Japanese Act on the Protection of Personal Information (APPI) – a heads up

The Act on the Protection of Personal Information (APPI), the Japanese data protection law, is one of Japan’s most important laws. In response to the increased processing of personal information in society and various sectors (such as the information technology sector), the Japanese Parliament (also known as the National Diet) recently amended it. Various questions now arise from these amendments, including:

  • What is the effect of these amendments?
  • When did they come into effect?
  • Do they apply to you?
  • Have they placed more obligations on the processing of personal information?
  • Is the Japanese APPI now on par with, or the same as, other data protection laws around the world, such as the GDPR or the POPI Act?

Amendments to the Act on the Protection of Personal Information (APPI)

Do the amendments to the Japanese Personal Information Protection Act help it achieve its purpose of protecting personal information? What obligations does it now impose on organisations after the amendments?

One way to answer these questions is to look at some of the key amendments. The other way is to wait for a test case that will come up in the future, where we may get a more definitive answer from authorities applying the provisions to a real-life situation. One such authority is the newly-established Personal Information Protection Commission (PPC), Japan’s own version of a supervisory authority for data protection. The amendments established the office to start its work on 1 January 2016. The PPC has the power to monitor compliance and to enforce the provisions of the Japanese APPI.

Another key area which the amendments have touched on is cross-border transfers of personal information. A data controller (whom the Japanese APPI refers to as a “personal information handling business operator”) must obtain the consent of a data subject (or principal) before the data controller can give a third party access to that data subject’s personal information. Data controllers can only share the personal information with third parties if the sharing will provide great benefits to the data subjects, or the law requires the sharing. The data subject can actively provide the information, give their written consent, or conclude a written contract with the data controller. At all stages, the data controller must ensure that the data subject is fully aware of the purpose for which that data controller will process the personal information.

The amendments have also brought about a clearer meaning of what personal information and sensitive personal information (which the APPI refers to as “special care-required personal information”) are. Sensitive personal information now includes race, religion and medical history.

When does the amended Japanese APPI take effect?

Whilst the National Diet enacted the APPI in about 2008, the amendments to the Japanese APPI took effect on 30 May 2017. It will be interesting to see how organisations respond now that the amendments have become a reality. Failing to comply with the amendments has potentially significant consequences, including fines and even imprisonment. An example of non-compliance that can result in imprisonment or a fine of as much as 300 000 yen is when a personal information handling business operator ignores an order by the Personal Information Protection Commission to stop processing personal information in a certain way.

Does Japan have adequate data protection laws?

Yes. Japan is the latest non-EU country the European Commission has found to provide an adequate level of protection. This allows personal data to flow freely between the two economies and creates the world’s largest area of safe data flow.

Actions you can take

  • Find out more about the PPC by reading their website.
  • Read the APPI by downloading and reading a copy.
  • Know how the Japanese APPI affects you by asking us to answer your questions.
  • Know more about the GDPR and global data protection regulation by attending a GDPR workshop.
  • Stay up-to-date with the latest developments by subscribing to our newsletter.

Canadian Data Protection Laws

Don’t confuse APPI with the Canadian data protection laws called PIPA or the other data protection law called the Protection of Personal Information Act (or the POPI Act). Canada’s data protection laws are not the same as the Japanese law. Canada also doesn’t just have one data protection law. It has a national law and different data protection laws throughout various provinces. The national law is the Personal Information Protection and Electronic Documents Act (PIPEDA). Two of the provincial data protection laws (for the provinces of Alberta and British Columbia) are known as the Personal Information Protection Act. These two provincial laws are substantially similar to PIPEDA, but are different from Japan’s data protection law. Even though the two laws have the same acronym as the Japanese data protection law, they are different. Because these two provincial data protection laws are so similar to PIPEDA, they apply to all processing activities that you may carry out for the two provinces. In other words, PIPEDA does not apply in the provinces in those situations. If the processing starts flowing into other provinces that don’t have PIPEDA-equivalent laws, PIPEDA applies.

