The GDPR and the APPI both protect the personal information of their respective residents and impose strict data processing obligations on the businesses they cover. Yet their provisions differ significantly, and complying with one law doesn't guarantee compliance with the other.
This article will compare the major components of these laws, looking at their main provisions, scope, key requirements, and penalties for violations. Let's get into it.
- 1. The General Data Protection Regulation (GDPR): An Overview
- 1.1. Personal Data, Sensitive Data, and Processing Under the GDPR
- 1.2. Consumer Rights Under the GDPR
- 2. The Act on the Protection of Personal Information (APPI): An Overview
- 2.1. Personal Information, Special care-required data, and "Handling" under the APPI
- 2.2. Consumer Rights Under the APPI
- 3. Who Does Each Law Apply to?
- 3.1. Scope of the General Data Protection Regulation (GDPR)
- 3.2. Scope of the Act on the Protection of Personal Information (APPI)
- 4. What Does Each Law Require?
- 4.1. Requirements of the General Data Protection Regulation (GDPR)
- 4.2. Requirements of the Act on the Protection of Personal Information (APPI)
- 5. What are the Penalties for Violating Each Law?
- 5.1. Penalties for Non-Compliance with the GDPR
- 5.2. Penalties for Non-Compliance with the APPI
- 6. Summary
The General Data Protection Regulation (GDPR): An Overview
The EU's General Data Protection Regulation (GDPR) is the most renowned privacy legislation in effect today. Since it began to apply in May 2018, the GDPR has unified data protection law across the EU's member states, raised digital privacy standards, and inspired personal data protection laws around the world.
With seven data protection principles (the six in Article 5(1) plus accountability in Article 5(2)) and six lawful bases for processing (Article 6), the GDPR regulates how applicable organizations may collect and process the personal data of individuals in the EU. It also grants data subjects eight rights over their personal data.
Personal Data, Sensitive Data, and Processing Under the GDPR
Under the GDPR (Article 4(1)), personal data means:
"any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier..."
In practice, personal data includes but isn't limited to the following:
- Phone numbers
- Home/email addresses
- Social media handles
- Identification numbers
- Images or videos
- Banking information
The GDPR draws a distinction between ordinary personal data and "special categories of personal data" (Article 9), commonly called sensitive personal data. These include:
- Genetic data
- Biometric data (where processed to uniquely identify a person)
- Racial or ethnic origin
- Sex life or sexual orientation
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Health data
Because of the heightened risk these data types pose to individuals, processing them is prohibited by default and is allowed only where one of the specific exceptions in Article 9(2) applies (explicit consent, for example). Businesses that collect or process them are therefore held to stricter standards under the GDPR.
Furthermore, the GDPR regulates any operation performed on personal data, whether or not by automated means. It calls such operations "processing" (Article 4(2)), which covers, among others:
- Collection, recording, and organization
- Storage, adaptation, and alteration
- Retrieval, consultation, and use
- Disclosure by transmission, dissemination, or otherwise making available
- Alignment or combination
- Restriction, erasure, or destruction
Consumer Rights Under the GDPR
Chapter 3 of the GDPR sets out eight rights data subjects have over their personal data. They include the following:
- The right to know how businesses collect and process their personal data, including the purposes and lawful basis for processing
- The right to request access to their personal data
- The right to request that businesses correct inaccurate or incomplete personal data about them
- The right to request the deletion of their data under certain circumstances, such as when it's no longer needed or if data subjects withdraw their consent
- The right to request the restriction of their data in specific situations, such as when the accuracy of the data is contested
- The right to obtain their data in a structured, commonly used, and machine-readable format and transmit it to another organization
- The right to object to the processing of their personal data, including profiling and direct marketing activities
- The right not to be subject to a decision based solely on automated processing, including profiling, if it produces legal effects or similarly significantly affects them
The Act on the Protection of Personal Information (APPI): An Overview
The Act on the Protection of Personal Information (APPI) is Japan's central data protection law. Although it was first enacted in 2003, it has since undergone a number of significant revisions, most notably an amendment passed in 2015 (in force from May 2017) and another passed in 2020, which took full effect on April 1, 2022.
The 2015 amendment also created a new regulatory body, the Personal Information Protection Commission (PPC), an independent agency established in January 2016 to oversee and enforce the law.
Like the GDPR, Japan's APPI strengthens the privacy rights of its residents, safeguards personal information, and imposes specific responsibilities on applicable organizations.
However, the APPI differs from the GDPR in several important ways, notably in the terminology it uses for common data protection concepts. Let's take a closer look.
Personal Information, Special care-required data, and "Handling" under the APPI
Japan's APPI defines "personal information" in much the same way the GDPR defines "personal data": information about a living individual that can identify a specific individual, including where identification is possible by easy cross-referencing with other information. Typical examples include names, dates of birth, phone numbers, and email addresses.
Personal information also includes anything containing an "individual identification code": either a biometric feature converted into data for computer use (such as fingerprints, facial features, or DNA sequences) or a number or symbol assigned to a specific individual, such as a passport number, driver's license number, or My Number.
Like the GDPR, the APPI distinguishes between standard personal information and a more sensitive category known as "special care-required personal information."
Introduced by the 2015 amendment (in force from 2017), special care-required information is personal information whose handling calls for special care so as not to cause unfair discrimination or prejudice against the individual. As a rule, businesses need the individual's prior consent to acquire it.
Under the Act and its Cabinet Order, special care-required information includes:
- Race
- Creed (religious or political beliefs)
- Social status
- Medical history, including the results of medical examinations and any treatment received
- Physical or mental disabilities
- Criminal records, and the fact of having been treated as a suspect or defendant in criminal proceedings
- The fact of having been the victim of a crime
Finally, the APPI regulates actions performed on personal information, from collecting and using to sharing and destroying. It refers to all such actions as "handling," as opposed to the GDPR's term: "processing."
Consumer Rights Under the APPI
The APPI grants residents of Japan the following rights over their personal information:
- The right to be told the purpose for which a business uses their retained personal data and to request disclosure of that data, including records of its provision to third parties
- The right to request correction, addition, or deletion of content if their personal information is inaccurate or incomplete
- The right to request that a business stop using their personal information, or stop providing it to third parties, for example where it is being handled in violation of the Act or where its handling is likely to harm their rights or legitimate interests
- The right to request the deletion of their information in certain circumstances, such as when the data is no longer necessary for the purpose for which it was collected
Who Does Each Law Apply to?
The GDPR and APPI primarily apply to businesses operating in the EU and Japan, respectively. However, there's a bit more to it than that.
Scope of the General Data Protection Regulation (GDPR)
The GDPR has an extraterritorial reach. This means it not only applies to businesses within the EU but can apply to non-EU-based businesses if certain thresholds are met.
In short, the GDPR applies if:
- Your business has an establishment in the EU and processes personal data in the context of that establishment's activities, regardless of where the processing actually takes place
- Regardless of where your business is located, you offer goods or services (paid or free) to individuals in the EU, or you monitor their behavior within the EU (e.g., via web tracking cookies, behavioral advertising, or CCTV surveillance)
Merely holding data about someone who happens to be in the EU does not, by itself, bring a non-EU business into scope; there has to be targeting of, or monitoring within, the EU.
Notably, the GDPR doesn't discriminate based on business size. It applies to both small and large enterprises, including startups, freelancers, and non-profit organizations.
For more comprehensive coverage of the GDPR's scope, check out our article: Do I Need to Comply with the GDPR?
Scope of the Act on the Protection of Personal Information (APPI)
Like the GDPR, the APPI has an extraterritorial reach. It doesn't distinguish businesses based on their location, size, or the amount of personal information they handle.
The APPI applies to any "personal information handling business operator," that is, any entity (including small businesses, large corporations, and non-profit organizations) that uses a personal information database for its business. Foreign businesses are covered when they handle the personal information of individuals in Japan in connection with supplying goods or services to those individuals.
What Does Each Law Require?
The GDPR and APPI set out specific requirements for businesses operating in their respective jurisdictions. Let's briefly examine each law's requirements in turn.
Requirements of the General Data Protection Regulation (GDPR)
To comply with the GDPR, applicable businesses must observe the following requirements:
- Lawful Basis and Consent: The GDPR requires a lawful basis for every processing activity. Consent is one of the six bases, so it is needed only when no other basis applies; but when you rely on it, consent must be "freely given, specific, informed and unambiguous" (Article 4(11)), given by a clear affirmative act, and as easy to withdraw as it was to give (Article 7).
- Data Breach Notifications: If a personal data breach is likely to result in a risk to individuals' rights and freedoms, you must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33). Where the breach is likely to result in a high risk to individuals, you must also notify them without undue delay (Article 34). The notice should describe the nature of the breach, its likely consequences, and the measures taken or proposed to mitigate its effects.
- Data Protection Impact Assessments (DPIAs): The GDPR requires businesses to conduct DPIAs for high-risk data processing activities. A DPIA assesses the impact of your activities on individuals' privacy and recommends safeguards to mitigate risks.
- Data Protection Officer (DPO): If your business meets specific criteria under the GDPR, you may be legally required to appoint a DPO (though appointing one anyway is a best practice). A DPO oversees your data protection efforts, serves as your primary point of contact for privacy matters, and ensures GDPR compliance.
- Data Protection by Design and by Default (Article 25): Under the GDPR, businesses must build data protection principles like data minimization, purpose limitation, and security into their systems and processes from the outset, and must default to processing only the data necessary for each purpose. In other words, privacy measures belong in the design stage, not bolted on afterwards.
- International Data Transfers: If your business transfers personal data to third countries (countries outside the EEA), the transfer must rest on one of the GDPR's Chapter V mechanisms: an adequacy decision, standard contractual clauses, binding corporate rules, or another approved transfer tool, or, failing those, one of the narrow derogations in Article 49.
- Records of Processing Activities (ROPA): Under Article 30, businesses must maintain records of their processing activities, including purposes, categories of data subjects and data, recipients, retention periods, and a general description of the security measures implemented. Organizations with fewer than 250 employees are exempt unless their processing is likely to result in a risk to individuals, is not occasional, or involves special categories of data or criminal records.
- Data Security Measures: The GDPR requires you to implement appropriate technical and organizational data security measures to protect personal data from unauthorized access, alteration, disclosure, or destruction. The level of security you need largely depends on the nature and amount of the data you process.
Requirements of the Act on the Protection of Personal Information (APPI)
To comply with Japan's APPI, businesses need to adhere to the following key requirements:
- Consent: Unlike the GDPR, the APPI doesn't require consent to collect or use personal information, provided you specify the purpose of use and notify or publish it. However, you must obtain the individual's prior consent before using personal information beyond that purpose, before acquiring special care-required information, and, subject to exceptions, before providing personal data to a third party.
- Data Breach Notifications: Since the 2020 amendment, you must report to the PPC, and notify affected individuals, when a leak, loss, or damage of personal data involves special care-required information, is likely to cause financial loss through unauthorized use (payment card numbers, for example), was or was probably caused with a wrongful purpose such as a cyberattack, or affects more than 1,000 individuals. A preliminary report is due promptly after discovery and a final report within 30 days (60 days for breaches caused with a wrongful purpose). You must also act to contain the damage and prevent a recurrence.
- Security Measures: The APPI requires that you take necessary and appropriate measures to protect personal data from unauthorized access, loss, destruction, alteration, and leakage, and that you supervise the employees and contractors who handle it.
- Data Subject Requests: You need to set up measures to promptly honor consumers' privacy rights upon request, including disclosure, correction, cessation of use, and deletion of their personal information.
- Cross-Border Data Transfers: Before providing personal data to a third party outside Japan, you must obtain the individual's prior consent, unless the destination country has been designated by the PPC as offering an equivalent level of protection (currently the EU/EEA member states and the UK) or the recipient has put in place safeguards meeting APPI standards, for example by contract. Separately, the European Commission adopted an adequacy decision for Japan in 2019, so personal data can flow from the EU to Japan without additional GDPR transfer safeguards.
What are the Penalties for Violating Each Law?
Japan's APPI and Europe's GDPR set different penalties for violating their respective provisions. Let's examine each.
Penalties for Non-Compliance with the GDPR
The GDPR grants Data Protection Authorities (DPAs) the power to impose fines on non-compliant businesses, which can vary depending on the specific provisions violated.
There are two tiers of penalties outlined in the GDPR.
- For less severe violations (tier 1), the maximum fine is €10 million or 2% of the company's global annual turnover, whichever is higher. These fines typically apply to infringements such as inadequate record-keeping, failure to conduct DPIAs, or insufficient data security measures.
- For more severe violations (tier 2), the maximum fine is €20 million or 4% of the company's global annual turnover, whichever is higher. Tier 2 fines apply to infringements of consumers' rights, inadequate consent mechanisms, and cross-border data transfer violations, among others.
It's important to note that fines are not the only potential penalty under the GDPR. DPAs may also impose other corrective measures, including warnings, reprimands, limitations on processing activities, and temporary or permanent bans on data processing.
For more in-depth coverage of the GDPR's fines, check out our article: GDPR Fines
Penalties for Non-Compliance with the APPI
Japan's APPI sets out separate criminal penalties for individuals and businesses, which vary with the nature of the offence.
Following the 2020 amendment, an individual who fails to comply with a PPC order may face imprisonment of up to one year or a fine of up to ¥1 million (about $7,000), and a business whose officer or employee commits that offence may be fined up to ¥100 million (about $700,000). The same corporate fine applies where a personal information database is provided or misappropriated for improper gain.
Notably, most APPI violations don't lead directly to penalties. The PPC first issues guidance, recommendations, and then orders; criminal penalties attach to ignoring an order (or to the specific offences above) and are imposed through prosecution in the courts, not by the PPC itself.
Furthermore, while businesses are commonly expected to compensate affected data subjects voluntarily, data subjects retain the right to seek compensation through civil lawsuits if a business fails to do so.
Summary
Japan's APPI and the EU's GDPR share the common goal of promoting a privacy-focused approach in the digital age. Both prioritize consumer privacy and require businesses to uphold specific data protection standards to ensure transparency and accountability.
However, the GDPR has a broader reach and imposes stricter requirements, including more extensive rights for data subjects and higher penalties for violations.
To recap, here's a rundown of each regulation's key provisions.
The EU's GDPR:
- Applies to businesses offering goods/services to, monitoring the behavior of, or processing the personal data of individuals within the EU, regardless of their location
- Grants data subjects several rights, including the right to be informed, access, rectification, erasure, and data portability, among others
- Requires businesses to have a lawful basis for processing personal data and to obtain valid opt-in consent when consent is the basis relied on
- Sets out several privacy principles to guide the conduct of business operations
- Requires appointing a DPO (in some instances), implementing safeguards for international data transfers, and conducting DPIAs for high-risk processing activities
- Requires observing Privacy By Design principles, data breach notification obligations, and maintaining robust security safeguards
Japan's APPI:
- Applies to businesses handling the personal information of individuals in Japan, regardless of their location
- Requires businesses to observe consumer rights to access, correct, delete and suspend the use of their personal information
- Requires implementing adequate data security measures
- Requires prompt data breach notifications to affected individuals and the PPC
- Requires obtaining prior consent to acquire special care-required information, to provide personal data to third parties, and to transfer it abroad, unless a statutory exception applies