*The information in this article about Japan's Act on the Protection of Personal Information (APPI) is not and should not be considered legal advice. Please consult your legal counsel to determine its effect on your company, your data privacy and security policies, and your email program.
Japan's APPI law was originally passed by the Japanese government in 2003 and amended in 2020 to achieve closer alignment with Europe's GDPR. The original effective date for enforcement was in 2005 and the amendment's effective date was in April 2022.
Key points
- Privacy Act text:
- Date the law was originally enforced:
  - 2005
- Penalties for violation may include:
  - Providing reports of the violation and submitting to an on-site inspection by the PPC.
  - Imprisonment and a fine of up to JPY 1000000 for failure to follow PPC orders.
  - A fine of JPY 500000 to JPY 100000000 for unauthorized personal data disclosure to a third party.
- Changes to the APPI:
  - The 2020 amendment came into force on April 1, 2022 and included changes related to:
    - Expanding application of APPI to foreign entities that handle personal data for people located in Japan.
    - Reporting data breaches and notifying affected people of the breach.
    - Establishing the concept of pseudonymized information.
    - Regulations for provisioning data to a third party.
    - Strengthening regulations on data transfers, including requiring consent for cross-border transfers.
    - Disclosing personal data security management practices to the public.
  - Amendments to the APPI may occur. Be sure to consult your legal counsel for details about any amendments to the law.
What is the APPI?
The APPI is a data privacy law intended to ensure protection of individual rights and interests of people located in Japan and to ensure that the proper and effective application of personal information contributes to a strong Japanese economic society.
How does it affect me?
The APPI may apply to you if you handle or directly acquire personal data of people located in Japan or if you acquire their personal data indirectly from a third party.
You may be required to:
- Amend your privacy policy to disclose the purpose of collecting personal data and how it will be used at the time it is acquired.
- Record an individual's consent to collect personal information.
  - Consent is required if obtaining personal information directly or if acquiring personal data from a third party.
- Ensure all personal data is obtained lawfully and without deception.
- Ensure all personal data is accurate and up to date and delete data if it is no longer required for the stated purpose.
- Make the personal data accessible to the person who owns the data.
- Develop processes to handle requests to correct, add, delete or cease using personal data and ensure requests are honored.
- Develop processes to promptly address complaints about how personal information is handled.
- Train and supervise employees in the handling of personal data to ensure it is secure.
- Ensure all personal data is secure from unauthorized use.
- Report data breaches to the PPC and the people affected by the breach.
There may be exceptions to specific parts of the APPI based on your situation. Consult your legal counsel to understand if any exceptions apply to your business.
Other laws
While the APPI is the primary law to govern data privacy in Japan, there may be other consumer protection laws related to data privacy that may affect you.