Japan - Data Protection Overview
1. THE LAW
1.1. Key Acts, Regulations, Directives, Bills
- The Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2015) ('APPI'). The APPI was subject to substantial revisions which came into full effect on 30 May 2017. Unless stated otherwise, the discussion below relates to the APPI. Note that a bill to amend the APPI (only available in Japanese here; English summary available here) ('the 2020 Amendments') passed the National Diet of Japan on 5 June 2020 and was promulgated on 12 June 2020. The 2020 Amendments will come into force on a date specified by a cabinet order, which is not later than two years from the date of promulgation.
- The Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (Act No. 27 of 2013, as amended) ('the My Number Act').
Key guidelines provided by the Personal Information Protection Commission ('PPC'), the regulatory body established pursuant to the APPI and responsible for overseeing compliance with it, and by the relevant ministers are listed below; some of these guidelines are supplemented by 'Q&As' or 'commentaries' which provide practical guidance. The APPI delegates the power to require reports from Personal Information Controllers ('PICs') (as defined in section 4 below) to the minister regulating each business sector or a designated minister, etc. As such, each ministry provides, jointly with the PPC or individually, guideline(s), Q&As, and commentaries for the relevant business sector.
Guidelines issued by the PPC (only available in Japanese here) provide detailed guidance on the scope and meaning of the provisions of, and certain terms used in the APPI, and examples of their application, though the examples do not expand or limit the scope of the APPI. The guidelines also make it clear that a breach of a guideline which is expressed as an obligation, rather than a recommendation, would be deemed a breach of the APPI.
The following guidelines on the APPI, issued by the PPC, include:
- General Guidelines on the APPI (only available in Japanese here) ('the General Guidelines');
- Guidelines on the APPI (for Transfers to Third Parties in Foreign Countries) (only available in Japanese here);
- Guidelines on the APPI (for Checking and Recording on Transfers to Third Parties) (only available in Japanese here);
- Guidelines on the APPI (for Anonymised Information) (only available in Japanese here); and
- Guidelines on the APPI (for Data Leakages) (available only in Japanese here) ('the Data Breach Guidelines').
Note that the above list is not intended to be comprehensive; additional guidelines have been issued for businesses and industries where there is a need for more stringent protection of personal information.
In particular, the PPC has issued the following additional guidance:
- Guidelines concerning Appropriate Handling of Specific Personal Information (defined below) (main body and separate volume: security measures concerning specific personal information) (only available in Japanese here); and
- Guidelines concerning Appropriate Handling of Specific Personal Information in Financial Businesses (only available in Japanese here).
For credit card businesses and businesses which use genetic information, the Ministry of Economy, Trade and Industry ('METI') has issued the following guidance:
- Guidelines for Personal Information Protection in the Credit Industry (only available in Japanese here); and
- Guidelines for the Protection of Personal Information in the Industry Using Genetic Information of Individuals in the Economic and Industrial Sectors (only available in Japanese here).
For the financial sector (except the credit card industry, which is regulated by METI), the Financial Services Agency ('FSA') has issued the following guidance:
- Guidelines for Personal Information Protection in the Financial Industries (only available in Japanese here); and
- Practical Guidelines for Security Policies regarding Personal Information Protection in the Financial Industry (only available in Japanese here).
The Ministry of Justice has issued the following guidance:
- Guidelines concerning the Protection of Personal Information in the Debt Collection Service Industry (only available in Japanese here).
For the medical sector, the Ministry of Health, Labour and Welfare ('MHLW') has issued the following guidance:
- Guidance for the Appropriate Handling of Personal Information by Medical or Care-related Service Providers (only available in Japanese here);
- Guidance concerning Safety Management of Medical Information Systems (only available in Japanese here);
- Ethical Guidelines concerning Medical Research Targeting Humans (only available in Japanese here);
- Ethical Guidelines concerning Analysis and Research of the Human Genome and Genes (only available in Japanese here);
- Guidelines concerning Gene Therapy Clinical Research (only available in Japanese here); and
- Ethical Guidelines concerning Research of Assisted Reproduction Technologies that Produce Fertilised Embryos (only available in Japanese here).
For employment and welfare areas, the MHLW has issued the following guidance:
- Notice regarding the Handling of Health Information in Employment Management (only available in Japanese here);
- Guidance for the Appropriate Handling of Personal Information at Health Insurance Societies, etc. (only available in Japanese here);
- Guidance for the Appropriate Handling of Personal Information at National Health Insurance Societies (only available in Japanese here);
- Technical Security Measures regarding Personal Information in the Private Pension Area (only available in Japanese here);
- Guidelines for Appropriate Dealing by Employment Placement Service Providers, Worker Recruiters, Worker Recruitment Agents or Worker Suppliers with Equal Treatment, Statement of Working Terms, Handling of Personal Information of Job Seekers, Duties of Employment Placement Service Providers, Correct Statement of Terms of Recruitment (only available in Japanese here);
- Guidelines concerning Measures which Staffing Service Providers are Required to Take (only available in Japanese here); and
- Guidelines for Appropriate Dealing by Supervising Organisations with a Statement of Working Terms, Handling of Personal Information of Implementers of Intern Training Supervised by Organisations or Technical Intern Trainees at Training Supervised by Organisations, etc. (only available in Japanese here).
For the telecommunication sector, the Ministry of Internal Affairs and Communications ('MIC') has issued the following guidance:
- Guidelines concerning the Protection of Personal Information in Telecommunication Businesses (only available in Japanese here);
- Commentary on the Guidelines concerning the Protection of Personal Information in Telecommunication Businesses (only available in Japanese here) ('the Commentary');
- Guidelines concerning the Protection of Personal Information of Broadcast Receivers (only available in Japanese here);
- Guidelines concerning the Protection of Personal Information in the Area of Postal Business (only available in Japanese here); and
- Guidelines concerning the Protection of Personal Information in the Area of Correspondence Delivery Business (only available in Japanese here).
1.3. Case Law
Benesse Leakage Incident
Benesse Holdings, Inc., a correspondence education service provider, disclosed that it had suffered a leakage affecting approximately 49 million customers, consisting of the personal data of children and their parents. Such data included names, addresses, phone numbers, the children's genders and dates of birth, and the expected delivery dates of a limited number of expecting mothers (though it did not include credit card information, bank account information, or children's achievement information).
In 2013 and 2014, an employee of a company subcontracted by Benesse's subsidiary ('the Subsidiary') to process its customers' data, who carried out the data processing work on the Subsidiary's client PC, unlawfully downloaded the data onto his personal smartphone. He sold the data to name-list brokers, and it was ultimately obtained by other service providers, who sent direct marketing mail to the affected parents and children. The Subsidiary had implemented security measures, but the systems intended to alert senior managers to unusual data transfer activity and to control the export of data from the client PC onto external devices were not effective. As a gesture of apology, Benesse sent a JPY 500 (approx. €4) shopping voucher to each customer it identified as affected by the incident.
The following cases of individual or collective damages claim actions against Benesse on this incident are publicly available:
Supreme Court Judgment of 23 October 2017
The Supreme Court of Japan judgment of 23 October 2017 overturned the lower court's (Osaka High Court) judgment that the plaintiff should have established damages beyond a mere feeling of discomfort or anxiety. It instead found the plaintiff's privacy was infringed and remanded the case to the lower court to further review what the moral damage due to the privacy infringement was.
Tokyo District Court Judgment of 20 June 2018
The Tokyo District Court ('TDC') judgment of 20 June 2018 found that:
- the Subsidiary breached its duty of care by failing to appropriately upgrade its controls against data being exported to new models of smartphones using a Media Transfer Protocol ('MTP'); and
- Benesse breached its duty of care by failing to appropriately monitor what security software was used by the Subsidiary, and accordingly failing to recognise that it should require the Subsidiary to upgrade its controls against data exports to new types of smartphones.
However, the TDC also found, taking into account the type of leaked data, such data only being available to certain parties and not in the public domain (e.g. the Internet) in general, and Benesse's provision of JPY 500 in shopping vouchers, that the emotional distress sustained by the plaintiffs was still not enough to establish a 'pain and suffering' award, and accordingly dismissed the collective damages claims against both Benesse and the Subsidiary. The judgment was appealed to the Tokyo High Court ('THC').
TDC Judgment of 27 December 2018
The TDC judgment of 27 December 2018 found that the Subsidiary could not have reasonably expected that its controls against data exports would not work against data exports to new Android smartphones using MTP, and therefore was not in breach of its duty of care in not upgrading those controls to block data exports to such new models of smartphones. However, the TDC found that the Subsidiary was subject to the statutory 'Employer's Tort Liability', which does not require a breach of duty of care but is based on the individual's tortious act and the defendant's supervision and control over the individual. Therefore, the TDC awarded damages against the Subsidiary of JPY 3,000 (approx. €25) for pain and suffering plus JPY 300 (approx. €2) as lawyers' costs per plaintiff. The TDC found that Benesse likewise could not have reasonably expected that the export controls would not work against data exports to new Android smartphones using MTP, and therefore was not in breach of its duty of care in not requiring the Subsidiary to upgrade the export controls. As 'Employer's Tort Liability' also did not apply, because Benesse was not in a position to supervise and control the tortfeasor individual, the TDC dismissed the damages claims against Benesse. The plaintiffs were reported to have appealed to the THC.
THC Judgments of 25 March 2020
The THC judgments of 25 March 2020, on the appeals of the two TDC judgments above, found that the Subsidiary could have reasonably expected that its controls against data exports would not work against data exports to new Android smartphones using MTP, and thus breached its duty of care by failing to control data exports to new model smartphones; that Benesse breached its duty of care by failing to supervise the Subsidiary; and that, accordingly, the Subsidiary and Benesse were liable as joint tortfeasors for damages of JPY 3,300 (approx. €27) plus 5% late charges per annum per affected individual.
2. SCOPE OF APPLICATION
2.1. Who do the laws/regs apply to?
The APPI applies to every PIC in Japan, whether a person or entity; the exemption for a person or entity which had not handled the personal information of more than 5,000 individuals in certain cases was abolished when the APPI was revised in 2017, though the General Guidelines relax the standards of security measures for 'small or medium sized business operators' (see section 6 below).
The APPI only applies to persons or entities that handle personal information in the course of their business. For this purpose, a 'business' means activities which can be conducted repeatedly for a particular purpose and are regarded as a business under social conventions; a business can be for profit or not. A broadcasting institution, newspaper publisher or other press organisation, professional writer, university or other academic organisation, religious body, or political party are exempted from the obligations under the APPI in connection with such press, professional writing, academic, and political activities respectively.
An offshore PIC which is not otherwise subject to the APPI regime, but which acquires personal information of data subjects in Japan for the purpose of supplying goods or services to those persons, is now subject to the APPI if it handles that personal information, or any anonymised information created from it, in a foreign country. Although the PPC cannot enforce its orders for compliance with the APPI against such an offshore PIC, it may provide information to foreign regulatory authorities for their own regulatory enforcement purposes (see section 14 below).
2.2. What types of processing are covered/exempted?
The APPI applies to 'handling' of personal information by a PIC. 'Handling' is not defined in the APPI or the PPC's guidelines. However, it was explained in published discussions made at the Government's committee regarding the outline of the original APPI in 2000 to mean collection (acquisition), retention, use, transfer, and any other acts of handling personal information. 'Processing' was also explained at the discussions to include any such acts. The terms are understood in practice to be given such meanings.
For further information regarding the scope of the application of the law, see section 2.1 above.
3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY
3.1. Main regulator for data protection
The PPC is the primary regulator under the APPI and the My Number Act.
3.2. Main powers, duties and responsibilities
The PPC:
- has the task of ensuring the appropriate handling of personal information and specific personal information so as to protect individuals' rights and interests;
- has the primary investigatory, advisory, and enforcement powers under the APPI and the My Number Act, including the power to investigate the activities of a PIC, an anonymised information controller (see section 4 below), a person handling specific personal information, and in certain instances to render advice to and make orders against them, if the infringement of an individual's material rights or interests is imminent;
- (in connection with the protection of personal information under the APPI) may delegate its investigatory powers to the relevant minister, etc. in limited circumstances, but not its advisory or enforcement powers; and
- can provide information to foreign data protection regulators and in limited circumstances may allow information to be used for criminal investigations overseas.
4. KEY DEFINITIONS | BASIC CONCEPTS
Personal data: Personal information contained in a database (whether electronic or not) that enables easy retrieval of the personal information contained in it (a 'personal information database').
Personal information: Information about a living individual in Japan from which the identity of the individual can be ascertained (including information which enables identification by easy reference to, or in combination with, other information). Since the 2017 revision to the APPI, 'personal information' includes 'personal identifier codes', which include items such as characters, numbers, symbols and/or other codes for computer use which represent certain specified personal physical characteristics (such as DNA sequences, facial appearance, and finger and palm prints) and which are sufficient to identify a specific individual, as well as certain identifier numbers, such as those on passports, driver's licences and resident's cards, and the 'My Number' individual social security ID numbers.
Sensitive information: Sensitive information was added to the APPI in the 2017 revisions and includes personal information relating to matters such as race, creed, religion, physical or mental disabilities, medical records, medical and pharmacological treatment, arrest, detention or criminal proceedings (whether as an adult or a juvenile), or criminal victimisation. (The verbatim English translation is 'personal information requiring consideration'.) Industry-sector guidelines may apply additional categories of sensitive information.
Data controller: Data controller is not defined by the APPI. A personal information controller ('PIC') is a business operator using a personal information database for its business and is a similar concept to a data controller. (The verbatim English translation is 'business operator handling personal information').
Data processor: Data processor is not defined by the APPI but for the purpose of this note and for ease of reference for readers who are familiar with the concept in other jurisdictions, is an entity which a PIC 'entrusts the handling of personal data in whole or in part within the scope necessary for the achievement of the purpose of utilisation' (e.g. entrusting personal data to a service provider such as a cloud computing service provider or a mailing service provider for the purpose of having them provide the PIC with the services).
Anonymised information: In summary, information regarding an individual which has been processed by deleting information (or replacing it with information which does not enable reversion to the original information) so that it cannot be used to identify the individual.
Anonymised information controller: The verbatim English translation is a business operator handling anonymised information. This was added to the APPI in the 2017 revisions, and means a PIC using for its business a database (whether electronic or not) that allows easy retrieval of specific anonymised information contained in it.
Principal (i.e. data subject): The individual that is the subject of the personal information.
Opt-out: A system whereby a principal is notified of the proposed transfer of its personal information to a third party and given the opportunity to object to that transfer.
Personal number: A number derived from an individual's resident registry code number, and a code corresponding to and used in lieu of such number ('My Number').
Purpose of utilisation: The purpose of use of personal information as specified by a PIC to the principal whose personal data is to be used by the PIC.
Specific personal information: Personal information which contains a personal number in it.
The following definitions have been introduced by the 2020 Amendments:
Person-related information: Information which is not personal information for the transferor as it cannot identify the principal from the information (even by easy reference to, or combination with, other information) but may be for a transferee as it may be able to identify the data subject by reference to other information held by the transferee.
Pseudonymously processed information: Information which has been processed from personal information in a manner that the data subject can no longer be identified solely from the data.
Whilst the PPC has not published draft guidelines or commentaries that clarify how pseudonymously processed information and anonymised information are different, the current understanding in practice is that pseudonymously processed information is information that would still enable identification of the principal if other information was also referenced to, or combined together, and as such still constitutes personal information, whilst anonymised information is not.
Pseudonymously processed information controller: A business operator using a pseudonymously processed information database for its business.
5. NOTIFICATION | REGISTRATION
5.1. Requirements and brief description
There is no general requirement that a PIC be registered under the APPI or related regulations, or for any registration under the My Number Act. A PIC which wishes to use an opt-out for disclosure of personal data to a third party has to file the opt-out provision prescribed in the order described below in section 6 under 'transfers pursuant to an opt-out' (but not the rest of its privacy policies) with the PPC. The PPC will then review the provision to ensure it is in accordance with the requirements of the APPI and make it available to the public. If the opt-out is not sufficient in terms of clarity, easy-readability, and formality the PPC may require it to be improved and re-filed.
6. DATA CONTROLLER RIGHTS AND RESPONSIBILITIES
Collection & use of personal information
A PIC must:
- not collect personal information by fraudulent or other unlawful means;
- notify the principal of the purpose of utilisation prior to the collection of the personal information unless it has published the purpose of utilisation in advance in a manner readily accessible by the principal; and
- obtain the principal's consent before acquiring the sensitive information of the principal unless one of the exceptions listed below under transfers permitted by law applies to the acquisition.
A PIC must make the following items readily accessible to each principal:
- name of the PIC;
- purpose of utilisation of personal information retained;
- the procedure for the principal to require correction, etc. of their personal data; and
- where to complain about the PIC's handling of personal data.
Use of personal information
A PIC must use personal information only to the extent necessary to achieve the purposes of utilisation specified to the principal and must make efforts to delete the personal data when it is no longer needed for the purposes of utilisation.
Furthermore, under the 2020 Amendments, a PIC must not use personal information in a manner which may facilitate or prompt illegal or inappropriate acts.
Personal data management and security
A PIC must:
- take reasonable steps to keep personal data as accurate and up to date as is necessary to achieve its purpose of utilisation;
- take all necessary security measures to avoid loss of, or unauthorised access to personal data; and
- exercise necessary and appropriate supervision over its employees handling the personal data, or any persons or entities delegated to handle personal data (e.g. a personal information/data processor), so as to ensure they implement and comply with such security measures.
The PPC's General Guidelines illustrate high-level examples of security measures, which are categorised into:
- establishing basic principles;
- setting out internal rules;
- organisational security measures (e.g. appointment of a responsible person, the definition of each person's responsibility, the definition of the scope of data handled by each staff member, data processing operation and incident reporting line, the definition of responsibilities between divisions, periodical internal and/or external audit, etc.);
- staffing security measures (e.g. staff education and training, confidentiality provisions in work rules, etc.);
- physical security measures (e.g. area access control (IC card, number keys), prevention of device theft, prevention of leakage from portable devices, non-recoverable deletion of data); and
- technological security measures (e.g. system access control, access authorisation (user ID, password, IC card, etc.) control, prevention of unauthorised access (security software instalment and upgrading, encryption, access log monitoring), continuous review of system vulnerability, etc.).
The General Guidelines relax the standards for security measures for a 'small or medium sized business operator', which is defined as a PIC with 100 or fewer employees, but excluding:
- a person who has handled personal data of more than 5,000 principals on a day in the past 6 months; and
- a person who processes personal data on behalf of another PIC under a contract.
The relaxed standards include the following measures:
- establishing basic principles;
- setting out the basic process for collecting, using, and storing personal data;
- for organisational security measures:
- clarifying who is responsible for handling personal data and who is not, if more than one staff member handles personal data;
- the person responsible for checking personal data is handled in accordance with the prescribed basic process; and
- checking the data breach reporting process in advance;
- for physical security measures, simplified measures (e.g., password lock) are allowed; and
- for technological security measures:
- clarifying which staff members are allowed to access devices;
- controlling access by user account control;
- keeping the devices' operating software up-to-date and introducing security software; and
- setting passwords for opening files when sending them by email.
Guidelines provided by the METI and the FSA set out further detailed requirements for security measures and provide specific examples for certain specified industry areas.
2020 Amendments: Pseudonymously processed information
As pseudonymously processed information is still personal information (as it would still enable identification of the principal if other information was also referenced to or combined together), a pseudonymously processed information controller is generally subject to the same obligations as a PIC regarding the management and security of personal information above (and transfers to third parties) in connection with pseudonymously processed information. However, a PIC's obligations with respect to pseudonymously processed information are relaxed in several aspects. In particular, for pseudonymously processed information:
- the purpose of utilisation may be changed beyond the scope reasonably related to the original purpose of utilisation even after creation or acquisition of pseudonymously processed information;
- the general obligations to notify the PPC and the principals of a data breach are not applicable;
- the principal's rights to access, correction, or cessation of use are not applicable (and therefore its public announcements (as defined above) need not include procedures for principals to request access, correction, etc.).
A PIC which processes pseudonymously processed information may not disclose its methods for pseudonymisation of the principal's personal information, the data removed during the pseudonymisation process, or any process used to verify the pseudonymisation ('removed data'). The pseudonymously processed information controller must take security measures to prevent leakage of pseudonymously processed information and removed data, and must supervise and control any person contracted to process such information. Lastly, the pseudonymously processed information controller may not refer to other information in order to re-identify the principal to whom the pseudonymously processed information relates.
Similarly, a PIC who creates anonymised information may not disclose its methods for anonymisation of the principal's personal information, the data removed in the anonymisation process or any process used to verify the anonymisation. A recipient of anonymised information may not seek to acquire any such information, whether from the transferor or otherwise.
When a PIC processes personal information to anonymised information, it must make public in an appropriate manner (such as via the internet) what categories of personal information (e.g. ages, shopping behaviour, and travel habits, etc.) are included in the anonymised information so that principals are able to make enquiries with the PIC.
Under the 2020 Amendments, a PIC must not refer to other information that can re-identify the relevant data subject of the pseudonymously processed information.
Please see section 13.1 for controller rights and responsibilities pertaining to data transfers.
7. DATA PROCESSOR RIGHTS AND RESPONSIBILITIES
Neither the APPI nor any related regulations impose any direct obligations on data processors. However, as explained above, necessary and appropriate supervision must be exercised by a PIC over any third parties delegated to handle personal data. Such supervisory measures include the execution of agreements between a PIC and a service provider providing appropriate security measures that should be taken by the service provider, and the power of the PIC to instruct and investigate the service provider in connection with its handling of personal data entrusted to it.
8. DATA CONTROLLER AND PROCESSOR AGREEMENTS
See section 7 above with regard to the requirement for a PIC to implement supervisory measures over any third parties delegated to handle personal data, which include the execution of agreements between a PIC and a service provider providing appropriate security measures.
9. DATA SUBJECT RIGHTS
If requested by a principal, a PIC must disclose in writing and without delay to the principal, the principal's personal data held by it, unless the principal has agreed to receive it by other means (e.g. as electronic data). Access can be refused if it would result in:
- injury to life or bodily safety, property or other rights and interest of the principal or any third party;
- a material interference with the PIC's business operations; or
- a violation of other Japanese laws prohibiting disclosure.
Principals also have the right to revise, correct, amend, or delete their personal data, and to request the cessation of use of their personal data if it is used for a purpose other than the one originally stated, or if it was acquired by fraudulent or other unlawful means. If a principal requests a PIC to cease using their personal data, the PIC must do so unless the request is unreasonable, or the cessation would be costly or would otherwise be difficult (e.g. the recall of books already distributed). In this case, the PIC must take alternative measures to protect the rights and interests of the principal. The PIC must notify the principal without delay of whether the requested action has been taken, and, if not taken, must endeavour to explain the reasons why. A principal can enforce its rights to require revision, etc. of its personal data by civil action if such a request is not complied with within two weeks of being made.
Principals do not have any of the rights above if:
- the personal data will be deleted within six months of collection; or
- the principal or another person coming to know that such personal data is held by the PIC might result in:
- injury to the life or bodily safety, property or other rights and interests of the principal or any third party;
- encouraging illegal or unjust acts;
- endangering national security, or damaging a trusted relationship with a foreign country or international organisation;
- disadvantaging the country's negotiations with a foreign country or international organisation; or
- presenting an obstacle to the prevention, suppression, or investigation of crimes, or otherwise impairing public safety and order.
Under the 2020 Amendments, the following provisions relating to principal rights will also apply:
- principals will have the right of access to a PIC's record of data transfers to third parties;
- personal data which the PIC will delete within six months will no longer be exempted from the principal's right of access;
- a principal will have the right to require the PIC to cease using personal data, or to cease transferring personal data to third parties, if the PIC no longer needs to use the data, a data breach has occurred, or there is a likelihood of infringement of the principal's rights or lawful interests due to the PIC's handling of the personal data; and
- pseudonymously processed information will not be subject to the principal's right of access or right to require cessation of use.
10. DATA PROTECTION OFFICER
10.1. DPO – compulsory appointment (yes/no)
The APPI does not specifically require a PIC to appoint a data protection or similar officer. However, guidelines issued by the PPC which apply to all PICs provide that a PIC must take security measures for the handling of personal information, one example of such a measure being 'the appointment of a person in charge of the handling of personal information and the definition of the responsibilities of the person' (see section 6 above). The guidelines state that whether measures are mandatory depends on the materiality of the damage which may be suffered by principals in the event of a data breach, the size and nature of the business, and the general nature of the data handling (including the nature and volume of data handled).
Some sector-specific guidelines also provide data protection or similar officer requirements. Certain private organisations or associations have created qualifications such as 'data protection officer' or equivalent, and issue them to persons who have passed examinations set by them (e.g. the Japan Consumer Credit Association issues a Personal Information Handling Officer qualification, and the Information-Technology Promotion Agency issues an Information Systems Security Administrator qualification). These qualifications are not acknowledged, supported, or required by law, but are industry-driven efforts to enhance data privacy.
11. DATA BREACH NOTIFICATION
11.1. General obligation (yes/no)
The Data Breach Guidelines are limited to setting out certain principles for handling leakages, leaving PICs to decide what specific action should be taken with regard to the facts of each case.
Action following a data breach
The Data Breach Guidelines state that in the event of the leakage, destruction, or damage of personal information, or the likelihood of any of them:
- it is 'desirable' that the affected PIC take the following steps:
  - report the incident internally within the PIC;
  - take measures to prevent the expansion or aggravation of any damage (to principals or third parties affected by the incident) caused by the incident;
  - investigate the relevant facts and the cause of the incident;
  - identify the affected areas within the PIC's servers/systems and the principals whose data was affected;
  - promptly plan and implement measures to prevent a recurrence of the incident, or further incidents that might otherwise follow from it;
  - unless the leaked data is encrypted at a high level, 'promptly' notify the principals potentially affected, or make the facts of the leakage easily available to them (depending on the facts of each case), so as to prevent the principals or third parties incurring further damage (e.g. to give the principals the opportunity to take action to avoid or mitigate harm from third parties' use of the leaked information); and
  - publicly announce the relevant facts and the measures to be taken to prevent a recurrence of the incident (depending on the facts of each case).
- the PIC must make efforts to promptly notify the PPC of a breach unless:
  - the leaked data is encrypted at a high level;
  - all of the leaked data has been recovered by the PIC before being seen by any third party;
  - there is no risk of any specific individual being identified from the leaked data, or of the affected principals being harmed by its use;
  - the data breach was obviously only internal and not an external leakage; or
  - the leakage is obviously insignificant (e.g. the mis-delivery of a parcel where the only personal information is on its delivery address label).
A data breach notification to the PPC is made by completing an online form (only available in Japanese here). If a PIC has a security policy which does not allow online access from its systems to external systems, or has difficulty completing an online submission, other methods of submission, e.g. by fax or post, remain available.
Where a PIC has entrusted personal data to a personal information/data processor and the processor was the one subject to the data breach, the obligations above fall on the PIC.
Leaked data is encrypted at a high level when:
- the encryption system is on the list of ISO/IEC 18033 or the Japanese Government has confirmed the encryption system as being sufficiently secure; and
- the decryption key is remotely controlled or not usable by a third party, or the leaked data or decryption key can be remotely deleted.
'Desirable', 'promptly', and 'make efforts' are not defined or explained in the Data Breach Guidelines, and their meaning will need to be determined by reference to their ordinary meaning, regulatory practice and best practice, and the facts of each case, in particular the risk of an innocent party suffering any loss.
It is not uncommon for obligations under Japanese laws and regulations to be expressed as being desirable or similar, and in the absence of factors which would dictate otherwise, best practice would be to comply with the obligation unless there is a good reason not to. In addition, the greater the harm non-compliance may cause, the more advisable compliance becomes.
Although 'promptly' is not defined, the nuance of the original Japanese term 'sumiyakani' would suggest four or five days in many cases, though this is subject to the facts of each case, and in particular how seriously the principals may be affected and accordingly how urgently they should be notified.
Examples of what might constitute 'making the fact of the leakage easily available to the affected principals' include:
- placing a sign in an office habitually attended by the principals; or
- adding a notice on an accessible webpage directly linked from the home page of the PIC's website.
Although what constitutes 'make efforts' is not defined, it would be given its normal meaning; as with 'promptly' and 'desirable', the greater the actual or potential harm of the data breach, the more advisable compliance with the obligation becomes.
The current obligation to 'make efforts to promptly notify the PPC of a breach' will become an obligation to notify the PPC of certain information regarding the breach. The Outline of the 2020 Amendments (only available in Japanese here) ('the Outline'), published by the PPC on 13 December 2019 (prior to the publication of the bill for the 2020 Amendments), proposed that the report should be made 'promptly', though this is not expanded upon in the amended APPI and will need to be clarified in the PPC regulations or guidelines. What constitutes 'promptly' will still be judged on a case-by-case basis. The PPC will then be able to require a further report within a specified period. The change will mean that PICs should establish efficient data loss reporting mechanisms rather than handle the reporting of losses on an ad-hoc basis after they have occurred.
Reporting to the PPC
Under the current APPI, whilst the obligation to report a data breach to the PPC is only to make efforts, best practice would be to submit a report unless any of the exemptions above apply (in which case a report is not required). If the PIC thinks the data breach is not serious enough to warrant a formal report but it is not exempted from reporting, it can seek informal guidance from the PPC on what action to take. If the data breach is very serious, e.g. the loss of bank account details and passwords, or the PIC is not certain what action to take, the PIC should contact the PPC (and local counsel) at the earliest opportunity, without waiting to complete the formal report to the PPC. Should a data breach not be reported, and the PPC subsequently become aware of it, it may require a report to be submitted.
Under the 2020 Amendments, reporting to the PPC will become mandatory. However, in order to minimise the burden on industries which would arise from having to report minor breaches, the obligation will be limited to certain breaches; the threshold(s) will be set later by PPC regulation and will likely be based on whether there is a substantial risk to individuals' rights and interests. The Outline proposed that the thresholds shall refer to the number of losses (though it is not clear whether the 'number' is the number of affected principals) and any losses, irrespective of the number of losses, of sensitive information, though these criteria are not expanded upon in the 2020 Amendments and are to be clarified in the PPC regulations.
Furthermore, whilst the current APPI regime enables reporting to the PPC and to certain accredited personal information protection organisations, the 2020 Amendments will centralise the reporting process so that reports will only be made to the PPC or delegated government agencies.
Notifying affected principals
When considering whether to notify affected principals of a data breach directly, or by a more general notice, the two major factors for a PIC to consider are the seriousness of the loss and the harm it may cause, and the effectiveness of the means of notification. If a loss may cause serious harm, the prudent course would be to make it public promptly, and then notify affected parties individually (always subject to any directions from the PPC). Where a PIC has decided to give a general notification, it will need to evaluate how effective the means of notification is likely to be; for example, if notification is given on a website, how likely is it that the affected parties will visit the website and how long it should be kept active in order to notify an appropriate proportion of affected principals. A notification, individual or general, should include a description of the loss and the actions taken by the PIC to mitigate its effects, and it would be advisable to include a phone number or email address which the affected principals can use to obtain further information on the loss.
As noted, depending on the facts of each case, it might be appropriate for the PIC to publicly announce the relevant facts of the data breach, and the measures to be taken to prevent its recurrence; there is no guidance on what form this notice should take, and although it may also be sufficient as a notice to the affected principals, its effectiveness as such would need to be considered carefully.
Notifications, individual or general, should be given in Japanese, and if any affected principals may not understand Japanese, any other appropriate foreign language. Notifications should not be given only in a foreign language unless it is certain that all affected principals will understand that language.
The current obligations to notify affected principals of a data breach are somewhat vague and leave the PIC to determine the appropriate action. Under the 2020 Amendments, as a general rule, if a PIC is required to report a data loss to the PPC it will also be mandatory to notify the loss to any affected principal. Where it is not possible or practicable to notify principals directly, e.g. if the principal's contact details are not known, and the PIC has taken another measure to protect the rights and interests of the principals (such as using public notices), the obligation to directly notify the principals may be satisfied. The Outline and the provisions of the 2020 Amendments do not clarify the timing of notification; however, it has not been proposed that the obligation to make such a report 'promptly' be revised. PICs should take all reasonable steps to maintain up-to-date contact details for their principals and/or periodically review their procedures for notifying data losses through public notices and other means.
If a data breach has occurred and been reported to the PPC, voluntarily or at the request of the PPC, it may investigate the background to the loss, the PIC's data management procedures, and the actions taken (or not taken) by the PIC to notify the affected parties (and the PPC). Where the PPC finds defects in the PIC's data management or post-loss actions, it may give guidance to the PIC on what actions to take to improve its data management, or what further steps should be taken to notify affected principals of the loss. If the defects are material, the PPC may issue advice for improvement to the PIC and publish the advice on its website. If the PIC fails to follow advice for improvement, the PPC may then escalate the matter and issue an order for improvement. An order for improvement may be issued immediately without preceding advice for improvement in limited cases of a serious data breach.
If a PIC has not notified the PPC or the affected principals of the data breach (or has not publicised the loss, if material in either scale or subject matter) and the PPC comes to know of the loss, it might be more likely to find the PIC's attitude to compliance unsatisfactory, and thus issue and publish an advice for improvement.
Neither the APPI nor the Data Breach Guidelines impose any sanctions for failure to make a report or notification of a data breach, and the Data Breach Guidelines only require a PIC to 'make efforts' to report a data breach. However, it should be noted that a PIC has presumably breached its data security duties when it failed to prevent the data breach, and it would probably further be in breach of its obligations if it did nothing following the data breach where action was obviously required. These breaches will allow the PPC to issue advice for improvement. That said, and as noted above, it is advisable for PICs to report a data breach unless a report is clearly not required, and failure to report might be a factor the PPC would take into consideration when deciding whether to issue advice for improvement. The PPC will publish such advice once issued.
Failure to comply with an order for improvement would be grounds for criminal imprisonment for up to six months or a criminal fine of up to JPY 300,000 (approx. €2,500) for an individual who is the PIC, the director, or employee of the PIC entity in charge of the breach, and the same criminal fine for the PIC as an entity.
Under the 2020 Amendments, failure to comply with an order for improvement would be grounds for criminal imprisonment for up to one year or a criminal fine of up to JPY 1 million (approx. €8,300) for an individual who is the PIC, the director, or employee of the PIC entity responsible for the breach, and the same criminal fine for the PIC as an entity.
To date, PICs which have suffered a data breach have often voluntarily offered compensation to affected parties both to forestall any proceedings, and to maintain good public relations. Compensation payments to principals (per person) have ranged from JPY 500 (approx. €4) of e-money or gift vouchers (see the Benesse incident discussed in section 1.3 above), through gift vouchers of JPY 10,000 (approx. €80), to cash payments of JPY 35,000 (approx. €290). If an affected party brings an action before a court against a PIC for a data breach, any judgment by the court would likely be an order against the PIC to pay damages on the grounds of a breach of contract or tort theory. Save for cases such as the unauthorised use of affected payment card data or the disclosure of sensitive information affecting the personal lives of individuals, the amount of damages an affected party might be entitled to is frequently not large enough to warrant the commencement of proceedings once the costs of the proceedings are taken into consideration.
It should also be noted that in Japan it is often important to treat all affected parties equally. Even if a PIC does not publicise a data breach and communicates privately with each affected party individually, the widespread use of social media makes it increasingly unlikely that any unequal treatment between affected parties will remain private, which may have an associated negative impact on the PIC's reputation.
11.2. Sectoral obligations
Whilst the Data Breach Guidelines only provide that it is 'desirable' for an affected PIC to take actions, including giving notice to affected parties and publicising the incident, and that PICs should 'make efforts' to notify the PPC, the Guidelines on Protection of Personal Information in the Financial Field, issued jointly by the PPC and the FSA, provide that such actions are mandatory in the financial services sector. Similarly, the Commentary issued by MIC, which gives guidance on the Telecommunications Business Act (Act No. 86 of December 25, 1984), provides that a breach of secrecy of communications must be reported to the authority.
Please see sections 1.3, 11.1, and 13.3.
In addition, many sector-specific regulations authorise the relevant regulators to enforce the regulations by rendering business improvement orders, or business suspension orders in the most serious cases, against providers of services which require licences from the regulator, 'where necessary for ensuring the appropriate operation of the business.' 'Appropriate operation of the business' may include the management of the security of customer data. For example, the FSA may issue a business improvement order against a bank pursuant to the Banking Act (Act No. 59 of 1981), or against an investment manager pursuant to the Financial Instruments and Exchange Act (Act No. 25 of 13 April 1948), if the service provider failed to manage the security of customer data in the course of operation of the licensed businesses.
13. ADDITIONAL RELEVANT TOPICS
13.1. Data Transfers and Outsourcing
Generally transferring personal data to third parties, including affiliated entities of the PIC, without the prior consent of the principal is prohibited unless an exception applies. The primary exceptions are listed below:
Transfers permitted by law
The prior consent of the principal to a transfer of their personal data (including sensitive information) is not required if the transfer:
- is specifically required or authorised by any laws or regulations of Japan;
- is necessary for protecting the life, health, or property of an individual and consent of the principal is difficult to obtain;
- is necessary for improving public health and sanitation, or promoting the sound upbringing of children, and the consent of the principal is difficult to obtain; or
- is required by public authorities or persons commissioned by public authorities to perform their duties and obtaining the prior consent of the principal carries the risk of hindering the performance of those duties (e.g. the disclosure is required by police investigating an unlawful act).
Transfer pursuant to an opt-out
Personal data (other than sensitive information) can be transferred after the period necessary for the principal to exercise their opt-out right has expired and the PIC has notified the principal or made readily available to the principal, and filed with the PPC, all of the following information:
- that the transfer is within the scope of the originally stated purpose of utilisation;
- the specific personal data to be transferred;
- the means with which the personal data will be transferred;
- the fact that the transfer of the personal data is subject to an opt-out; and
- where the principal may give notice exercising the opt-out.
PPC guidelines only state that the length of the 'expiration period' will vary depending on factors such as the nature of the business, how close the relationship between the principal and the PIC is, the nature of the personal data to be transferred, and how quickly the PIC can handle the principal's exercising of its opt-out rights.
It has been clarified that transfers pursuant to the opt-out rule will not be available for personal information which has been obtained:
- by fraudulent or other unlawful means; or
- from a preceding transferor pursuant to the opt-out rule.
This revision is based on the PPC's finding that personal data has often been traded or shared between name-list brokers or peer business operators under the opt-out rules.
The following information will also be required to be filed with the PPC:
- the name of the person who is the representative of the transferor PIC if the PIC is a corporate body, in addition to the name of the transferor PIC itself;
- how the transferor PIC has obtained the personal data which it will transfer pursuant to the opt-out rule; and
- other matters which the PPC will set out in regulations.
Transfer of sensitive information
A transfer of sensitive information to a third party requires the consent of the principal unless an exception as listed above applies; such consent cannot be given through the use of an opt-out.
Transfer of anonymised information
Anonymised information may be transferred to a third party without the consent of the original principal, as it no longer constitutes personal information, provided that the transferor makes public both the fact of the transfer and what types of personal information are included in it and notifies the recipient that the information is anonymised information.
Transfer of pseudonymously processed information
As pseudonymously processed information is still personal information, the rules described above apply equally to a transfer of it: the general requirement for the prior consent of the principal, the exceptions for transfers permitted by law (e.g. a transfer required or authorised by laws or regulations of Japan) and transfers pursuant to an opt-out, the consent requirement for a transfer of sensitive information, the scope of third parties, the additional requirements for a transfer to a third party in a foreign country, and transfer due diligence and records.
Transfer of person-related information
Although person-related information is not personal information for a transferor, it is for a transferee if the relevant principal is identifiable by reference to other information held by the transferee. The 2020 Amendments set out the general requirement for the prior consent of the principal for a transfer of person-related information to a third-party transferee (where the consent must be based on the principal's understanding that the information will be person-identifiable to the transferee). The exceptions for transfers permitted by law (e.g. a transfer required or authorised by Japanese laws or regulations) also apply. Transfers under an opt-out are not permitted. The amended language of the APPI does not provide that the entities listed in the 'scope of third parties' section below are not third parties for the purpose of transfers of person-related information; that being so, it is currently understood that transfers to such entities will still generally require the principal's consent, subject to future clarification by the PPC in guidelines, etc. The revised rules, under the 2020 Amendments, on a transfer of personal information to a third party in a foreign country (as described below) also apply to a transfer of person-related information. Transfer due diligence and records will also apply.
Cookies are not personal information unless the relevant principal can be identified by easy reference to, or combination with, other information. However, even if a cookie is not personal information for the transferor in this sense, if it is transferred to a third-party transferee and becomes, as a result of the transfer, personal information for the transferee because the transferee holds other information by reference to which the individual related to the cookie can be identified (e.g. the cookie is a website browsing history that suggests the individual's behaviour or preferences for goods or services, or is otherwise usable for profiling, and the transferee would use it for targeted advertising, or for assessment for a job position or financial services, etc.), the transfer will be a transfer of person-related information under the 2020 Amendments and will thus be subject to the general requirement for the prior consent of the principal.
Scope of third parties
Under the APPI, the following entities are deemed not to be third parties (meaning that the transfer of personal data (including sensitive information) to such parties does not require the principal's consent):
- a personal information/data processor;
- a company that enters into a merger, a company split, or a business transfer with the PIC. (Disclosure in the process of negotiations for mergers and acquisitions is permissible if made upon execution of a non-disclosure agreement which requires the company to which the data is disclosed to implement appropriate safety measures); or
- a company designated to jointly use the personal data with the PIC. In this case, the PIC must notify, or make readily accessible to, the principal:
  - the fact of such joint use of the personal data;
  - the scope of the personal data to be jointly used;
  - the scope of the parties who will jointly use the personal data;
  - the purpose of the joint use; and
  - the name of the party among the joint users responsible for the management of the joint use of the personal data.
Such joint use is available to group companies, business partners, or affiliates which provide integrated services to common customers.
Though not a specified exception to the general consent requirement, a transfer of personal data between a Japanese company and its Japanese branch, or between a foreign company and its Japanese branch is not a transfer of personal data to a third party as in each case the branch and the company are the same legal entity. Whether a Japanese company and its foreign branch are a single legal entity would be determined in accordance with the laws of the jurisdiction under which the branch was formed.
Where a transfer of personal data is to a person or entity which is not a third party, a further transfer of the personal data by that person or entity would be subject to the consent rules and exceptions applicable to such transfers, as described in this note.
Transfer of personal data to a third party in a foreign country
The transfer by a PIC of personal data to a third party in a foreign country (other than in reliance on one of the exceptions listed above under 'transfers permitted by law') is subject to the following requirements in addition to those generally applicable to transfers of personal data:
- where consent to the transfer is given by the principal, it must be clear and cover the transfer to a third party in a foreign country and the principal must be provided, when giving the consent, with information necessary for judging whether to provide the consent (e.g. the foreign country is identified, identifiable, or the circumstances where such a data transfer will be made); or
- in the absence of such consent, if the transferor wishes to rely on an opt-out or the fact that the transfer is not to a third party, as an exception to the requirement to obtain the principal's consent to the transfer, it is also necessary that the transferee:
  - is in a country on a list of countries issued by the PPC as having a data protection regime equivalent to that under the APPI; or
  - implements data protection standards equivalent to those which PICs subject to the APPI must follow.
As of the date of this note, only the UK and countries in the European Union (including the EEA) are on the list of countries issued by the PPC as having equivalent data protection. If the transferee is not in any such country, a transferor PIC would have to rely on the transferee implementing equivalent standards to the APPI in order to effect a transfer of Personal Information offshore without the principal's consent or in reliance on an exception listed above in transfers permitted by law. The requirement for equivalent standards to the APPI can be satisfied:
- by the transferor and the transferee:
  - entering into a contract; or
  - if they are in the same corporate group, both being subject to binding standards of the group for the handling of personal data,
  pursuant to which the transferee is subject to all the obligations imposed by the APPI on PICs who are subject to it, and which must include certain specified matters, such as the purpose of use, record-keeping, and details of security measures; or
- if the transferee is accredited under APEC's CBPR system.
When transferring personal data to a third party offshore:
- if the transfer is based on the principal's consent, the transferor must provide the principal with certain information regarding the protection level of the data protection law of the foreign country; the information required will be set out in more detail in regulations to be issued by the PPC; and
- if the transfer is allowed without the principal's consent because the transferee has established a level of protection of personal data equivalent to that under the APPI, the transferor must:
  - provide the principal with information on that protection level if requested; and
  - continue to ensure that the transferee maintains that protection level.
Transfer due diligence and records
A transfer of personal data requires that the transferor PIC and the transferee (if a PIC, or if it becomes a PIC as a result of the transfer) keep specified records and the transferee is also required to make enquiries on the source of the personal data transferred, unless the transfer was made in reliance on an exception listed above as a transfer permitted by law or the transferee is not a third party.
The transferor must keep a record of:
- (if the transfer was made in reliance on an opt-out) the transfer date;
- the name or other identifiers of the transferee and the principal, and the type(s) of data transferred (e.g. name, age, gender); and
- the principal's consent to the transfer, or, if consent has not been obtained and the transfer was made in reliance on an opt-out, that fact.
The transferee must keep a record of:
- (if the transfer was made in reliance on an opt-out) the date the personal data was received;
- the name or other identifiers of the transferor and its address (and the name of its representative if the transferor is a legal entity), and the name of the principal;
- the type(s) of data transferred;
- the principal's consent to the transfer, or, if consent has not been obtained and if the transfer was made in reliance on an opt-out, that fact;
- if an opt-out has been relied on, the fact that the opt-out has been filed with, and published by the PPC; and
- how the transferor acquired the Personal Information transferred.
An employer is required by the Industrial Safety and Health Act (Act No. 57 of 1972) to engage a medical professional to conduct certain medical check-ups of its employees. In connection with diagnosis information obtained from the medical check-ups, it is generally understood that the medical professional is a PIC rather than a personal information/data processor for the employer as PIC. In most cases, the medical professional should share with the employer the legally mandatory medical check-up information of the employees, and this sharing is generally permitted without the employees' consent as an exception to the general rule that the principal's consent is required for the transfer and acquisition of sensitive information.
The MHLW's guidelines require an employer not to handle such diagnosis information beyond the scope necessary for the purpose of ensuring the employees' health.
My Number Act
The My Number Act introduced a national social security ID number system for all individuals residing in Japan (whether Japanese or foreign) under which they are allocated a unique individual number ('Personal Number' also known as 'My Number'). An individual's specific personal information, which is personal information containing My Number in it, is regarded as their confidential private information and its handling is subject to stringent regulation under the My Number Act. The My Number Act regime is entirely separate from the APPI.
My Numbers will be used, among other things, to track income, social security, taxes, welfare and benefits, and will be required by public bodies when dealing with annual tasks, such as tax filings, as specified by the My Number Act and related guidelines (collectively 'specified purposes').
All employers will need to collect their employees' specific personal information (which may, in relation to filing of certain social security documents, need to include those of employees' dependents), as they will be used in documentation when the employer files certain tax/social security documents for their employees with administrative offices, such as tax and pension offices.
Transfers and outsourcing
The rules and exceptions that permit disclosure and transfer of an individual's personal data under the APPI do not apply to the disclosure of specific personal information.
The My Number Act and related guidelines require an employer to:
- not share an employee's specific personal information with any other person or entity, including any affiliate of the employer, even with the employee's consent (with certain limited exceptions), except a contracted third party (i.e. a third party engaged by the employer to provide services for specified purposes, e.g. tax accountants or data management service providers); and
- establish appropriate supervision over any contracted third party.
In practical terms an employer should:
- if it provides an employee's information to a third party other than a contracted third party, ensure that the information transferred does not include My Numbers; and
- if specific personal information is transferred to a contracted third party, ensure that the transferee has appropriate systems in place for the protection of the confidentiality of the specific personal information and that the specific personal information is only used for a specified purpose.
According to the My Number Act and related guidelines an employer must:
- not obtain, store or use an employee's specific personal information for any purpose other than a specified purpose; and
- conduct identity verification of each employee (e.g. checking the employee's My Number card) as required by the My Number Act when obtaining the employee's specific personal information.
In practical terms the employer should:
- establish specific rules for the collection of specific personal information, including an identification process.
Banks, securities firms, and insurance companies may also request their customers to provide specific personal information. The regulations under the My Number Act described above apply equally to such financial institutions' handling of specific personal information.
13.3. Data Retention
Storage and security
The My Number Act and related guidelines require an employer to establish appropriate systems for the secure storage and handling of specific personal information.
In practical terms the employer should:
- draft and/or amend internal rules on data protection to ensure the handling of specific personal information in accordance with the My Number Act;
- ensure employees handling specific personal information are aware of the restrictions on their use and the scope of the related data protection regime, in particular, the areas where obligations are stricter than those currently generally implemented by the employer for data protection; and
- ensure its data protection systems are adequate to comply with the obligations under the My Number Act as they are likely to be stricter than under the employer's other data protection obligations (whether under the APPI or otherwise).
Reporting of losses
Any loss of any specific personal information must be reported to the PPC, though there is no specified deadline for giving the notification; the form of the report is slightly different from that for data breaches. The system for escalation of remedial orders by the PPC is the same as that for losses of other personal information, though failure to comply with an order for improvement could lead to more serious criminal sanctions against both the PIC and any of its officers responsible for the loss. Notification to the affected principals is still only 'desirable.'
14. OTHER SPECIFIC JURISDICTIONAL ISSUES
The APPI applies extraterritorially when an overseas PIC has obtained the personal information of a principal in Japan in relation to its provision of goods or services to that principal in Japan, and handles that personal information, or any anonymised information created from it, in a foreign country. The obligations which apply extraterritorially include:
- to specify and notify or publicise the purpose of utilisation of the personal information, and to use it within that purpose;
- to keep personal data accurate and up-to-date, and to delete it when no longer required;
- to take measures to protect the data against leakage, etc.;
- to supervise employees handling personal information and any service provider entrusted with the handling of personal data;
- the rules governing disclosure to a third party;
- to publicise privacy policies;
- the rights of a principal to access, correct, and stop the illegal use of personal data; and
- certain rules regarding anonymised information.
Whilst the PPC can only render 'advice' to a PIC based overseas, it may provide information to foreign regulatory authorities for their own regulatory enforcement purposes.
Under the current APPI, provisions apply extraterritorially only when an overseas PIC has obtained the personal information of a principal in Japan in relation to its provision of goods or services to that principal in Japan. This does not cover situations where the principal is different from the customer of the goods or services (e.g. an offshore PIC that provides goods or services to a corporate body customer in Japan and, in relation to that provision, collects personal information of a director or employee of the corporate body). Under the 2020 Amendments, the APPI will also apply extraterritorially to such cases as long as both the corporate body customer and the principal are located in Japan.
Furthermore, the 2020 Amendments provide that:
- the PPC will set out the details of the forms for its demands that a PIC provide a report or documents (as it exercises its investigatory power), and for its advice, orders, etc.;
- the rules of Japan's Code of Civil Procedure regarding service of process will apply mutatis mutandis to the PPC's delivery to a PIC (including an offshore PIC) of such notices listed above;
- the PPC's constructive service by publication will be available if:
  - the address of a PIC is not available;
  - delivery of its communications to an offshore PIC pursuant to the rules of the Code of Civil Procedure (i.e. the procedure for delivery via the foreign country's relevant authority or agency, or the Japanese embassy or consulate in the foreign country) is not available; or
  - the PPC does not receive a certificate of delivery within six months after requesting the foreign country's authority or agency to serve the notice;
- the PPC can effect constructive service by posting a notice at a specified location in the PPC's office, and the constructive service will take effect upon the expiry of two weeks (in the case of a PIC in Japan) or six weeks (in the case of an offshore PIC) from the date of posting; and
- the PPC may publish a PIC's failure to comply with the PPC's order.