responsible for the anonymization. The company also has to ensure that the third party receiving the data is aware of the data being anonymized. Further, the company needs to make a public announcement of the data transfer.

3. Rights of Data Subjects

The APPI grants the right to data subjects to ask the purpose for which a company requires their data.

Individuals can ask for access to their personal information to correct or suspend it. Companies are also liable to provide information on where to lodge a complaint if a data subject wants to do so.

Data subjects have the right to suspend their data or demand companies to delete their personal information. These rights accrue if the data has been used for purposes beyond the declared purpose or if the data subject’s consent was secured through fraudulent or unfair means.

Penalties under APPI

The PPC contacts a company on receipt of a complaint and advises the business operator to correct the violation. If the company does not comply, then the PPC issues an administrative order. Individuals can also take a company to court if it fails to respond to APPI-based requests within two weeks.

Failure to comply with APPI regulations can result in financial penalties of up to JPY 100 million, which roughly translates to an approximate of around US$ 900,000. The penalty could also include imprisonment for up to a year.

Exemptions under APPI

• Companies do not need prior permission of data subjects (who had already consented for such data collection) to transfer data to external service providers for data processing. However, the processing can only be for the purpose for which the data was collected.
•  Prior permission is not necessary for the release of data due to legal requirements, or for matters concerning national security.

Erasure Technology for Data Anonymization

Anonymization of individual’s data is one of the key requirements of organizations to attain compliance with APPI. Data anonymization requires stripping of all markers that can identify an individual. Simple deletion of such markers or identifiers cannot ensure failsafe anonymization, as the deleted information can still be extracted and pieced together to surface individuals’ identities. Data erasure technology can facilitate a guaranteed solution for anonymization in line with APPI mandates.

Specialized data erasure software tools such as BitRaser can wipe clean sensitive and confidential information to help businesses fulfill the anonymization needs and thereby attain compliance with APPI and other global standard data protection regulations. BitRaser generates tamper-proof reports and certificate of erasure to serve as audit trails for meeting the regulatory compliance.

End-Note: APPI Amendment Strengthens Data Privacy & Compliance

Compliance with data protection laws and regulations under APPI is a non-negotiable aspect for companies falling under its purview. The law envisages data integrity at all costs by protecting the personal data of an individual. And for companies to ensure that their policies are fully compliant with APPI, they must procure specialized tools that can help in failsafe disposal of confidential data. The current surge in cybercrimes and mass data breaches has made professional media sanitization tools an inevitable need for all businesses. Secure disposal of unwanted sensitive data is a way to ensure that it is not accessed by any malicious source leading to non-compliance.