Japan: Data Protection in the Financial Sector

1. Governing Texts

The Act on the Protection of Personal Information (Act No. 57 of 2003, as amended in 2015) ('APPI') is the general privacy and data protection law in Japan.

The APPI sets out several obligations of a personal information handling business operator in respect of the collection, processing, and disclosure of personal data. 'Personal information handling business operator' means a person providing a personal information database etc., for use in business (Article 2(4) and (5) of the APPI).

In practice, almost all private sector organisations maintain databases containing personal information for use in business. Practically all private sector organisations are therefore regarded as personal information handling business operators and must comply with the APPI. For the purpose of this overview, the term 'entities handling personal information' is also used for personal information handling business operators.

The Amendment Act of the Act on the Protection of Personal Information ('Amendment Act 2020') was approved by the National Diet of Japan ('Parliament') on 5 June 2020 and promulgated on 12 June 2020. The new penalty provisions of the Amendment Act 2020 (Articles 83 to 87) entered into force on 12 December 2020. According to the cabinet order setting the enforcement date of the Amendment Act 2020 ('Cabinet Order No. 55', only available in Japanese), the remaining provisions will take effect on 1 April 2022, except for the transitional measures relating to Article 23(2), which have been effective since 1 October 2021.

On 12 May 2021, the Act on the Arrangement of Related Laws for the Formation of a Digital Society ('Formation of Digital Society Act', only available in Japanese) was approved by Parliament, and it was promulgated on 19 May 2021. Currently, the APPI governs personal information handled by private sector organisations, while personal information handled by public bodies is governed by the Act on the Protection of Personal Information Held by Administrative Organs and the Act on the Protection of Personal Information Held by Incorporated Administrative Agencies, among others. The Formation of Digital Society Act will integrate these three acts into one law and unify supervision under the Personal Information Protection Commission ('PPC'). It will not change the basic rules of the current APPI (including the Amendment Act 2020) on the handling of personal information.

1.1. Legislation

General legislation and guidelines

With regard to the financial sector, the PPC (an external bureau of the Cabinet Office of Japan) and the Financial Services Agency ('FSA') have jointly issued two publications, referred to in this overview as the PPC-FSA Guidelines and the Operational Instructions.

These two publications are intended to provide guidance on the practical steps that entities handling personal information in the financial sector need to take in order to handle personal information appropriately in accordance with Articles 6 and 8 of the APPI, reflecting the characteristics of personal information in the financial sector and the way it is used.

Sector specific guidelines

  • the PPC-FSA Guidelines;
  • the Operational Instructions;
  • the Q&As on Personal Information Protection in the Financial Field (only available in Japanese);
  • the Act on Prevention of Transfer of Criminal Proceeds (Act No. 22 of 2007) ('AML Law'; the Act and its latest consolidated text are only available in Japanese);
  • Cabinet Order No. 20 of 2008 for Enforcement of the Act on Prevention of Transfer of Criminal Proceeds ('Cabinet Order No. 20 of 2008', only available in Japanese); and
  • the Guidelines for Anti-Money Laundering and Combating the Financing of Terrorism (most recently updated on 19 July 2021).

1.2. Supervisory authorities

The regulators and supervisory authorities responsible for enforcing the regulations discussed are:

  • the PPC; and
  • the FSA. 

2. Personal and Financial Data Management

Collection of data - specifying utilisation purpose:

General requirements

As one of the basic rules of the APPI, entities handling personal information must specify the purpose of utilising personal information as explicitly as possible (Article 15(1) of the APPI). Entities handling personal information must handle personal information within the scope to achieve a utilisation purpose, and must not handle personal information without obtaining, in advance, a principal's consent when processing goes beyond the necessary scope to achieve a specified utilisation purpose (Article 16(1) of the APPI).

Specific requirements for the financial sector

In this regard, entities handling personal information in the financial sector must comply with Article 15 of the APPI and must specify the utilisation purpose as concretely as possible, so that the principal can reasonably infer what type of business the personal information will be used for and for what purpose. An abstract utilisation purpose, such as 'the information will be used for purposes required by our company', is not considered sufficiently specific. It is desirable to specify the utilisation purpose after presenting the financial instruments or services that will be provided, for example (Article 2(1) of the PPC-FSA Guidelines):

  • cases in which the company accepts deposits;
  • cases in which the company makes decisions regarding credit extension, and credit exposure management;
  • cases in which the company underwrites insurance, and cases in which it pays insurance money and insurance benefits;
  • cases in which the company conducts sales and soliciting activities for their services and financial instruments provided by the company or the affiliate company or the business partner;
  • cases in which the company, or affiliated company or the business partner, offers subscription of insurance;
  • cases in which the company conducts market research as well as research and development of financial instruments and services within the company; and
  • cases in which the qualification for purchasing specific financial instruments and services is checked.

In cases that the utilisation purpose for specific personal information is limited by laws and regulations, an entity handling personal information in the financial sector must clearly indicate this fact (Article 2(2) of the PPC-FSA Guidelines).

Where an entity handling personal information in the financial sector acquires personal information in the course of conducting credit business, it must obtain the principal's consent to the utilisation purpose, and the provision on the utilisation purpose in the contract etc. must be printed clearly and separately from the other provisions of the contract. The entity must not exploit its superior bargaining position to force the principal to agree to a utilisation purpose that allows personal information obtained in the course of credit business to be used for business other than credit extension, such as sending direct mail about financial instruments, as a condition of credit extension. The principal may refuse the utilisation purpose relating to the sending of direct mail (Article 2(3) of the PPC-FSA Guidelines).

In the case where an entity handling personal information in the financial field provides personal information to a personal credit data institution in the course of conducting credit business, the entity will state this clearly in the utilisation purpose. Furthermore, the entity needs to acquire the consent of the person for the clearly stated utilisation purpose (Article 2(4) of the PPC-FSA Guidelines).

Collection of data - proper acquisition:

General requirements

Entities handling personal information must not acquire personal information by deceit or other improper means (Article 17(1) of the APPI).

Specific requirements in financial sector

An entity handling personal information in the financial field must act in accordance with Article 17 of the APPI and must not acquire personal information by fraudulent or other dishonest means. When an entity acquires personal information from a third party, it should not unjustly infringe the person's interest, and the entity should not acquire personal information from a third party knowing that the personal information has been leaked from the party who conducted unjust actions, such as wrongful acquisition of personal information (the PPC-FSA Guidelines).

Collection of data - special care-required personal information:

General requirements

Entities handling personal information must, except in certain cases, not acquire 'special care-required personal information' without obtaining, in advance, a principal's consent (Article 17(2) of the APPI). The exceptions are:

  • in cases based on laws and regulations;
  • in cases in which there is a need to protect a human life, body or fortune, and when it is difficult to obtain a principal's consent;
  • in cases in which there is a special need to enhance public hygiene or promote fostering healthy children, and when it is difficult to obtain a principal's consent;
  • in cases in which there is a need to cooperate in regard to a central government organisation or a local government, or a person entrusted by them performing affairs prescribed by laws and regulations, and when there is a possibility that obtaining a principal's consent would interfere with the performance of the said affairs;
  • in cases in which the said special care-required personal information is opened to the public by a principal, a government organisation, a local government, a person set forth in each item of Article 76(1) of the APPI, or other persons prescribed by rules of the PPC; and
  • in other cases, prescribed by cabinet order as equivalent to those cases set forth in each preceding item.

In this regard, 'special care-required personal information' means personal information comprising a principal's race, creed, social status, medical history, criminal record, the fact of having suffered damage by a crime, or other descriptions etc. prescribed by the Cabinet Order on the APPI, the handling of which requires special care so as not to cause unfair discrimination, prejudice, or other disadvantage to the principal (Article 2(3) of the APPI).

Specific requirements in financial sector

Although the APPI does not have the definition of 'sensitive data,' the PPC-FSA Guidelines provide a specific requirement related to sensitive data for the financial sector.

An entity handling personal information in the financial sector must not acquire, use, or provide to a third party information on participation in union activities, family origin and registered domicile, healthcare, or sex life, or special care-required personal information (collectively, 'sensitive information'), except in the following cases (Article 5(1) of the PPC-FSA Guidelines):

  • cases in which the provision of personal data is required or otherwise justified by law;
  • cases in which the provision of personal data is necessary for the protection of the life, welfare, or property of an individual;
  • cases in which the provision of personal data is necessary for improving public hygiene or promoting the sound growth of children;
  • cases in which the provision of personal data is necessary for cooperating with a state institution, local public body, or an individual entity entrusted by one in executing the operations prescribed by laws;
  • cases in which acquiring, using, or providing sensitive information to a third party is necessary, within the range required for administrative procedures such as withholding tax at source, in relation to the political or religious organisations or labour unions to which the person belongs;
  • cases in which acquiring, using, or providing sensitive information to a third party is necessary within the range required for the transfer of rights and obligations arising from inheritance procedures;
  • cases in which acquiring, using, or providing sensitive information to a third party, based on the person's consent, is necessary within the range required for the execution of business operations, in order to secure the appropriate conduct of insurance business and other financial sector business; and
  • cases in which biometric information falling within sensitive information is used for personal identification based on the person's consent.

In addition, when an entity handling personal information in the financial sector acquires, uses, or provides sensitive information to a third party on any of the grounds listed above, it must handle the information with great caution so as not to acquire, use, or provide it in a manner that falls outside the ground relied upon (Article 5(2) of the PPC-FSA Guidelines).

2.1. Legal basis for processing

General data processing requirements

Entities handling personal information must strive to keep personal data accurate and up to date within the scope necessary to achieve a utilisation purpose, and to delete the personal data without delay when such utilisation has become unnecessary (Article 19 of the APPI). Entities handling personal information shall take necessary and appropriate action for the security of personal data including preventing the leakage, loss, or damage of the personal data they handle (Article 20 of the APPI).

Regarding necessary and appropriate actions for the security of personal data set out in Article 20 of the APPI, the APPI Guidance provides more specific measures to be taken by entities handling personal information as follows (Appendix of the APPI Guidance):

Matters to be taken as institutional security control measures:

  • development of organisational frameworks;
  • operation in accordance with the rules handling personal data;
  • preparing the measures to check the handling status in respect of the personal data;
  • organising the system to handle leaks, among other things; and
  • to grasp the handling status in respect of personal data and review security control measures.

The education of employees is to be taken as a human security control measure.

Matters to be taken as physical security control measures include:

  • management of the area which handles personal data;
  • protection against theft of the equipment and electronic media;
  • protection against the leak of the personal data when the personal data is carried; and
  • deletion of personal data and disposal of the equipment and electronic media.

Matters to be taken as technological security control measures include:

  • access control;
  • identification and authentication of persons accessing personal data;
  • protection against unauthorised external access, among other things; and
  • protection against leaks in connection with the use of the information system.

In addition to the above processing obligations, an entity handling personal information must not utilise personal information in a manner that may foment or prompt unlawful or unjust acts (new Article 16(2) of the Amendment Act 2020). Article 16(2) was newly stipulated to address cases that are not necessarily illegal under the current APPI but involve uses of personal information that cannot be overlooked from the viewpoint of protecting individual rights and interests, which is the purpose of the APPI, including uses that may facilitate or induce illegal or unjustifiable conduct.

Further, under the current APPI there is no legal obligation to report a leakage of personal data to the principal or to a relevant authority. Article 22(2) of the Amendment Act 2020 makes it mandatory for an entity handling personal information to report to the PPC, and to notify the principal, when an incident such as a leakage of personal data occurs that may harm individual rights and interests, limited to specific categories of incident (including leakages affecting more than a certain number of individuals). The amended APPI Enforcement Rules set out the situations in which a report is required as follows (new Article 6(2) of the Enforcement Rules):

  • where the personal data including special care-required personal information is leaked, lost, or damaged;
  • where the personal data of which leakage will likely result in harm to property of the individual if such information is used for improper purpose is leaked, lost, or damaged;
  • where the leakage, loss, or damage of the personal data occurred for improper purpose; and
  • where the leakage, loss, or damage of personal data involves, or is likely to involve, the personal data of 1,000 or more individuals.

An entity handling personal information must report such a data breach to the PPC no later than 30 days (or 60 days where the leakage, loss, or damage occurred for an improper purpose) after it became aware of the breach, and must notify the affected individuals promptly according to the circumstances (new Articles 6(4) and 6(5) of the amended APPI Enforcement Rules). The amended Enforcement Rules also specify the items that must be included in the report to the PPC (new Article 6(3)). The draft amendment to the APPI Guidance elaborates these rules with more detailed interpretive guidance and examples: case examples falling under each of the reporting requirements above, the contents and timeline of the report, and examples of exemptions where no report is required. The guidance helps clarify how and when a data breach must be reported.

Financial sector data processing requirements

In accordance with Article 19 of the APPI, an entity handling personal information in the financial field must endeavour to ensure that personal data is accurate and up to date within the scope necessary for the achievement of the utilisation purpose.

Thus, entities must determine the retention period of retained personal data according to their utilisation purposes, such as fixing the retention period for personal information for depositors or insurance contractors to be within a certain period after the expiry of the contract, etc. Personal data shall be deleted following this period (Article 7 of the PPC-FSA Guidelines).

With regard to necessary and appropriate actions for the security control of personal data set out in Article 20 of the APPI, an entity handling personal information in the financial field must also take necessary and suitable measures for the development of implementation structures pertaining to security control measures and basic guidelines and development of rules pertaining to security control measures, for the prevention of leakage, loss, or damage, and for other security controls for the personal data that it handles. The necessary and appropriate measures must include institutional security control measures, human security control measures, and technological security control measures, as laid out according to the respective levels of acquisition, usage, and retention of personal data (Article 8 of the PPC-FSA Guidelines).

Specifying the utilisation purpose and purpose limitation

Article 15 of the APPI provides that entities handling personal information must, in handling personal information, specify the purpose of utilising personal information as explicitly as possible.

For financial institutions specifically, an abstract utilisation purpose must not be considered as a sufficiently specific utilisation purpose. It is desirable to specify the utilisation purpose after presenting the financial instruments or services that will be provided (Article 2 of the PPC-FSA Guidelines).

Security control of personal data

Article 20 of the APPI requires that entities handling personal information take necessary and appropriate action for the security control of personal data, including preventing the leakage, loss, or damage of its handled personal data.

With regard to necessary and appropriate actions for the security control of personal data set out in Article 20 of the APPI, an entity handling personal information in the financial sector must also take necessary and suitable measures on the development of an implementation structure, basic guidelines, and rules pertaining to security control measures for the prevention of leakage, loss, or damage, and for other control of security of personal data that the entity handles (Article 8 of the PPC-FSA Guidelines).

Obtaining consent for transfer of personal data

Article 23 of the APPI provides that entities handling personal information must, except in certain cases, not provide personal data to a third party without obtaining the data subject's consent in advance.

In the financial sector, consent regarding provision to third parties should, in principle, be obtained in a written document.

Right to access

Article 28 of the APPI provides that a principal may demand that an entity handling personal information disclose retained personal data that can identify the principal. When an entity handling personal information receives such a demand, it must disclose the retained personal data to the principal without delay by delivering a written document (or by another method agreed to by the principal). However, where disclosure falls under any of the following cases, all or part of the data may be withheld:

  • cases in which there is a possibility of harming a principal or third party's life, welfare, property, or other rights and interests;
  • cases in which there is a possibility of interfering seriously with the personal information handling business operator implementing its business properly; and
  • cases of violating other laws or regulations.

In this regard, the Amendment Act 2020 has introduced the following amendments:

  • A principal may demand that an entity handling personal information cease utilising, or delete, retained personal data. Under the current APPI, this is allowed only if retained personal data that can identify the principal is being handled beyond the specified utilisation purpose or has been acquired by deceit or other improper means. In order to strengthen the principal's involvement in retained personal data, while taking the burden on business operators into account, the Amendment Act 2020 eases the requirements for cessation of utilisation, deletion, and cessation of provision to a third party: new Article 30(5) provides that the principal may demand cessation of utilisation or deletion of personal data where there is a possibility that the principal's rights or legitimate interests will be harmed.
  • The Amendment Act 2020 also gives the principal the option to specify the disclosure method when requesting disclosure of retained personal data (new Article 28(1)(2) of the Amendment Act 2020). Currently, retained personal data may only be disclosed by delivering a written document. To make disclosed data easier for the principal to use, the principal will be able to specify the disclosure method, including provision as an electronic or magnetic record, and the personal information handling business operator will, as a general rule, be obliged to disclose by the specified method. However, if the specified method would incur substantial costs or is otherwise difficult to carry out, disclosure by delivering a written document will be allowed provided the business operator notifies the principal.
  • Under new Article 28(5) of the Amendment Act 2020, the scope of data that must be disclosed on the principal's demand will expand to include records of third-party provision of the principal's personal data (e.g. the date of provision and the name or appellation of the third party), in order to ensure the traceability of personal data.

2.2. Privacy notices and policies

Taking into consideration the importance of clearly explaining how personal data is handled, an entity handling personal information in the financial sector must formulate a statement of its intentions concerning the handling of personal data, by way of a privacy policy, privacy statement, or similar document (a 'pronouncement concerning the protection of personal information'), and publicise it by means such as posting it on its website or at its counters, or making it readily available at the counter. Examples of the contents of such a pronouncement include (Article 18(1) of the PPC-FSA Guidelines):

  • pronouncements concerning protection of personal information, including statements on observance of relevant laws and regulations, observance of engagement against use of personal information for purposes other than those stated in the utilisation purpose, appropriate handling of complaints, etc.;
  • a clear explanation of procedures for the notification and publicising of the personal information's utilisation purpose stated in Article 18 of the APPI;
  • a clear explanation of procedures for the handling of personal information, such as the procedures for disclosure stated in Article 27 of the APPI; and
  • providing means for handling complaints and queries regarding the handling of personal information.

2.3. Data security and risk management

Article 8 of the PPC-FSA Guidelines provides security control measures which should be taken by entities handling personal information in the financial sector.

An entity handling personal information in the financial sector must take necessary and suitable measures on the development of implementation structures pertaining to security control measures and basic guidelines and development of rules pertaining to security control measures, for the prevention of leakage, loss, or damage, and for other security controls of the personal data that it handles. The necessary and appropriate measures must include institutional security control measures, human security control measures, and technological security control measures to be laid out according to the respective levels of collection, use, and retention of personal data. In this regard:

  • 'institutional security control measures' refer to framework development and implementation measures for entities handling personal information, such as clearly stating the responsibility and powers of the employee concerned to ensure the control of security of the personal data (Article 21 of the APPI), and developing and implementing rules, etc. on security control, and conducting inspections and audits of their performance status, etc.;
  • 'human security control measures' mean supervising employees to ensure compliance with personal data safety measures by concluding contracts on non-disclosure of personal data with employees, and by educating and training employees; and
  • 'technological security control measures' mean technological measures on security control of personal data, such as controlling access to personal data and information systems that handle personal data and monitoring information systems, etc.

Basic guidelines and rules pertaining to security control measures

As an undertaking to develop basic guidelines and rules pertaining to security control measures of personal data, an entity handling personal information in the financial sector must implement the institutional security control measures as listed below:

  • development of rules, etc.:
    • development of basic guidelines pertaining to security control measures for personal data;
    • development of rules pertaining to security control measures for personal data;
    • development of rules pertaining to outsourcing; and
    • development of rules pertaining to inspection and audit of the handling of personal data; and
  • rules pertaining to security control at the respective handling stages:
    • rules for the acquisition and input stage;
    • rules for the use and processing stage;
    • rules for the retention stage;
    • rules for the transfer and sending stage;
    • rules for the deletion and disposal stage; and
    • rules for responding to cases of information leakage.

Implementation structures pertaining to security control measures

As an undertaking to develop implementation structures pertaining to security control measures of personal data, an entity handling personal data in the financial sector must implement institutional security control measures, human security control measures, and technological security control measures, as listed below.

Institutional security control measures

  • assigning employees responsible for controlling personal data, etc.;
  • developing security control measures in rules of employment, etc.;
  • operational compliance with rules pertaining to security control measures for personal data;
  • developing measures to confirm the handling situation for personal data;
  • developing and implementing an inspection and audit framework for the handling of personal data; and
  • developing a framework to respond to instances of data leakage.

Human security control measures

  • concluding contracts on non-disclosure of personal data with employees;
  • clarifying employees' roles and responsibilities, etc.;
  • familiarising, educating, and training employees on security control measures; and
  • confirming employee compliance with personal data management procedures.

Technological security control measures

  • identifying and authenticating personal data users;
  • controlling access and setting up management classifications for personal data;
  • managing access authority for personal data;
  • setting up preventative measures against leakage and damage to personal data;
  • recording and analysing access to personal data;
  • recording and analysing the operational status of information systems handling personal data; and
  • monitoring and auditing information systems handling personal data.

2.4. Data retention/record keeping

Although there is no specific retention period stated in the APPI, entities handling personal information in the financial sector must determine the retention period of the retained personal data according to their utilisation purposes, such as fixing the retention period for personal information for depositors or insurance contractors within a certain period after the expiry of the contract, etc. Personal data shall be deleted following this period (Article 7 of the PPC-FSA Guidelines).

3. Financial Reporting and Money Laundering

General requirements

The legal requirements and local rules on the collection, processing, storage, and transfer of data for the purposes of customer due diligence, Know Your Customer ('KYC'), transaction reporting, and other law enforcement and compliance purposes are as discussed in the foregoing with respect to the collection, processing, storage, and transfer of data for entities in the financial sector (please see section on personal and financial data management above).

Anti-money laundering

However, there are some exceptional rules from the viewpoint of anti-money laundering ('AML'). The basic requirements on AML and combating the financing of terrorism ('CFT') in Japan, such as identification and verification at the time of transactions, are prescribed in the AML Law and the Foreign Exchange Act.

Financial institutions licensed or registered to conduct operations under:

  • the Banking Act (Act No. 59 of 1 June 1981) ('the Banking Act'; the latest version, as of 1 November 2021, is available in Japanese only here);
  • the Insurance Business Act (Act No. 105 of 7 June 1995) ('the Insurance Act'; the latest version, as of 1 November 2021, is available in Japanese only here);
  • the Financial Instruments and Exchange Act (Act No. 25 of 13 April 1948) ('the Financial Instruments and Exchange Act'; the latest version, as of 11 November 2021, is available in Japanese only here); or
  • other laws that introduce legislation for each type of business in the financial sector,

are legally regarded as a 'specified business operator' under the AML Law, as well as 'banks, etc.' or 'financial institutions, etc.' under the Foreign Exchange Act, and are therefore subject to the relevant requirements prescribed in those laws and regulations.

The AML Law requires that financial institutions report suspicious transactions to the administrative agency (Article 8 of the AML Law). The items which should be reported by financial institutions are as follows (Article 16 of Cabinet Order No. 20 of 2008):

  • name and location of the specified business operator reporting the suspicious transactions;
  • date and place of the suspicious transactions;
  • types of operations through which suspicious transactions have occurred;
  • types of subject assets of suspicious transactions;
  • information related to the identification and verification at the time of suspicious transactions; and
  • reasons for the suspicious transaction report.

Information related to identification and verification at the time of suspicious transactions may include personal information that can identify a specific individual, such as name, residential address, and date of birth, which the financial institution may obtain during customer due diligence or KYC procedures (Article 4 of the AML Law).

Relationship between the APPI and the AML Law

Exceptions to the utilisation purpose limitation

As a general rule, entities handling personal information must handle the personal information within the scope to achieve a utilisation purpose and must not handle personal information without obtaining in advance a principal's consent for processing beyond the necessary scope to achieve a utilisation purpose specified in accordance with Article 15 of the APPI (Article 16(1) of the APPI).

This rule does not apply to cases in which the handling of personal information is based on laws (Article 4 of the PPC-FSA Guidelines). The AML Law is one example of such laws, and financial institutions may therefore handle personal information for the purpose of suspicious transaction reports.

Exceptions to notice of utilisation purpose

As a general rule, the utilisation purpose must promptly be informed to a principal when an entity handling personal information acquires the personal information of the principal, unless it has been disclosed in advance to the public (Article 18(1) of the APPI).

This rule does not apply to cases where informing a principal of, or disclosing to the public, a utilisation purpose could harm the life, welfare, property, or other rights and interests of the principal or a third party (Article 18(4) of the APPI). In this regard, Article 6 of the PPC-FSA Guidelines states that information related to reporting suspicious transactions pursuant to Article 8 of the AML Law is one example of a case in which the general rule does not apply.

Exceptions to obtaining consent for transfer of personal data

Article 23 of the APPI provides that entities handling personal information must, except in certain cases, not provide personal data to a third party without obtaining in advance a principal's consent. One of the exceptional cases includes cases based on laws and regulations, and if the transfer of personal data is required under certain laws and regulations, entities handling personal information do not need to obtain a principal's consent in advance.

The AML Law is one example of a law under which financial institutions need not obtain customer consent in advance, namely in the case of suspicious transaction reports in accordance with Article 8 of the AML Law.

4. Banking Secrecy and Confidentiality

Financial institutions generally have secrecy and confidentiality obligations regarding customer information under the contract (whether explicit or implicit), commercial custom, or the principle of good faith and mutual trust, even if there is no written confidentiality agreement (see Supreme Court of Japan Decision of 11 December 2007, 2007 (Kyo) 23 Minshu Vol. 61, No. 9).

The banking secrecy obligations can be released, and the information shared, in cases where such release or sharing is required by laws and regulations. Therefore, if the transfer of personal data is required under certain laws and regulations, the financial institution may transfer customer information without breaching its secrecy obligations and does not need to obtain customer consent in advance.

The examples of cases in which the transfer of the information is required are as follows:

5. Insurance

Insurance companies are under the jurisdiction of the FSA. Therefore, the APPI and the PPC-FSA Guidelines will apply to the insurance industry as well as other financial industries, including the banking and securities industry. In relation to an overview of the general rule under the APPI and the specific rule under the PPC-FSA Guidelines, see section on personal and financial data management above.

6. Payment Services

The Payment Services Act (Act No. 59 of 24 June 2009) ('Payment Services Act'; the latest version, as of 1 May 2021, is only available in Japanese here) is a specific regulation regarding payment services in Japan. The purpose of the Payment Services Act is to enforce registration and provide other necessary measures with respect to the issuance of prepaid payment instruments, exchange transactions carried out by persons other than deposit-taking institutions, exchange of virtual currency, etc., and the clearing of exchange transactions between deposit-taking institutions, in order to ensure the appropriate provision of payment services and the protection of their users, etc., and to promote the provision of those services, thereby contributing to the improvement of the safety, efficiency, and convenience of the payment and settlement system (Article 1 of the Payment Services Act).

Financial institutions registered to conduct operations under the Payment Services Act are under the jurisdiction of FSA. Therefore, the APPI and the PPC-FSA Guidelines will apply to payment service providers regarding the collection, processing, and transfer of personal information.

7. Data Transfers and Outsourcing

Transfer of data - transfer to third party:

General requirement

Entities handling personal information shall, except in certain cases (i.e. in cases based on laws and regulations), not provide personal data to a third party without obtaining a principal's consent in advance (Article 23(1) of the APPI).

Specific requirements in financial sector

In the financial sector, consent regarding the provision of personal data to third parties, in principle, must be obtained in a written document. Thereby, it will be understood that the person's consent is attained after the person's recognition of the following:

  • third parties to whom the personal data will be provided;
  • the utilisation purpose of the third party who receives the data; and
  • the contents of the information that will be provided to the third party.

When providing personal data to personal credit data institutions, since the information will be provided to the member companies of the personal credit data institution via the former, the entity handling personal information that is responsible for providing personal data to the personal credit data institution must have secured the consent of the data subject. When obtaining such consent, the person needs to be able to make a judgment regarding the consent after clearly recognising that their personal data will be provided to the member companies of the personal credit information institution.

Thus, the entity will indicate, in the document aimed at obtaining the principal's consent on the matters prescribed above, the fact that personal data will be provided to the member companies of the institution, and provide the list of those who will be using personal data as the member companies of the institution. This list needs to objectively and clearly indicate the denotation of 'those who will be using personal data as the member companies of the institution,' and demonstrate this with sufficient concreteness that allows the person to decide whether to agree or disagree, such as by listing the names of the member companies, listing the home page address (i.e. matters prescribed in Article 18 of the APPI, including contact address of the complaint handling section) that publicises the institution's rules and names of member companies.

In addition, in the rules regarding the personal credit data institution that will be shown to the person, it will be appropriate to clearly indicate the qualification for joining the institution and the denotation of the member companies, and to expressly state the measures for sanctions against the breach of observance with confidentiality obligations and breach of obligations for laying down a framework for control of security confidentiality, from the viewpoint of the appropriate management of personal data and prevention of information use for purposes other than those stated in the utilisation purpose.

As for information regarding the debt service capacity of those who are in need of funds attained from personal credit information institutions, an entity handling personal information in the financial field must handle such information in a prudent manner, so as not to use the information for purposes other than inquiring into the debt service capacity of those who are in need of funds.

Transfer of data - opt-out:

General requirements

Notwithstanding Article 23(1) of the APPI, entities handling personal information with regard to personal data provided to a third party (excluding special care-required personal information), may provide the personal data to a third party, in cases where such provision of personal data that can identify the principal is set to cease in response to a principal's request, and when the entity has in advance informed a principal of those matters set forth in the following or put them into a state where a principal can easily know, and notified them to the PPC (Article 23(2) of the APPI):

  • intention to set a third-party provision as a utilisation purpose;
  • the categories of personal data provided to a third party;
  • the method of third-party provision;
  • capacity to cease, in response to a principal's request, a third-party provision of personal data that can identify the principal; and
  • a method of receiving a principal's request.

In this regard, the scope of personal data that can be provided to a third-party without a principal's consent based on the opt-out provisions will be limited under the Amendment Act 2020.

Even under the current APPI, the personal data that can be provided to a third party without a principal's consent based on the opt-out provisions excludes special care-required personal information such as the principal's race, creed, social status, medical history, criminal record, fact of having suffered damage by a crime, or other descriptions, etc., as explained above. However, in order to further prevent an opt-out business operator from improperly obtaining personal information and to protect individual rights and interests, the scope of personal data that can be provided to a third party without the principal's consent based on the opt-out provisions will be limited further.

According to Article 23(2) of the Amendment Act 2020, personal data which was illegally obtained (Article 17), and personal data which was itself received under the opt-out provisions, cannot be provided to a third party based on the opt-out provisions.

Specific requirements in financial sector

The opt-out provisions do not apply when an entity handling personal information in the financial field provides a personal credit information institution with information regarding personal debt capacity pertaining to credit business; such an entity must obtain the principal's consent in accordance with the third-party provision rules discussed in the foregoing (Article 23(2) of the APPI).

8. Breach Notification

The PPC-FSA Guidelines provide sector-specific requirements for financial institutions to notify regulators and clients or consumers of a data breach.

Notification to regulators

In the event of the leakage or other breach of personal information, or the leakage of information concerning descriptions, etc. and individual identification codes deleted from personal information used to produce anonymously processed information, or of information relating to a processing method carried out pursuant to Article 36(1) of the APPI (hereinafter referred to as a 'personal information leakage or other incident'), entities handling personal information in the financial sector shall immediately report the incident to the relevant supervisory authority (Article 17(1) of the PPC-FSA Guidelines).

Notification to clients or consumers

In the event of the leakage of personal information or other related incident, entities handling personal information in the financial sector shall promptly inform the principal in question involved in the relevant incident of the facts concerning the incident (Article 17(3) of the PPC-FSA Guidelines).

9. Fintech

There are no specific laws, regulations, or guidelines that set out specific requirements for financial institutions when handling personal information using Fintech.

10. Enforcement

Penalties for violating the APPI

There are mainly two types of penalties for non-compliance with the APPI: administrative and criminal penalties.

Administrative penalty

The PPC has the authority to supervise, inspect, and provide a personal information handling business operator with necessary guidance or advice on the handling of personal information (Articles 40 and 41 of the APPI).

If the personal information handling business operator has violated certain provisions, the PPC may request the personal information handling business operator to suspend the violation or take other necessary action to rectify the violation (Article 42(1) of the APPI).

The PPC may, when recognising that a serious infringement of an individual's rights and interests is imminent in cases where a personal information handling business operator having received a recommendation pursuant to the provisions under the Article 42(1) of the APPI did not take action in line with the recommendation without legitimate grounds, order such operator to take action in line with any such recommendation (Article 42(2) of the APPI).

Such orders are binding on operators. Therefore, if an operator has violated an order pursuant to the provisions of Article 42(2) or (3), as a criminal penalty, the operator may be punished by imprisonment with labour for not more than six months or a fine of not more than JPY 300,000 (approx. €2,320) (Article 84 of the APPI). This penalty will be reinforced under new Article 83 of the Amendment Act (i.e. imprisonment with labour for not more than one year or a fine of not more than JPY 1 million (approx. €7,730)).

Criminal penalty

In addition to the above, the following criminal penalties may be applicable under the APPI:

  • a person who has divulged or used by stealth a secret in violation of the provisions of Article 72 shall be punished by imprisonment with work for not more than two years or a fine of not more than JPY 1 million (approx. €7,730) (Article 82 of the APPI); or
  • a personal information handling business operator (or, if it is a corporate body, including a non-corporate body having appointed a representative or administrator, its director, representative, or administrator (the same applies in Article 87(1))), its employee, or a person who used to be such a business operator or employee who has provided or used by stealth a personal information database etc. (including wholly or partially duplicated or processed copies) that they handled in relation to their business, for the purpose of seeking their own or a third party's illegal profits, shall be punished by imprisonment with labour for not more than one year or a fine of not more than JPY 500,000 (approx. €3,870) (Article 83 of the APPI; new Article 84 of the Amendment Act).

A person falling under any of the following items shall be punished by a fine of not more than JPY 300,000 (approx. €2,320) (Article 85 of the APPI); this penalty will be reinforced under new Article 85 of the Amendment Act (i.e. a fine of not more than JPY 500,000 (approx. €3,780)):

  • a person who has failed to submit a report or material under the provisions of Article 40(1) of APPI or did falsely submit a report or material, or who failed to answer a question posed by the staff concerned or did falsely answer a question, or refused, obstructed, or evaded an inspection; or
  • a person who failed to submit a report under the provisions of Article 56 of APPI or falsely submitted a report.

The provisions of Articles 82 and 83 (new Article 84 of the Amendment Act 2020) also apply to a person who has committed an offence under these provisions outside of Japan (Article 86 of the APPI).

Article 87 of the APPI provides that:

  • when a representative of a corporate body, or an agent, employee, or other worker of a corporate body or natural person, has committed a violating act under Articles 83, 84, or 85 in relation to the business of the corporate body or natural person, such party shall be punished, and the fine set forth in the respective Article shall also be imposed on the corporate body or natural person (the amount of the fine imposed on the corporate body will be increased to not more than JPY 100 million (approx. €773,510) under new Article 87 of the Amendment Act 2020; under the current APPI, it is a fine of not more than JPY 300,000 (approx. €2,320) or JPY 500,000 (approx. €3,780), as the case may be); or
  • in cases where the provisions of the preceding paragraph apply to a non-corporate body, its representative or administrator shall represent the non-corporate body in regard to an act of litigation, and the provisions of a law on a criminal suit in the cases where a corporate body is a defendant or suspect shall apply mutatis mutandis.

A person falling under any of the following items shall be punished by a non-criminal fine of not more than JPY 100,000 (€770) (Article 88 of the APPI):

  • a person who has violated the provisions of Article 26(2) or Article 55; or
  • a person who failed to submit a notification or did falsely submit a notification under the provisions of Article 50(1).

Penalties for violating AML rules

An administrative agency may provide a specified business operator (including financial institutions) with necessary guidance or advice when it recognises that there is a need to ensure the proper implementation of the requirements under the AML Law (Article 17 of the AML Law).

An administrative agency may order the specified business operator to take necessary action to rectify the violation (Article 18 of the AML Law).

A person who has violated an order pursuant to the provisions of Article 18 shall be punished by imprisonment with labour for not more than two years or a fine of not more than JPY 3 million (approx. €23,200) (Article 25 of the AML Law).

The Banking Act

Under the Banking Act, if a bank violates a law or regulation, the Prime Minister of Japan may order the bank to suspend all or part of its business activities or to dismiss its director, executive officer, accounting advisor, company or accounting auditor, or may revoke its operational licence (Article 27 of the Banking Act).

The Insurance Business Act

The Prime Minister may, if an insurance company violates laws and regulations, order the full or partial suspension of the business of the insurance company or the dismissal of the director, executive officer, accounting advisor, company or financial auditor, or rescind the licence (Article 133 of the Insurance Business Act).

11. Additional Areas of Interest

The PPC-FSA Guidelines, which are sector-specific guidelines for the financial sector, merely constitute guidance on interpreting the APPI and are not legally binding. Therefore, non-compliance with the PPC-FSA Guidelines does not in itself amount to an infringement of the APPI. However, it is highly advisable for financial institutions to comply with the PPC-FSA Guidelines, as in practice they may be treated in Japan as a type of rule or obligation.

Hiroyuki Masuda, Lawyer, One Asia Lawyers, Tokyo