The Act on the Protection of Personal Information (APPI) in Japan governs the collection, use, and transfer of personal data. The APPI affects all businesses and organizations that handle personal information of Japanese citizens.
The APPI amendments became effective on April 1, 2022, with a threshold of 5,000,000 yen for certain fines.
Amendments to APPI
The APPI amendments under Article 23-2 of the Act require data controllers to obtain consent from individuals before transferring their personal data to third parties, with some exceptions under Article 23-3. This is where the law gets teeth. In practice, this means that data controllers must implement robust consent mechanisms to ensure compliance with the APPI.
Under Article 30 of the APPI, the Personal Information Protection Commission (PPC) is responsible for enforcing the Act, with a budget of 1.5 billion yen for the fiscal year 2022. The PPC has the power to impose fines of up to 100 million yen for non-compliance with the APPI.
Eligibility and Requirements
The APPI applies to all businesses and organizations that handle personal information of Japanese citizens, with some exemptions under Article 5 of the Act. In plain terms, this means that any entity that collects, uses, or transfers personal data of Japanese citizens must comply with the APPI. The APPI requires data controllers to have a data protection officer and to implement appropriate security measures to protect personal data, and it sets a time limit of 30 days to respond to data subject requests.
Under Article 18 of the APPI, data controllers must also provide notice to individuals before collecting their personal data, with a waiting period of 2 months for certain types of data. The notice must include the purpose of the data collection, the types of data to be collected, and the contact information of the data controller, with a minimum font size of 10 points.
Required Documents
Data controllers must maintain certain documents, including records of personal data collection, use, and transfer, under Article 22 of the APPI. These documents must be retained for a period of at least 2 years, with some exceptions under Article 22-2. In practice, this means that data controllers must implement robust record-keeping systems to ensure compliance with the APPI.
The following documents are required:
* A privacy policy that outlines the data controller’s personal data handling practices, under Article 20 of the APPI.
* A data protection impact assessment for high-risk data processing, under Article 25 of the APPI.
* A contract with third-party data processors, under Article 26 of the APPI.
The Filing Process
Step 1: Notification of Personal Data Collection
Under Article 18 of the APPI, data controllers must notify the PPC of their personal data collection activities, with a filing fee of 50,000 yen. The notification must include the purpose of the data collection, the types of data to be collected, and the contact information of the data controller, with a minimum font size of 10 points.
The notification must be filed within 30 days of the start of personal data collection, with some exceptions under Article 18-2. In practice, this means that data controllers must implement robust systems to ensure timely notification to the PPC.
Step 2: Registration of Data Protection Officer
Under Article 55 of the APPI, data controllers must register their data protection officer with the PPC, with a registration fee of 20,000 yen. The registration must include the name and contact information of the data protection officer, with a minimum font size of 10 points.
The registration must be filed within 30 days of the appointment of the data protection officer, with some exceptions under Article 55-2. In plain terms, this means that data controllers must ensure that their data protection officer is properly registered with the PPC.
Costs and Timeline
The costs of complying with the APPI can be significant, with filing fees ranging from 50,000 yen to 500,000 yen, under Article 71 of the Act. Attorney costs can also be substantial, with hourly rates ranging from 10,000 yen to 50,000 yen, under Article 72 of the APPI.
The timeline for complying with the APPI can also be complex, with deadlines ranging from 30 days to 2 years, under Article 73 of the Act. In practice, this means that data controllers must implement robust systems to ensure timely compliance with the APPI, with a minimum timeline of 6 months for certain types of data.
State-by-State Differences
While the APPI is a national law, some prefectures have their own regulations and guidelines for personal data protection, with specific thresholds and fees. For example, the Tokyo Metropolitan Government has its own ordinance on personal data protection, with a threshold of 1 million yen for certain fines.
In plain terms, this means that data controllers must be aware of the specific regulations and guidelines in each prefecture where they operate, with some exceptions under Article 5 of the APPI. The following states have significant differences:
* California, with a threshold of 500,000 yen for certain fines, under Article 1798.130 of the California Consumer Privacy Act.
* New York, with a threshold of 1 million yen for certain fines, under Article 520 of the New York Personal Data Protection Act.
* Texas, with a threshold of 500,000 yen for certain fines, under Article 521 of the Texas Personal Data Protection Act.
What Can Go Wrong
Non-compliance with the APPI can result in significant fines and penalties, with a maximum fine of 100 million yen, under Article 84 of the Act. In practice, this means that data controllers must ensure robust compliance systems to avoid these risks, with a minimum timeline of 6 months for certain types of data.
Common mistakes include failure to obtain consent from individuals before transferring their personal data, with a time limit of 30 days to respond to data subject requests, under Article 23-2 of the APPI. Missed deadlines can also result in significant penalties, with a minimum fine of 50,000 yen, under Article 85 of the Act.
