Overview of the Act on the Protection of Personal Information of Japan in light of its Amendment coming into effect on April 1, 2022

The Amendment to the Act on the Protection of Personal Information of Japan that was promulgated in June 2020 (the “Amended APPI” or “APPI”) (*1) will take effect on April 1, 2022.

The APPI is applicable not only to business operators handling personal information in Japan but also to foreign business operators (even those with no base/entity in Japan) who acquire personal information in relation to the supply of goods or services to individuals in Japan, even if they handle such personal information in a country outside Japan. For example, the APPI is applicable to foreign data processors who handle the personal data of Japanese users received through a service provided to such Japanese users by a Japanese business operator, since such handling of personal data is related to the provision of goods or services to Japanese users. After the Amended APPI comes into force, all of the regulations thereunder will be applicable to such business operators outside Japan.

Although compliance with the APPI has a great impact on business operators handling the personal information of individuals in Japan, very few official English translations and explanations are published by the supervisory authority of the APPI, the Personal Information Protection Commission (the “PPC”). Even the English translation of the Amended APPI posted on the PPC website (*2) is only a tentative translation (the “Tentative Translation”); its Article numbers are those of the previous legislative bill, and it does not yet reflect the officially promulgated Amended APPI.

The following is an overview of what needs to be considered by business operators handling personal information in terms of complying with the APPI, such as preparing or revising their privacy policies, internal policies on personal information protection and measures taken to protect personal information. As all business operators need to comply with the APPI regardless of the amount of personal information they hold, virtually every business that hires employees in Japan or otherwise handles a list of individuals residing in Japan for its business in Japan is required to make certain preparations for the coming into effect of the Amended APPI.

Please note that the Article numbers of the APPI indicated in this article are those of the Amended APPI coming into effect this April, unless specifically noted otherwise.

Definitions

Under the APPI, “Personal Information” is defined as information: (i) related to a living individual that can be used to identify a specific individual by name, date of birth or other description contained in such information, whether written, recorded or otherwise expressed using voice, movement or other methods in documents, drawings or electronic records; or (ii) containing an individual identification code. Information that, by itself, is not personally identifiable, but which may be easily linked to other information and thereby used to identify a specific individual is also regarded as Personal Information.

“Individual Identification Code” is defined as any character, letter, number, symbol or other code (as prescribed by the Cabinet Order): (i) that is converted from a partial bodily feature of a specific individual so that it may be used with a computer, and that can identify the specific individual, such as fingerprint data or facial recognition data; or (ii) that is officially allocated to an individual, or that is recorded in cards or other documents issued to an individual or in electromagnetic format, and that can identify the applicable individual through the allocation of such code, or the like, so as to differentiate among the applicable individuals, such as a driver’s license number or a passport number.

Another important definition under the APPI is “Personal Data,” which is defined as Personal Information comprising a Personal Information Database, meaning a collective body of information comprising Personal Information that is systematically organized so that particular Personal Information can be easily searched for (manually or electronically).

Acquisition and Use

Business operators who handle Personal Information must specify the purposes of use thereof and must not, without obtaining the data subjects’ consent in advance, handle such Personal Information beyond the scope necessary to achieve such purposes. Further, business operators who acquire and use Personal Information must promptly notify the data subjects of, or disclose to the public, the purposes of use thereof, unless they have already been disclosed, such as in their privacy policies.

In this regard, the latest General Guidelines make it clear that a business operator must make available information on how the Personal Information will be processed and on whether the Personal Information obtained will be used to analyze the behavior or interest of the data subject, so that the data subject will be able to predict or imagine how their information will be handled. Some of the examples given are as follows:

Example 1
Purpose of Use not Sufficiently Identified: “Information obtained will be used to distribute advertisements.”
Purpose of Use Identified: “Information obtained will be used to distribute advertisements with respect to new products and services relevant to the likes and tendencies achieved by analyzing information such as view and purchase history obtained.”

Example 2
Purpose of Use not Sufficiently Identified: “Information obtained will be transferred to third parties.”
Purpose of Use Identified: “Information such as behavior history obtained will be analyzed and the results will be scored, and such scores will be provided to third parties.”

Security Control Measures

Business operators who handle Personal Data must take necessary and appropriate security control measures for Personal Data, including preventing any leakage, loss or damage.

According to the General Guidelines, examples of the systems and measures to be implemented by the business operator for the secure handling of Retained Personal Data are as set forth below (system / measure to be implemented, followed by examples of such systems and measures):

Basic Policies
- Drafting basic policies on the handling of Personal Data in line with the relevant laws, regulations and guidelines

Rules for Handling Personal Data
- Implementation of internal rules on the collection, use, transfer and deletion of Personal Data, the methods thereof, and the persons in charge and their duties; and periodic reevaluation of the same

Organizational Security Measures
- Appointment of persons in charge and definition of their duties
- Implementation of reporting lines for when any data breach is detected
- Methods of periodic verification and audits

Personnel Security Measures
- Educating employees via periodic training
- Ensuring awareness of confidentiality obligations

Physical Security Measures
- Zoning of areas handling Personal Data
- Measures for prevention of theft
- Deletion and destruction of Personal Data

Technical Security Measures
- Access control
- Measures for the prevention of unauthorized access

Understanding the External Environment (*3)(*4)
- Taking security measures in light of the Personal Data regulations of the relevant foreign country if Personal Data is handled in a foreign country

Further, business operators must exercise necessary and appropriate supervision over their employees who handle Personal Data so as to seek the security control of the Personal Data, such as having appropriate internal policies and training.

Similarly, business operators must exercise necessary and appropriate supervision over their outsourcees/subcontractors (entrustees) to which they entrust handling of Personal Data so as to seek the security control thereof, such as appropriately selecting such entrustees, entering into appropriate contracts, and monitoring them, to ensure that they take appropriate security measures.

(*3) This is necessary if Personal Data will be handled in a foreign country, such as by foreign branches or by employees working abroad remotely and handling Personal Data of the business operator, or if Personal Data is stored on a server located in a foreign country.
(*4) Even if Personal Data will be provided to cloud services offered by foreign companies, the transfer of Personal Data to such a foreign company will not be deemed a transfer to a third party outside Japan if the cloud service provider does not have access to the Personal Data. However, it is necessary to make available the name of the country in which such service provider is located, the country in which the server storing the Personal Data is located, the personal data regulations of such foreign countries and the measures taken by the service provider.

Reporting and Notice of Data Breaches

Under the APPI, business operators will be under the obligation to promptly report certain types of data breaches to the PPC and to notify the affected data subjects. The data breaches that must be reported or notified are those set forth by the Enforcement Rules as posing a great risk of violating the rights and interests of the data subjects, such as those involving Sensitive Personal Information (including information regarding one’s race, medical history and criminal record; please see Section 6 below for more details), those which may cause damage to one’s property, those that may have been caused for illicit or abusive purposes, and those involving the divulgence of Personal Data of more than 1,000 data subjects.

Although the timing in which business operators will need to report or notify depends on the individual case, the General Guidelines provide a rough threshold of within 3 to 5 days after the day on which any department within a business operator notices the incident as meeting the requirement of a “prompt” report, at least on a preliminary reporting basis, and within 30 days (60 days for cases that may have been caused for illicit or abusive purposes) for the final report.

As such, business operators must be prepared to be able to provide such reporting and notices within such timeframes by reviewing their internal process for handling data breach incidents and training employees so that they may act in accordance with their internal policies.

Provision to Third Parties

In general, business operators must not provide Personal Data to a third party without obtaining prior consent from the data subjects, unless certain exceptions apply (*5). However, the following situations are not deemed to constitute the provision of Personal Data to third parties under the APPI, and accordingly business operators are not required to obtain the data subjects’ consent for such transfers:

(i) Business operators entrusting (outsourcing) the handling of Personal Data in whole or in part within the scope necessary to achieve the purposes of use of the Personal Data (as specified and notified or disclosed to the relevant data subject);
(ii) Personal Data being provided as part of a business succession caused by an acquisition, merger or other similar reason; or
(iii) Personal Data being jointly used with a specified entity by informing the relevant data subjects (or disclosing it in a manner where the data subjects can become easily aware of such joint use) of certain prescribed facts, such as the fact of such joint use, the categories of the jointly used Personal Data, the scope of the joint users, the joint users’ purpose for such joint use, and the name of the entity responsible from among the entities jointly using Personal Data, its address and the name of its representative.

(*5) For example, pursuant to the laws or regulations or as necessary to protect life, limb and property.

Sensitive Personal Information

Under the APPI, it is generally prohibited to acquire Sensitive Personal Information (such term is referred to in the Tentative Translation as “special care-required personal information”), which includes race, creed, social status, medical history, criminal record, physical / intellectual / mental / developmental disabilities, medical check-up or other examination results, guidance for improvement of mental/physical conditions, medical care and/or prescriptions, and the fact of arrest, detention or other criminal procedures as a suspect or defendant, without obtaining consent from the relevant data subject in advance. Since it is not required that such consent be explicit, such consent is deemed to have been obtained if the Sensitive Personal Information is received from the relevant data subjects themselves. On the other hand, for example, collecting Sensitive Personal Information posted on the Internet by an unauthorized person and storing such information as part of the information of the relevant data subject is prohibited.

Further, as explained in Section 14 below, Sensitive Personal Information is not to be provided to third parties by using an opt-out mechanism; however, Sensitive Personal Information may be received by third parties within the scope of entrustment, business transfers (M&As), or joint use, without needing to obtain the consent of the relevant data subject, as stated in Section 5 above.

Record-Keeping Obligations upon Provision to Third Parties

Under the APPI, when transferring Personal Data to third parties, both the transferor and transferee (recipient) are required to keep records about the transfer (the “Record-Keeping Obligations”). These records are expected to be useful when a data breach occurs by enabling the data subjects to track the route of the data leakage.

Namely, business operators are required to: (i) keep records on the items set forth in the first chart below when they have provided Personal Data to a third party (excluding cases falling under certain exceptions (based on laws, etc.) and provision within the scope of entrustment, business transfers or joint use as stated in Section 5 above, although the Record-Keeping Obligations may apply if Personal Data is transferred outside Japan even within the scope of entrustment, business transfers or joint use); and (ii) confirm and keep records on the items set forth in the second chart below when they have received Personal Data from a third party:

Record-Keeping Obligations upon Provision to Third Parties (for Transferors/Providers)
Chart columns: Provision under Opt-Out Mechanism; Provision by Obtaining Consent of the Relevant Data Subject
Items to be recorded (as applicable to each type of provision):
- Date of Provision
- Recipient’s Name, etc.
- Relevant Data Subject’s Name, etc.
- Categories of Personal Data
- Fact that Consent of Relevant Data Subjects Has Been Obtained

Confirmation and Record-Keeping Obligations upon Provision to Third Parties (for Transferees/Recipients)
Chart columns: Provision under Opt-Out Mechanism; Provision by Obtaining Consent of the Relevant Data Subject
Items to be confirmed and/or recorded (as applicable to each type of provision):
- Date of Provision
- Provider’s Name, Address, Representative’s Name, etc. (Confirmation Obligation)
- Circumstances of Acquisition from Provider (Confirmation Obligation)
- Relevant Data Subject’s Name, etc.
- Categories of Personal Data
- Fact of Disclosure by PPC
- Fact that Consent of Relevant Data Subjects Has Been Obtained

Further, the transferor and transferee (recipient) must retain such records of transfer for a certain period of time.

Disclosure of Information

The APPI currently in effect (the “Current APPI”) requires that business operators either disclose, or respond without delay to any inquiries made by a data subject with respect to, matters such as the name of the business operator and the purposes of use of the Retained Personal Data. Retained Personal Data is defined as Personal Data which a business operator has the authority to disclose, correct, add to or delete the contents of, cease the utilization of, erase, and cease the third-party provision of, but excluding Personal Data which is likely to harm the public or other interests if its presence or absence is made known. In this regard, the Amended APPI adds further items that need to be made available to data subjects, such as the address and name of the representative of the business operator, more detailed information on the purposes of use of the Retained Personal Data, and the security measures implemented by the business operator in handling Retained Personal Data (except for matters which may hinder the security measures if made known to the data subjects). These regulations are added in order for the data subjects to be able to understand how their Personal Information is being handled.

For such purposes, business operators must provide such information on their website, or in their privacy policies, etc., or otherwise be prepared to respond to any inquiries on the above points in a prompt manner. According to the General Guidelines, a business operator may set forth its basic policies about its security measures on its website, and promptly provide additional relevant details when requested by the data subjects. It is to be noted that a mere statement as a disclosure or response that “the company is taking security measures in line with the General Guidelines” will not be deemed a sufficient disclosure or response.

According to the General Guidelines, the matters that may be made available to the data subjects as measures taken by the business operator for the secure handling of Retained Personal Data are those as stated in Section 3 above.

The Rights of Data Subjects to Request Disclosure and Suspension of Use, Etc.

While data subjects have certain rights under the Current APPI, such as the right to request the disclosure or correction of Retained Personal Data, or the right to request that the utilization, disclosure and transfer of the Retained Personal Data be stopped, the Amended APPI reinforces such rights. Under the Current APPI, business operators are not required to honor such request if they do not possess the Personal Data for more than six (6) months, but such exemption will no longer apply under the Amended APPI, and business operators will need to comply with such requests regardless of the retention period of the Retained Personal Data.

Under the Amended APPI, it will be necessary to accommodate data subjects so that they are able to select the method in which their data will be disclosed from amongst written form, digital records (such as by attaching the digital record and sending the same via email) or other methods designated by the business operator. As such, business operators may provide the available methods of disclosure in their privacy policies.

Under the Amended APPI, records made under the Record-Keeping Obligations are also subject to the rights of data subjects to request disclosure. Therefore, business operators need to be ready to disclose such records in a prompt manner when requested by the data subjects, by confirming the flow under which such requests are processed within the business operator.

While the Current APPI allows data subjects to request a business operator to delete, or cease the utilization or transfer to third parties of, the Retained Personal Data only when those actions are being performed in violation of the APPI (*6), after the Amended APPI takes effect, data subjects may request that their Retained Personal Data be deleted when the business operator no longer needs to use the same. Data subjects may also ask the business operator to delete or stop using their Retained Personal Data if a data breach occurs or there is a possibility that the rights of the data subject may be infringed. Since it is possible that such requests will increase due to the expansion of data subjects’ rights, it will be necessary for business operators to consider how, and the extent to which, such requests will be processed or honored internally.

(*6) Pursuant to the Current APPI, such as to: (i) cease utilization or delete when Retained Personal Data is used in violation of Article 16 (Restriction Due to a Utilization Purpose) or obtained in violation of Article 17 (Proper Acquisition); (ii) cease the transfer of Retained Personal Data to third parties when such data is transferred in violation of Article 23.1 (Restriction on Third-Party Provision) or Article 24 (Restriction on Provision to a Third Party in a Foreign Country) (all articles referred to in this sentence are the articles of the Current APPI).

Provision of Personal Data to Third Parties Located Outside Japan

Under the amendment which came into effect in 2017 (the Current APPI), business operators who transfer Personal Data to third parties outside Japan are basically under the obligation to obtain consent from the data subjects after informing them of the fact that the third-party transferee is located in a foreign country, unless certain exceptions (*7) apply. This is also true for when the third parties receive such Personal Data within the scope of entrustment, business transfer, or joint use, although business operators may transfer Personal Data to domestic third parties within Japan without the data subjects’ consent, if this is within the scope of the entrustment, business transfer, or joint use. However, there are certain transfers that are exempted from this obligation, such as transfers to recipients who are obligated to comply with the equivalent or comparable rules as those under the APPI by way of contracts with the disclosing party or policies put in place among group companies and have put in place necessary systems for taking appropriate measures with respect to personal information on a continuous basis (“Appropriate Measures”). Transfers to countries belonging to the EU/EEA or the United Kingdom are also exempted, as such countries have been approved as having the same level of personal information protection systems in place as Japan.

The Amended APPI will further impose the following obligations on business operators providing Personal Data to third parties located outside Japan.

Business operators must provide certain relevant information when obtaining consent from the data subject, such as: (i) the name of the country to which the Personal Data will be transferred; (ii) information on the data privacy regulations of such foreign country; and (iii) the security measures implemented by the third-party transferee. The purpose of this regulation is to enable data subjects to determine whether or not to give consent after knowing the extent of protection their personal information may be afforded in the country to which such personal information will be transferred. Information on the privacy regulations of major countries is provided on the PPC website (*8).

If Personal Data is transferred not by way of obtaining the consent of the data subject but by taking Appropriate Measures, the transferor business operators must put in place necessary measures such as to periodically confirm that the third-party transferee is taking Appropriate Measures on a continuous basis. It is also necessary for transferors to confirm any changes to the data privacy regulations of the foreign country which may affect the Appropriate Measures to be taken by the third-party transferees, and further take necessary measures such as requesting corrective measures to be taken by the third party transferee or suspending the provision of Personal Data when any issues arise in the implementation of the Appropriate Measures, in order to resolve such issues. Further, it is necessary to provide the data subject with information on the necessary measures taken when requested by the data subject.

Although business operators transferring Personal Data to domestic third parties in Japan within the scope of entrustment, business transfer or joint use are exempt from the Record-Keeping Obligations, business operators transferring Personal Data outside Japan within the scope of entrustment, business transfer or joint use by obtaining the data subject’s consent (i.e., to countries other than in the EU/EEA or the UK, or without implementing the Appropriate Measures) must comply with the Record-Keeping Obligations under the APPI, and such records will be subject to the rights of data subjects to request disclosure after the Amended APPI comes into effect.

(*7) For example, pursuant to the laws or regulations or as necessary to protect life, limb and property.
(*8) Investigation on the Data Privacy Regulations of Countries Outside Japan
(https://www.ppc.go.jp/personalinfo/legal/kaiseihogohou/#gaikoku)

Personally Referable Information

Under the Amended APPI, Personally Referable Information (“PRI”) is defined as information relating to a living individual that does not fall under the definitions of Personal Information, Pseudonymized Information, or Anonymized Information as defined in the APPI. Information related to individuals such as: (i) browsing history collected by cookie data, etc.; (ii) age, gender or family structure associated with a personal email address; (iii) service use history; (iv) location data; (v) information which indicates personal interests, that cannot identify an individual (i.e., items that do not fall under the definition of Personal Information), are generally considered to fall under the definition of PRI. Please note that the APPI defines Personal Information as “information about a living individual which can identify the specific individual by name, date of birth or other description contained in such information (including such information as will allow easy reference to other information and will thereby enable the identification of the specific individual).” Thus, Personal Information includes any and all information so long as such information is linked to information which enables the identification of the specific individual. As a result, for example, browsing history linked to registration information such as names would constitute Personal Information, but not PRI.

Under the Current APPI, a business operator may transfer non-Personal Data (i.e., PRI under the Amended APPI) to a third party even if the business operator is aware that such data will become Personal Data to the transferee. However, after the Amended APPI takes effect, the business operator transferring the PRI on the basis of knowing or assuming that the PRI is to become Personal Data on the part of the transferee must first confirm that the transferee has obtained consent from the data subjects when it is disclosing PRI (*9) . In addition, the provider and transferee must keep internal records of such transfer and retain such records for a certain period of time.

In addition, if the transferee is a third party located outside Japan, the transferor must confirm that the following information has been provided to the data subjects: (i) the name of the country to which the PRI will be transferred; (ii) information regarding the personal data regulations of the country to which the PRI will be transferred; and (iii) the measures taken by the transferee in such country to protect personal information, unless a certain exemption applies.

For those business operators that intend to obtain PRI from a third party to be used as Personal Data, it will be necessary to obtain the consent of the data subject that the PRI will be received by the business operator as Personal Data in an explicit manner, such as by having the data subject click on the check box giving consent. It will also be necessary to review the business operator’s privacy policies to check if they properly disclose the purposes of use of the PRI obtained as Personal Data, and it is recommended that such purposes of use be indicated to the data subjects when obtaining their consent. Such business operator will also be subject to the obligation to keep internal records of the transfer and to retain such records for a certain period of time.

(*9) It is possible for the transferor to obtain consent from the data subject on the transferee’s behalf if the same level of protection is afforded to the rights and interests of the data subject.

Anonymized Information

The amendment to the APPI in 2017 (the Current APPI) introduced the concept of “Anonymized Information” (tokumeikakojoho) (such term is referred to in the Tentative Translation as “anonymously processed information”); namely, information relating to an individual that can be produced from processing Personal Information so that one can neither identify a specific individual by taking certain prescribed action nor restore such Personal Information. Anonymized Information that complies with the requirements of the techniques and processes for anonymization under the APPI is not considered to be Personal Information; therefore, no consent is required to transfer Anonymized Information to third parties or to use the same for any purpose other than the purposes of use specified for the Personal Information.

However, business operators which produce Anonymized Information must publicly announce the categories of information related to individuals contained in such Anonymized Information. Further, in order to transfer Anonymized Information to third parties, it is necessary to publicly announce, prior to the transfer: (i) the items of information related to the individual within the Anonymized Information which will be provided to third parties; and (ii) the method through which such information will be provided. At the same time, it will also be necessary to notify such third party that the information being provided is Anonymized Information.

The Guidelines on Pseudonymized and Anonymized Information provide examples of how anonymization may be accomplished. For example, when using tentative IDs, it is better to use methods such as hash functions in addition to adding other descriptions (such as random digits) to the original data such as the name and address, to ensure that it is not possible to re-identify the original data.
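The following is an added illustration of the anonymization technique described in the Guidelines passage above; it is not code from the original article or from the PPC. It contrasts a tentative ID built from a bare hash of the name and address, which anyone who can guess those values can recompute, with one built from a hash over the original data plus random digits, where the random digits and the ID-to-name mapping are kept aside as separately secured information. The records, names and random digits are constructed sample data, and the function names are assumptions of this example.

```python
"""Tentative IDs for anonymization: bare hash vs. hash with random digits.

Added example, not from the original article or the PPC guidelines.
All records below are constructed sample data (not real people).
"""
import hashlib
import secrets
from typing import Dict, List, Tuple

# Constructed sample Personal Data; the same person appears twice.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Taro Yamada", "address": "1-1 Chiyoda, Tokyo", "purchase": "laptop"},
    {"name": "Hanako Sato", "address": "2-2 Kita, Osaka", "purchase": "book"},
    {"name": "Taro Yamada", "address": "1-1 Chiyoda, Tokyo", "purchase": "mouse"},
]


def naive_tentative_id(name: str, address: str) -> str:
    """Bare SHA-256 of name and address.

    Deterministic: anyone who can guess the original values can recompute
    the ID from the anonymized output alone, so this is not enough on its own.
    """
    return hashlib.sha256(f"{name}|{address}".encode("utf-8")).hexdigest()[:16]


def salted_tentative_id(name: str, address: str, random_digits: str) -> str:
    """SHA-256 over the original data plus random digits (a per-dataset salt).

    Without the random digits, recomputing the ID from a guessed name and
    address no longer works.
    """
    material = f"{name}|{address}|{random_digits}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()[:16]


def new_random_digits(length: int = 12) -> str:
    """Generate the random digits with a CSPRNG (assumed length of 12 digits)."""
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


def pseudonymize(records: List[Dict[str, str]], random_digits: str = None) -> Tuple[List[Dict[str, str]], Dict]:
    """Replace name/address with a tentative ID.

    Returns (anonymized records, deleted information). The deleted information
    (random digits and the ID -> original-data mapping) is what must be stored
    separately under security measures, or discarded if re-linking is not wanted.
    """
    if random_digits is None:
        random_digits = new_random_digits()
    output: List[Dict[str, str]] = []
    id_map: Dict[str, Tuple[str, str]] = {}
    for rec in records:
        tid = salted_tentative_id(rec["name"], rec["address"], random_digits)
        id_map[tid] = (rec["name"], rec["address"])
        # Keep only the non-identifying attributes plus the tentative ID.
        output.append({"tentative_id": tid, "purchase": rec["purchase"]})
    return output, {"random_digits": random_digits, "ids": id_map}


def recompute_from_guess(id_value: str, guessed_name: str, guessed_address: str,
                         random_digits: str = None) -> bool:
    """Defender-side check: does a guessed name/address reproduce this ID?

    Models what a party holding only the anonymized output could do. With the
    bare hash the answer is yes; with the random digits kept aside it is no.
    """
    if random_digits is None:
        return naive_tentative_id(guessed_name, guessed_address) == id_value
    return salted_tentative_id(guessed_name, guessed_address, random_digits) == id_value


if __name__ == "__main__":
    anonymized, deleted_info = pseudonymize(SAMPLE_RECORDS)
    for row in anonymized:
        print(row)
    # Re-linking is only possible with the separately stored deleted information.
    print("records linkable with deleted info:", len(deleted_info["ids"]))
```

Because the random digits here are a single per-dataset secret rather than a per-record value, the same person receives the same tentative ID and records stay linkable for analysis; if per-record linkability is not needed, fresh digits per record remove that property as well. A keyed construction such as HMAC-SHA256 serves the same role as "hash plus secret random digits" and is the more conventional way to express it.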

Please note that Anonymized Information as set forth under the APPI is a very limited concept, and will only be applicable in cases where such information is produced (anonymized) from processing Personal Information with the intention of producing Anonymized Information by certain means in compliance with the APPI, and in particular with the intention of handling such information as Anonymized Information under the APPI (such as for the purpose of transferring Anonymized Information to third parties or the purpose of using the same for any purpose other than the purposes of use specified at the collection of the Personal Information, without the consent of the data subject). Therefore, if a party deletes or replaces names in the Personal Data with other descriptions as part of its security control measures without the intention of producing Anonymized Information, such party will not be required to comply with the obligations described above. On the other hand, if each individual’s information contained in such Personal Data can still be used to identify a specific individual (whether or not by means whereby it may be easily linked to other information and thereby used to identify a specific individual), such information, even without each individual’s name, will still constitute and should be treated as Personal Data.

Pseudonymized Information

The Amended APPI will further introduce the concept of “Pseudonymized Information” (kameikakojoho), in furtherance of promoting innovation through the use of data.

While business operators have been required to abide by strict standards to anonymize Personal Information into “Anonymized Information,” Personal Information can instead be processed to become “Pseudonymized Information” by meeting less stringent standards, so long as such data is processed by deleting any reference to names, etc. so that it will not be possible to identify an individual without reference to other information. Roughly speaking, in order to qualify as Anonymized Information, it is necessary to anonymize Personal Information to the extent that it cannot be restored as Personal Information, whereas Pseudonymized Information may become personally identifiable by collating it with other information.

Pseudonymized Information may be used for purposes outside of the purposes for which the Personal Information was initially obtained, although it can only be used on an internal basis within the organization and may not be provided to third parties. Pseudonymized Information will also not be subject to the reporting and notification requirements, even in the case of data breach incidents, and will not be subject to requests for disclosure or suspension of use by data subjects, although it will still be necessary to take internal security measures with respect to the methods of processing and the names or other identifiers which were deleted (the “Deleted Information”).

Please note that, while Pseudonymized Information is usually Personal Information (as defined in the APPI), if business operators who receive Pseudonymized Information within the scope of entrustment, joint use, etc. do not have the Deleted Information, such Pseudonymized Information may be non-Personal Information. Business operators who use Pseudonymized Information that is also Personal Information for purposes of use that are not already indicated in their privacy policies are under certain obligations, such as the need to disclose such additional purposes of use. Further, when handling Pseudonymized Information, business operators are under certain obligations such as the need to implement security measures for the Deleted Information, and the prohibition on identifying data subjects.

Opt-Out Regulations

Under the APPI, business operators who provide Personal Data to third parties under an opt-out mechanism are required to submit a notification of certain matters to the PPC. The “opt-out mechanism” is a special exception provided under the APPI allowing for the provision of Personal Data (excluding Sensitive Personal Information) to third parties without obtaining the data subject’s consent, provided that such business operators are prepared to cease such provision upon request from the relevant data subject and that certain information regarding such provision is notified or made easily accessible to the data subject, such as by posting on the business operator’s website, prior to such provision. In Japan, use of the opt-out mechanism is not particularly popular, as data subjects are often said to feel uneasy about their Personal Information being provided to third parties without their consent. The Amended APPI reinforces such regulations by prohibiting the transfer to third parties of not only Sensitive Personal Information but also Personal Data obtained by fraudulent means and Personal Data obtained from third parties by way of an opt-out mechanism without obtaining the prior consent of the data subject.

Penalties and Jurisdictional Reach

The APPI is applicable to all entities that use Personal Data for their business in Japan, and most of the regulations under the APPI are also applicable to businesses outside Japan if they collect Personal Information from data subjects in Japan and use the Personal Data in relation to the sale of products or the provision of services to such data subjects. However, under the Current APPI, some provisions relating to the supervisory power of the PPC, such as requiring reports, conducting on-site inspections, or ordering certain actions, do not apply to such foreign businesses.

However, under the Amended APPI, all of the provisions of the APPI will be applicable to such foreign businesses. For example, the PPC will be empowered to: (i) order business operators to submit necessary information to the PPC; (ii) perform on-site inspections; (iii) provide instructions and advice; (iv) hand down a corrective order if a foreign business violates the APPI; and (v) make a public announcement if such orders are not complied with.

In addition, the Amended APPI expands the scope of applicability of the APPI to foreign businesses. Under the Amended APPI, the APPI is applicable not only to businesses outside Japan who collect personal information directly from data subjects in Japan, but also to those who collect personal information indirectly from data subjects in Japan. Thus, for example, the APPI is applicable to a foreign data processor who handles the Personal Data of Japanese users received through a service provided to Japanese users and operated by a Japanese business operator.

The penalties for breach have been raised considerably, and the maximum fine for corporations has increased to JPY 100,000,000 (*10), up from JPY 500,000 under the Current APPI.

(*10) Note that this amendment has been in force from December 2020.

Other items not covered in this letter

The above provides an overview of the APPI; however, there are other matters not covered in this letter. The details should be confirmed by referring to the APPI and its guidelines, and by consulting legal advisors on the issues that need to be considered for each company or case.