Zscaler and APPI

Introduction

Japan’s general data protection law is the Act on the Protection of Personal Information (“APPI”). First enacted in 2003, and significantly amended effective 2017, the APPI is a comprehensive, cross-sectoral framework that regulates private businesses using personal information databases. The APPI incorporates the eight basic principles under the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data from the Organisation for Economic Co-operation and Development.

Similar to the GDPR distinction between controllers and processors, the APPI makes a distinction between entities (“business operators,” in APPI terminology) with the authority to control and make decisions about retained personal data (i.e. our customers), and third party service providers that act on behalf of a business operator in processing personal information (i.e. Zscaler).

With respect to cross-border transfers of personal information, the transfer or disclosure of personal data to a third party located outside of Japan requires the data subject's prior consent, unless an exception applies. Exceptions include: (1) the third party is in a country that offers the same level of protection for personal information as Japan, as determined by the Personal Information Protection Commission (the “Commission”) (currently only the European Economic Area and the UK have been so designated), or (2) the third party has established a system to continuously ensure that it undertakes the same level of protective measures required under the APPI, which may include entering into a data transfer agreement.

In 2019, the European Commission determined that Japan provides a comparable level of protection of personal data to that in the European Union, thus permitting the free flow of personal data from the European Economic Area to Japan.

In June 2020, Japan’s National Diet approved a bill to further amend the APPI. These amendments are expected to take effect in the spring of 2022. The proposed revisions include expanding data subjects' control over their data, enabling internal big data uses under specific circumstances, and increasing fines for violations. Zscaler will update these FAQs as appropriate to be consistent with such amendments.

Zscaler is committed to our customers’ success, including compliance with the APPI, and will assist our customers in satisfying their APPI obligations.

What is Personal Information Under the APPI?

Personal information under the APPI includes information about a living individual from which the identity of the individual can be ascertained, and includes information that enables identification of the individual by easy reference to, or combination with, other information. 

With the 2017 revision to the APPI, “personal information” includes “personal identifier codes”: characters, numbers, symbols and/or other codes for computer use that represent certain specified personal physical characteristics (such as DNA sequences, facial appearance, finger and palm prints) that are sufficient to identify a specific individual. In addition, identifier numbers such as those on passports, driver's licenses and resident's cards are personal information. 

The revised APPI added a new category of sensitive data that could be used as the basis for discrimination or prejudice, such as medical history, marital status, race, religious beliefs and criminal records. Business operators always need the prior consent of the individual concerned to process such sensitive data.

How Does Zscaler Comply with the APPI?

In its role as a processor of customer data that may be subject to the APPI, Zscaler has several compliance obligations, including the following:

  1. Purpose of Use. The APPI requires that a business operator specify the purpose of use of the personal information collected; and once the purpose of use has been identified, the business operator may not make any changes to such purpose that is beyond the scope of the original purpose. Zscaler only uses customer data for the purpose of providing its services and products to the customer.
  2. Sharing of Personal Information. With limited exceptions, the APPI does not permit personal information to be disclosed to a third party without the prior consent of the individual. Zscaler does not share customer data with third parties except as disclosed to and permitted by the customer (for example, the sub-processors listed at https://www.zscaler.com/legal/subprocessors).
  3. Security. The APPI requires that business operators (i) take necessary and appropriate measures to safeguard and protect against unauthorized disclosure of, loss of, or damage to the personal information they process, and (ii) conduct necessary and appropriate supervision over their employees and service providers who process personal data. The Commission has promulgated mandatory and recommended security measures under the APPI. Consistent with the requirements of the APPI and the Commission’s guidance, Zscaler has developed and implemented security policies to protect all personal information against loss, theft, or any unauthorized access, disclosure, copying, use or modification, taking into account the sensitivity of the information and other factors. 
  4. Data breaches. While the APPI does not require notification to data subjects or to the Commission following a data breach, the Commission has issued guidance mandating notifications under certain circumstances. Zscaler will promptly notify its customers of any data breach involving customer data and provide reasonable assistance to its customers to comply with any legally required notifications. 
  5. Cross-border transfers. As noted above, the APPI imposes restrictions on transfers of personal information outside of Japan. Zscaler will enter into data transfer agreements with its customers as necessary to satisfy the cross-border transfer requirements of the APPI.
  6. Rights of data subjects. The APPI gives data subjects the right to require that a business operator disclose the purpose of processing of their personal information, how they can access and correct their personal information, how they can suspend the processing of their personal information, and where they can submit complaints concerning the handling of their personal information. Zscaler assists its customers in fulfilling their obligations to allow data subjects to exercise their rights under the APPI.
  7. Audits. The APPI requires business operators that engage third party processors to evaluate the compliance of such third party processors with the APPI through onsite audits, periodic reporting, or other appropriate means. Zscaler will submit to audits or provide reports as necessary to demonstrate Zscaler’s compliance with the APPI.

Helpful Links Regarding the APPI

Japan Personal Information Protection Commission: https://www.ppc.go.jp/en/

Text of the APPI: https://www.jetro.go.jp/ext_images/usa/APPI.pdf 

NOTE: While this site is designed to help organizations understand the APPI in connection with Zscaler's services and products, the information contained herein may not be construed as legal advice and organizations should consult with their own legal counsel with respect to interpreting their unique obligations under Japan’s data protection laws.