Japan’s data protection law, the Act on the Protection of Personal Information (APPI), was first implemented in 2003 and was one of Asia’s first data protection regulations. However, following several high-profile data breaches, the APPI underwent significant changes in 2015, coming into effect on May 30, 2017.
These amendments established the Personal Information Protection Commission (PPC), an independent agency responsible for protecting the rights and interests of individuals and promoting the proper and effective use of personal data. In 2019, Japan became the first country to receive an adequacy decision from the European Commission, which reflects the country’s level of data protection compared to the EU’s legislation. The APPI is reviewed and updated every three years if necessary to address any technical developments, with the first review occurring in 2020 and resulting in further amendments that brought the APPI in line with the EU General Data Protection Regulation.
Ecommerce businesses, including those operating on Shopify, are required to comply with the APPI to protect their customers’ personal data and maintain their trust. Non-compliance with the APPI can have serious consequences, including fines and damage to reputation. Ensuring compliance with the APPI is, therefore, essential for the long-term success of a Shopify store.
Which businesses and organizations must comply with APPI?
APPI applies to all businesses that handle the personal data of individuals in Japan, regardless of their location. This includes businesses that offer goods and services in Japan as well as those with offices outside of the country. Similar to the EU’s General Data Protection Regulation (GDPR), APPI has extraterritorial reach. Before the 2017 amendments, APPI only applied to businesses with at least 5,000 identifiable individuals in their database for at least one day in the previous six months.
However, the 2017 amendments removed this restriction, making APPI applicable to all businesses that process personal data for business purposes, even those with small databases. Specific government organizations, including central government agencies, local governments, and independent administrative agencies, are exempt from APPI compliance.
Which types of personal information are covered by APPI?
The APPI divides protected data into two categories: personal information and “special care-required” personal information. Personal information includes personally identifiable information like names, dates of birth, and email addresses. It also includes numeric references that can be used to identify a specific individual, such as driver’s license numbers or passport numbers. “Special care-required” personal information is data that could be used to discriminate against or prejudice someone. Examples of this type of data include medical history, race, and religious beliefs.
Businesses must get the individual’s prior consent before processing “special care-required” personal information. Anonymized data, which cannot be used to identify individuals, is not subject to the same strict rules as personal information. Pseudonymously processed information, which relates to an individual but cannot identify them without additional data, can be used by businesses for internal purposes such as business analytics and the development of computational models.
Data subjects rights
Under the APPI, individuals have the right to request information about the use of their personal data from businesses that handle it. They can also request access to, correction of, or suspension of their personal information and submit complaints about its handling.
The 2020 amendments to the APPI expanded the circumstances under which individuals can request the deletion or suspension of their personal information, including in cases of potential violations of their rights or legitimate interests and in situations where the information is being transferred to third parties that do not meet APPI requirements. Data subjects may now also request information in both digital and hardcopy formats and have the right to take legal action against businesses that do not respond to their APPI-based requests within two weeks.
Business operators’ obligations under APPI
Required data breach notifications under APPI
Japan has made it a requirement for businesses to notify both the Personal Information Protection Commission (PPC) and affected individuals of data breaches that may compromise their rights and interests. In the event of a breach, companies must file an initial report to the PPC as soon as possible, followed by a secondary report detailing the causes and remediation actions taken.
If direct notification of impacted individuals is impractical, businesses may make a public announcement and establish an office to handle inquiries. These data breach notification requirements are a new addition to the Act on the Protection of Personal Information (APPI) following amendments made in 2020.
Data transfer requirements under APPI
Under the APPI, data transfers to third parties within Japan are now restricted. Previously, companies were able to transfer data without consent as long as certain information was provided to the PPC and the data subject did not choose to opt-out of the transfer. However, the 2020 Amendments eliminated the opt-out exception for third-party transfers. This means that companies can no longer transfer personal data collected through deceitful or improper means or continue to transfer personal information based on the previous opt-out exception. If a company wishes to continue transferring that data, it must obtain direct consent from the data subject.
Exceptions to this rule include situations in which the transfer of personal information is in the public interest, such as for national security, legal matters, or public health concerns. Providers that process data for a business operator are not treated as third parties if they are based in Japan. In these cases, business operators can transfer data to them at their own discretion as long as the processing being conducted falls within the scope of the purpose for which the personal information was collected.
For data transfers outside of Japan, the APPI places restrictions on these transfers. They are only allowed to take place if the overseas recipients are located in countries that provide an adequate level of data protection equivalent to Japan or if contractual agreements have been signed with the overseas recipients to ensure compliance with data protection standards in Japan. Alternatively, transfers can take place if the data subject whose personal information is being transferred has given prior consent for the transfer.
Consequences of data breaches under APPI
Penalties for non-compliance with APPI have been increased under the 2020 amendments. The maximum fine that an organization may incur has been raised to JPY 100 million (approximately $815,000). At the same time, individuals may face imprisonment for up to a year or fines of up to JPY 1 million (approximately $8,150). False reporting to the Personal Information Protection Commission (PPC) is also subject to fines of up to JPY 500,000 (approximately $4,000).
Ensure you have the correct legal notices in place for your online store
Ecommerce store operation involves various legal requirements, including data protection measures and policies. Ensuring that your online business is in compliance with the necessary legal framework is crucial for the successful operation of your Shopify account. This may involve completing specific legal steps.
APPI compliance checklist for Shopify stores
Implement a consent banner that complies with APPI standards
Set up a system for managing data subject requests, including allowing users to view, download, and delete their data
Ensure that tracking scripts and cookies do not start before obtaining user consent
Provide a way for users to withdraw consent
Provide clear and easily accessible information about data protection practices to users
Only share personal data with third parties with user consent or as required by law
Implement internal policies and procedures for handling personal data, and train employees on these policies
Conduct regular audits or reviews of data protection practices to ensure compliance with APPI
If a data breach occurs, notify the Personal Information Protection Commission and affected data subjects as required by law
Ensure that personal data is only transferred to third parties in countries with adequate data protection or with the appropriate contractual agreements in place, or with the consent of the data subject
Implement cybersecurity measures and physical safeguards to protect personal data from unauthorized access, use, or disclosure
Be prepared to handle data subject requests and respond to them in a timely and accurate manner
Comply with all requirements for transferring personal data to external service providers and third parties within Japan
Avoid collecting personal data by deceitful or improper means and obtaining direct consent for data transfers if the previous opt-out exception is no longer valid
Follow all requirements for transferring personal data outside of Japan, including obtaining the consent of the data subject or ensuring that the recipient has an adequate level of data protection
Avoid submitting false reports to the Personal Information Protection Commission
Be aware of the potential fines and penalties for non-compliance with APPI, including the maximum fine of ¥100 million for businesses and fines or imprisonment of up to a year for individuals.
Be APPI compliant
The Pandectes GDPR Compliance is a popular Shopify application that helps eCommerce businesses comply with data protection laws worldwide. The application is designed specifically for businesses that run on Shopify and provides a range of tools and resources to help merchants meet the requirements of the General Data Protection Regulation (GDPR) and other data protection laws. In addition to assisting businesses to comply with data protection laws, the Pandectes GDPR Compliance also provides resources and guidance on best practices for protecting personal data and maintaining compliance on an ongoing basis.
In conclusion, the Act on the Protection of Personal Information (APPI) is Japan’s comprehensive data protection law that applies to all business operators that handle the personal data of individuals in Japan. The law was updated in 2017 and 2020 to bring it in closer alignment with the EU General Data Protection Regulation (GDPR) and to address the latest technical developments in data protection.
Ensuring compliance with APPI is essential for businesses operating in Japan. The Pandectes GDPR Compliance is a popular Shopify application that can help your eCommerce business running on Shopify meet its data protection obligations worldwide.