Japan adopted its Act on the Protection of Personal Information (APPI) in 2003, but by 2015, when a series of major data breaches hit the country, it became clear APPI’s requirements could no longer adequately protect Japanese data subjects. APPI therefore received an update in September 2015, with its new provisions coming into force on 30 May 2017, a year ahead of the EU General Data Protection Regulation (GDPR).
One of the biggest differences between APPI and the GDPR is their penalties. The GDPR’s fines are by now notorious and have gone a long way to scare companies straight: organizations found to be in breach of the GDPR’s core principles face fines of up to €20 million or 4% of their annual worldwide turnover, whichever is higher.
APPI’s financial penalties are negligible: organizations that choose to ignore administrative orders from the Personal Information Protection Commission (PPC) can be fined up to ¥500,000 (approximately €4,100). However, they also face the possibility of imprisonment of up to one year.