URL: https://cheq.ai/blog/appi-vs-gdpr/
Submission: On March 27 via manual from IL — Scanned from DE

APPI VS. GDPR: COMPARING JAPAN’S PRIVACY LAW TO THE EU REGULATION

Author: Jeffrey Edwards

Educational Content | December 28, 2022





WHAT IS THE APPI?

The Act on the Protection of Personal Information (APPI) is Japan’s main data
protection law, enforced by the Personal Information Protection Commission
(PPC). It was originally written in 2003 but is formally reviewed every three
years to identify rules that need tightening or clarifying. This often leads to
revisions of the law, sometimes substantial.

For example, the 2017 revisions removed an exemption for people and businesses
that handled data about 5,000 people or fewer. They also created a new category
of “special care” data with extra protection.

The most recent revisions passed Japan’s parliament in 2020 and took effect on 1
April 2022. The main changes are:

 * To remove any restrictions on the APPI applying outside of Japan.
 * To require businesses to disclose when they send data outside of Japan and to
   take steps to make sure it remains protected.
 * To extend the law’s reach to cover pseudonymously processed data.
 * To require mandatory notification of data breaches meeting certain
   characteristics. These include breaches that involve sensitive data, data
   covering more than 1,000 people, and suspected cyberattacks or other
   criminally-motivated breaches.

The law is enforced by the Personal Information Protection Commission (PPC).


WHAT ARE THE APPI’S GOALS?

Although the APPI was one of the earliest national data protection laws, it
arguably takes a softer touch approach than some similar laws, particularly in
its original form.

For example, with most personal data, the APPI emphasizes businesses keeping
data secure and informing data subjects about handling, rather than having to
get permission or use another legal justification to handle data.

The penalty regime arguably puts more emphasis on public standing and “doing the
right thing” than force and punishment. For example, fines rarely follow a
breach itself. Instead, the PPC has the power to order a business to take action
or make changes after a breach and it’s the failure to comply with this order
that leads to financial penalties.

Those penalties are punitive rather than monetary: the idea of the business
paying compensation to customers (for example, after a data breach) is a strong
cultural expectation rather than something forced by law.

Struggling with consent management and compliance? CHEQ can help. Schedule a
demo today.


WHAT RIGHTS DOES THE APPI ESTABLISH FOR DATA SUBJECTS?

Japan has an established general right to privacy, which the APPI aims to uphold
and strengthen. It also specifically gives data subjects the following rights:

 * To access (know about) the personal information a business handles about them
   and to get a copy of the information.
 * To correct any errors in the information. There’s no specific right to have
   information deleted unless this is the only way to correct an error.
 * To demand a business stop handling any data that was obtained in a way that
   breached the APPI.
 * To complain to the PPC about alleged breaches of the APPI.

There’s no specific right to restrict data handling or to object to either
marketing itself or using personal information for marketing. A separate law
restricts the ways you can send unsolicited emails.


WHAT IS THE SCOPE OF THE APPI?

The APPI addresses individuals or businesses handling the personal information
of people in Japan in a business context.


MATERIAL SCOPE

The APPI applies to cases of handling personal information. Handling is
interpreted the same way as “processing” in laws such as the GDPR and covers any
use of personal information, including collecting, holding, and transferring to
a third party.

With the 2020 update, the rules vary slightly where some steps have been taken
to anonymize data. Data is classed as “pseudonymously processed” when it has
been stripped of any information that directly identifies a person or could
cause financial risk if exposed (such as credit card numbers.) Once data is
pseudonymous:

 * Businesses can use the data for a purpose other than the originally stated
   reason for handling it.
 * The data breach notification rules don’t apply.
 * The rights of the data subject to access or correct the data don’t apply.

The APPI classifies data as completely anonymized if there’s no way it could be
linked to an individual, even when combined with other data. Anonymized data is
exempt from all the APPI’s measures. However, businesses should publicly detail
the types of information they handle in an anonymized form.


TERRITORIAL SCOPE

The APPI applies to anyone who handles personal information about somebody in
Japan in a business context.

For a business based outside of Japan, the rules have changed with the 2020
revision. Under the new rules, the APPI applies if the overseas business handles
personal information about somebody in Japan and:

 * that person is their customer; or
 * that person is a director or employee of a Japanese company that is a
   customer of the overseas business.


DOES MY ORGANIZATION NEED TO COMPLY?

Where both the material and territorial scope apply, you will normally need to
comply with the APPI even if you are outside of Japan. The main exemptions are
for handling data in a non-business context, such as journalism, academic
activity, or politics.


WHAT ARE THE CONSENT MANAGEMENT REQUIREMENTS OF THE APPI?

The consent rules vary depending on the type of information and how you handle
it.


ORDINARY INFORMATION

For ordinary personal information, you don’t need consent to handle the
information. Instead, the APPI’s main requirement is that you tell people how
and why you will use their data before you collect it.

You do need consent before passing data on to a third party. The limited
exceptions to this principle are:

 * A law says you must.
 * It’s necessary to protect somebody’s health or life and the data subject
   can’t give consent. (For example, accessing medical records of somebody who
   is unconscious.)
 * For public health reasons.
 * It’s necessary for government activity, and getting consent would impede that
   activity.

Alternatively, you can work on an opt-out basis. To do so, you must tell the
person about the planned transfer, including what data is involved and who will
get it. You must then give a reasonable period for the person to opt-out and
then only proceed if they don’t exercise the opt-out.

You cannot use the opt-out basis for the special care category detailed below.
Unless one of the exceptions applies, you’ll need active consent.


SENSITIVE INFORMATION

You also need consent before collecting data in the “special care required”
category. This covers information including:

 * Criminal records.
 * Medical history.
 * Marital Status.
 * Race.
 * Religious Beliefs.

If you are unsure if data falls into this category, follow the guiding principle
that it’s intended to cover any data that, if exposed, could lead to
discrimination or prejudice.

The only exceptions that let you acquire data from this category without
consent are:

 * The same four exceptions that allow third-party transfers (legal requirement,
   protect life, public health, government activity).
 * Either the person or a government body has already made the information
   public.

There’s no exception for GDPR-style “legitimate interests.”


INTERNATIONAL TRANSFERS

You will normally need consent to transfer somebody’s data outside of Japan.
This applies to both ordinary and “special care required” information.

The only exception is if you are transferring it to a country which the PPC has
deemed to have an equivalent level of data protection as the APPI. At the time
of writing this is limited to the European Union and the United Kingdom.


KEY DIFFERENCES BETWEEN APPI AND GDPR

While the GDPR has largely remained unchanged since it took force, the APPI has
undergone several major updates since it was first introduced back in 2003.
The most significant update was in 2017 when the law was overhauled with changes
to both rules and enforcement to bring it up to par with the then-upcoming GDPR,
both to provide data adequacy for cross-border data transfers with the EU, and
to bolster the privacy protections and rights of Japanese citizens.


SCOPE

The APPI covers any business that handles the personal data of people who are in
Japan. It doesn’t matter where the business is based, or where the processing
happens. Since the 2017 review, it no longer matters how many people’s data you
handle.

The GDPR applies to any organization that meets any of three criteria:

 * The organization has a presence (such as a local office or company) in the
   European Union.
 * The data subject (the person the data is about) is in the EU.
 * The processing physically happens in the EU, for example in a data center.

The GDPR has slightly different rules for data controllers (who decide what
processing happens and how) and data processors (who do the processing in line
with a data controller’s instructions.) The APPI doesn’t make this distinction.


BREACH DISCLOSURE RULES

The APPI now requires businesses that suffer specific types of data breaches to
notify both the affected data subjects and the Personal Information Protection
Commission, Japan’s data protection enforcement body. Data breaches that require
notification are those that:

 * Involve sensitive personal data.
 * Pose a risk to property.
 * Are likely to have been undertaken deliberately for a malicious or improper
   purpose (such as a cyberattack.)
 * Involve more than 1,000 data subjects.

Businesses must make an initial notification as soon as practical and must then
file a full report within 30 days (or within 60 days in “improper cause”
situations.)

The GDPR dictates that businesses must report any and all data breaches—unless
they are unlikely to risk people’s “rights and freedoms.” Businesses must notify
the supervisory authority (the data protection agency in the relevant country)
as soon as possible once they discover a breach. If a business takes more than
72 hours to disclose a breach it must explain why to the national data
protection authority.

Businesses must also directly tell the data subjects about the breach if it has
caused a “high risk” to their rights and freedoms. There are exemptions to this
rule if measures to significantly mitigate this risk (such as the breached data
being encrypted) are in place, or if businesses can inform people just as
effectively through public communications such as a media statement.


SPECIAL CATEGORIES

Both laws have different rules for ordinary personal data and more sensitive
data. This is known as “special care required personal information” under the
APPI and “special category data” under the GDPR.

The types of data that fall into these categories are largely similar, with
examples including medical history and religious beliefs. Some data is only
covered by one law, such as marital status in APPI and details of a person’s sex
life under the GDPR. With both laws, the principle is to have stronger
protection for data that could lead to prejudice or discrimination.


CONSENT AND LEGAL BASIS FOR PROCESSING

Unlike the GDPR, the APPI doesn’t have significant restrictions on the
processing of ordinary personal data, though data subjects do have the right to
ask what data you process and your reasons for doing so.

The APPI does restrict the processing of “special care required” data. Consent
is required to process these categories of data. In very limited circumstances
you can process this data without consent, such as when fulfilling a contract
with the data subject or acting in the public interest. The law doesn’t allow
for data processing based on “legitimate interest”.

Under the GDPR, processing (of either ordinary or sensitive personal data) is
only lawful when you can point to one of six lawful bases. The most appropriate
for businesses are:

 * You have the data subject’s consent. (This must be consent in advance of the
   processing and the data subject has the right to withdraw it.)
 * You are pursuing legitimate interests (such as your core business activity)
   and these outweigh the data subject’s rights. Generally, this only applies
   for processing the data subject could reasonably have expected you to do and
   that doesn’t have a significant effect on their privacy.

Other lawful bases include fulfilling a contract with the data subject,
processing in the public interest, and protecting somebody’s vital interests
(in other words, their life.)


PENALTIES FOR NONCOMPLIANCE

Breaching the APPI does not usually directly lead to a penalty in itself.
Instead, penalties follow a failure to comply with an order by the Personal
Information Protection Commission to improve your data practices, particularly
after a breach. Institutional penalties are also much lower than those put forth
by the GDPR, while individual penalties are much harsher. The maximum penalty is
now one year in prison and a one million yen fine for any of the following:

 * An individual who is responsible for the breach.
 * The director of the business.
 * The person who is responsible for APPI compliance at the business.

The business itself can be fined up to 100 million yen, roughly $900,000 USD.
There’s also a cultural expectation that businesses will pay damages to data
subjects affected by a breach, though the data subjects do have the right to sue
if this doesn’t happen.

The GDPR has two categories of maximum penalties for non-compliance. For lesser
offenses, which generally involve procedural failings, the maximum is €10
million or two percent of your worldwide turnover, whichever is bigger. For more
serious offenses, which generally involve breaching the GDPR’s key principles,
the maximum is €20 million or four percent of your worldwide turnover, whichever
is bigger.


KEY TAKEAWAYS

If your organization is already GDPR compliant, you aren’t far from compliance
with the APPI, but you should review your data privacy processes and consent
management to ensure that:

 * You gather consent to process sensitive data including marital status.
 * You are not relying on “legitimate interests” to process sensitive data.
 * You are ready to notify data subjects promptly after any breach.
 * You are ready to prepare a full report for the Personal Information
   Protection Commission within 30 days of a breach.


STAY OUT OF REGULATORS’ CROSSHAIRS WITH CONSENT MANAGEMENT

CHEQ offers organizations a solution to help maintain full website compliance
with the APPI, GDPR, CCPA, LGPD, and many more laws and frameworks.

With CHEQ Privacy, you can set up customizable consent banners and give your
customers a clear-cut choice on how their data is used, or whether it is
collected at all.

You can also use CHEQ Privacy to perform a full audit of your website—up to 5000
pages—so you can understand which cookies and tracking technologies are in use
and identify potential security or compliance issues.

Book a demo to see how CHEQ Privacy can help your organization stay compliant
with evolving regulations worldwide.

AUTHOR


JEFFREY EDWARDS

Content Marketing Manager

Jeff is the resident content marketing expert at CHEQ. He has several years of
experience as a trained journalist, and more recently in his career found a
knack for communicating complex cybersecurity topics in an approachable yet
detailed manner.
