Zscaler and APPI
Japan’s general data protection law is the Act on the Protection of Personal Information (“APPI”). The APPI was first enacted in 2003, and significantly amended effective 2017, with further amendments to become effective April 1, 2022. The APPI is a comprehensive, cross-sectoral framework that regulates private businesses using personal information databases. The APPI incorporates the eight basic principles under the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data from the Organisation for Economic Co-operation and Development.
Similar to the GDPR distinction between controllers and processors, the APPI makes a distinction between entities (“business operators,” in APPI terminology) with the authority to control and make decisions about retained personal data (i.e. our customers), and third party service providers that act on behalf of a business operator in processing personal information (i.e. Zscaler).
With respect to cross-border transfers of personal information, the transfer or disclosure of personal data to a third party located outside of Japan requires the data subject's prior consent, unless an exception applies. Exceptions include: (1) the third party is in a country that offers the same level of protection for personal information as Japan, as determined by the Personal Information Protection Commission (the “Commission”) (currently only the European Economic Area and the UK have been so designated), or (2) the third party has established a system to continuously ensure that it undertakes the same level of protective measures required under the APPI. In Zscaler's End User Subscription Agreement, Zscaler commits to the protective measures required by the APPI.
In 2019, the European Commission determined that Japan provides a comparable level of protection of personal data to that in the European Union, thus permitting the free flow of personal data from the European Economic Area to Japan.
The revisions to the APPI that will take effect in April 2022 include expanding data subjects' control over their data, enabling internal big data uses under specific circumstances, and increasing fines for violations.
Zscaler is committed to our customers’ success, including compliance with the APPI, and will assist our customers in satisfying their APPI obligations.
What Is Personal Information Under the APPI?
Personal information under the APPI includes information about a living individual from which the identity of the individual can be ascertained, and includes information that enables identification of the individual by easy reference to, or combination with, other information.
With the 2017 revision to the APPI, “personal information” includes “personal identifier codes”: characters, numbers, symbols and/or other codes for computer use that represent certain specified personal physical characteristics (such as DNA sequences, facial appearance, finger and palm prints) that are sufficient to identify a specific individual. In addition, identifier numbers such as those on passports, driver's licenses and resident's cards are personal information.
The revised APPI added a new category of sensitive data that could be used as the basis for discrimination or prejudice, such as medical history, marital status, race, religious beliefs and criminal records. Business operators always need the prior consent of the individual concerned to process such sensitive data.
How Does Zscaler Comply with the APPI?
In its role as a processor of customer data that may be subject to the APPI, Zscaler has several compliance obligations, including the following:
1. Purpose of Use. The APPI requires that a business operator specify the purpose of use of the personal information collected; and once the purpose of use has been identified, the business operator may not make any changes to such purpose that is beyond the scope of the original purpose. Zscaler only uses customer data for the purpose of providing its services and products to the customer.
2. Sharing of Personal Information. With limited exceptions, the APPI does not permit personal information to be disclosed to a third party without the prior consent of the individual. Zscaler does not share customer data with third parties except as disclosed to and permitted by the customer (for example, the sub-processors listed at https://www.zscaler.com/legal/subprocessors).
3. Security. The APPI requires that business operators (i) take necessary and appropriate measures to safeguard and protect against unauthorized disclosure of, loss of, or damage to the personal information they process, and (ii) conduct necessary and appropriate supervision over their employees and service providers who process personal data. The Commission has promulgated mandatory and recommended security measures under the APPI. Consistent with the requirements of the APPI and the Commission’s guidance, Zscaler has developed and implemented security policies to protect all personal information against loss, theft, or any unauthorized access, disclosure, copying, use or modification, taking into account the sensitivity of the information and other factors.
4. Data breaches. Zscaler will promptly notify its customers of any data breach involving customer data and provide reasonable assistance to its customers to comply with any legally required notifications, including reports to Japan's Personal Information Protection Commission.
5. Cross-border transfers. As noted above, the APPI imposes restrictions on transfers of personal information outside of Japan. Zscaler satisfies the cross-border transfer requirements of the APPI by the commitments Zscaler makes to protect personal information in its End User Subscription Agreement. Zscaler will take all necessary measures to ensure the continued proper handling of personal information and the provision of information upon the request of data subjects.
6. Rights of data subjects. The APPI gives data subjects the right to require that a business operator disclose the purpose of processing of their personal information, how they can access and correct their personal information, how they can suspend the processing of their personal information, and where they can submit complaints concerning the handling of their personal information. Zscaler assists its customers in fulfilling their obligations to allow data subjects to exercise their rights under the APPI.
7. Audits. The APPI requires business operators that engage third party processors to evaluate the compliance of such third party processors with the APPI through onsite audits, periodic reporting, or other appropriate means. Zscaler will submit to audits or provide reports as necessary to demonstrate Zscaler’s compliance with the APPI.