Japan APPI Amendments: What Are They?
Are you wondering what the Japan APPI Amendments are and how they affect you or your business? Well, stress no longer as this article will discuss the Japanese APPI laws and how they protect the personal information of the Japanese people.
Learn how your business can maintain compliance when it comes to data privacy and consent in Japan. Personal information is very important to keep safe as it pertains to all the sensitive information and financial data that your business deals with on a daily basis.
Let’s dive right in.
- The Japanese APPI law plays an important measure in protecting its citizens' personal data from being exploited by businesses.
- The Amendments to Japan’s APPI seek to make the APPI laws stricter to better protect the average citizen.
- The penalties for not complying with APPI laws have increased significantly to 100 million Yen to help curb businesses and individuals stealing or using personal data without any consent.
Overview of Japan’s APPI
The Act on the Protection of Personal Information (APPI) has created necessary measures that help its citizens protect their personal data with the strict data protection law. The personal data protected includes any information that can identify a person explicitly.
The original data protection for personal information laws back in 2003 was not that strict as it was mostly for larger third-party businesses operating out of Japan that wanted to use the personal data of Japanese citizens.
The last Amendment to protect the personal information of Japanese citizens was made in 2020 and has significantly changed the law.
This data protection law is in place to help safeguard people's personal information, as many businesses may want to use that personal data without any consent or to exploit the consumer.
The APPI requires that all businesses that want to collect the sensitive personal data of a Japanese citizen obtain consent before they can start to collect, use and distribute the individual's personal information. The Personal Information Protection Commission administers and oversees this data protection Act.
The Personal Information Protection Commission, or PPC, is an independent administrative firm that was founded back in 2005, just two years after the Japanese APPI laws came into effect to help with data privacy.
Before September 2015, data protection laws were proved ineffective by a series of high-profile cases in which people’s data was breached.
Thus, a major overhaul for APPI compliance and regulation happened, and every few years after that, new compliance measures have been introduced to stop data breaches and data exploitation from happening.
The last amended APPI law that came out was back in 2020, which was implemented to use the personal data of people to help with business analytics and the development of computational programs.
Japan APPI Amendments
Since the creation of the APPI, Japan has created several amendments to make the law stricter and safeguard Japanese citizens.
These amendments pertain to the new data transfer requirements, increased penalties, and new data breach requirements. As a business owner, it is important to know and understand how these personal information laws have changed and what your business must do to stay current.
Included in the 2020 amendments are penalties for abusing and using the private information of data subjects in an ill manner. These penalties have been made stricter.
In the 2017 amendments, businesses only had to pay 500,000 Yen (roughly $3,400) when they were fined for breaking the APPI data protection laws. The 2020 Amendments sought to make the fines bigger to scare any potential businesses from doing deceitful business practices with private data.
The 2020 Amendments implemented a maximum fine of 100 million Yen (roughly $700,000) for businesses that break the APPI laws, along with individual fines of 1,000,00 Yen (roughly $7,000).
This harsh punishment is meant to dissuade businesses from conducting non-compliant practices that could harm the consumer.
Data Breach Requirements
As of 2020 APPI Amendments, businesses that suffer a data breach are to follow the data loss guidelines that PPL has made. Below, we will list the steps that a business is required to take in the event of a data breach:
- When a data breach occurs, the business must report it without unreasonable delay to the PPL if the data breach contains 1,000+ citizen data or includes sensitive data like financial information.
- Notify any individuals who are data subjects that their data may have been breached.
- The business must investigate the cause and any relevant information about the breach.
- The business identifier by which personal information controller is affected.
- The business must learn which data subject’s personal information was affected.
- Take necessary steps to prevent further damage to the confidential data.
- Create a plan to control and prevent any further data breaches due to the security vulnerability.
- Publicly announce the data breach if recommended by the PPL.
These are basic steps that many businesses in Japan must follow in case of a data breach.
Data Transfer Requirements
Your business in Japan can complete data transfers to third-party businesses. However, some guidelines must be met.
The 2020 Amendments restrict data transfers if the personal data was collected in an improper manner. Data transfers now require consent from the data subject, which is usually obtained using an “opt-out” method, which means consumers are able to exit the agreement at any time.
If the data transfer is in the public interest, the business does not need prior consent to share the data. This is for cases such as national emergencies, public health concerns and legal matters requiring personal data.
Data Subject Rights
Under the Act on the Protection of Personal Information (APPI), individuals have the right to ask a business operator why and how their personal data is being used. They can also inquire about how they can access, correct or suspend this information, as well as where complaints regarding its management should be submitted.
The 2017 version of APPI did offer some rights for people to request that their private data be deleted or use ceased under certain situations.
The amendments made in 2020 not only widen these circumstances but extend them even further. They essentially allow Japanese citizens more power over potential breaches involving their rights and [legitimate interests](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/lawful-basis-for-processing/legitimate-interests/#:~:text=The legitimate interests can be,The processing must be necessary.) when using their own data, which includes distribution among third parties if such transfers are against APPI rules.
Additionally, individuals can now request information and take action related to their short-term data, defined as data which is stored for a period of six months or less. These comprehensive changes substantially increase the control individuals have over how businesses handle their personal information per APPI guidelines, offering greater privacy protections than before.
How To Ensure Compliance with the Amended Japan APPI
Your business can ensure compliance with the latest amended Japanese APPI protection laws regarding different topics concerning data privacy and personal data to avoid paying heavy penalties.
Respect Data Subject Rights
The APPI dictates that data subjects can legally request that the business operator state the use of the personal data it is collecting and the intended purpose of it.
The business must also state how the data subject can access, correct and remove the personal data, as well as be able to submit complaints regarding how the business is using and handling the personal information of the data subject.
Businesses must respond to requests for data, also known as DSARs, within two weeks to avoid potential lawsuits.
Setup Consent Mechanisms
The current default consent mechanism is the “opt-out” method, meaning that the business can use the private data of the data subject.
There are exceptions to the opt-out method, though. For example, if you have to transfer the data or process sensitive data, they need explicit opt-in consent, meaning the user explicitly allows the data to be collected.
Businesses are made to disclose and tell individuals and the PPC what personal data it is collecting and what they intend to do with the data.
You must also include time limits for the data you’re using, contact information, information about third-party sharing, and an overview of security measures you’re taking.
Measures To Prevent Breaches
In Japan, your business is required to have adequate data security preventive measures to help quell data breaches. Businesses must also follow certain guidelines that PPC lays out for them to follow.
This includes making employees sign non-disclosure agreements if they handle personal data of people, protecting machines and devices from attacks, whether they are physical or digital, and limiting the number of staff allowed to access the data.
Pseudonymized Personal Information
The added Amendment to the Japanese APPI protection laws introduced that a business can use pseudonymized personal information as a way to process data.
This is a way for a business to collect personal data at reduced risk due to the nature of how pseudonymized personal information works. The personal data will no longer show certain identifying descriptions in the data. This can help protect individuals and their data.
Ensure Consent for Data Transfers
Before any business can disclose the personal information of its data subjects, it must first ensure that it has consent from the PPC or the individual data subject (or it’s in the public’s interest to process the data).
Businesses will now need to convey to the data subjects and PPC that they are completing data transfers when individuals enter their personal information.
The business will only receive consent if the data subject enters their private data into the business itself.
Report Data Breaches Promptly
One of the more important and big changes that came with the 2020 Amendment is the mandatory data breach notification that businesses now have to do.
When a business’s data system has had a data breach, it will now have to notify the PPC and the individuals who have been affected by the data breach if it meets one or more of the requirements:
- Include at least 1,000 people’s personal data
- Include sensitive (or ‘special care’) data
- The breacher may be intending to use the data for malicious intent
- There are financial details involved that could cause major financial problems
Previously, this was a recommendation, and it is now a requirement that you report a breach promptly.
Penalties for Non-Compliance With APPI Japan Data Protection?
As a way to enforce the compliance of businesses to follow and respect the Japanese APPI data protection laws, there are penalties for non-compliant businesses.
As of the last APPI Amendment in 2022, the maximum penalty fine went from 500,000 yen or $3300 from the 2017 APPI updates to 100 million Yen or around $700,000. This staggering cost is only payable by businesses that break the APPI guidelines, but it does not mean the PPC will always use the maximum allocation of fines per incident.
If an individual breaks the Japanese APPI data protection laws, the consequences are different from when a business breaks the data protection law.
While a company may receive a penalty fine of up to 100 million Yen, an individual can receive a fine of up to one million Yen or $7000. They can also face imprisonment of up to a year. If anyone is caught submitting false reports to the PPC, they can face fines of up to 500,000 Yen or $3300.
Even though the PPC has the power to hand out fines to non-compliant businesses, it will first order corrective actions for the businesses or individuals.
The PPC emphasizes that businesses should adjust their data processing before handing out fines to let the businesses change their practices. If the business fails to adjust the way it does its data processing, only then will the fines be placed.
Businesses are also made to compensate any individuals or data subjects for any damages they may have caused due to their wrongdoings with their data handling.
This includes any data breach and data privacy issues. If the business does not give adequate compensation to the individuals they have harmed, these data subjects can seek compensation using civil lawsuits. These lawsuits can force the business to admit accountability for their actions.
Now that you understand the APPI Amendments in Japan and how data protection laws work inside Japan, you may wonder how best to set your business up to remain compliant with Japan's data protection laws.
This is where the experts at Captain Compliance can help you. We can help you break down any fine print and guidelines you need to follow so that you can handle personal data in your business confidently in Japan.
Our services will help your business comply with the APPI laws in Japan. Consider the team at Captain Compliance a set of extra hands to help guide with following the laws and regulations. This can help your business stay on the right side of the law.
If you are ready to tackle the personal data business in Japan, with our team's help, you can navigate the data privacy game easily. Contact us today to get the ball rolling with your APPI compliance.
What is the Main Goal of PPL and The Japanese APPI Laws?
The main goal of the APPI laws in Japan is to safeguard personal information and keep it from being breached. It is mandatory for all businesses to follow these laws.
What are The Risks in the Data Processing business?
Any business dealing with personal information and data knows how risky the industry can be. The constant risk of a data breach while storing their data can play a major role in how you can manage your business.
How Does the APPI Compare To The GDPR?
While both data protection laws have similar laws and regulations, the GDPR is stricter and can even apply to businesses outside of the EU.