
Data Security Compliance for the Act on Protection of Personal Information in Japan

Thales helps organizations address the essential requirements for advanced encryption and key management of APPI.

Japan Act on Protection of Personal Information


The Act on the Protection of Personal Information (APPI), Act No. 57 of 2003, was enacted on May 15 and fully enforced in April 2003. Its aim is to protect the rights and interests of individuals while taking into account the usefulness of personal information.

The APPI has been revised three times in response to changes in economic and social conditions, such as the progress of digital technology and globalization, and to the growing awareness of personal information worldwide. The latest revision, enforced on Apr 4, 2022, consolidated and integrated the rules that apply to private businesses, national administrative agencies, independent administrative agencies, local government agencies and local incorporated administrative agencies.

Thales helps Japanese organizations comply with the Act on the Protection of Personal Information (APPI) by addressing essential requirements for advanced encryption and key management.


Regulation Overview

The Act on the Protection of Personal Information (APPI), Act No. 57 of 2003, is the primary legislation that applies to the collection and processing of personal data. The law was revised in 2017 and again in 2022.

The APPI establishes the Personal Information Protection Commission (PPC), a regulatory body that can issue guidance on the application and interpretation of the Law and its requirements.

The PPC has published practical guidance for the APPI (General Rules), organized into the 10 chapters below:

  • Chapter 1: Purpose and Scope of Application
  • Chapter 2: Definition
  • Chapter 3: Obligations of Business Operators Handling Personal Information
  • Chapter 4: Approach to Recommendations, Orders, Emergency Orders
  • Chapter 5: Exemptions
  • Chapter 6: Special Provisions for Application
  • Chapter 7: Responsibilities of Academic Research Institutions
  • Chapter 8: Extraterritorial application
  • Chapter 9: Revision of Guidelines
  • Chapter 10: Details of security control measures to be taken

Organizations based in Japan must comply with the APPI requirements when handling the personal data of data subjects. A foreign organization is subject to the APPI if the following three criteria are met:

  • Personal scope: The APPI applies if your organization handles the personal information of Japanese data subjects.
  • Territorial scope: If you collect the personal data of a data subject for the purpose of providing your products and services, and handle that personal data in a foreign country, you are subject to the APPI requirements.
  • Material scope: The APPI applies to the "handling" of personal data. Handling covers the collection, retention, use, transfer and any other handling of personal information.

Thales helps Japanese organizations comply with the Act on the Protection of Personal Information by addressing the following requirements for protecting personal information with advanced encryption and key management.

Requirement: Chapter 2-1: Personal Information; Chapter 3-5-3-1: Situations to be reported & Chapter 10-3: Organizational safety management measures

Encryption and tokenization can successfully secure sensitive data such as personal information; the cryptographic keys themselves must also be secured, managed and controlled by the organization to further strengthen data security.

Protect sensitive data

  • Organizations can secure sensitive data with CipherTrust Tokenization, which provides comprehensive data security capabilities, including file-level encryption with access controls, application-layer encryption, database encryption, static data masking, vaultless tokenization with policy-based dynamic data masking, and vaulted tokenization, to support a wide range of data protection use cases. CipherTrust Transparent Encryption (CTE) delivers data-at-rest encryption with centralized key management, privileged user access control, and detailed data access audit logging. This protects data wherever it resides: on-premises, across multiple clouds, and within big data and container environments.

Control:

Requirement: Chapter 10-6: Technical safety control measures

Network encryption protects data in motion, and a ransomware protection solution helps organizations detect cyber attacks and secure sensitive data.

  • Thales High Speed Encryptors (HSE) provide network-independent, data-in-motion encryption (layers 2, 3, and 4), ensuring data is secure as it moves from site to site, or from on-premises to the cloud and back.
  • CipherTrust Transparent Encryption Ransomware Protection (CTE-RWP) provides a non-intrusive way of protecting files and folders from ransomware attacks. It continuously monitors processes for abnormal I/O activity and alerts on or blocks malicious activity before ransomware can take complete hold of your endpoints and servers.

Recommended Resources

Data Security Compliance for The Act on the Protection of Personal Information in Japan - Compliance Brief

The Act on the Protection of Personal Information (APPI) was enacted on May 15 and fully enforced in April 2003, aiming to protect the rights and interests of individuals while considering the usefulness of personal information. Information such as name, gender, date of birth,...

Data Security Compliance with the Personal Data Protection Decree (PDPD) in Vietnam

Thales enables organizations to comply with PDPD Requirements by recommending the appropriate data security and identity management technologies.

Addressing Requirements of Personal Data Protection (PDP) Law of Indonesia – eBook

Indonesia passed its first Personal Data Protection (PDP) Law in 2022. The PDP Law is an effort to enhance the existing regulatory framework on personal data protection; it signifies the development of policies on personal data protection and confidentiality and strengthens...

Other key data protection and security regulations

GDPR

Regulation
Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.

PCI DSS

Mandate
Active Now

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Regulation
Active Now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.