Japan data protection law (APPI): Everything you need to know

If you are a business that collects the personal information of Japanese data subjects to provide them with your goods and services and you transfer their data out of Japan, you will have to comply with the privacy laws applicable in Japan. In this article, we will help you understand Japan’s data protection law requirements, how you can comply with these requirements, and the potential risks you face for non-compliance.

Japan's data privacy law in a nutshell

• General Guidelines on the APPI
• Guidelines on the APPI (for Transfers to Third Parties in Foreign Countries)

While the guidelines by the Personal Information Protection Commission are not fully comprehensive, you should take them into account when you design your data protection law compliance program.

In addition to these guidelines, there are also sector-specific guidelines for particular data processing that may be relevant for you.

If you operate in the medical sector, for example, guidelines by the Ministry of Health, Labor and Welfare can clarify your obligations when you process sensitive data. One such guideline is the Guidance for the Appropriate Handling of Personal Information by Medical or Care-related Service Providers.

Does Japan's data privacy law apply to you?

If you are based in Japan and handle the personal data of data subjects, you must comply with the APPI requirements.

If you are a foreign organization, you will be subject to the APPI if the following three criteria are met:

Personal scope

The APPI applies if you are a business that handles the personal information of Japanese data subjects.

Territorial scope

If you collect the personal data of a data subject for the purpose of providing your products and services and handle the personal data of data subjects in a foreign country, you will be subject to the APPI requirements.

Material scope

The APPI applies to the “handling” of personal data. Handling refers to the collection, retention, use, transfer, and otherwise handling of personal information.

What are Japan's data privacy key requirements, and how to comply?

A business that handles personal information is called “Personal Information Controller (“PIC”). Since there are far too many compliance requirements than we can cover in this blog post, we will focus on the most important ones and how you can comply:

• Before handling personal data, you must identify a specific purpose for the use of personal information (“purpose of use”). You must inform data subjects of this specific purpose and cannot make any changes without consent.
• You must identify and rely on a legal base before collecting and handling personal data. These legal bases include “consent”, “contract” “legal obligation”, “public interest” and “interest of data subject”.
• When you handle sensitive data, such as data related to race, religion, and medical records, you need prior consent as a rule.

• You should only use personal information to the extent such use is necessary to achieve the stated purpose.
• You must delete personal information as soon as that information is no longer needed to achieve the specified purpose.
• You must implement appropriate measures to ensure that personal information is accurate and kept up-to-date.
• You should put in place necessary and appropriate measures to prevent unauthorized access to and use of personal information; including physical security measures.
• You should not get involved in the processing of personal data for illegal acts or purposes.
• You must exercise necessary controls over your employees to ensure that they handle personal data properly. These controls include implementing access controls and providing your staff with security training.
• As a rule, you must obtain the consent of data subjects before transferring personal data to third parties and to overseas recipients. However, there are certain exceptions to this rule.
• When you suffer a data breach, you need to inform the Japan Data Protection Authority (“PPC) by filling out this form, as well the data subjects impacted by the breach.

Do you need to collect consent for cookies in Japan?

The APPI does not set out specific rules for cookies, and cookies are not considered personal information. However, you may need to obtain consent for placing cookies on users’ browsers when the following condition is met:

If you transfer cookies to a third-party recipient, such as third-party vendors that place personalization and advertisement cookies on your website, and this cookie can be used to identify an individual, this cookie is “person-related information.”

For these cookies, you will need consent from data subjects because you may collect person-related information.

In the Rikunabi case, a job-seeking platform used cookies to record students’ browsing history and to profile them based on this information, then transferring personal data to third-party job advertisers. For instance, it calculated the likelihood of a student declining a job offer. The PPC ruled that these cookies were “person-related information” and the website had to ask for students’ consent.

In short, cookies are not considered “personal information” in Japan. However, certain third-party cookies may allow third parties to identify data subjects, and therefore, you may need consent from the data subjects, particularly for advertisement and personalization purposes.

The Rikunabi case shows that the regulatory authority may come after you when you fail to obtain consent from data subjects.

June 2023 update to Japan's Telecommunications Business Act

Earlier this year, Japan's Telecommunications Business Act (TBA) has been updated, defining 4 types of telecommunications services that are now subject to cookie regulations :

• Telecommunication services mediating the communication of others, which includes services such as e-mail, messaging applications, web conferencing systems, and other services.
• Telecommunications services recording information from a user and making that user available for communication by others, which can include social network services (SNS), electronic bulletin boards, live streaming services, and other content services.
• Telecommunications services providing information on unlimited websites in response to a search request, which includes general search services.
• Other telecommunications services transmitting information in response to requests from unspecified users, which can refer to search services related to employment or career change.

Requirements under the Telecommunications Business Act

Businesses that the TBA applies to are required to take one of the following measures to transmit cookie information (or other user-specific data) to a third party:

(i) notify users about any transmission of their data or make that information readily available,
(ii) obtain consent from users,
or (iii) provide users the ability to opt out.

Exemptions of the Telecommunications Business Act

Under the TBA, data that is necessary for the proper functioning of a telecommunications service is exempted from the cookies requirements.

Penalties for non-compliance with data privacy laws in Japan

If the Personal Information Protection Commission (PPC) finds that a data controller (PIC) violated the APPI requirements, it can impose the following sanctions and penalties:

• Requiring the PIC to submit a report,
• Carry out on-site inspection,
• Order a PIC to take action to remedy the violation,
• In case of failure to comply with orders from the authority, the responsible individuals may face imprisonment for up to 1 year.

GDPR vs Japan's data protection law

While there are certain similarities between Europe's General Data Protection Regulation (EU GDPR) and Japan's Data Protection Law, the two laws fundamentally differ from each other in various ways:

• The GDPR requires data controllers to appoint a data protection officer (DPO) when they fulfill certain criteria. The APPI, on the contrary, does not contain a requirement to appoint a data protection officer. However, the APPI recommends that businesses appoint a person in charge of handling personal information. This is similar to the DPO position to a certain extent.
• Under the GDPR, you must notify the authorities within 72 hours after a data breach. The APPI, however, does not set specific time limits.
• The GDPR may require you to carry out data protection impact assessments when there is a high risk to the rights and freedoms of data subjects. The APPI, however, does not contain such a requirement.
• In Japan, there is no specific regulation on cookies. In the EU, there is the E-privacy Directive that requires businesses to obtain prior consent for cookies from data subjects.
• In the EU GDPR, you may rely on legitimate interest ground to lawfully process the personal information of data subjects. The APPI does not include this legal basis.
• GDPR provides data subjects with the “right to data portability” and “right to object to direct marketing and profiling”. The APPI, however, does not equip data subjects with these rights.

You might be wondering why so many data privacy regulations are emerging around the world for the past few years. To learn more, explore our research piece about the accelerated pace of consumer data regulation and customer preference activity:

How Didomi can help you comply with data protection laws in Japan

If you want to satisfy all Japan Data Protection Law (APPI) requirements and safely handle Japanese people’s data, you must start by relying on a legal basis to justify your data processing activities. Consent is the most common legal basis, and it can justify the use of third-party advertising, personalization, and profiling cookies, alongside social media plugins.

For instance, if you use Facebook pixel, Twitter share button, or other similar technologies on your website, you are better off asking for consent before collecting any personal data.

Therefore, you must obtain consent as specified by the APPI Law and be able to prove that you obtained consent lawfully. With a Consent management platform, you can collect consent in an APPI-compliant manner and keep a record of all consent obtained.

More than ever, privacy has become a priority for brands and for businesses operating in Japan, which means complying with the APPI requirements. Talk to an expert to find out how our solutions can help you turn data privacy into a business opportunity, and how Didomi focuses on addressing regulations and assisting companies around the world:

Frequently asked questions (FAQ)

Does Japan have data privacy laws?

Yes. The main data protection law in Japan is the Act on the Protection of Personal Information (APPI), Act No. 57 of 2003.

Who does Japan's APPI apply to?

The APPI applies to businesses based in Japan that handle the personal data of data subjects. It also applies to foreign organizations under certain criteria (see details in the article)

What are the key requirements for compliance with Japan's data privacy law?

The key APPI requirements include obtaining consent, identifying a specific purpose for data use, using legal bases for data processing, ensuring data accuracy, implementing security measures, and informing the data protection authority in case of a data breach, among others.

What are the potential penalties for non-compliance with data privacy laws in Japan?

Non-compliance with data privacy laws in Japan can result in penalties such as submitting a report, on-site inspection, orders to remedy violations, and, in case of failure to comply, imprisonment for up to 1 year.

How does Japan's data protection law compare to the GDPR?

While there are certain similarities between Japan's data protection law and the GDPR, they differ in various ways, including the requirement for a data protection officer, notification timelines for data breaches, and the presence of specific regulations on cookies and legitimate interest.

Do I have to appoint a Data Protection Officer (DPO) under Japan's APPI?

While the APPI does not explicitly state businesses must appoint a DPO, it recommends appointing a person in charge of handling personal information, which can be perceived as a similar role.