
Japan - Data Protection Overview

November 2023

1. Governing Texts

Japan's data protection laws were substantially revised in 2015 and further revised in 2022, with separate data protection laws governing and expanding the scope of the data protection to government and administrative agencies having entered into effect in 2022 and 2023. Data protection is one of the most active areas of law and is constantly evolving as the scope of personal information disclosed by individuals in day-to-day transactions expands and use by businesses becomes more widespread as the digital society and services develop. The revised laws impose wider obligations on data transfers, in particular to offshore entities, and on the handling of data breaches.

1.1. Key acts, regulations, directives, bills

1.2. Guidelines

Key guidelines provided by the Personal Information Protection Commission ('PPC'), the regulatory body established pursuant to the APPI and responsible for overseeing compliance with the APPI, and by the relevant ministries are listed below. Some of these guidelines are supplemented by 'Q&As' or 'commentaries' that provide practical guidance. The APPI delegates the power to require reports from Personal Information Controllers ('PICs') (as defined in the section on key definitions below) to the minister regulating each business sector or a designated minister, etc. As such, each ministry provides, jointly with the PPC or individually, guideline(s), Q&As, and commentaries for the relevant business sector.

Guidelines issued by the PPC (only available in Japanese here) provide detailed guidance on the scope and meaning of the provisions of, and certain terms used in the APPI, and examples of their application, though the examples do not expand or limit the scope of the APPI. The guidelines also make it clear that a breach of a guideline that is expressed as an obligation, rather than a recommendation, would be deemed a breach of the APPI.

The guidelines on the APPI issued by the PPC include:

  • General Guidelines on the APPI (only available in Japanese here) ('the General Guidelines');
  • Guidelines on the APPI (for Transfers to Third Parties in Foreign Countries) (only available in Japanese here);
  • Guidelines on the APPI (for Checking and Recording on Transfers to Third Parties) (only available in Japanese here); and
  • Guidelines on the APPI (for Pseudonymously/Anonymised Information) (only available in Japanese here).

Note that the above list is not intended to be comprehensive; additional guidelines have been issued for businesses and industries where there is a need for more stringent protection of personal information.

In particular, the PPC has issued the following additional guidance:

  • Guidelines concerning Appropriate Handling of Specific Personal Information (defined in the section on key definitions below) (main body and separate volume: security measures concerning specific personal information) (only available in Japanese here); and
  • Guidelines concerning Appropriate Handling of Specific Personal Information in Financial Businesses (only available in Japanese here).

Financial sector

For credit card businesses and businesses that use genetic information, the Ministry of Economy, Trade, and Industry ('METI') has issued the following guidance:

  • Guidelines for Personal Information Protection in the Credit Industry (only available in Japanese here); and
  • Guidelines for the Protection of Personal Information in the Industry Using Genetic Information of Individuals in the Economic and Industrial Sectors (only available in Japanese here).

For the financial sector (except the credit card industry, which is regulated by METI), the Financial Services Agency ('FSA') has issued the following guidance:

  • Guidelines for Personal Information Protection in the Financial Industries (only available in Japanese here); and
  • Practical Guidelines for Security Policies regarding Personal Information Protection in the Financial Industry (only available in Japanese here).

The Ministry of Justice has issued the following guidance:

  • Guidelines concerning the Protection of Personal Information in the Debt Collection Service Industry (only available in Japanese here).

Medical sector

For the medical sector, the Ministry of Health, Labour, and Welfare ('MHLW') has issued the following guidance:

  • Guidance for the Appropriate Handling of Personal Information by Medical or Care-related Service Providers (only available in Japanese here);
  • Guidance concerning Safety Management of Medical Information Systems (only available in Japanese here);
  • Ethical Guidelines concerning Medical Research Targeting Humans (only available in Japanese here);
  • Guidelines concerning Gene Therapy Clinical Research (only available in Japanese here); and
  • Ethical Guidelines concerning Research of Assisted Reproduction Technologies that Produce Fertilised Embryos (only available in Japanese here).

Employment sector

For employment and welfare areas, the MHLW has issued the following guidance:

  • Notice regarding the Handling of Health Information in Employment Management (only available in Japanese here);
  • Guidance for the Appropriate Handling of Personal Information at Health Insurance Societies, etc. (only available in Japanese here);
  • Guidance for the Appropriate Handling of Personal Information at National Health Insurance Societies (only available in Japanese here);
  • Technical Security Measures regarding Personal Information in the Private Pension Area (only available in Japanese here);
  • Guidelines for Appropriate Dealing by Employment Placement Service Providers, Employers Seeking Employees, Worker Recruiters, Worker Recruitment Agents, Recruitment Information Providers or Worker Suppliers with Appropriately Handling Their Management of Obligations, etc.(only available in Japanese here);
  • Guidelines concerning Measures which Staffing Service Providers are Required to Take (only available in Japanese here); and
  • Guidelines for Appropriate Dealing by Supervising Organisations with a Statement of Working Terms, Handling of Personal Information of Implementers of Intern Training Supervised by Organisations or Technical Intern Trainees at Training Supervised by Organisations, etc. (only available in Japanese here).

Telecommunications sector

For the telecommunication sector, the Ministry of Internal Affairs and Communications ('MIC') has issued the following guidance:

  • Guidelines concerning the Protection of Personal Information in Telecommunication Businesses (only available in Japanese here);
  • Commentary on the Guidelines concerning the Protection of Personal Information in Telecommunication Businesses (only available in Japanese here) ('the Commentary');
  • Guidelines concerning the Protection of Personal Information of Broadcast Receivers (only available in Japanese here);
  • Guidelines concerning the Protection of Personal Information in the Area of Postal Business (only available in Japanese here); and
  • Guidelines concerning the Protection of Personal Information in the Area of Correspondence Delivery Business (only available in Japanese here).

1.3. Case law

Benesse Leakage Incident

Benesse Holdings, Inc., a correspondence education service provider, disclosed that it had suffered a leakage of the personal data of approximately 49 million customers, consisting of children and their parents. The leaked data included names, addresses, phone numbers, the children's genders and dates of birth, and the expected delivery dates of a limited number of expecting mothers (though it did not include credit card information, bank account information, or children's achievement information).

In 2013 and 2014, an employee of a company subcontracted by Benesse's subsidiary ('the Subsidiary') to process its customers' data, who carried out the data processing work through the Subsidiary's client PC, unlawfully downloaded the data onto his personal smartphone. He sold the data to name-list brokers, and it was ultimately obtained by other service providers, who sent direct marketing mail to the affected parents and children. The Subsidiary had implemented security measures, but the systems intended to alert senior managers to unusual data transfer activity and to control the export of data from the client PC onto external devices were not effective. As a gesture of apology, Benesse sent a JPY 500 (approx. $3) shopping voucher to each customer it identified as affected by the incident.

The following cases of individual or collective damages claim actions against Benesse on this incident are publicly available:

Supreme Court Judgment of October 23, 2017

The Supreme Court of Japan's judgment of October 23, 2017, overturned the lower court's (Osaka High Court) judgment that the plaintiff should have established damages beyond a mere feeling of discomfort or anxiety. It instead found that the plaintiff's privacy had been infringed and remanded the case to the lower court to further review what the moral damage resulting from the privacy infringement was.

Tokyo District Court Judgment of June 20, 2018

The Tokyo District Court ('TDC') judgment of June 20, 2018, found that:

  • the Subsidiary breached its duty of care by failing to appropriately upgrade its controls against data being exported to new models of smartphones using a Media Transfer Protocol ('MTP'); and
  • Benesse breached its duty of care by failing to appropriately monitor what security software was used by the Subsidiary, and accordingly failing to recognize that it should require the Subsidiary to upgrade its controls against data exports to new types of smartphones.

However, the TDC also found, taking into account the type of leaked data, such data only being available to certain parties and not in the public domain (e.g. the internet) in general, and Benesse's provision of JPY 500 (approx. $3) in shopping vouchers, that the emotional distress sustained by the plaintiffs was still not enough to establish a 'pain and suffering' award, and accordingly dismissed the collective damages claims against both Benesse and the Subsidiary. The judgment was appealed to the Tokyo High Court ('THC').

TDC Judgment of December 27, 2018

The TDC judgment of December 27, 2018, found that the Subsidiary could not have reasonably expected that its controls against data exports would not work against data exports to new Android smartphones using MTP and therefore was not in breach of its duty of care in not upgrading those controls to block data exports to such new models of smartphones. However, the TDC found that the Subsidiary was subject to the statutory 'Employer's Tort Liability,' which does not require a breach of duty of care but is based on the individual's tortious act and the defendant's supervision and control over the individual. Therefore, the TDC awarded damages against the Subsidiary of JPY 3,000 (approx. €21 at the then JPY-€ rate) for pain and suffering plus JPY 300 (approx. $2) as lawyers' costs per plaintiff. The TDC found that Benesse could also not have reasonably expected that the export controls would not work against data exports to new Android smartphones using MTP and therefore was not in breach of its duty of care in not requiring the Subsidiary to upgrade the export controls. As 'Employer's Tort Liability' also did not apply because Benesse was not in a position to supervise and control the tortfeasor individual, the TDC dismissed the damages claims against Benesse. The plaintiffs were reported to have appealed to the THC.

THC Judgments of March 25, 2020

The THC judgments of March 25, 2020, on the appeals of the two TDC judgments above found that the Subsidiary could have reasonably expected that its controls against data exports would not work against data exports to new Android smartphones using MTP and thus breached its duty of care by failing to control data exports to new model smartphones, Benesse breached its duty of care by failing to supervise the Subsidiary, and accordingly the Subsidiary and Benesse were liable as joint tortfeasors for damages of JPY 3,300 (approx. $22 at the then JPY-€ rate) plus 5% late charges per annum per affected individual.

2. Scope of Application

2.1. Personal scope

The APPI applies to every PIC in Japan, whether a person or entity; though the General Guidelines relax the standards of security measures for 'small or medium-sized business operators' (see the section on principles below).

The APPI only applies to persons or entities that handle personal information in the course of their business. For this purpose, a 'business' means activities that can be conducted repeatedly for a particular purpose and are regarded as a business under social conventions; a business can be for profit or not. A broadcasting institution, newspaper publisher or other press organizations, professional writer, university, or other academic organization, religious body, or political party are exempted from the obligations under the APPI in connection with such press, professional writing, academic, and political activities respectively.

2.2. Territorial scope

An offshore PIC that is not otherwise subject to the APPI regime but acquires personal information of data subjects in Japan for the purpose of supplying goods or services to any customer in Japan (whether they are a data subject or not and including a corporate customer if both the corporate customer and the data subject are in Japan) will be subject to the APPI if it handles that personal information, or any anonymized information created from it, in a foreign country. An offshore data processor engaged by a PIC in Japan is now also subject to the APPI if handling information on a data subject in Japan for the PIC as its customer.

The APPI amendments implemented on April 1, 2023, clarified that the PPC can issue not only advice to but also orders against a PIC based overseas, and set out certain administrative procedural details for the international delivery of written notices of any such advice or order (or for effecting a deemed delivery if the location of an offshore PIC is not known to the authority). The PPC may also provide information to foreign regulatory authorities for their own regulatory enforcement purposes.

2.3. Material scope

The APPI applies to the 'handling' of personal information by a PIC. 'Handling' is not defined in the APPI or the PPC's guidelines. However, it was explained in published discussions made at the Government of Japan's ('Government') committee regarding the outline of the original APPI in 2000 to mean collection (acquisition), retention, use, transfer, and any other acts of handling personal information. 'Processing' was also explained at the discussions to include any such acts. The terms are understood in practice to be given such meanings.

For further information regarding the scope of the application of the law, see the section on personal scope above.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The PPC is the primary regulator under the APPI and the My Number Act.

3.2. Main powers, duties and responsibilities

The PPC:

  • has the task of ensuring the appropriate handling of personal information and specific personal information so as to protect individuals' rights and interests;
  • has the primary investigatory, advisory, and enforcement powers under the APPI and the My Number Act, including the power to investigate the activities of a PIC, an anonymized information controller (see section on key definitions below), a person handling specific personal information, and in certain instances to render advice to and make orders against them, if the infringement of an individual's material rights or interests is imminent;
  • in connection with the protection of personal information under the APPI, may delegate its investigatory powers to the relevant minister, etc. in limited circumstances, but not its advisory or enforcement powers; and
  • can provide information to foreign data protection regulators and in limited circumstances may allow information to be used for criminal investigations overseas.

As regards the PPC's exercise of its investigatory and other powers:

  • the PPC will set out the details of forms for its demand for a PIC to provide a report or documents (as it exercises its investigatory power), advice, order, etc.;
  • the rules of Japan's Code of Civil Procedure regarding service of process will apply mutatis mutandis to the PPC's delivery to a PIC (including an offshore PIC) of such notices listed above;
  • the PPC's constructive service by publication will be available if:
    • the address of a PIC is not available;
    • delivery of its communications to an offshore PIC pursuant to the rules of the Code of Civil Procedure (i.e. the procedure for delivery via the foreign country's relevant authority or agency, or the Japanese embassy or consulate in the foreign country) is not available; or
    • the PPC does not receive a certificate of delivery within six months after requesting the foreign country's authority or agency to serve the notice;
  • the PPC can effect constructive service by posting a notice at a specified location in the PPC's office, and the constructive service will be effective upon the expiry of two weeks (in the case of a PIC in Japan) or six weeks (in the case of an offshore PIC) from the date of posting; and
  • the PPC may publish a PIC's failure to comply with the PPC's order.

4. Key Definitions

Data controller: Data controller is not defined by the APPI. A personal information controller ('PIC') is a business operator using a personal information database for its business. (The verbatim English translation is 'business operator handling personal information').

Data processor: Data processor is not defined by the APPI but for the purpose of this note and for ease of reference for readers who are familiar with the concept in other jurisdictions, it is an entity to which a PIC 'entrusts the handling of personal data in whole or in part within the scope necessary for the achievement of the purpose of utilization' (e.g. entrusting personal data to a service provider such as a cloud computing service provider or a mailing service provider for the purpose of having them provide the PIC with the services). The PPC has recently clarified in its Q&As that a data processor is a PIC but clarifies that where a cloud service provider has no access to the entrusted personal data stored on its computer server, it is not a data processor and is thus not a PIC.

Personal data: Personal information contained in a database (whether electronic or not) that enables easy retrieval of the personal information contained in a personal information database.

Sensitive data: Sensitive information includes personal information relating to matters such as race, creed, religion, physical or mental disabilities, medical records, medical and pharmacological treatment, arrest, detention, or criminal proceedings (whether as an adult or a juvenile), or criminal victimization. (The verbatim English translation is personal information requiring consideration). Industry-sector guidelines may apply additional categories of sensitive information.

Health data: There is no definition of health data, but it would likely fall within the scope of sensitive information.

Biometric data: There is no definition of biometric data, but it would likely fall within the scope of personal information as 'personal identifier codes' and be sensitive information.

Pseudonymization: Information that has been processed from personal information in a manner that the data subject can no longer be identified solely from the data. Whilst the PPC has not published draft guidelines or commentaries that clarify how pseudonymously processed information and anonymized information are different, the current understanding in practice is that pseudonymously processed information is information that would still enable identification of the principal if other information was also referenced to, or combined together, and as such still constitutes personal information, whilst anonymized information is not.

Personal information: Information about a living individual in Japan from which the identity of the individual can be ascertained (including information which enables identification by easy reference to, or in combination with other information); 'personal information' includes 'personal identifier codes' which include items such as characters, numbers, symbols and/or other codes for computer use which represent certain specified personal physical characteristics (such as DNA sequences, facial appearance, finger, and palm prints), and which are sufficient to identify a specific individual, as well as certain identifier numbers, such as those on passports, driver's licenses, and residents cards, and the 'My Number' individual social security ID numbers.

Principal (i.e. data subject): The individual that is the subject of the personal information.

Anonymized information: In summary, information regarding an individual has been processed by deleting information (or replacing it with information that does not enable reversion to the original information) so that it cannot be used to identify the individual.

Anonymized information handling business operator: The verbatim English translation is a business operator handling anonymized information. This was added to the APPI in the 2017 revisions and means a PIC using for its business a database (whether electronic or not) that allows easy retrieval of specific anonymized information contained in it.

Opt-out: A system whereby a principal is notified of the proposed transfer of its personal information to a third party and given the opportunity to object to that transfer.

Person-related information: Information that is not personal information for the transferor, as the transferor cannot identify the principal from the information (even by easy reference to, or combination with, other information), but may be personal information for a transferee, as the transferee may be able to identify the data subject by reference to other information it holds.

Personal number: A number processed from an individual's resident registry code number and a code corresponding to and used in lieu of such number ('My Number').

Pseudonymously processed information handling business operator: A business operator using a pseudonymously processed information database for its business.

Purpose of utilization: The purpose of use of personal information as specified by a PIC to the principal whose personal data is to be used by the PIC.

Specific personal information: Personal information that contains a personal number in it.

5. Legal Bases

The basic principles of the APPI require a PIC to notify the data subject of the purposes of utilization prior to the collection of personal data unless it has published the purposes of utilization in advance in a manner readily accessible by the data subject and does not use personal data for any other purpose without the consent of the data subject.

5.1. Consent

A PIC must obtain the principal's consent before acquiring the sensitive information of the principal unless one of the exceptions listed below under the section on transfers permitted by law applies to the acquisition.

5.2. Contract with the data subject

The principles specified in the section on legal bases above can be dealt with by a contract between the PIC and the data subject.

5.3. Legal obligations

There are very few and limited circumstances where a data controller can handle personal information other than in accordance with the principles outlined in the section on legal bases above. The prior consent of the data subject to a transfer of its personal data (including sensitive information) is not required if the transfer is specifically required or authorized by any laws or regulations of Japan.

5.4. Interests of the data subject

There is no such 'interests of the data subject' exception to the basic requirements for the use of personal information referred to in the section on legal bases above.

5.5. Public interest

The prior consent of the data subject to a transfer of its personal data (including sensitive information) is not required if the transfer:

  • is necessary for protecting the life, health, or property of an individual and the consent of the data subject is difficult to obtain;
  • is necessary for improving public health and sanitation, or promoting the sound upbringing of children, and the consent of the data subject is difficult to obtain; or
  • is required by public authorities or persons commissioned by public authorities to perform their duties and obtaining the prior consent of the data subject carries the risk of hindering the performance of those duties (e.g. the disclosure is required by police investigating an unlawful act).

Otherwise, there is no 'public interest' exception to the basic requirements for the use of personal information referred to in the section on legal bases above.

5.6. Legitimate interests of the data controller

There is no such 'legitimate interest' exception to the basic requirements for the use of personal information referred to in the section on legal bases above.

5.7. Legal bases in other instances

Not applicable.

6. Principles

The APPI was enacted as Japan's implementation of the eight basic principles on the protection of privacy adopted in the Organisation for Economic Co-operation and Development ('OECD') Council recommendation of 23 September 1980 ('OECD's 8 Principles'):

  • the Collection Limitation Principle;
  • the Data Quality Principle;
  • the Purpose Specification Principle;
  • the Use Limitation Principle;
  • the Security Safeguards Principle;
  • the Openness Principle;
  • the Individual Participation Principle; and
  • the Accountability Principle.

Japan has strong core values for the protection of the rights of the individual, and the fundamental principle of Japan's data protection laws is the protection of the right to privacy, while also recognizing the increased scope, nature, and volume of personal data and the ever-expanding use of personal information in various forms by businesses. Key elements of the legislation are to restrict the use of personal information to the purposes for which it was obtained, as made known to the data subject, to protect sensitive information, and to limit the dissemination of personal information without the data subject's consent.

Data controller

The following obligations under the APPI apply to PICs:

  • to use personal information only to the extent necessary to achieve the purposes of utilization specified to the principal;
  • to make efforts to delete the personal data when it is no longer needed for the purposes of utilization;
  • to take reasonable steps to keep personal data as accurate and up-to-date as is necessary to achieve its purpose of utilization;
  • to take all necessary security measures to avoid loss of or unauthorized access to personal data; and
  • not to use personal information in a manner that may facilitate or prompt illegal or inappropriate acts.

7. Controller and Processor Obligations

Personal data management and security

A PIC must exercise necessary and appropriate supervision over its employees handling personal data, and over any persons or entities delegated to handle personal data (e.g. a personal information/data processor), so as to ensure that they implement and comply with the required security measures.

The PPC's General Guidelines illustrate high-level examples of security measures, which are categorized into:

  • establishing basic principles;
  • setting out internal rules;
  • organizational security measures (e.g. appointment of a responsible person, the definition of each person's responsibility, the definition of the scope of data handled by each staff member, data processing operation, and incident reporting line, the definition of responsibilities between divisions, periodical internal and/or external audit, etc.);
  • staffing security measures (e.g. staff education and training, confidentiality provisions in work rules, etc.);
  • physical security measures (e.g. area access control (IC card, number keys), prevention of device theft, prevention of leakage from portable devices, and non-recoverable deletion of data); and
  • technological security measures (e.g. system access control, access authorization (user ID, password, IC card, etc.) control, and prevention of unauthorized access (security software installation and upgrading, encryption, access log monitoring, continuous review of system vulnerabilities, etc.)).

The General Guidelines relax the standards for security measures for a 'small or medium-sized business operator', which is defined as a PIC with 100 or fewer employees but excluding:

  • a person who has handled the personal data of more than 5,000 principals on a day in the past six months; and
  • a person who processes personal data on behalf of another PIC under a contract.

The relaxed standards include the following measures:

  • establishing basic principles;
  • setting out the basic process for collecting, using, and storing personal data;
  • for organizational security measures:
    • clarifying who is responsible for handling personal data and who is not, if more than one staff member handles personal data;
    • the responsible person checking that personal data is handled in accordance with the prescribed basic process; and
    • checking the data breach reporting process in advance;
  • for physical security measures, simplified measures (e.g., password lock) are allowed; and
  • for technological security measures:
    • clarifying which staff members are allowed to access devices;
    • controlling access by user account control;
    • keeping the devices' operating software up-to-date and introducing security software; and
    • setting passwords for opening files when sending them by email.

Guidelines provided by the METI and the FSA set out further detailed requirements for security measures and provide specific examples for certain specified industry areas.

Pseudonymously processed information

When a PIC processes personal information into 'pseudonymously processed information', the processing must be in a manner that ensures the following information is deleted or irrecoverably replaced with other information:

  • person-identifiable description;
  • personal identifier codes; and
  • data that would cause a financial risk in the case of unauthorized use (which the PPC has suggested includes credit card numbers, internet banking IDs, etc.).

As pseudonymously processed information is still personal information (as it would still enable identification of the principal if other information was also referenced to or combined together), a pseudonymously processed information controller is generally subject to the same obligations as a PIC regarding the management and security of personal information above (and transfers to third parties) in connection with pseudonymously processed information.

A PIC who processes pseudonymous information must:

  • not disclose its methods for pseudonymization of the principal's personal information, the data removed during the pseudonymization process, or any process used to verify the pseudonymization ('removed data');
  • implement security measures to prevent leakage of pseudonymously processed information and removed data;
  • supervise and control a person contracted to process such information; and
  • not refer to other information to re-identify the principal relevant to the pseudonymously processed information.
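
The two passages above describe a processing technique (delete direct identifiers and financial-risk data, irreversibly replace identifier codes, and keep the removed data and the method confidential) without showing what it looks like in practice. The following is an added example written for this page, not code published by the PPC or taken from the APPI; the field names, the choice of HMAC-SHA256 keyed tokens as the 'irrecoverable replacement', and the sample record are all assumptions. The secret key and the returned removed-data dictionary are exactly the 'removed data' that must be stored separately and not disclosed; without the key the tokens cannot be reversed, but the same input always yields the same token, so records can still be linked for analysis. Free-text fields are scanned for Luhn-valid card numbers, because financial-risk data often hides outside the obvious columns.

```python
"""Pseudonymise a personal-data record along the lines of the APPI rules.

Added example (not PPC/APPI code). Field categories and sample data are assumptions.
"""
import hashlib
import hmac
import re

# Assumed field categories for this example; a real scheme is defined per dataset.
DIRECT_IDENTIFIERS = {"name", "address", "email", "phone"}   # deleted outright
IDENTIFIER_CODES = {"my_number", "passport_no"}               # replaced by keyed tokens
FINANCIAL_RISK = {"credit_card", "bank_login_id"}             # deleted, never tokenised

# 13-19 digits, optionally separated by spaces or hyphens (typical payment card lengths).
_DIGIT_RUN = re.compile(r"\d(?:[ -]?\d){12,18}")


def _luhn_ok(candidate: str) -> bool:
    """Return True if the digit string (separators allowed) passes the Luhn check."""
    digits = re.sub(r"[ -]", "", candidate)
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _scrub_card_numbers(text: str) -> str:
    """Replace Luhn-valid digit runs in free text; other long numbers are left alone."""
    return _DIGIT_RUN.sub(
        lambda m: "[REDACTED]" if _luhn_ok(m.group()) else m.group(), text
    )


def _token(key: bytes, field: str, value: str) -> str:
    """Keyed, deterministic pseudonym: cannot be reversed without the secret key.

    The field name is mixed in so the same value in two different fields does
    not produce the same token.
    """
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def pseudonymize(record: dict, key: bytes) -> tuple[dict, dict]:
    """Split a record into (pseudonymised record, removed data).

    The removed data (and the key) must be stored separately under its own
    access controls and must not be used to re-identify the principal.
    """
    pseudo, removed = {}, {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in FINANCIAL_RISK:
            removed[field] = value
        elif field in IDENTIFIER_CODES:
            removed[field] = value
            pseudo[field + "_token"] = _token(key, field, str(value))
        elif isinstance(value, str):
            pseudo[field] = _scrub_card_numbers(value)
        else:
            pseudo[field] = value
    return pseudo, removed


if __name__ == "__main__":
    # Constructed sample record; the card number is a well-known test number.
    key = b"example-secret-key-stored-separately"
    record = {
        "name": "Taro Yamada",
        "email": "taro@example.com",
        "my_number": "123456789012",
        "credit_card": "4111-1111-1111-1111",
        "age": 42,
        "notes": "paid with 4111111111111111; order 9876543210987654",
    }
    pseudo, removed = pseudonymize(record, key)
    print("pseudonymised:", pseudo)
    print("removed data :", removed)
```

The order number in the sample notes survives the scrub because it fails the Luhn check, while the card number does not; that distinction is what keeps the scrubber from destroying ordinary numeric data. Rotating the key produces a completely different token set, which is the usual way to break linkage between two releases of the same data.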

Anonymized Information

A PIC who creates anonymized information may not disclose its methods for anonymization of the principal's personal information, the data removed in the anonymization process, or any process used to verify the anonymization. A recipient of anonymized information may not seek to acquire any such information, whether from the transferor or otherwise.

When a PIC processes personal information into anonymized information, it must make public in an appropriate manner (such as via the internet) what categories of personal information (e.g. ages, shopping behavior, and travel habits, etc.) are included in the anonymized information so that principals are able to make inquiries with the PIC.

7.1. Data processing notification

There is no general requirement that a PIC be registered under the APPI or related regulations, or for any registration under the My Number Act. A PIC that wishes to use an opt-out for disclosure of personal data to a third party has to file the opt-out provision prescribed in the order described below in the section on data transfers under 'transfers pursuant to an opt-out' (but not the rest of its privacy policies) with the PPC. The PPC will then review the provision to ensure it is in accordance with the requirements of the APPI and make it available to the public. If the opt-out is not sufficient in terms of clarity, readability, and formality, the PPC may require it to be improved and re-filed.

7.2. Data transfers

Generally, transferring personal data to third parties, including affiliated entities of the PIC, without the prior consent of the principal is prohibited unless an exception applies. The primary exceptions are listed below.

Transfers permitted by law

The prior consent of the principal to a transfer of their personal data (including sensitive information) is not required if the transfer:

  • is specifically required or authorized by any laws or regulations of Japan;
  • is necessary for protecting the life, health, or property of an individual, and consent of the principal is difficult to obtain;
  • is necessary for improving public health and sanitation, or promoting the sound upbringing of children, and the consent of the principal is difficult to obtain; or
  • is required by public authorities or persons commissioned by public authorities to perform their duties and obtaining the prior consent of the principal carries the risk of hindering the performance of those duties (e.g. the disclosure is required by police investigating an unlawful act).

Transfer pursuant to an opt-out

Personal data (other than sensitive information) can be transferred without consent once the period necessary for the principal to exercise their opt-out right has expired, provided that the PIC has notified the principal of, or made readily available to the principal, all of the following information and has filed the opt-out with the PPC:

  • that the transfer is within the scope of the originally stated purpose of utilization;
  • the specific personal data to be transferred;
  • the means with which the personal data will be transferred;
  • the fact that the transfer of the personal data is subject to an opt-out;
  • where to provide such opt-out exercise notice;
  • the name of the person who is the representative of the transferor PIC if the PIC is a corporate body, in addition to the name of the transferor PIC itself;
  • how the transferor PIC has obtained the personal data that it will transfer pursuant to the opt-out rule; and
  • other matters which the PPC will set out in regulations.

The PPC guidelines only state that the length of the 'expiration period' will vary depending on factors such as the nature of the business, how close the relationship between the principal and the PIC is, the nature of the personal data to be transferred, and how quickly the PIC can handle the principal's exercising of its opt-out rights.

Transfers pursuant to the opt-out rule will not be available for personal information which has been obtained:

  • by fraudulent or other unlawful means; or
  • from a preceding transferor pursuant to the opt-out rule.

This requirement is based on the PPC's finding that personal data has often been traded or shared between name-list brokers or peer business operators under the opt-out rules.

Transfer of sensitive information

A transfer of sensitive information to a third party requires the consent of the principal unless an exception as listed under 'Transfers permitted by law' above applies; such consent cannot be given through the use of an opt-out.

Transfer of anonymized information

Anonymized information may be transferred to a third party without the consent of the original principal, as it no longer constitutes personal information, provided that the transferor makes public both the fact of the transfer and what types of personal information are included in it and notifies the recipient that the information is anonymized information.

Transfer of pseudonymously processed information

As pseudonymously processed information is still personal information, the rules described above for transfers of personal data apply equally to it: the general requirement for the principal's prior consent, the exceptions for transfers permitted by law (e.g. a transfer required or authorized by laws or regulations of Japan) and transfers pursuant to an opt-out, the consent requirement for the transfer of sensitive information, the scope of third parties, the additional requirements for a transfer to a third party in a foreign country, and transfer due diligence and records.

Transfer of person-related information

Although person-related information is not personal information for the transferor, it is personal information for the transferee where the relevant principal is identifiable by reference to other information held by the transferee. Therefore, the prior consent of the principal is generally required for a transfer of person-related information to a third-party transferee (the consent must be based on the principal's understanding that the transferee will acquire the information as personal data). In principle the transferee (rather than the transferor) should obtain written consent to the transfer directly from the principal, as it is the transferee who has contact with the principal and uses the transferred data as personal data, though the transferor can instead obtain the consent on behalf of the transferee if that is practically feasible (provided the principal is informed of the name of the transferee when giving consent). If the consent is obtained by the transferee, the transferor must have received written confirmation of the consent before the transfer is made.

In addition:

  • the exceptions for transfers permitted by law (e.g. a transfer required or authorized by Japanese laws or regulations) also apply;
  • transfers under an opt-out are not permitted;
  • it is currently understood that transfers to entities listed in the 'scope of third parties' section below will still generally require the principal's consent, subject to a future clarification by the PPC in guidelines, etc.; and
  • the general rules on transfer due diligence and records will also apply but in addition, the transferor must create a record of the transfer which should contain:
    • confirmation (from the transferee) that the above consent has been obtained;
    • transfer date;
    • transferee's name and address, and the transferee's representative name; and
    • transferred data items.

These additional records must generally be kept for three years.

Cookies

APPI Regulations on Cookies

Cookies (including the website browsing and web-form entry history data associated with them) are not personal information unless the relevant principal can be identified by easy reference to, or combination with, other information. However, even where a cookie is not personal information for the transferor in this sense, if it is transferred to a third-party transferee and becomes personal information in the transferee's hands because the transferee holds other information by reference to which the related individual can be identified (e.g. the cookie is a website browsing history that reveals the individual's behavior, preferences for goods or services, or other information usable for profiling, and the transferee would use it for targeted advertising or for assessment for a job position or financial services), the transfer is a transfer of person-related information and is subject to the general requirement for the prior consent of the principal and the transfer mechanisms outlined under 'transfer of person-related information' above.

Telecommunication Business Act’s Regulations on Cookies

Separately from the APPI, amendments to the Telecommunications Business Act (Act No. 86 of December 25, 1984, as amended) (only available in Japanese here) ('TBA') which were implemented on June 16, 2023, have introduced the following regulations on cookies:

The following persons are subject to the regulations:

  • a telecommunication carrier licensed under the act (by having registered with, or filed a notification with MIC as such); or
  • a provider of any of the following telecommunication services on software, browsers, or apps run on users' devices:
    • intermediary of communications between other parties (e.g., email service, direct messaging service, closed chat service, web meeting service);
    • dissemination of information provided by users to unspecified users (e.g., SNS, photo/video sharing platform);
    • website search (e.g., Google's search engine service); or
    • any other services of provision of information upon requests from/search by unspecified users (e.g., showing search results on online shopping platforms, online map/weather information service, sending news of categories selected by users, etc.).

If a person who provides any of the services listed above sends to users' devices any electronic communication that prompts the users' devices to send out to any third party any information related to the user that is recorded on the devices (whether or not it is personal information or person-related information as defined in the APPI), the person must implement one of the measures described below (notification, consent, or opt-out) in advance. Information that will be sent only to that person itself is exempt (the 'First-Party Cookies Exemption').

Under the notification measure, the applicable person/organization must:

  • notify users of the following information, or make the information readily available to the users:
    • what information related to users is prompted to be sent out by the cookie function;
    • name of the business operator who will use the information above on the telecommunication facilities to which the information is sent; and
    • the purpose of use of the information collected by the business operator above.

In the case of a cookie statement/policy made available to the public (as opposed to individual notices to users), the policy must be reachable by 'one click' or less from the web page or smartphone app screen that uses the cookies. In addition, a link on that page labelled only 'link to privacy policy' is not sufficient even if the cookie policy is included in the privacy policy; the link must say 'link to privacy policy, including cookie statement' or use equivalent wording that lets users recognize immediately that a cookie statement is available from there.

Furthermore, the regulations set out the following standards:

  • the statement must be in the Japanese language;
  • the statement must be in a plain style, avoid technical or specialized terms, and must be with a normal (or larger) font size; and 
  • MIC's guidelines advise that it is desirable to have a heading and/or table of contents if the cookie statement is contained in the privacy policy.

Alternatively, the person/organization may send such cookies to users' devices upon users' informed consent, or under an opt-out arrangement whereby the service provider will cease, upon a user's request, either (i) sending out information related to the user or (ii) using the information collected by the cookies.

Scope of third parties

Under the APPI, the following entities are deemed not to be third parties (meaning that the transfer of personal data (including sensitive information) to such parties does not require the principal's consent):

  • a personal information/data processor;
  • a company that enters into a merger, a company split, or a business transfer with the PIC. (Disclosure in the process of negotiations for mergers and acquisitions is permissible if made upon execution of a non-disclosure agreement which requires the company to which the data is disclosed to implement appropriate safety measures); or
  • a company designated to jointly use the personal data with the PIC. In this case, the PIC must notify, or make readily accessible to the principal:
    • the fact of such joint use of the personal data;
    • the scope of the personal data to be jointly used;
    • the scope of the parties who will jointly use the personal data;
    • the purpose of the joint use; and
    • the name of a party among the joint users responsible for the management of the joint use of the personal data.

Such joint use is typically relied on by group companies, business partners, or affiliates that provide integrated services to common customers.

Though not a specified exception to the general consent requirement, a transfer of personal data between a Japanese company and its Japanese branch, or between a foreign company and its Japanese branch is not a transfer of personal data to a third party as in each case the branch and the company are the same legal entity. Whether a Japanese company and its foreign branch are a single legal entity would be determined in accordance with the laws of the jurisdiction under which the branch was formed.

Where a transfer of personal data is to a person or entity that is not a third party, a further transfer of the personal data by that person or entity would be subject to the consent rules and exceptions applicable to such transfers, as described in this note.

Transfer of personal data to a third party in a foreign country

The transfer by a PIC of personal data to a third party in a foreign country (other than in reliance on one of the exceptions listed above under 'transfers permitted by law') is subject to the following requirements in addition to those generally applicable to transfers of personal data:

  • where consent to the transfer is given by the principal, it must be clear and cover the transfer to a third party in a foreign country, and the principal must be provided, when giving consent, with information necessary for judging whether to provide consent (e.g. the foreign country is identified, identifiable, or the circumstances where such a data transfer will be made are identified); or
  • in the absence of such consent, if the transferor wishes to rely on an opt-out or the fact that the transfer is not to a third party, as an exception to the requirement to obtain the principal's consent to the transfer, it is also necessary that the transferee:
    • is in a country on a list of countries issued by the PPC as having a data protection regime equivalent to that under the APPI; or
    • is in a country that implements data protection standards equivalent to those that PICs subject to the APPI must follow.

As of the date of this note, only the UK and countries in the European Union (including the European Economic Area ('EEA')) are on the list of countries issued by the PPC as having equivalent data protection. If the transferee is not in any such country, a transferor PIC would have to rely on the transferee implementing equivalent standards to the APPI in order to effect a transfer of personal information offshore without the principal's consent or reliance on an exception listed above under transfers permitted by law. The requirement for equivalent standards to the APPI can be satisfied by the transferor and the transferee:

  • entering into a contract, or, if they are in the same corporate group, both being subject to binding standards of the group for the handling of personal data, in either case pursuant to which the transferee is subject to all the obligations imposed by the APPI on PICs subject to it, and which must include certain specified matters, such as the purpose of use, record-keeping, and details of security measures;
  • if the transferee is accredited under APEC's CBPR system; or
  • if the transferor is accredited under the APEC's CBPR system (based on the fact that under the system the accreditation is issued only when the PIC has established measures to ensure a data transferee will implement data protection standards required under the system).

A transfer to the foreign branch of a Japanese third party is a transfer to an entity offshore.

Consent to transferring personal data to a third-party offshore

For transfers based on the principal's consent, the transferor must in general provide the principal with the following information when obtaining their consent:

  • the name of the country the transferee is in irrespective of which country the data is to be stored in (but if the data is stored in another country, it is desirable to say which country);
  • information about the foreign country's data protection laws which is obtained 'by appropriate and reasonable means'. The PPC has indicated that: 'information about the foreign country's data protection laws' means descriptions of the 'essential difference' between the data protection laws of Japan and the data protection system of the foreign country which shall be reasonably recognizable by data subjects. The following indicate the level of protection within the system:
    • whether the foreign country has any system of personal information protection;
    • the foreign country has obtained a General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') Article 45 adequacy decision;
    • the foreign country is a member state of APEC's CBPR system;
    • whether business operators' obligations or data subjects' rights under the foreign country's system are in line with the OECD's 8 Principles (as described above) (e.g., existence or lack of a 'limitation by specified purposes of utilization' rule, existence or lack of data subjects' rights, etc.); and/or
    • any rules in the foreign country which may materially affect data subjects' rights and interests, such as:
      • a rule that business operators are subject to obligations to cooperate with the foreign country's government's data collection activities so that a broad range of personal information held by business operators are subject to collection by the foreign country's government;
      • in this connection, a draft revision to the PPC's General Guidelines (expected to be implemented between late November and mid-December 2023) will add a reference to the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities as reference material for determining whether such access by the foreign government exists; or
      • a rule requiring the retention of personal information so that data subjects cannot effectively exercise their rights to deletion;
  • 'appropriate and reasonable means' mean such information is not required to be too detailed as to be too onerous to the transferor, but still informative enough for the principal to judge whether to give consent, and the transferor is not required to check every detail of the transferee's country's data protection law but only to 'reasonably' check the protection level (e.g., ask the transferee or check websites of the country's data protection authority); and
  • information about data security measures taken by the transferee.

The PPC has published its own investigation reports on such information for a limited number of jurisdictions (only available in Japanese here), so that transferors are relieved of the burden of obtaining the information themselves and can instead provide the link to the PPC's webpage to principals. As of October 2023, the jurisdictions covered by the PPC's investigation reports are: the US (federal law and the states of New York, California, and Illinois), Canada, Mexico, Panama, Costa Rica, Brazil, Peru, the People's Republic of China, Hong Kong, Singapore, Malaysia, Indonesia, Thailand, Vietnam, Myanmar, Cambodia, Laos, the Philippines, South Korea, Taiwan, Mongolia, Australia (federal law), New Zealand, India, Turkey, Israel, the UAE (federal law and, at the regional level, the Abu Dhabi Global Market, Dubai Healthcare City, and the Dubai International Financial Centre), Qatar, Morocco, Tunisia, South Africa, Switzerland, Russia, and Ukraine.

If, at the time of obtaining consent:

  • the transferee's country cannot be identified, the transferor must instead provide the reason why it cannot, together with any other information that may be helpful to the principal; or
  • the information about the foreign country's data protection laws described above cannot be obtained, the transferor must instead provide the reason why it cannot.

If the transfer is allowed without the principal's consent because the transferee has established a level of personal data protection equivalent to that under the APPI, the transferor must:

  • ensure the transferee's continuous maintenance of the protection level by:
    • 'periodically' (meaning annually or more frequently) checking, by 'appropriate and reasonable means':
      • the status of the transferee's implementation of the protection measures; and
      • any law of the foreign country which may affect the transferee's implementation of the protection measures; and
    • if it becomes difficult for the transferee to implement those measures, taking necessary and appropriate measures and, if the difficulty is not resolved, discontinuing data transfers to the transferee; and
  • on the request of the principal, provide the principal with information about the transferee's protection level, which should generally include:
    • the transferee's protection measures;
    • how frequently the transferor 'periodically' conducts the check above;
    • the transferee's country name;
    • any laws of the foreign country that may affect the transferee's implementation of the protection measures; and
    • any problem with the transferee's continuous implementation of the measures.

Transfer due diligence and records

A transfer of personal data requires that the transferor PIC and the transferee (if a PIC, or if it becomes a PIC as a result of the transfer) keep specified records and the transferee is also required to make inquiries on the source of the personal data transferred unless the transfer was made in reliance on an exception listed above as a transfer permitted by law or the transferee is not a third party.

The transferor must keep a record of:

  • (if the transfer was made in reliance on an opt-out) the transfer date;
  • the name or other identifiers of the transferee and the principal, and the type(s) of data transferred (e.g. name, age, gender); and
  • the principal's consent to the transfer, or, if consent has not been obtained and the transfer was made in reliance on an opt-out, of that fact.

The transferee must keep a record of:

  • (if the transfer was made in reliance on an opt-out) the date the personal data was received;
  • the name or other identifiers of the transferor and its address (and the name of its representative if the transferor is a legal entity), and the name of the principal;
  • the type(s) of data transferred;
  • the principal's consent to the transfer, or, if consent has not been obtained and if the transfer was made in reliance on an opt-out, of that fact;
  • if an opt-out has been relied on, the fact that the opt-out has been filed with, and published by the PPC; and
  • how the transferor acquired the personal information transferred.

See 'transfer of person-related information' above for additional record-keeping requirements.

7.3. Data processing records

There are no specific requirements to keep data processing records, though general record-keeping requirements may apply.

7.4. Data protection impact assessment

Under the APPI there are no requirements to conduct Data Protection Impact Assessments ('DPIA').

Under the My Number Act, a business operator (as well as Japanese government agencies, municipal governments, and incorporated administrative agencies) that connects to the My Number managing network operated by the Japanese government (for example, health insurance societies) in handling My Number must carry out DPIAs pursuant to the DPIA Rules and DPIA Policy (including check sheets and report forms) published by the PPC (available only in Japanese here).

7.5. Data protection officer appointment

The APPI does not specifically require a PIC to appoint a data protection or similar officer. However, the General Guidelines which apply to all PICs provide that a PIC must take security measures for the handling of personal information, an example of such a security measure being 'the appointment of a person in charge of the handling of personal information and the definition of the responsibilities of the person'. The guidelines state that whether measures are mandatory depends on the materiality of the damage that may be suffered by principals in the event of a data breach, the size and nature of the business, and the general nature of the data handling (including the nature and volume of data handled).

Some sector-specific guidelines also provide data protection or similar officer requirements. Certain private organizations or associations have created qualifications such as 'data protection officer' ('DPO') or equivalent, and issue them to persons who have passed examinations set by them (e.g. Japan Consumer Credit Association issues a Personal Information Handling Officer qualification, and the Information-Technology Promotion Agency issues an Information Systems Security Administrator qualification). These qualifications are not acknowledged, supported, or required by law, but are industry-driven efforts to enhance data privacy.

7.6. Data breach notification

The amendments to the APPI which were implemented on April 1, 2022, created statutory data breach notification provisions in the law and regulations. (Before the amendments, data breach notification requirements were provided only in the General Guidelines.) Interpretation of the amended APPI provisions and the regulations is provided in the General Guidelines.

Data breach that must be notified

A PIC must notify the PPC and affected data subjects of a data breach where the breach is a leakage:

  1. of personal data that contains sensitive information;
  2. of personal data that may cause financial damage by unauthorized use (e.g., if only the last four digits of payment card numbers were affected it usually does not trigger this category);
  3. of personal data, caused or possibly caused by an intentional act of a third party or of the PIC's internal staff (e.g., a malicious attack on a data server, or data theft), as opposed to an error of the PIC; or
  4. of personal data of more than 1,000 data subjects.

'Leakage,' means the occurrence or possible occurrence of:

  • leakage (whether by an intentional act or by error), which covers not only the transfer of data outside the PIC or data processor but also the data becoming accessible or viewable from outside (if the leaked personal data is retrieved before being seen by any third party, or is strongly encrypted, it will not constitute 'leakage');
  • loss (e.g., personal data is lost or discarded by error within a PIC) (provided that back-up data is still available within the PIC, such event will not constitute 'loss');
  • damage (e.g., a PIC lost a decryption key of personal data which it has encrypted or personal data was encrypted by ransomware so that the personal data becomes unavailable to be recovered by the PIC); or
  • alteration of personal data by an unauthorized party.

As described above, a data breach that is generally subject to the notification requirement is a leakage of personal data, which is slightly narrower than 'personal information', as described in the section on key definitions above. However, a draft revision to the APPI Enforcement Rules (which will be implemented on April 1, 2024) will provide, in connection with a category three data breach above (i.e., a breach by an intentional act), that the leakage of personal data, or of personal information which a PIC has collected or is collecting in order to handle it as personal data, is subject to the notification requirements. Reflecting this change, the draft revision to the General Guidelines adds a comment that where, for example, an online data entry (web entry form) page maintained by a PIC has been maliciously tampered with by a third party so that personal information entered by users on the page (which has yet to become 'personal data' by entering the PIC's database) is immediately and automatically transferred to a third party's server, the incident would also fall under category three.

Action following a data breach

In the event of the leakage of personal data which must be notified, the affected PIC shall take the following steps:

  • report the incident within the PIC;
  • take measures to prevent the expansion/aggravation of any damage (to principals or third parties affected by the incident) due to the incident;
  • conduct an investigation of relevant facts and the cause of the incident;
  • identify the affected areas within the servers/systems of the PIC and of the principals whose data was affected;
  • promptly plan and implement measures to prevent the recurrence of the incident or further incidents that may otherwise occur as a result of the incident in question;
  • 'promptly' notify the principals potentially affected or make the facts of the leakage easily available to those principals (depending on the facts of each case) for the purpose of preventing the principals or third parties incurring further damage (e.g. to give the principals opportunities to take actions to avoid or mitigate harms by third parties' use of the leaked information); and
  • publicly announce the relevant facts and measures to be taken to prevent a recurrence of the incident (depending on the facts of each case).

A data breach notification to the PPC is done by completing an online form (only available in Japanese here).

Where a PIC has entrusted personal data to a personal information/data processor and the personal information/data processor was subject to the data breach, the obligations above also fall on the PIC. The general obligations to notify the PPC and the principals of a data breach are not applicable to pseudonymously processed information.

Notification and outsourcing

Where a PIC has entrusted personal information to a data processor and the data processor is subject to a data breach both the PIC and the data processor are now liable to report the breach, as both will be considered PICs.

Notification to the PPC

If the PIC thinks the data breach is not such as to require a formal report, it can seek informal guidance from the PPC on what action to take. If the data breach may be serious and the PIC is not certain what action to take the PIC should contact the PPC (and local counsel) at the earliest opportunity, without waiting to complete the formal report to the PPC. Should a data breach not be reported, and the PPC subsequently becomes aware of it, it may require a report to be submitted.

The first notification to the PPC must be made 'sumiyaka-ni' (promptly) upon becoming aware of the incident; the PPC has advised that this means within three to five days (including weekends and holidays), depending on the facts. An updated notification must follow within 30 days of becoming aware of the incident (60 days where the leakage, etc. was caused by intentional theft or a similar act) and must include items such as the scope of the breach, its cause (e.g. a security vulnerability), the status of notifications to affected individuals, and the measures taken against recurrence. A PIC is deemed to become aware of a data breach when any person at the PIC other than the person responsible for the breach becomes aware of it.

Notifying affected principals

When considering whether to notify affected principals of a data breach directly, or by a more general notice, the two major factors for a PIC to consider are the seriousness of the loss and the harm it may cause, and the effectiveness of the means of notification. If a loss may cause serious harm, the prudent course would be to make it public promptly, and then notify affected parties individually (always subject to any directions from the PPC). Where a PIC has decided to give a general notification, it will need to evaluate how effective the means of notification is likely to be; for example, if notification is given on a website, how likely is it that the affected parties will visit the website and how long it should be kept active in order to notify an appropriate proportion of affected principals. A notification, individual or general, should include a description of the loss and the actions taken by the PIC to mitigate its effects, and it would be advisable to include a phone number or email address that the affected principals can use to obtain further information on the loss.

As noted, depending on the facts of each case, it might be appropriate for the PIC to publicly announce the relevant facts of the data breach, and the measures to be taken to prevent its recurrence; there is no guidance on what form this notice should take, and although it may also be sufficient as a notice to the affected principals, its effectiveness as such would need to be considered carefully.

Notifications, individual or general, should be given in Japanese and, if any affected principals may not understand Japanese, also in any other appropriate language. Notifications should not be given only in a foreign language unless it is certain that all affected principals will understand that language.

Timing of the notification

Notification must be given 'sumiyaka-ni' (promptly) upon becoming aware of the incident. What constitutes 'promptly' depends on the circumstances of each case, as the PPC suggests that there may be cases where an immediate notification would not be appropriate (e.g. where the details of the incident have not been identified at all, or where notification to the data subjects would only cause confusion and would not help protect their rights).

Reporting of losses

Any loss of specific personal information must be reported to the PPC in the same manner as described under 'Notification to the PPC' and 'Timing of the notification' above, though the form of the report is slightly different from that for other data breaches. The system for escalation of remedial orders by the PPC is the same as that for losses of other personal information, though failure to comply with an order for improvement could lead to more serious criminal sanctions against both the PIC and any of its officers responsible for the loss. Notification to the affected principals is still only 'desirable'.

Investigations

If a data breach has occurred and been reported to the PPC, voluntarily or at the request of the PPC, it may investigate the background to the loss, the PIC's data management procedures, and the actions taken (or not taken) by the PIC to notify the affected parties (and the PPC). Where the PPC finds defects in the PIC's data management or post-loss actions, it may give guidance to the PIC on what actions to take to improve its data management, or what further steps should be taken to notify affected principals of the loss. If the defects are material, the PPC may issue advice for improvement to the PIC and publish the advice on its website. If the PIC fails to follow advice for improvement, the PPC may then escalate the matter and issue an order for improvement. An order for improvement may be issued immediately without preceding advice for improvement in limited cases of a serious data breach.

If a PIC has not notified the PPC or the affected principals of the data breach (or has not publicized the loss if material in either scale or subject matter) and the PPC comes to know of the loss, it might be more likely to find the PIC's attitude to compliance unsatisfactory, and thus issue and publish advice for improvement.

Compensation

To date, PICs that have suffered a data breach have often voluntarily offered compensation to affected parties, both to forestall any proceedings and to maintain good public relations. Compensation payments to principals (per person) have ranged from JPY 500 (approx. $3) of e-money or gift vouchers (see the Benesse incident discussed in the section on case law above), through gift vouchers of JPY 10,000 (approx. $67), to cash payments of JPY 35,000 (approx. $235). If an affected party brings an action before a court against a PIC for a data breach, any judgment would likely be an order against the PIC to pay damages for breach of contract or in tort. Save for cases such as the unauthorized use of leaked payment card data or the disclosure of sensitive information affecting the personal lives of individuals, the damages an affected party might be entitled to are frequently not large enough to justify commencing proceedings once the costs of the proceedings are taken into account.

It should also be noted that in Japan it is often important to treat all affected parties equally. Even if a PIC does not publicize a data breach and communicates privately with each affected party individually, the widespread use of social media makes it increasingly unlikely that unequal treatment between affected parties will remain private, and such treatment may have a negative impact on the PIC's reputation.

Sectoral

The Guidelines on Protection of Personal Information in the Financial Field, issued jointly by the PPC and the FSA, provide that any leakage of personal data (not limited to the circumstances (i) to (iv) listed in the subsection on 'data breach that must be notified' above) must be reported to the FSA in the financial services sector. Similarly, the Commentary issued by MIC, which gives guidance on the Telecommunications Business Act (Act No. 86 of December 25, 1984), provides that a breach of the secrecy of communications must be reported to the authority.

7.7. Data retention

Storage and security

The My Number Act and related guidelines require an employer to establish appropriate systems for the secure storage and handling of specific personal information.

In practical terms, the employer should:

  • draft and/or amend internal rules on data protection to ensure the handling of specific personal information in accordance with the My Number Act;
  • ensure employees handling specific personal information are aware of the restrictions on its use and the scope of the related data protection regime, in particular the areas where the obligations are stricter than those the employer currently applies generally for data protection; and
  • ensure its data protection systems are adequate to comply with the obligations under the My Number Act as they are likely to be stricter than under the employer's other data protection obligations (whether under the APPI or otherwise).

7.8. Children's data

Whilst there are no specific provisions in the APPI that regulate the processing of children's data, the General Guidelines indicate that, if a minor, adult ward, or person under curatorship lacks the capacity to understand the consequences of their own consent under the APPI, such consent should be obtained from their statutory guardian. The PPC further indicates in its Q&As that, whilst the age at which a child can understand the consequences of their own consent should be considered on a case-by-case basis, it can generally be said that consent should be obtained from a statutory guardian (e.g. a parent) for a child aged 15 or younger.

7.9. Special categories of personal data

Yes, please see the items above relating to specific personal information and sensitive information.

7.10. Controller and processor contracts

Necessary and appropriate supervision must be exercised by a PIC over any third parties delegated to handle personal data. Such supervisory measures include the execution of agreements between a PIC and a service provider providing appropriate security measures that should be taken by the service provider, and the power of the PIC to instruct and investigate the service provider in connection with its handling of personal data entrusted to it.

In addition, the PPC has recently clarified in its Q&As that a data processor is itself a PIC, but that a cloud service provider which has no access to the entrusted personal data stored on its servers is not a data processor and is therefore not a PIC. In the PPC's Q&As, 'no access' turns on the provider being contractually prohibited from handling the data and on appropriate access controls being in place, so a PIC relying on this position should be able to point to both. A data processor that is a PIC is subject to the related obligations under the APPI.

8. Data Subject Rights

If requested by a principal, a PIC must disclose to the principal, in writing and without delay, the principal's personal data held by it, unless the principal has agreed to receive it by other means (e.g. as electronic data). Access can be refused if disclosure would result in:

  • injury to life or bodily safety, property, or other rights and interests of the principal or any third party;
  • a material interference with the PIC's business operations; or
  • a violation of other Japanese laws prohibiting disclosure.

Principals also have the right to:

  • revise, correct, amend, or delete their personal data;
  • request the cessation of use of their personal data if it is used for a purpose other than the one originally stated, or if it was acquired by fraudulent or other unlawful means;
  • access a PIC's record of data transfers to third parties; and
  • require the PIC to cease using personal data or to cease transferring personal data to third parties if the PIC no longer needs to use the data, a data breach has occurred, there is a likelihood of infringement of the principal's rights, or lawful interests due to the PIC's handling of the personal data.

Notably, pseudonymously processed information is not subject to the principal's right to access or cessation of use.

If a principal requests a PIC to cease using their personal data, the PIC must do so unless the request is unreasonable, or the cessation would be costly or would otherwise be difficult (e.g. the recall of books already distributed). In this case, the PIC must take alternative measures to protect the rights and interests of the principal. The PIC must notify the principal without delay of whether the requested action has been taken, and, if not taken, must endeavor to explain the reasons why. A principal can enforce its rights to require revision, etc. of its personal data by civil action if such a request is not complied with within two weeks of being made.

Principals do not have any of the rights above in respect of personal data where the fact that the PIC holds such data, if it became known to the principal or another person, might result in:

  • injury to the life or bodily safety, property, or other rights and interests of the principal or any third party;
  • the encouragement of illegal or unjust acts;
  • danger to national security, or damage to a relationship of trust with a foreign country or international organization;
  • disadvantage to the country's negotiations with a foreign country or international organization; or
  • an obstacle to the prevention, suppression, or investigation of crimes, or other impairment of public safety and order.

8.1. Right to be informed

A PIC must make the following items readily accessible to each principal:

  • name of the PIC;
  • purpose of utilization of personal information retained;
  • the procedure for the principal to require access, correction, etc. of their personal data;
  • where to complain about the PIC's handling of personal data;
  • whether the purpose of utilization of the personal information it handles includes 'profiling';
  • the address of the PIC;
  • the name of the representative person of the PIC; and
  • the security measures taken by the PIC to protect personal information retained (including that a person has been appointed to be responsible for controlling how personal information is handled and that the scope of personal information to be handled by staff has been clarified).

The following descriptions are indicated by the PPC as examples of data security measures that satisfy the requirement (the PPC also indicates that the level of security measures can be relaxed for 'small or medium-sized business operators,' as described below):

  • establishment of basic principles concerning compliance with applicable laws, handling inquiries and complaints, etc.;
  • establishment of rules on the manner of data processing, staff in charge, their responsibilities, etc. on each step of collection, use, storage, transfer, and deletion of personal data;
  • organizational security measures: appointment of staff in charge, their responsibilities, reporting line, external audit system, etc.;
  • staffing security measures: staff training, confidentiality obligations of staff, etc.;
  • physical security measures: room access control, access authorization control, restriction of bringing out devices or personal data, etc.; and
  • technological security measures: access control, firewalls against unauthorized access, etc.

8.2. Right to access

There is no separately defined right for a data subject to access its personal information; see the opening paragraph of this section regarding disclosure of personal data held.

8.3. Right to rectification

Please see section on data subject rights above.

8.4. Right to erasure

Please see section on data subject rights above.

8.5. Right to object/opt-out

Please see the right to request cessation of use outlined in section on data subject rights above and the right to opt out in section on data transfers.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

Not applicable.

9. Penalties

Please see the provisions on penalties outlined in the section on data breach notification above.

In addition, many sector-specific regulations authorize the relevant regulators to enforce the regulations by rendering business improvement orders, or business suspension orders in the most serious cases, against providers of services that require licenses from the regulator, 'where necessary for ensuring the appropriate operation of the business'. 'Appropriate operation of the business' may include the management of the security of customer data. For example, the FSA may issue a business improvement order against a bank pursuant to the Banking Act (Act No. 59 of 1981), or against an investment manager pursuant to the Financial Instruments and Exchange Act (Act No. 25 of 13 April 1948), if the service provider failed to manage the security of customer data in the course of operation of the licensed businesses.

If a PIC (and, where the PIC is an entity, its officer, representative person, or administrator), any of its employees, or a person formerly in such a position provides to a third party or misappropriates a personal information database handled in the course of the business for the purpose of wrongful gain for themselves or a third party, the PIC (if an individual) and any such person is liable to imprisonment for not more than one year or a fine of not more than JPY 100 million (approx. $674,090).

9.1 Enforcement decisions

Rikunabi scandal

Recruit Career Co., Ltd., a subsidiary of Recruit Co., Ltd. (the two companies together, the 'Recruit Companies'), operated an online platform service, 'Rikunabi', for university students looking for information on graduate job openings and, as its customers, for companies wishing to advertise their graduate recruiting information.

On August 26, 2019, the PPC issued 'advice' and 'instruction' against Recruit Career for improvement arising out of the company's breach of the APPI. On December 4, 2019, based on further facts found since the August advice, the authority issued further 'advice' for improvement against the Recruit Companies for their 'extremely inappropriate service to circumvent the APPI' and rendered 'instructions' for 35 companies (mostly leading listed companies) which were customers of the platform service for improvement of their inappropriate handling of personal data.

In summary, the PPC found in its August advice and instruction that on 'Rikunabi 2020' (i.e. the service for students due to graduate from university in 2020) the personal data of 7,983 registered students was provided to customer companies (to which the students might apply for jobs) without the students' consent.

In its December advice and instruction, the PPC found that on 'Rikunabi 2019' and 'Rikunabi 2020', cookies that recorded registered students' browsing histories by business sector were used to profile and score the students, calculating each student's 'possibility [as a percentage] of declining a job offer'. The 'possibility of declining a job offer' data was hashed and then provided to customer companies, which could nonetheless re-identify the students from it and used it when selecting which applicants to hire. The Recruit Companies provided the data of 26,060 students to customer companies without the students' consent. They did so on the understanding that the data ceased to be 'personal data' once hashed, which the PPC concluded was a 'wrong understanding' because the recipient companies 'could still identify students from the hashed data by reference to other data held by them'. The security point is general: a deterministic hash of a value that the recipient also holds is a pseudonym, not anonymization, since the recipient can simply recompute the hash over its own records and match.
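To make the PPC's reasoning concrete, the following is an added example, not the Recruit Companies' code and not based on the actual Rikunabi data format. It assumes the platform keys its scores by a student identifier that the customer company also holds for its own applicants; all identifiers and scores below are constructed. It shows three things: a recipient that holds the identifiers recomputes the unkeyed hash and joins the two datasets; a third party without the list recovers everything anyway when the identifier space is small enough to enumerate; and only a keyed hash whose key the recipient never receives breaks the join (which, of course, also defeats the purpose the service was sold for, and the data remains personal data in the sender's hands).

```python
import hashlib
import hmac
import secrets

# Constructed sample: the platform's view, student id -> predicted 'decline' score.
PLATFORM_RECORDS = {
    "student-0001": 0.82,
    "student-0002": 0.15,
    "student-0003": 0.47,
}

# Constructed sample: a customer company's own applicant list.
CUSTOMER_APPLICANTS = ["student-0002", "student-0003", "student-9999"]


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier: deterministic, so anyone can recompute it."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def export_plain(records: dict) -> dict:
    """The export the sender believed was 'no longer personal data'."""
    return {plain_hash(sid): score for sid, score in records.items()}


def reidentify(exported: dict, applicants: list, hash_fn) -> dict:
    """Recipient-side join: hash each identifier it already holds and look it up."""
    found = {}
    for sid in applicants:
        digest = hash_fn(sid)
        if digest in exported:
            found[sid] = exported[digest]
    return found


def brute_force(exported: dict, hash_fn, candidates) -> dict:
    """Third party without any applicant list: enumerate a small identifier space."""
    recovered = {}
    for sid in candidates:
        digest = hash_fn(sid)
        if digest in exported:
            recovered[sid] = exported[digest]
    return recovered


def make_keyed_hash(key: bytes):
    """HMAC-SHA256 under a key the sender keeps to itself (assumed mitigation)."""
    def keyed(identifier: str) -> str:
        return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
    return keyed


def export_keyed(records: dict, key: bytes) -> dict:
    keyed = make_keyed_hash(key)
    return {keyed(sid): score for sid, score in records.items()}


def demo():
    """Returns (joined via plain hash, recovered by enumeration, joined via keyed hash)."""
    plain_export = export_plain(PLATFORM_RECORDS)

    # 1. The customer re-identifies every one of its applicants present in the export.
    linked = reidentify(plain_export, CUSTOMER_APPLICANTS, plain_hash)

    # 2. Constructed identifier space of 10,000 values: cheap to enumerate entirely.
    candidates = (f"student-{i:04d}" for i in range(10_000))
    enumerated = brute_force(plain_export, plain_hash, candidates)

    # 3. Keyed hash; the recipient only has the unkeyed function, so the join fails.
    sender_key = secrets.token_bytes(32)
    keyed_export = export_keyed(PLATFORM_RECORDS, sender_key)
    linked_keyed = reidentify(keyed_export, CUSTOMER_APPLICANTS, plain_hash)

    return linked, enumerated, linked_keyed


if __name__ == "__main__":
    linked, enumerated, linked_keyed = demo()
    print("customer join   :", linked)
    print("enumeration     :", enumerated)
    print("keyed-hash join :", linked_keyed)
```

The keyed variant is shown only to isolate what actually prevents linkage: secrecy of the key, not the hash function. A salt that is shared with, or derivable by, the recipient changes nothing, and even a properly keyed export is still personal data wherever the key holder can link it back, which is why the question under the APPI is consent to the transfer rather than the choice of hash.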

The facts and issues found, in particular in the December advice and instruction, led the PPC to draft new rules on the transfer of 'person-related information' in the 2020 Amendments (see the section on data transfers above).
