What Is the APPI?
Japan's Act on Protection of Personal Information (APPI) aims to protect individual rights while considering the usefulness of personal information (Article 1).
The Act was enacted in 2003 and significantly amended in 2015; the April 2022 amendments further strengthened the protection of individual rights.
Key Definitions
Personal Information
Information about a living individual that can identify a specific person, such as name, date of birth, and address (Article 2(1)). Personal identification codes (My Number, biometric data) are also included.
Personal Data
Personal information that constitutes a personal information database (Article 16(3)). Typically, information managed in a computer-searchable format.
Sensitive Personal Information
Information requiring special care, such as race, beliefs, medical history, criminal records, and disabilities (Article 2(3)). Consent is mandatory for collection.
Key Obligations for Businesses
Specify and Notify Purpose of Use
Businesses must specify the purpose of use as clearly as possible (Article 17) and notify or publicize it upon collection (Article 21).
Prohibition of Use Beyond Purpose
Personal information cannot be used beyond the specified purpose (Article 18). Use beyond scope requires individual consent.
Security Control Measures
Businesses must implement measures to prevent leakage, loss, and damage of personal data (Article 23).
Specific measures:
- Organizational measures (appointing responsible persons, establishing rules)
- Human measures (employee training, confidentiality agreements)
- Physical measures (access control to facilities, secure document storage)
- Technical measures (access controls, encryption, log management)
Restrictions on Third-Party Transfers
Transferring personal data to third parties generally requires individual consent (Article 27).
Exceptions:
- Required by law
- Necessary to protect life, body, or property
- Outsourcing (within the original purpose of use)
- Business succession
Cross-Border Transfers
Additional requirements apply when transferring personal data to a third party in a foreign country (Article 28). Information about the destination country's data protection system must be provided to the individual.
Key Points of the 2022 Amendments
Mandatory Breach Notification
Certain data breaches now require reporting to the Personal Information Protection Commission (PPC) and notification to affected individuals (Article 26).
Reportable cases:
- Leakage of sensitive personal information
- Leakage due to unauthorized access
- Leakage with risk of financial damage
- Leakage affecting more than 1,000 individuals
Strengthened Individual Rights
- Expanded grounds for use cessation and deletion requests (Article 35)
- Disclosure requests now cover digital data
- Individuals can specify the disclosure format (e.g., electronic records)
Pseudonymized Information
A new category of "pseudonymized information" (Article 2(5)) allows relaxed obligations for internal analysis purposes when data is processed to prevent individual identification.
Increased Penalties
- Unauthorized provision of personal data databases: up to 1 year imprisonment or ¥500,000 fine
- Corporate fines: raised to maximum ¥100 million (previously ¥500,000)
Handling Cookies and Web Browsing Data
While cookies and access logs may not constitute personal information on their own, they are regulated as personally referable information (Article 26-2).
When providing personally referable information to a third party who will link it with personal data, consent is required.
Penalties for Violations
| Violation | Penalty |
|---|---|
| Violating PPC orders | Up to 1 year imprisonment or ¥1 million fine |
| Providing database for wrongful profit | Up to 1 year imprisonment or ¥500,000 fine |
| Corporate fine (order violation) | Up to ¥100 million |
| Reporting obligation violation | Up to ¥500,000 fine |
Administrative Sanctions
The PPC takes graduated measures: recommendation (Article 148) → order (Article 149) → criminal prosecution.
Reputational Risk
Beyond legal penalties, data breaches severely damage corporate credibility. Media coverage can lead to customer attrition and business losses far exceeding the fine amounts.
Summary
The APPI applies to all businesses handling personal information regardless of size. With significantly strengthened penalties in the 2022 amendments and the new mandatory breach notification requirement, building a robust information management framework is more important than ever.