Japan's Act on the Protection of Personal Information | APPI
The Trust Challenge

Key obligations and consequences

The APPI does not use the terms "controller" or "processor". A business operator handling personal information (a "handling operator") is nonetheless comparable to a controller or a processor in that it is subject to obligations to protect personal information.

The obligation to cease using, or to erase, retained personal data at the principal's request does not apply where doing so would be excessively costly or otherwise difficult and the handling operator takes the necessary alternative measures to protect the principal's rights and interests.

The APPI sets no special rules for the handling of children's personal data. On consent capacity, the PPC guidelines clarify that, where a minor principal under the age of 18 is not capable of understanding the consequences of consent, the consent of a statutory representative (parent or guardian) must be obtained wherever the principal's consent is required under the APPI.

A handling operator must take necessary and proper measures for the security control of personal data, including measures to prevent its leakage, loss or damage (APPI, Article 23).

The Trust Challenge

Key Challenges in brief:

International data transfers

With some exceptions prescribed in the APPI, the principal's prior consent is required for the provision of personal information to a third party. The previous APPI had no specific provision on international transfers. To deal with the globalization of data flows, the APPI now requires the principal's consent to the transfer of personal data to a third party in a foreign country, except in the following cases:

  • The recipient has established a system conforming to the standards set by the PPC rules for handling personal data in a manner equivalent to a handling operator in Japan (i.e., proper and reasonable measures taken in accordance with the provisions of the APPI, or accreditation as a recipient of personal data under an international framework for the protection of personal information, such as certification under the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules).
  • The recipient is in a foreign country that the PPC rules recognise as having a personal information protection system with standards equivalent to Japan's for the protection of individuals' rights and interests. Since 23 January 2019 the EU has been recognised as providing the same level of protection of personal data as Japan. The PPC reviews this designation within two years of its adoption, every four years thereafter, and at any time it considers necessary.

Data security breach notification

There is no express provision in the APPI creating an obligation to notify data subjects or the PPC in the event of a data security breach. The APPI Guidelines instead state that the actions to be taken in response to a data breach are set out separately, and the PPC has set out the following desirable actions:

  • Internal reporting of the breach and measures to prevent the damage from spreading.
  • Investigation of the cause of the breach.
  • Confirmation of the scope of those affected.
  • Consideration and implementation of preventive measures.
  • Notification of each person whose personal information is affected.
  • Prompt public announcement of the facts of the breach and the preventive measures to be taken.
  • Prompt notification of the PPC of the facts of the breach and the preventive measures to be taken, except where the breach has caused no actual, or only minor, harm (e.g., misdirected faxes or emails containing no personal data other than the names of the sender and recipient).

Note that the 2020 amendment, in force since 1 April 2022, turns part of this guidance into law: leaks of specified kinds (for example, those involving sensitive personal information or affecting more than 1,000 principals) must be reported to the PPC and notified to the affected principals.

Enhancement of data subject rights

The 2020 amendment to the APPI:

  • Entitles a data subject to require a handling operator to cease using personal data where the operator no longer needs it, where the data has been leaked, or where the data subject's rights or interests may otherwise be harmed.
  • Entitles a data subject to request disclosure of the records a handling operator keeps of its provision of the data subject's personal data to third parties.
  • Entitles a data subject to designate the method by which retained personal data is disclosed to them.


Win-Win Situation

Solutions

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence), discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. TurtleShield DI (Data Inventory) enables organizations to inventory and map their entire data footprint, so they can protect what matters most.

Third-party Privacy Intelligence (monitoring third-party sharing): Silos between entities, and between business and IT teams, make it hard to get a full picture of the data leaving and entering the organization, especially when it is shared with third parties, vendors and business partners. TurtleShield PI (Privacy Intelligence) creates a data map based on your data sharing so you can act on it.

Data minimization: TurtleShield DM (Data Minimization) helps businesses reduce excess data and adhere to the data minimization principle. It is a data hygiene control approached from a risk reduction and compliance perspective: we scan large data sets with machine learning to find excess data, including personal data. Removing unwanted data reduces operational inefficiency and the cost, including the legal cost, of holding it under regulatory compliance obligations.

Right to be Forgotten (RTBF) with assured deletion: TurtleShield RTBF (Right to Be Forgotten) gives businesses the capability to comply with mandatory deletion of personal data by deleting the data on request and validating that the deletion took place.

Data subject rights with cost savings and complete compliance: Search across large data sets fulfils data subject requests completely and quickly. The assumption that customer data exists only in databases rarely holds; it lives in many sources. Using machine learning and AI, we crawl across data sources and predict where PII may exist.
