Japan’s Act on Personal Information Protection – What Businesses Must Do

  • Richard Marley
  • May 17, 2022
  • 7 minutes read

New and emerging ways of bypassing verification checks have allowed fraudsters to gain access to the sensitive personal data that businesses and financial institutions hold about their clients. In June 2020, Japan enacted amendments to its Act on the Protection of Personal Information (APPI); the amended rules came into force on 1st April 2022, the deadline by which businesses had to comply with them.

Prominent updates to the Act include new rules on providing personal information to third parties and on transferring it to recipients outside the country. Japan-based businesses also face a new obligation to notify the regulator and the affected individuals when a data breach occurs.

The Act on the Protection of Personal Information (APPI)

Japan’s Act on the Protection of Personal Information (APPI) was first introduced in 2003 with the aim of protecting the personal information of individuals (customers of businesses, banks, and other financial institutions) in the country. Since its introduction, the Act has seen two major amendments, in 2015 and 2020. Compliance with the APPI is supervised by the Personal Information Protection Commission (PPC), Japan’s primary data protection regulator, which investigates businesses and financial institutions, issues guidance and corrective orders, and enforces the Act.

The APPI distinguishes two main categories of personal information. The first is basic personal information such as name, date of birth, contact numbers, and individual identification codes. The second is ‘special care-required’ information, which includes medical history, information about race, creed or social status, and criminal history; this category is subject to stricter rules, and in particular cannot be collected without the individual’s consent. Biometric data is not named as a separate category: biometric characteristics converted into a form usable by a computer (fingerprints or facial-feature data, for example) count as individual identification codes, and therefore as personal information in the first category. Moreover, the APPI requires businesses to state the purpose for which personal information is processed, and gives individuals the right to ask for disclosure of the information held about them and to have it corrected or deleted.

What’s in it for Businesses

Just as the EU’s General Data Protection Regulation (GDPR) obliges businesses in the region to protect personal information, businesses operating within Japan are obliged to comply with the Act on the Protection of Personal Information regardless of their size or revenue. Initially, the Act exempted small operators (those handling the personal data of no more than 5,000 individuals). The 2015 amendments removed that threshold, so businesses of all sizes are now required to protect their customers’ personal information.

Furthermore, businesses operating outside Japan but serving the Japanese market are also obliged to comply with the APPI. This means that businesses based overseas that gather personal information from individuals in Japan must meet the same requirements. Government bodies, public educational institutions, and the administrative sector, on the other hand, are governed by separate rules rather than by the APPI. The amendments made to the APPI in 2020 further broadened the scope of businesses that fall under the rules. In simple terms, the rules that govern the transfer of personal information to third parties have been tightened, and notification in case of data breaches has become mandatory.

Transferring Personal Information to Third Parties

Before the 2020 amendments, a business based in Japan could provide personal data to third parties without the customer’s consent under an ‘opt-out’ arrangement: the customer was informed of the transfer in advance and given the chance to object, and the business filed the opt-out notice with the PPC. Since 1st April 2022, that route has been narrowed, and in most cases businesses must obtain the customer’s consent before providing their personal information to a third party. Exceptions remain where the transfer is required by law or is necessary for public health, safety, or the protection of life or property. The opt-out route is still available for ordinary personal data provided the customer is notified before the transfer, but it can no longer be used at all for ‘special care-required’ personal data, for data that was acquired improperly, or for data that the business itself received under an opt-out arrangement.

Transferring Personally Referable Information to a Third Party

Personally Referable Information (PRI) is a category added to the APPI by the 2020 amendments. It covers data that relates to an individual but does not on its own identify them, such as transaction history, purchase history, cookie identifiers, or web browsing information. The PRI category does not include basic personal information like the name or date of birth of the customer. The new rule targets the case in which the recipient can combine PRI with data it already holds to identify the individual: before providing PRI to a third party that will use it as personal data, the sending business must confirm that the individual has consented to the recipient’s use of it, and must keep a record of that confirmation. The 2020 amendments also tightened the conditions for sending personal data to recipients outside Japan. A business may do so only if the customer consents to the overseas transfer, if the recipient is in a country the PPC has designated as providing protection equivalent to Japan’s, or if the recipient has itself put in place measures equivalent to the APPI’s standards (for example through a contract); in the last case the business must monitor that those measures remain in place.

In addition, when the transfer relies on the customer’s consent, the business must inform the customer about the destination before sending the data. This includes the name of the country, the data protection regime in force there, and the additional measures the recipient will take to secure the data.

How Businesses can Comply with the APPI

In a requirement similar to those of China’s Personal Information Protection Law (PIPL), Japan-based businesses are obliged to keep records of every provision of personal information to a third party, and of every receipt of personal information from one. Businesses must obtain the customer’s consent before sending their personal data to any third party, unless the transfer is required by law or regulation, or is necessary to protect a person’s life, body, or property in circumstances where obtaining consent is difficult.

Until the latest amendments, the APPI carried a moderate sanctions regime for businesses that failed to comply. For instance, the maximum penalty for a business was ¥500,000 (approx. $3,900). After the amendments, a business that violates a PPC order or unlawfully provides a personal information database can be fined up to ¥100 million (approx. $781,500). Moreover, the individuals responsible within the business can face up to one year of imprisonment and fines of up to ¥1 million (approx. $7,815).

Key Takeaways

Considering the latest changes to Japan’s data protection law, it is clear that safeguarding customers’ personal information has become a priority for Japanese businesses. As one of the largest economies in the world, the country is making significant efforts to strengthen the protection of sensitive data. At the corporate level, businesses must take steps to ensure compliance with the updated APPI.

To do so, businesses can incorporate AI-driven verification solutions into their systems. Shufti Pro’s identity verification solution can be embedded within an online business platform and provides the features needed to meet regulatory obligations while keeping customers’ data safe.

Here are the key benefits of Shufti Pro’s ID verification services:

  1. Verifies the real identity of customers in less than a second
  2. Generates results with 98.76% accuracy
  3. Screens customers against 1700+ global watchlists and PEP lists
  4. Helps businesses comply with regulatory obligations and protects them from sanctions

Want to learn more about ID verification services for businesses?