Comparison of Data Protection Laws in the EU and Japan: GDPR v. APPI
2024.10.28
SCOPE
1.1. Personal scope
The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') applies to data controllers and data processors, which may be businesses, public bodies, institutions or not-for-profit organisations. The Act on the Protection of Personal Information (Act No. 57 of 2003, as amended in 2020) ('APPI') applies to both public and private entities. Specifically, 'business operators handling personal information', 'central government organisations', 'local governments', 'incorporated administrative agencies' and 'local incorporated administrative agencies' are covered by the APPI.
Both the GDPR and the APPI protect living individuals with regard to the use of their personal data. The GDPR provides that individuals are protected regardless of their nationality or residency, while the APPI does not explicitly address this point. However, the Guideline of the APPI (General Rules Edition) (available only in Japanese) ('General Rules Guideline') published by the Personal Information Protection Commission ('PPC') states that individuals are protected regardless of their nationality or residency.
Consistency: Fairly Inconsistent
GDPR: Articles 3, 4(1); Recitals 2, 14, 22-25
APPI: Articles 1, 2(4), 16(2)
(In this article, only the APPI provisions that apply to business operators handling personal information are cited.)
Similarities
GDPR:
1. The GDPR only protects living individuals. The personal data of legal persons is not covered. The GDPR does not protect the personal data of deceased individuals; this is left to Member States to regulate.
2. Article 4(1) of the GDPR clarifies that a data subject is 'an identified or identifiable natural person'.
3. The GDPR provides that it 'should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data'.
4. The GDPR applies to businesses, public bodies, institutions and not-for-profit organisations.
APPI:
1. The APPI only applies to the personal information of living individuals.
2. Article 2(4) of the APPI clarifies that a principal is a 'specific individual identifiable by personal information'.
3. The APPI does not explicitly refer to a principal's nationality or place of residence. However, the General Rules Guideline states that individuals are protected regardless of their nationality or residency.
4. The APPI applies to business operators handling personal information as well as to 'central government organisations', 'local governments', 'incorporated administrative agencies' and 'local incorporated administrative agencies'.
Differences
GDPR:
1. The GDPR applies to a data controller, which is defined by the fact that it determines the purposes and means of the processing.
2. The GDPR also imposes several obligations on 'processors', which are entities that process personal data on behalf of data controllers.
APPI:
1. The APPI applies to a personal information controller ('PIC'), defined as a person providing a personal information database for use in business. This encompasses, among others, business operators handling personal information.
2. The APPI only explicitly refers to PICs as being subject to its obligations.
1.2. Territorial scope
Both the GDPR and the APPI have extraterritorial scope. In particular, the GDPR applies to organisations outside the EU if they offer goods or services to, or monitor the behaviour of, individuals within the EU.
Some provisions of the APPI apply to business operators who, in relation to supplying a good or service to a person in Japan, have directly or indirectly acquired personal information relating to persons in Japan and handle it in a foreign country.
Consistency: Fairly Consistent
GDPR: Articles 3, 4(1); Recitals 2, 14, 22-25
APPI: Articles 171, 183
Similarities
GDPR: In relation to extraterritorial scope, the GDPR applies to organisations that have no presence in the EU but that offer goods or services to, or monitor the behaviour of, individuals in the EU.
APPI: Some provisions of the APPI have extraterritorial scope: they apply to a business operator who, in relation to supplying a good or service to a person in Japan, has directly or indirectly acquired personal information relating to a person in Japan and handles it in a foreign country.
Differences
GDPR:
1. The GDPR also explicitly applies to organisations that have a presence in the EU. In particular, under Article 3(1), the GDPR applies to the processing of personal data in the context of the activities of an 'establishment' of a controller or processor in the EU, regardless of whether the processing itself takes place in the EU.
2. The GDPR does not include any enforcement provision directly aimed at a person who committed an offence outside the EU.
APPI:
1. The APPI does not explicitly mention its applicability to PICs established in Japan.
2. Article 183 specifies that the criminal penalties under Articles 176, 177, 179, 180 and 181 of the APPI also apply to a person who has committed an offence outside Japan.
1.3. Material scope
The GDPR applies to the processing of personal data, whilst the APPI applies to the handling of personal data. In addition, both the GDPR and the APPI apply to pseudonymous data. However, only the APPI includes anonymously processed information within its scope.
Consistency: Fairly Consistent
GDPR: Articles 2, 4(1), 4(2), 4(6); Recitals 15-21, 26
APPI: Articles 2, 16, 41-46
Similarities
GDPR:
1. The GDPR applies to personal data, that is, any information relating to an identified or identifiable natural person (see section 2.1 on personal data below).
2. The GDPR defines special categories of personal data and provides specific requirements for their processing.
3. The GDPR excludes from its application the processing of personal data by individuals for purely personal or household purposes, i.e. processing that has 'no connection to a professional or commercial activity'.
APPI:
1. The APPI applies to personal information, that is, information relating to a living individual from which a specific individual can be identified (see section 2.1 on personal data below). The APPI also defines personal data as 'personal information constituting a personal information database'.
2. The APPI defines special care-required personal information and provides specific requirements for its handling.
3. The APPI applies to PICs that use personal data in business, as well as to public authorities and institutions.
Differences
GDPR:
1. The GDPR applies to the processing of personal data. 'Processing' covers 'any operation' performed on personal data, 'such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction'.
2. Anonymous data is specifically outside the scope of the GDPR. Anonymous data is information that does not relate to an identified or identifiable natural person, or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
3. The GDPR does not distinguish between personal data and retained personal data.
APPI:
1. The APPI does not define which activities form part of the handling of personal information. It clarifies that the APPI applies to personal information, personal data and retained personal data.
2. The APPI applies to business operators that handle anonymously processed information. A business operator must produce anonymously processed information in accordance with the standards prescribed by the PPC rules. 'Anonymously processed information' under the APPI is information relating to an individual that is produced by processing personal information, by deleting part of the descriptions or part of the individual identification codes contained in it, so that a specific individual can neither be identified nor their personal information restored.
3. Some provisions of the APPI apply specifically to 'personal data', defined as 'personal information constituting a personal information database', i.e. an assembly of information including personal information, and to 'retained personal data', defined as 'personal data which a PIC has the authority to disclose, correct, add to or delete the contents of, cease the utilisation of, erase, and cease the third-party provision of, and which is not data prescribed by a Cabinet Order as likely to harm the public or other interests if its presence or absence is made known'.
KEY DEFINITIONS
2.1. Personal data
Both the GDPR and the APPI include a definition of 'personal data' and 'personal information' respectively. Additionally, as mentioned in the section on material scope, the APPI defines 'personal data' with regard to 'personal information databases' and 'retained personal data' with regard to the authority to disclose etc. personal data.
The GDPR defines special categories of personal data and prohibits their processing unless one of the exemptions in Article 9(2) applies. Under the APPI, special care-required personal information cannot be obtained or provided to a third party without the principal's consent, unless an exemption applies.
The APPI applies to anonymously processed information, whereas the GDPR explicitly excludes anonymised data from its scope of application.
Consistency: Fairly Consistent
GDPR: Articles 4(1), 9; Recitals 26-30
APPI: Articles 2, 16, 20(2)
Similarities
GDPR:
1. 'Personal data' is defined as 'any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person'. The GDPR also explains in its recitals that, in order to determine whether a person is identifiable, 'account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person' to identify the individual directly or indirectly. The recitals further specify that online identifiers such as IP addresses, cookie identifiers and radio frequency identification tags may be personal data.
2. The GDPR defines special categories of personal data as data revealing the data subject's 'racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation'.
APPI:
1. 'Personal information' means information relating to a living individual which falls under either of the following: (a) information containing a name, date of birth or other description (meaning any and all matters stated, recorded or otherwise expressed using voice, movement or other methods in a document, drawing or electromagnetic record (meaning an electronic, magnetic or other form of record that cannot be recognised through the human senses)) whereby a specific individual can be identified (including information which can be readily collated with other information and thereby identify a specific individual); or (b) information containing an individual identification code, meaning 'any character, letter, number, symbol or other code' that either (i) identifies a specific individual through a code for use with computers converted from the person's bodily information, or (ii) is assigned in regard to the use of services provided to, or the purchase of goods sold to, an individual, or is stated or electromagnetically recorded in a card or other document issued to an individual, so as to identify a specific user, purchaser or recipient of issuance, the code having been assigned, stated or recorded differently for each user, purchaser or recipient. The APPI also defines personal data as personal information constituting a personal information database.
2. The APPI defines special care-required personal information as information about a principal's 'race, creed, social status, medical history, criminal record, fact of having suffered damage by a crime, or other descriptions etc. prescribed by cabinet order as those of which the handling requires special care so as not to cause unfair discrimination, prejudice or other disadvantages to the principal'.
Differences
GDPR:
1. The GDPR does not apply to anonymised data, i.e. information that does not relate to an identified or identifiable natural person, or personal data rendered anonymous in such a manner that the data subject is not or is no longer identifiable.
2. The definition of 'personal data' in the GDPR does not require the data to be part of a database.
3. The GDPR does not define retained personal data.
APPI:
1. The APPI applies to anonymously processed information, i.e. information relating to an individual that is produced by processing personal information so that a specific individual can neither be identified nor their personal information restored. This involves deleting part of the descriptions contained in the personal information and, in the case of individual identification codes, deleting them entirely or replacing them with other descriptions.
2. The definition of 'personal data' in the APPI requires the data to be part of a personal information database.
3. The APPI refers to retained personal data, i.e. personal data over which a PIC has the authority to disclose, correct, add to or delete the contents, cease the utilisation, erase and cease the third-party provision.
2.2. Pseudonymisation
The GDPR defines pseudonymised data and clarifies that such data is subject to the obligations of the GDPR. The APPI also defines pseudonymised data and clarifies that such data is subject to the obligations of the APPI.
Consistency: Fairly Consistent
GDPR: Articles 4(5), 11; Recitals 26, 28
APPI: Articles 41, 42
Similarities
GDPR:
1. The GDPR defines pseudonymisation and clarifies that pseudonymised data remains subject to its obligations. 'Pseudonymisation' means processing personal data so that it 'can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person'. The GDPR also describes anonymised data, which is outside its scope (see section 2.1 on personal data above).
APPI:
1. The APPI defines pseudonymously processed information and clarifies that such information remains subject to its obligations. 'Pseudonymously processed information' is information relating to an individual that is produced by processing personal information so that a specific individual cannot be identified unless the information is collated with other information.
Differences
GDPR: Not applicable.
APPI: Not applicable.
2.3. Controllers and processors
Unlike the GDPR, the APPI does not individually define the concepts of data controller and data processor. Instead, the APPI defines 'business operators handling personal information', 'central government organisations', 'local governments', 'incorporated administrative agencies' and 'local incorporated administrative agencies' as the entities it covers.
The GDPR sets out detailed requirements in relation to the processing of personal data by data controllers and data processors. The APPI establishes a number of specific obligations for PICs in relation to the utilisation of a principal's personal information.
Consistency: Fairly Inconsistent
GDPR: Articles 4, 17, 28, 30, 32, 33, 35, 37, 38; Recitals 90, 93
APPI: Articles 2, 17, 21, 22, 23, 24, 25, 26, 27, 29, 33, 34, 35, 39, 40
Similarities
GDPR:
1. Data controllers must comply with requests to exercise data subject rights, such as the right to erasure, the right to rectification and the right of access, unless exemptions apply.
2. Data controllers must also comply with the purpose limitation and accuracy principles, and rectify a data subject's personal data if it is inaccurate or incomplete.
3. Data controllers must implement technical and organisational security measures.
4. Other obligations are imposed on data processors, such as notifying the data controller of any personal data breach without undue delay after becoming aware of it.
APPI:
1. PICs must respond to a principal's demand for notification of the utilisation purpose, disclosure, correction, addition or deletion, cessation of utilisation and cessation of third-party provision of retained personal data, in the cases specified by the law.
2. PICs must ensure that personal data is accurate and up to date within the scope necessary to achieve the utilisation purpose, and must correct, add to or delete the principal's retained personal data where it is not factual.
3. PICs must take necessary and appropriate action for the security control of personal data, including preventing the leakage, loss or damage of the personal data they handle.
4. Other obligations imposed on PICs include mandatory reporting to the PPC and notification of principals in the event of statutory data breaches, and disclosing retained personal data to a principal without delay by a method prescribed by cabinet order, unless exceptions apply.
Differences
GDPR:
1. Data processors must comply with data subjects' rights requests if required to by the data controller.
2. A data controller is a natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
3. A data processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller.
4. Other obligations are imposed on data processors, such as:
⦁ keeping records of processing activities: processors must maintain a record of their processing activities in certain situations, including where the processor has 250 or more employees or processes data in a way likely to result in a risk to the rights and freedoms of data subjects; the record should contain the categories of processing and any transfers of data outside the European Economic Area ('EEA');
⦁ implementing appropriate technical and organisational measures: processors must ensure security when processing data, which could include encryption or pseudonymisation;
⦁ Data Protection Impact Assessments ('DPIA'): processors must assist the data controller in carrying out DPIAs prior to processing; and
⦁ appointing a Data Protection Officer ('DPO'): processors must designate a DPO where required by the law, including where the processor processes personal data on a large scale.
APPI:
1. The APPI does not contain an equivalent provision.
2. There is no definition of data controller or data processor under the APPI. The APPI applies to PICs, which are 'business operators handling personal information', 'central government organisations', 'local governments', 'incorporated administrative agencies' and 'local incorporated administrative agencies'.
3. The APPI does not refer to data processors.
4. Other obligations imposed on PICs include: deleting personal data without delay once its utilisation has become unnecessary; exercising necessary and appropriate supervision over employees and entrusted persons so as to ensure the security control of the personal data whose handling has been entrusted; endeavouring to handle complaints about the handling of personal information appropriately and promptly; and endeavouring to establish the system necessary to achieve the purpose under Article 40(1).
2.4. Children
The GDPR sets specific provisions for protecting children's personal data, in particular, when processed for providing information society services. By contrast, the APPI does not include specific provisions on the processing of children's personal information.
Consistency: Inconsistent
GDPR: Articles 6, 8, 12, 40, 57; Recitals 38, 58, 75
APPI: Articles 18, 20, 27
Similarities
GDPR: 1. The GDPR does not define 'child' or 'children'.
APPI: 1. The APPI does not define 'child' or 'children'.
Differences
GDPR:
1. The GDPR considers children 'vulnerable natural persons' who merit specific protection with regard to their personal data. Specific protection should be given where a child's personal data is used for marketing or collected for information society services offered directly to a child.
2. Where processing is based on consent, the consent of a parent or guardian is required for providing information society services to a child below the age of 16. EU Member States may lower this age limit, but not below 13. Data controllers must make reasonable efforts to verify that consent is given or authorised by a parent or guardian.
3. The GDPR provides no exception for a data controller that is not aware it is providing services to a child, and it is not clear whether the consent requirement applies if the child's personal data is unintentionally collected online. 'Fostering healthy children' is not an exemption from obtaining consent.
4. When information is addressed specifically to a child, data controllers must take appropriate measures to provide information relating to the processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language that the child can easily understand.
APPI:
1. The APPI does not give children special protection with regard to the processing of their personal data. However, the General Rules Guideline states that, where a child does not have the capacity to judge the consequences of consenting to the handling of their personal information, consent must be obtained from a legal representative such as a parent. The Q&A on the APPI published by the PPC (available only in Japanese) also states that PICs are generally required to obtain the consent of a legal representative such as a parent for children aged 15 or younger.
2. The APPI does not list specific conditions for processing children's personal information.
3. The APPI sets out exemptions from the need to obtain consent for handling personal information: (i) cases based on laws and regulations; (ii) cases in which there is a need to protect human life, body or property and it is difficult to obtain the principal's consent; (iii) cases in which there is a special need to enhance public hygiene or promote the fostering of healthy children and it is difficult to obtain the principal's consent; (iv) cases in which there is a need to cooperate with a central government organisation or a local government, or a person entrusted by them, in performing affairs prescribed by laws and regulations, and obtaining the principal's consent would be likely to interfere with the performance of those affairs; or (v) cases in which personal data is provided to an academic research organisation etc. that needs to handle the personal data for academic research purposes.
4. There are no specific rules for privacy notices aimed at children.
2.5. Research
The GDPR has specific provisions addressing the processing of personal data for 'historical or scientific research', as well as for 'statistical purposes'. The APPI also has specific provisions addressing the processing of personal data for academic research purposes.
Consistency: Fairly Consistent
GDPR: Articles 5(1)(b), 9(2)(j), 14(5), 17(3), 89; Recitals 33, 159, 160, 161
APPI: Articles 18(3)(v)-(vi), 20(2)(v)-(vi), 27(1)(v)-(vii)
Similarities
GDPR: 1. Under the GDPR, the processing of personal data for research purposes is subject to specific rules (e.g. with regard to the purpose limitation principle, the processing of special categories of personal data, etc.).
APPI: 1. Under the APPI, the handling of personal data for research purposes is subject to specific rules (e.g. with regard to the purpose limitation principle, the obtaining of special care-required personal information, the provision of personal data to third parties, etc.).
Differences
GDPR: Not applicable.
APPI: Not applicable.
LEGAL BASIS
The GDPR provides that the processing of personal data will only be lawful where one of the legal bases outlined in Article 6 is identified. In the case of special categories of personal data one of the exemptions provided in Article 9 must be fulfilled.
The APPI does not provide a general list of legal bases that need to be met when handling personal information. However, the APPI provides that consent is required in the circumstances specified by the law.
Consistency: Inconsistent
GDPR: Articles 5-10; Recitals 39-48
APPI: Articles 18, 20, 27, 28, 31
Similarities
GDPR: 1. The GDPR recognises consent as a legal basis for processing personal data.
APPI: 1. The APPI requires consent in specific circumstances.
Differences
GDPR:
1. The GDPR states that data controllers may only process personal data where there is a legal basis for doing so. The legal bases are consent, or processing that is necessary for: (i) the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract; (ii) compliance with a legal obligation to which the data controller is subject; (iii) protecting the vital interests of the data subject or of another natural person; (iv) the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or (v) the legitimate interests of the data controller or a third party, except where these are overridden by the interests or fundamental rights and freedoms of the data subject. Further permissible grounds for the processing of special categories of personal data are provided under Article 9(2). As a general rule, the processing of special categories of personal data is prohibited unless an exemption applies, one of which is the data subject's explicit consent.
2. The GDPR specifies how consent must be obtained and can be withdrawn, as well as the elements that make consent valid.
APPI:
1. The APPI does not list legal grounds that PICs must satisfy a priori when handling personal data. Instead, the consent of the principal is required (unless exceptions apply) when: (i) the handling goes beyond the utilisation purpose already specified to the principal; (ii) personal information is obtained by another operator as a result of a merger or other reason and is used for a purpose other than the one already specified to the principal; (iii) special care-required personal information is obtained; (iv) personal data is provided to a third party; (v) personal data is transferred across borders; and (vi) personally referable information is provided to a third party in specified circumstances, including where the transferee is expected to obtain it as personal data by collating it with other data, even though it did not constitute personal data in the hands of the transferor.
2. The APPI does not define consent or specify the elements that make consent valid. However, the General Rules Guideline explains that 'consent of the principal' means an indication of the principal's intention to allow the handling of their personal information in the manner indicated by the PIC.
CONTROLLER AND PROCESSOR OBLIGATIONS
4.1. Data transfers
Both the GDPR and the APPI regulate the cross-border transfer of personal data to third parties and allow such transfers on the basis of an adequacy decision or a recognition of an equivalent level of protection, respectively. Both also provide that, in the absence of such a determination, cross-border transfers may be undertaken on the basis of consent, as well as on other grounds. The GDPR, however, sets out a number of appropriate safeguards under which personal data may be transferred, whereas the APPI allows transfers where the recipient meets standards prescribed by the PPC rules. Further, the APPI does not address transfers based on international agreements for judicial cooperation or transfers from public registers.
Consistency: Fairly Inconsistent
GDPR: Articles 44-50; Recitals 101, 112
APPI: Articles 27 and 28
Similarities
GDPR:
1. The GDPR allows personal data to be transferred to a third country or international organisation that the European Commission has determined to provide an adequate level of protection.
2. A transfer may also rely on one of the following grounds:
⦁ the data subject has explicitly consented to the proposed transfer after being informed of the possible risks of such a transfer due to the absence of an adequacy decision and appropriate safeguards;
⦁ the transfer is necessary for important reasons of public interest; and
⦁ the transfer is necessary to protect the vital interests of the data subject or of other persons.
APPI:
1. The APPI permits transfers of personal data to foreign countries that the PPC has recognised as having a personal information protection system with standards equivalent to those in Japan in regard to the protection of an individual's rights and interests.
2. The APPI provides that the principal's consent is generally required for transferring personal data to a foreign country. When obtaining such consent, a PIC must provide certain information about the transfer to the principal in advance (e.g. the name of the foreign country and its personal information protection system). However, personal data may also be transferred on one of the following bases:
⦁ cases in which there is a need to protect human life, body or property and it is difficult to obtain the principal's consent; and
⦁ cases in which there is a special need to enhance public hygiene or promote the fostering of healthy children and it is difficult to obtain the principal's consent.
Differences
1. One of the following legal grounds can be applied to the transfer of personal data abroad: ⦁ when the transfer is necessary for the performance or conclusion of a contract; and ⦁ when the transfer is necessary for the establishment, exercise, or defence of a legal claim; 2. In the absence of a decision on adequate level of protection, a transfer is permitted when the data controller or data processor provides appropriate safeguards with effective legal remedies that ensure the data subjects' rights as prescribed under the GDPR. Appropriate safeguards include: binding corporate rules with specific requirements (e.g. a legal basis for processing, a retention period, complaint procedures, etc.); ⦁ standard data protection clauses adopted by the European Commission or by a supervisory authority; or ⦁ an approved code of conduct; or an approved certification; 3. The GDPR specifies that a cross-border transfer is allowed based on international agreements for judicial cooperation. 4. The grounds for a cross-border transfer includes the transfer being made from a register which, according to the Union or a Member States' law, is intended to provide information to the public, and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case. |
1. However, personal information can also be transferred on one of the following bases: ⦁ cases based on laws and regulations; ⦁ cases in which there is a special need to enhance public hygiene or promote fostering healthy children, and when it is difficult to obtain a principal's consent; ⦁ cases in which there is a need to cooperate in regard to a central government organisation or a local government, or a person entrusted by them performing affairs prescribed by laws and regulations, and when there is a possibility that obtaining a principal's consent would interfere with the performance of affairs; ⦁ cases in which the business operator handling the personal data is an academic research organisation, etc., and the provision of such personal data is unavoidable for the publication of the results of academic research or for teaching (except where there is a risk of unjustified infringement of the rights and interests of individuals); ⦁ cases in which the business operator handling the personal data is an academic research organisation, etc., and it is necessary to provide such personal data for academic research purposes (including where part of the purpose of providing such personal data is for academic research purposes, except where there is a risk of unjustified infringement of the rights and interests of individuals); and ⦁ cases in which the third party is an academic research institute, etc., and the third party needs to handle the personal data concerned for academic research purposes (including where part of the purpose of handling the personal data concerned is for academic research purposes, except where there is a risk of unjustified infringement of the rights and interests of individuals). 2. The APPI does not outline appropriate safeguards for the foreign transfer of personal data in the absence of recognised equivalent standards. 
However, the APPI establishes that cross-border transfers can be undertaken where the recipient has established a system conforming to standards prescribed by rules of the PPC as necessary for continuously taking action equivalent to that which a PIC must take when handling personal data. In this case, PICs need to take necessary measures, such as periodically checking the implementation status of the security measures taken by the recipient. 3. The APPI makes no specific reference to cross-border transfers based on international agreements for judicial cooperation. However, Japan is a member of the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules ('APEC CBPRs') system, which allows PICs to transfer personal information to recipients certified under the rules. 4. The APPI does not include a similar provision. |
4.2. Data processing records
Neither the GDPR nor the APPI provides a general requirement for registering with supervisory authorities. In addition, both legislations outline record-keeping requirements in relation to cross-border data transfers. On the other hand, the GDPR requires data controllers and processors to maintain a general record of processing activities, whereas the APPI imposes limited record-keeping obligations on PICs in relation to specific processing activities.
Consistency: Inconsistent
GDPR |
APPI |
Article 30 Recital 82 |
Article 29 |
Similarities
1. The GDPR does not provide general requirements for registering with a supervisory authority. 2. The GDPR prescribes a list of information that a data controller must record regarding international transfers of personal data, namely the identification of the third countries or international organisations, and the documentation of adopted suitable safeguards. |
1. The APPI does not contain general requirements for registering with the PPC. 2. The APPI stipulates that PICs must keep a record pursuant to rules of the PPC on the date of the personal data transfer, the name or appellation of the third party, and other matters prescribed by rules of the PPC, except where exceptions apply. The APPI also sets out similar provisions for the provision of personally referable information under specific conditions. |
Differences
1. Data controllers and data processors have a general obligation to maintain a record of the processing activities under their responsibility. 2. The GDPR prescribes a list of information that a data controller must record: ⦁ the name and contact details of the data controller; ⦁ the purposes of the processing; ⦁ a description of the categories of personal data; ⦁ the categories of recipients to whom the personal data will be disclosed; ⦁ the estimated period for erasure of the categories of data; and ⦁ a general description of the technical and organisational security measures that have been adopted. 3. The obligations in relation to data processing records are also imposed on the representatives of data controllers. 4. The records maintained by a data controller shall be in writing, including in electronic form. 5. The requirements around data processing records shall not apply to an organisation with fewer than 250 employees, unless the processing: ⦁ is likely to result in a risk to the rights and freedoms of data subjects; ⦁ is not occasional; or ⦁ includes special categories of data under Article 9(1) (e.g. religious beliefs, ethnic origin, etc.) or personal data relating to criminal convictions and offences under Article 10. 6. The GDPR prescribes a list of information that a data processor must record: ⦁ the name and contact details of the data processor; ⦁ the categories of processing carried out on behalf of each controller; ⦁ international transfers of personal data, with the identification of third countries or international organisations, and the documentation of adopted suitable safeguards; and ⦁ a general description of the technical and organisational security measures that have been adopted. |
1. The APPI does not contain a general requirement for PICs to maintain records of processing activities under their responsibility. However, the General Rules Guideline states that a PIC must 'establish means for checking the processing status of personal data' as part of the safety management measures. 2. The APPI does not contain an equivalent provision. However, the General Rules Guideline cites a method of clarifying the following items in advance as an example of 'establishing means for checking the processing status of personal data': ⦁ types and names of personal information databases etc.; ⦁ items that include personal data; ⦁ responsible person/department; ⦁ purpose of utilisation; and ⦁ those who have access rights etc. 3. The APPI does not contain an equivalent provision. 4. The APPI does not contain an equivalent provision. 5. The APPI does not contain an equivalent provision. However, the General Rules Guideline shows examples for PICs with 100 or fewer employees, in addition to the examples for PICs in general. 6. The APPI does not contain an equivalent provision. |
4.3. Data Protection Impact Assessment
The GDPR provides that a Data Protection Impact Assessment ('DPIA') must be conducted under specified circumstances and makes no distinction between private or public entities. The APPI, conversely, only requires public institutions to conduct Privacy Impact Assessments ('PIA') in regard to specific personal information files.
Consistency: Inconsistent
GDPR |
APPI |
Article 35-36 Recitals 75, 84, 89-93 |
Article 132(5); Article 27 of the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures ('the Use of Numbers Act') |
Similarities
1. Not applicable |
1. Not applicable |
Differences
1. A data controller is required to, where necessary, carry out a review to assess whether the processing of personal data is in accordance with the DPIA, particularly when there is a change in the risks presented by the processing operations. 2. The GDPR provides that a DPIA must be conducted if a data controller utilises new technologies to process personal data. 3. The GDPR provides that a DPIA must be conducted under the following circumstances: ⦁ the processing may result in a high risk to the rights and freedoms of an individual; ⦁ when a systematic and extensive evaluation of personal aspects relating to natural persons is involved, which is based on automated processing or profiling; ⦁ there is processing on a large scale of special categories of data; and ⦁ there is systematic monitoring of a publicly accessible area on a large scale. 4. The assessment must contain at least the following: ⦁ a systematic description of the envisaged processing operations and the legitimate purposes of the processing; ⦁ the necessity and proportionality of the processing operations in relation to the purposes; and ⦁ the risks to the rights and freedoms of data subjects. 5. A data controller must consult the supervisory authority prior to any processing that would result in a high risk in the absence of risk mitigation measures, as indicated by the DPIA. |
1. The APPI does not contain PIA requirements for data processing by PICs. The Use of Numbers Act, however, requires certain administrative and government agencies to conduct PIAs in specified circumstances. 2. Under the Use of Numbers Act, only government and administrative agencies are required to conduct a PIA. 3. Under the Use of Numbers Act, only government and administrative agencies are required to conduct a PIA. 4. Under the Use of Numbers Act, only government and administrative agencies are required to conduct a PIA. 5. Under the Use of Numbers Act, only government and administrative agencies are required to conduct a PIA. |
4.4. Data protection officer appointment
Unlike the GDPR, the APPI does not require data controllers and processors to appoint a DPO in specified circumstances. However, the General Rules Guideline stipulates the appointment of a person in charge of personal information management as an example of security management measures under the APPI.
Consistency: Inconsistent
GDPR |
APPI |
Articles 13-14, 37-39 Recital 97 |
|
Similarities
1. Not applicable |
1. Not applicable |
Differences
1. The data controller and the data processor shall designate a DPO in any case where: ⦁ the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; ⦁ the core activities of a data controller or data processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or ⦁ the core activities of the controller or the processor consist of processing special categories of personal data on a large scale (e.g. religious beliefs, ethnic origin, data required for the establishment, exercise, or defence of legal claims, etc.). 2. A group may appoint a single DPO who must be easily contactable by each establishment. 3. The DPO shall perform a list of tasks including: ⦁ to inform and advise the data controller or the data processor and the employees who carry out processing of their obligations pursuant to the GDPR and to other Union or Member State data protection provisions; ⦁ to monitor compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the data controller or data processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; and ⦁ to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter. 4. The DPO shall be designated on the basis of professional qualities and expert knowledge of data protection law and practices. 5. The DPO can be a staff member of the data controller or data processor, or can perform tasks based on a service contract. 6. Contact details of the DPO must be included in the privacy notice for data subjects, and they must be communicated to the supervisory authority. 7. Data subjects may contact the DPO with regard to the processing of their personal data as well as the exercising of their rights. 8. The DPO must be provided with the resources necessary to carry out their obligations under the GDPR. |
1. The APPI does not include a requirement to appoint a DPO. However, the General Rules Guideline outlines that security measures must be taken for the handling of personal information, with the appointment of a person in charge of the handling of personal information and the definition of that person's responsibilities being an example of such security measures. 2. The APPI does not include a requirement to appoint a DPO. 3. The APPI does not include a requirement to appoint a DPO. 4. The APPI does not include a requirement to appoint a DPO. 5. The APPI does not include a requirement to appoint a DPO. 6. The APPI does not include a requirement to appoint a DPO. 7. The APPI does not include a requirement to appoint a DPO. 8. The APPI does not include a requirement to appoint a DPO. |
4.5. Security and data breach notification
In line with the GDPR, the APPI establishes a legal obligation to report statutory data breaches to the supervisory authority and to the principal (data subject). Nevertheless, notable differences exist between the two legislations. In particular, the GDPR provides exemptions from notifying the data subject, including where a disproportionate effort would be involved, whereas the APPI does not. In addition, the two legislations differ in regard to the timeframe in which PICs (controllers) must report data breaches, with the APPI providing a timeline of three to five days.
Consistency: Fairly Consistent
GDPR |
APPI |
Articles 5, 24, 32-34 Recitals 74-77, 83-88 |
Article 26 |
Similarities
1. The GDPR states that data controllers and data processors are required to implement appropriate technical and organisational security measures to ensure that the processing of personal data complies with the obligations of the GDPR. 2. In the case of a personal data breach, the data controller must notify the competent supervisory authority of the breach, unless the personal data breach is unlikely to result in a risk to the individuals' rights and freedoms. 3. The controller must notify the data subject of a data breach without undue delay if the data breach is likely to result in a high risk to the rights and freedoms of natural persons. 4. The GDPR states that data processors must notify the data controller without undue delay after becoming aware of the personal data breach. |
1. The APPI states that a PIC shall take necessary and appropriate action for the security control of personal data, including preventing any leakage etc. of its handled personal data. 2. When a statutory data breach is discovered, a PIC shall report certain matters to the PPC regarding the facts of the case and measures to prevent recurrence. 3. When a statutory data breach is discovered, a PIC shall notify the data subject thereof. 4. The APPI states that in the event of a statutory data breach at a consignee, the consignee must report the prescribed matters to the PPC and must notify the data subject thereof. However, the consignee is exempt from these obligations if the consignee reports the statutory breach to the consignor. |
Differences
1. Under the GDPR, the obligation of data controllers to notify data subjects when the data breach is likely to result in a high risk to the rights and freedoms of natural persons, is exempted in certain circumstances such as where: ⦁ appropriate technical and organisational protective measures have been implemented; ⦁ any subsequent measures have been taken in order to ensure that the risks are no longer likely to materialise; or ⦁ it would involve disproportionate effort. 2. Under the GDPR, a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, no later than 72 hours after having become aware of the breach. 3. The GDPR provides a list of technical and organisational measures, where appropriate, that data controllers and data processors may implement such as pseudonymisation, encryption and the ability to restore availability and access to personal data in a timely manner in the event of physical or technical incidents, to ensure integrity and confidentiality. |
1. Under the APPI, a PIC is required to report to the PPC in any of the following cases: ⦁ when a leakage of personal information containing special care-required personal information has occurred or is likely to occur; ⦁ when a leakage of personal information has occurred or is likely to occur that could cause property damage if misused; ⦁ when a leakage of personal information (including personal information that has been obtained or is about to be obtained by the PIC and is scheduled to be handled as personal data) has occurred or is likely to occur that may have been carried out for an improper purpose; and ⦁ when there has been or is likely to be a leakage involving more than 1,000 individuals in relation to the personal information. 2. As mentioned above, under the APPI, a statutory data breach must be notified to the PPC within 3-5 days after having become aware of the breach as a preliminary report and within 30 or 60 days after having become aware of the breach as a confirmed report. 3. The APPI and the notification do not include an equivalent provision. |
4.6. Accountability and good practice
Unlike the GDPR, the APPI does not explicitly refer to the concept of accountability. However, the APPI does contain provisions that can be taken to apply to accountability including the requirement to keep records in specific circumstances.
Consistency: Inconsistent
GDPR |
APPI |
Articles 5, 24-25 Recital 39 |
|
Similarities
1. Not applicable |
1. Not applicable |
Differences
1. The GDPR recognises accountability as a fundamental principle of data protection. Article 5 states that the data controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (accountability). In addition, the principle can be taken to underpin several other obligations, including the appointment of a DPO and DPIAs. |
1. The APPI does not explicitly refer to the term accountability. However, the APPI does contain provisions related to accountability, including the requirement to maintain records in relation to third-party provisions of personal data under Articles 29 and 30. |
RIGHTS
5.1. Right to erasure
Both the GDPR and the APPI allow individuals to request the deletion of their personal information unless exceptions apply. In addition, both laws allow for the exercising of this right free of charge. However, the two legislations diverge in regard to verification requirements, exceptions, as well as a data subject's right to be informed about the existence of the right, among other things. Notably, the APPI does not contain a requirement to inform other PICs handling personal information of the cancellation request.
Consistency: Fairly Consistent
GDPR |
APPI |
Articles 12, 17 Recitals 59, 65-66 |
Articles 22, 34, 35, 37(4), 38 |
Similarities
1. The right to erasure only applies where one of a set of specified grounds applies, such as where consent is withdrawn and there is no other legal basis for processing, or when personal data is no longer necessary for the purpose for which it was collected. The scope of this right is not limited to the data controller, but also impacts third parties, such as recipients, data processors and sub-processors that may have to comply with erasure requests. 2. This right can be exercised free of charge. However, there may be some instances where a fee may be requested, notably when the requests are unfounded, excessive, or have a repetitive character. |
1. When retained personal data of the principal is handled in violation of the provisions of Article 18, or is handled in violation of the provisions of Article 19, or is acquired in violation of the provisions of Article 20, the principal can demand the deletion of their personal information. A principal may demand that a PIC ceases the utilisation, etc. of retained personal data, or cease a third-party provision thereof, if it has become unnecessary for the PIC to utilise the retained personal data, if a situation prescribed in the main clause of Article 26(1) has occurred in connection with the retained personal data, or if there is a possibility that the handling of the retained personal data would harm the rights or legitimate interests of the principal. 2. This right can be exercised free of charge, with no exceptions set forth in the APPI. |
Differences
1. Among the exceptions to the right of erasure provided by the GDPR are: freedom of expression (free speech), freedom of information; processing for research purposes of personal data that, if erased, would impair the objectives of the research; establishment, exercise or defence of legal claims; and for complying with a legal obligation. A data controller is also exempted from complying with erasure requests for reasons of public interest in the area of public health. 2. Methods to submit a request include writing, orally and by other means which include electronic means when appropriate. If the data controller has made the personal data public, data controllers must take 'reasonable steps, including technical measures,' to inform other data controllers that are processing the personal data that the data subject has requested the erasure of any links to, or copy and/or replication of, that personal data. 3. The GDPR specifies that data controllers must have in place mechanisms to ensure that requests are made by a data subject whose personal data is to be deleted. 4. Data subjects must be informed that they are entitled to ask for their data to be erased. 5. Data subjects' requests under this right must be replied to without 'undue delay and in any event within one month from the receipt of the request'. The deadline can be extended by two additional months taking into account the complexity and number of requests. In any case, the data subject must be informed of such an extension within one month from the receipt of the request. |
1. Exceptions to deletion include: in cases where deletion of the retained personal data requires a large amount of expenses or other cases where it is difficult to fulfil deletion and when necessary alternative action is taken to protect a principal's rights and interests. 2. The APPI stipulates that the PIC may establish a method for receiving requests or demands from the principal. In this case, the principal shall make a request for deletion in accordance with the relevant method. 3. The APPI does not address the mechanisms for PICs to ensure that requests are made by the principal. 4. The APPI does not make reference as to whether principals must be informed of their right to request the cancellation of their personal data. 5. The APPI requires that PICs shall endeavour to delete personal data without delay when retaining the data is no longer necessary for the stated utilisation purpose for which they collected and held the data. PICs shall endeavour to act 'appropriately and promptly' when having received such complaints. There is no clarification on the meaning of 'without delay' in the APPI. |
5.2. Right to be informed
Both the GDPR and the APPI include provisions in relation to the information organisations must provide to individuals when collecting and processing their personal information. However, the legislations differ in regard to the information that must be provided to data subjects (principals). Specifically, the GDPR requires information on recipients or categories of recipients, the right to withdraw consent, and data retention periods, whereas the APPI does not.
Consistency: Fairly Inconsistent
GDPR |
APPI |
Articles 5, 12-14 Recitals 58-63 |
Articles 17, 21, 27, 32 |
Similarities
1. The GDPR states that information on the following must be provided to individuals: the identity of the data controller; the purposes of processing; the existence of data subjects' rights; the contact details of the data protection officer; transfers of personal data to third parties; and the right to lodge a complaint with a supervisory authority. 2. Data controllers cannot collect and process personal data for purposes other than the ones about which the data subject was informed, unless they provide them with further information. 3. The GDPR states that information must be provided to data subjects by data controllers at the time when personal data is obtained, if collected directly from data subjects. |
1. The APPI states that information on the following must be provided to the principal: the name or appellation and address of the PIC and, for a corporate body, the name of its representative; the utilisation purpose of all retained personal data (unless exemptions apply); the procedures for responding to a request in relation to the exercise of the principal's rights (only when specified); measures taken for the secure management of retained personal data pursuant to the provisions of Article 23 (excluding those that are likely to impede the secure management of retained personal data if disclosed to the individual concerned); and where to file complaints regarding the handling of retained personal data. 2. PICs must, in case of altering the utilisation purpose, inform the principal of, or disclose to the public, the altered utilisation purpose. 3. The APPI states that PICs must, in cases of having acquired personal information, except where the utilisation purpose has been disclosed in advance to the public, promptly inform a principal of, or disclose to the public, the utilisation purpose. |
Differences
1. The GDPR also states that information on the following must be provided to individuals: the categories of personal data processed; the legitimate interest of the data controller or the third party; the recipients or categories of recipients; transfer of data to third parties; the data retention period; the right to withdraw consent at any time; when providing the data is necessary for the performance of a contract, the possible consequences of not providing it; and the existence of automated decision-making including profiling, the logic involved, and the consequences of such processing. 2. The GDPR provides specific information that must be given to the data subject when their data is collected by a third party, which includes the sources from which the data was collected. Notice must be given within a reasonable period after obtaining the data, but at the latest within one month; or at the time of the first communication with the data subject; or when personal data are first disclosed to a recipient. |
1. In addition, the APPI states that in cases where the PIC acquires directly from a principal their personal information stated in a written document, they must state a utilisation purpose explicitly to the principal. 2. The APPI states that PICs must notify a utilisation purpose to a principal or publicise it in some way when data is collected directly but orally from the principal, or indirectly through a third party. |
5.3. Right to object
Both the GDPR and the APPI allow individuals to exercise their right to object (cease utilisation) and require businesses to provide individuals with information about this right. However, the scope of application of this right under the GDPR and the APPI differs.
Unlike the GDPR, the APPI does not outline any specific information on the right to object for direct marketing purposes and does not explicitly refer to the right to withdraw consent. However, the APPI allows a principal to request the deletion or cessation of use of retained personal data in the following cases: when there is no longer a need to use the retained personal data; when statutory data breaches occur; or when there is a risk of harm to the rights or legitimate interests of the principal.
Consistency: Fairly Inconsistent
GDPR |
APPI |
Articles 7, 18, 21 |
Articles 27, 32, 35 |
Similarities
1. The GDPR provides data subjects with the right to object to the processing of their personal data. 2. The GDPR states that where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the data controller may either charge a reasonable fee, or refuse to act on the request. The data controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request. |
1. The APPI provides principals with a right to demand that PICs cease utilisation of retained personal data that can identify them. 2. The APPI highlights that the obligation to cease utilisation and delete retained personal data does not apply if it requires a large amount of expenses, or in circumstances where it is difficult to fulfil a cease utilisation request and necessary alternative action is taken to protect a principal's rights and interests. A PIC shall endeavour to give an explanation to the principal if the PIC does not fulfil, entirely or partially, a demand to cease utilisation. |
Differences
1. Information about this right and on how to exercise it must be included in privacy notices. In particular, in the context of direct marketing, opting-out must be as easy as opting-in. 2. The GDPR provides that the right to object applies to the processing of personal data when the processing is based on the legitimate interests of a data controller or third party. The data controller would have to cease processing personal data unless it demonstrates that there are compelling legitimate grounds to continue the processing. Moreover, the data subject has the right to object to processing for direct marketing as well as to withdraw consent at any time. 3. Data subjects have several ways to opt-out of the processing of their personal data: they can withdraw consent; they can exercise the general right to object to processing that is based on legitimate interests or on a task carried out in the public interest; or they can object to the processing of their data for direct marketing purposes. |
1. PICs are required to make available to the principal information about, among other things, procedures for responding to a request to cease utilisation. 2. The APPI highlights that a principal may request a PIC to cease utilisation or delete retained personal data that can identify them if the data was handled in violation of Article 18 or Article 19, or acquired in violation of Article 20. In addition, the PIC must stop providing retained personal data to third parties, upon request by the principal, if the data was provided in violation of Article 27(1) or Article 28 of the APPI. 3. The APPI allows a principal to request the deletion or cessation of use of retained personal data in the following cases: ⦁ when there is no longer a need to use the retained personal data; ⦁ when a statutory data breach occurs; or ⦁ when there is a risk of harm to the rights or legitimate interests of the principal. |
5.4. Right of access
Both the GDPR and the APPI establish a right of access, which allows individuals to access personal data about them held by organisations.
However, the two laws have notable differences including the instances in which an organisation may refuse an access request. Furthermore, the APPI provides that a fee may be charged when access is granted.
Consistency: Inconsistent
GDPR |
APPI |
Articles 12, 15 Recitals 59-64 |
Articles 32, 33, 37, 38 |
Similarities
1. The GDPR recognises that data subjects have the right to access personal data that a data controller is processing about them. |
1. The APPI recognises that principals have the right to request a PIC to disclose retained personal data that can identify them. |
Differences
1. The GDPR states that, when responding to an access request, a data controller must indicate the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom personal data has been disclosed; and any sources from which the data was collected. In addition, under the GDPR, the data controller must include further information in response to an access request, notably the retention period, the right to lodge a complaint with the supervisory authority, the existence of automated decision-making, and the existence of data transfers. The GDPR specifies that individuals also have the right to receive a copy of the personal data processed about them. 2. Data controllers can refuse to act on a request when it is manifestly unfounded, excessive or has a repetitive character. The GDPR also states, 'that right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property, and in particular the copyright protecting software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the data controller processes a large quantity of information concerning the data subject, the data controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates'. 3. Data subjects must have a variety of means through which they can make their request, including through electronic means and orally. When the request is made through electronic means, the data controller should submit the response through the same means. 4. The GDPR specifies that data controllers must have in place mechanisms to confirm that the request is made by the data subject whose personal data is requested. 5. The GDPR states that data subjects can exercise this right free of charge. There may be some instances where a fee may be requested, notably when the request is unfounded, excessive or has a repetitive character. 6. Data subjects' requests must be actioned without 'undue delay and in any event within one month from the receipt of the request'. The deadline can be extended by an additional two months taking into account the complexity and number of requests. In any case, the data subject must be informed of such an extension within one month from the receipt of the request. |
1. The APPI states that a PIC shall disclose retained personal data about the principal, but it does not include a prescriptive list of the information a PIC must disclose as part of a disclosure demand. However, the APPI states that the PIC must, when requested by a principal, inform them of the utilisation purpose of retained personal data that can identify them. 2. PICs may refuse to disclose data in cases where disclosing such data would result in the possibility of harming a principal's or third party's life, body, fortune, or other rights and interests, seriously interfere with the PIC conducting its business properly, or violate other laws or regulations. 3. In principle, a PIC must disclose retained personal data by the method requested by a principal (including the method of electromagnetic recording (e.g., email)). 4. The APPI does not explicitly address mechanisms to ensure that the request is made by the principal whose retained personal data is requested. However, Article 37(1) of the APPI stipulates that a PIC may establish a method of identity verification as part of the method of exercising the rights of the principal, in which case the principal must follow such method. In addition, Article 37(3) states that a request can be made through an agent pursuant to those prescribed by a Cabinet Order. 5. The APPI states that PICs may collect a fee which is within a range recognised as reasonable considering the actual expenses when responding to a request, but only if the fee was specified by the PIC. 6. A personal information handling business operator shall, when requested by a principal to be informed of the utilisation purpose of retained personal data that can identify them, inform the principal without delay. |
5.5. Right not to be subject to discrimination for the exercise of rights
The right not to be subject to discrimination for the exercise of rights is explicitly included in neither the GDPR nor the APPI. However, some provisions based on the same principle can be found in both laws.
Consistency: Fairly Inconsistent
GDPR |
APPI |
Articles 5, 22 Recitals 39, 71-73 |
Article 3 |
Similarities
1. The GDPR does not explicitly include this right and therefore no scope is defined. 2. The GDPR does not include an explicit provision stating that a data subject must not be discriminated against on the basis of their choices on how to exercise their data protection rights. However, it is implicit from the principles of the GDPR that individuals must be protected from discriminatory consequences derived from the processing of their personal data. For example, Article 5 states that personal data must be processed 'fairly'. |
1. The APPI does not explicitly include this right and therefore no scope is defined. 2. The APPI does not include an explicit provision stating that a principal must not be discriminated against on the basis of their choices on how to exercise their data protection rights. However, it is implicit from its provisions that individuals must be protected against discrimination. For example, Article 3 states that personal information should be carefully handled 'under the vision of respecting the personality of an individual'. |
Differences
1. The GDPR also includes some provisions reflecting this principle, such as Article 13, which states that data subjects must be informed of the consequences derived from automated decision-making, and Article 22, which specifies that individuals have the right not to be subject to automated decision-making that has a legal or significant effect upon them. Additionally, the GDPR emphasises that when processing is based on consent, in order for consent to be valid, it must be freely given and the withdrawal of consent must be without detriment. |
1. The APPI does not include any provisions explicitly reflecting this principle. |
5.6. Right to data portability
The GDPR has introduced the right to data portability, which is the right of individuals to obtain their personal data in a structured, commonly usable, and machine-readable format when the processing is based on consent or a contract and is carried out by automated means. The APPI does not address a right to data portability. However, the APPI allows a principal to instruct a PIC on the method of disclosure, including disclosure by electromagnetic records, when requesting disclosure from the PIC.
Consistency: Inconsistent
GDPR |
APPI |
Articles 12, 20 Recital 68 |
|
Similarities
1. Not applicable. |
1. Not applicable. |
Differences
1. The GDPR recognises the right of individuals to obtain the personal data they provided in a structured, commonly usable and machine-readable format when the processing is based on consent or a contract and is carried out by automated means. |
1. The APPI does not recognise a right to data portability. |
ENFORCEMENT
6.1. Monetary penalties
Both the GDPR and the APPI provide for monetary penalties to be issued in case of non-compliance. However, the nature of the penalties differs: they are administrative under the GDPR, and criminal as well as non-criminal under the APPI.
Consistency: Fairly Inconsistent
GDPR |
APPI |
Articles 83, 84 Recitals 148-149 |
Articles 176-185 |
Similarities
1. The GDPR provides for monetary penalties in the case of non-compliance. |
1. The APPI provides for monetary penalties in the case of non-compliance. |
Differences
1. Administrative fines can be imposed by the competent data protection authority, taking into account that several data protection authorities may be involved if the violation concerns more than one Member State. 2. Depending on the violation that has occurred, the penalty may be up to either: 2% of global annual turnover or €10 million, whichever is higher; or 4% of global annual turnover or €20 million, whichever is higher. The amount of the penalty may also vary depending on 'the nature, gravity and duration of the infringement', the nature of the processing, the number of data subjects affected, the damages suffered, the negligent or intentional character of the infringement, etc., with a complete list in Article 83(2) of the GDPR. |
1. Criminal and non-criminal fines can be issued by a Court. 2. Depending on the violation that has occurred, the criminal penalty may be up to: ⦁ JPY 1 million (approx. €6,000) or imprisonment with work for not more than two years for a person involved in the PPC who has divulged, or used by stealth, a secret in violation of the provisions of Article 143. Article 184 states that this provision shall apply to a person who has committed an offence outside of Japan. ⦁ JPY 500,000 (approx. €3,000) or imprisonment with work for not more than one year for a PIC, or its employees or former employees, that have provided, or used by stealth, a personal information database etc. in relation to their business for the purpose of seeking their own or a third party's illegal profit. Article 184 states that this provision shall apply to a person who has committed an offence outside of Japan. ⦁ JPY 1 million (approx. €6,000) or imprisonment with work for not more than two years for a person that has violated an order pursuant to the provisions of Article 148(2) or (3). ⦁ JPY 500,000 (approx. €3,000) for a person who has failed to submit a report or material under Article 146(1), falsely responded, or refused, obstructed, or evaded an inspection; or failed to submit a report, or falsely submitted a report, under Article 153. ⦁ JPY 100 million (approx. €600,000) may be imposed if the PIC illegally provides a personal information database or violates the PPC's order pursuant to Article 148(2) or (3). ⦁ Non-criminal fines up to JPY 100,000 (approx. €600) may be issued to a person that has violated Article 30(2) or Article 56, has failed to submit, or falsely submitted, a notification under Article 51(1), or has received disclosure of retained personal data based on a disclosure decision prescribed in Article 85(3) by deception or other wrongful means. |
6.2. Supervisory authority
Both the GDPR and the APPI provide for the establishment of an authority with investigatory and corrective powers to supervise the application of the law and to assist organisations in understanding and complying with it. The GDPR also grants such an authority the power to impose monetary penalties, while the PPC, as regulated by the APPI, does not have the power to issue monetary penalties.
In addition, in the EU, national data protection authorities form part of the European Data Protection Board, a body that ensures the consistent application of the GDPR across Europe.
Consistency: Fairly Consistent
GDPR |
APPI |
Articles 51-59 |
Articles 130-170 |
Similarities
1. Data protection authorities have the task of promoting awareness and producing guidance on the GDPR. 2. The GDPR states that data protection authorities must act in 'complete independence when performing their tasks'. 3. Data protection authorities have investigatory powers, which include the power to 'conduct data protection audits, access all personal data necessary for the performance of its tasks, obtain access to any premises of a data controller and data processor, including equipment and means'. 4. Data protection authorities have corrective powers, which include 'issuing warnings, reprimands, to order the data controller and data processor to comply, order the data controller to communicate a data breach to the data subject, impose a ban on processing, order the rectification or erasure of data, suspend the transfer of data'. 5. The GDPR does not regulate how data protection authorities are funded, this being left to the Member States to decide. |
1. The PPC has the task of producing guidance and promoting the application of the APPI. 2. The APPI states that the Chairperson and the Commissioners 'exercise their official authority independently'. 3. The PPC has investigatory powers, which include requiring information and conducting on-site inspections. 4. The PPC has corrective powers, which include ordering a PIC to suspend the violating act or take other necessary action to rectify the violation, and providing guidance and advice. 5. The APPI does not include specific provisions establishing how the PPC is funded. |
Differences
1. Data protection authorities have the power to impose administrative fines. 2. The GDPR does not include prescriptive rules regarding the internal organisation of each supervisory authority, this being left to the Member States to decide. |
1. The PPC does not have the power to directly impose monetary penalties. 2. The APPI specifically regulates the internal structure of the PPC, which includes, among other things, provisions on the number of members, their status, and the length of their term. |
6.3. Civil remedies for individuals
The GDPR provides individuals with a cause of action to seek damages for privacy violations. The APPI outlines the procedure for when a principal wishes to file a lawsuit with regard to the rights to disclosure, correction, and cessation of utilisation.
Consistency: Fairly Inconsistent
GDPR |
APPI |
Article 82 Recitals 146-147 |
Article 39 |
Similarities
1. The GDPR provides that data subjects may bring a claim before the Court for violations of the GDPR. |
1. The APPI recognises that principals may file a lawsuit for violations of the APPI. The APPI specifically addresses the scenario in which a lawsuit is filed in connection with the right to disclosure, correction, and to cease utilisation. |
Differences
1. The GDPR provides that any violation of the GDPR can trigger a claim for judicial remedies, but does not specify the steps data subjects must take before bringing the matter to court. Data subjects can claim both material and non-material damages. 2. The GDPR allows Member States to provide for the possibility for data subjects to give a mandate for representation to a not-for-profit association or organisation that has as its statutory objective the protection of data subject rights. |
1. The APPI states that a principal may not file a lawsuit in connection with a demand related to the right of the principal, unless 'the principal had previously issued the demand against a person who should become the defendant in the lawsuit and two weeks have passed from the delivery day of the issued demand. This, however, shall not apply when the person who should become a defendant in the lawsuit has rejected the demand'. 2. The APPI does not include any provision explicitly recognising the possibility for principals to give a mandate for representation to associations and/or organisations. |
(*) This article is written by TMI Associates and OneTrust Technology Limited.