APPI
Google has a long history of taking a user-first approach in everything we do. As a part of our commitment to users, we never sell personal information. We give users transparency and control over their ad experiences with tools like My Account, Why this Ad, and Mute this Ad. We also invest in initiatives such as the Coalition for Better Ads, the Digital News Initiative, the Google News Initiative and ads.txt in order to support a healthy, sustainable ads ecosystem.
In Japan, the Act on the Protection of Personal Information (APPI) is one of the regulations put in place to protect personal information. The Japanese government introduced a set of amendments to the APPI in June 2020. In May 2021, the Japanese government enacted the Act on the Establishment of Relevant Laws for the Formation of a Digital Society, and based on the Act, the APPI was revised (“Amended APPI”). The Amended APPI came into force on April 1, 2022.
The Amended APPI, amongst other things, includes rules relating to the processing of “personally referable information” (“PRI”) of Japanese users. The Amended APPI will require companies to, when providing PRI of Japanese users to a third party who will likely receive the information as Personal Data, confirm with the recipient that the recipient has obtained consent from data subjects to the transfer, and record the confirmation. PRI is Information about a living individual that does not fall under any of the following categories of data: “personal information”, “pseudonymously processed information” or “anonymously processed information”, each as defined in the APPI. PRI typically takes the form of identifiers that do not in themselves identify a specific individual (for example, a cookie ID) and are not stored alongside Personal Data (as defined in the APPI).
If your organization discloses PRI of Japanese users to Google in connection with your use of Google’s advertising or measurement products (i.e., a service listed in the Google Ads Data Protection Terms), this article provides you with the information to assist your compliance with the Amended APPI.
Google obtains user consent
When Google receives PRI from organizations in connection with Google advertising or measurement services, Google may combine it with Personal Data independently collected by Google. Where Google combines PRI with Personal Data that Google has independently collected, it does so on the basis of consent from data subjects and typically combines the data in order to “provide personalized services, including content and ads” and “measure performance” (see “Why Google collects data” in our Privacy Policy), for serving ads, and similar or related processing activities.
The details regarding Google’s handling of PRI are as follows:
- Personal information handling business operator details:
- Personal information handling business operator: Google LLC
- Physical address: 1600 Amphitheatre Parkway Mountain View, CA 94043 United States
- CEO name: Sundar Pichai
- Date of provision: Dates when you provide PRI to Google
- Types of data which may be considered PRI that Google may combine with Personal Data:
- Online identifiers such as cookie identifiers, internet protocol addresses and device identifiers, partner-provided identifiers, client identifiers; and other types of PRI described in the applicable Legal Notices to Users in Japan of Privacy Policy.
- Activity information that is connected to such online identifiers (such as browsing history), listed in our Privacy Policy.
- Measure to obtain the consent from data subjects (Amended APPI Article 31.1.1): Google obtains user consent via our Privacy Policy and Japan Privacy Policy Addendum
- Provision of information on the personal information protection systems in foreign countries (Amended APPI Article 31.1.2): Google LLC is a personal information business handling operator directly regulated under the APPI. Google LLC, including its subsidiaries and affiliates, has established a personal information protection system that complies with the standards set forth in the Personal Information Protection Commission Regulations (hereinafter referred to as the "Established System"). Therefore, Google LLC does not need to provide information on foreign personal information protection systems when obtaining user consent for PRI. For more information on Google’s Established System for personal information protection, please refer to Google Business Data Responsibility, Privacy Policy, or relevant Legal Notices to Users in Japan. If you require any additional information regarding the Established System, please contact your Google representative.