Act on the Protection of Personal Information (APPI)
Last updated: 2026-03-28
What Is the Act on the Protection of Personal Information
The Act on the Protection of Personal Information (APPI) is a Japanese law that establishes rules for the proper handling of personal information. Enacted in 2003 and fully enforced in 2005, it has undergone major amendments in 2015, 2020, and 2023 to keep pace with the advancement of digital society.
This law imposes obligations on businesses that handle personal information (personal information handling business operators), including specifying and publishing the purpose of use, implementing safety management measures, and restricting provision to third parties. The 2015 amendment established the Personal Information Protection Commission, unifying the supervisory framework.
Virtually all web services and apps that individuals use daily handle personal information and are subject to this law's regulations. It's important for users to understand their rights as well.
Key Points of the 2022 Amendment
The amendment enforced in April 2022 was a significant revision that substantially expanded individual rights and strengthened business obligations.
- Mandatory Breach Reporting: Reporting to the Personal Information Protection Commission and notifying affected individuals became legally mandatory for data breaches above a certain scale. What was previously a best-effort obligation was elevated to a legal requirement
- Expanded Individual Rights: Requirements for requesting suspension or deletion of use were relaxed, enabling requests not only for improper acquisition but also when data is no longer needed or when a data breach has occurred
- Introduction of Personal-Related Information: Data like cookie IDs and browsing history that cannot identify individuals alone but can when combined with other information was added as "personal-related information" subject to regulation
- Introduction of Pseudonymized Information: A framework was established for data processed so that individuals cannot be identified without cross-referencing with other information, to promote its use for internal analysis purposes
- Strengthened Penalties: The maximum fine for corporations was raised to 100 million yen (previously 500,000 yen)
Definition and Scope of Personal Information
Accurately understanding the definition of "personal information" under the APPI is the foundation for practical decision-making.
- Personal Information: Information relating to a living individual that can identify a specific individual, such as name, date of birth, and address. "Personal identification codes" like facial recognition data and My Number are also included
- Personal Data: Personal information that forms part of a personal information database, i.e. a collection systematically organized so that specific personal information can be searched
- Special Care-Required Personal Information: Information such as race, creed, medical history, criminal record, and disability that may give rise to unjust discrimination or prejudice. Acquisition generally requires the individual's consent
- Personal-Related Information: Cookie IDs, device identifiers, browsing history, purchase history, etc. Not personal information on their own, but consent is required when provided to a third party who links them with personal data
Compared to GDPR, Japan's APPI uses the criterion of "whether an individual can be identified," while GDPR adopts the broader criterion of "whether it relates to an individual." Therefore, IP addresses and cookies qualify as personal data under GDPR but often don't qualify as personal information under Japanese law on their own.
Individual Rights and Practical Utilization
The APPI not only imposes obligations on businesses but also guarantees rights to individuals. Knowing these rights and exercising them as needed helps you manage your digital footprint.
- Right to Disclosure: You can verify the content of your personal data held by a business. This is the first step in understanding what data has been collected and stored
- Right to Correction, Addition, and Deletion: You can request correction or deletion when the content of retained personal data is factually incorrect
- Right to Request Suspension or Deletion of Use: Requirements were relaxed in the 2022 amendment, enabling requests when data is no longer needed or when a breach has occurred
- Right to Request Cessation of Third-Party Provision: You can request that your data not be provided to third parties
As a practical note, disclosure requests may incur fees (within a reasonable range). The request destination is the contact point listed in each business's privacy policy. If you're unsatisfied with the response, you can consult the Personal Information Protection Commission.
Being mindful of the principle of data minimization and not providing unnecessary personal information when registering for services is also an effective self-defense measure.
To learn more about this topic, see Global Privacy Laws: Comparing GDPR, CCPA, and Japan's APPI.
Common Misconceptions
- The Act on the Protection of Personal Information only applies to large companies
  - Since the 2015 amendment, all businesses that use personal information in their operations are subject to the law, regardless of the volume of personal information handled. Sole proprietors and freelancers also qualify as personal information handling business operators if they manage customer lists or mailing lists.
- Cookies are not regulated under the Act on the Protection of Personal Information
  - While cookies alone often don't qualify as personal information, the 2022 amendment added them as "personal-related information" subject to regulation. When cookie data is provided to a third party who links it with personal data, individual consent is required.