Japan - Data Protection Overview
Japan's data protection laws were substantially revised in 2015, and further materially revised in 2020 with those revisions to come into effect in 2022; data protection is probably the most active area of law and is constantly evolving as the scope of personal information disclosed by individuals in day-to-day transactions expands and use by businesses becomes more widespread. The revised laws impose wider obligations on data transfers, in particular to offshore entities, and on the handling of data breaches.
1. GOVERNING TEXTS
- The Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2015) ('APPI'). The APPI was subject to substantial revisions which came into full effect on 30 May 2017. Unless stated otherwise, the discussion below relates to the APPI. Please note that the Amended Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2020) ('2020 Amendments') was passed by the National Diet of Japan on 5 June 2020 and was promulgated on 12 June 2020. The 2020 Amendments will come into force on 1 April 2022.
- The Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (Act No. 27 of 2013 as amended) ('the My Number Act').
Key guidelines provided by the Personal Information Protection Commission ('PPC'), the regulatory body established pursuant to the APPI and responsible for overseeing compliance with it, and by the relevant ministers are listed below. Some of these guidelines are supplemented by 'Q&As' or 'commentaries' which give practical guidance. The APPI delegates the power to require reports from Personal Information Controllers ('PICs') (as defined in section 4 below) to the minister regulating each business sector or a designated minister, etc. As such, each ministry provides, jointly with the PPC or individually, guideline(s), Q&As, and commentaries for the relevant business sector.
Guidelines issued by the PPC (only available in Japanese here) provide detailed guidance on the scope and meaning of the provisions of, and certain terms used in, the APPI, together with examples of their application, though the examples do not expand or limit the scope of the APPI. The guidelines also make it clear that a breach of a guideline which is expressed as an obligation, rather than a recommendation, would be deemed a breach of the APPI.
The following guidelines on the APPI, issued by the PPC, include:
- General Guidelines on the APPI (only available in Japanese here) ('the General Guidelines');
- Guidelines on the APPI (for Transfers to Third Parties in Foreign Countries) (only available in Japanese here);
- Guidelines on the APPI (for Checking and Recording on Transfers to Third Parties) (only available in Japanese here);
- Guidelines on the APPI (for Anonymised Information) (only available in Japanese here); and
- Guidelines on the APPI (for Data Leakages) (available only in Japanese here) ('the Data Breach Guidelines') (The Data Breach Guidelines will be merged into the General Guidelines when the 2020 Amendments come into effect).
Note that the above list is not intended to be comprehensive; additional guidelines have been issued for businesses and industries where there is a need for more stringent protection of personal information.
In particular, the PPC has issued the following additional guidance:
- Guidelines concerning Appropriate Handling of Specific Personal Information (defined below) (main body and separate volume: security measures concerning specific personal information) (only available in Japanese here); and
- Guidelines concerning Appropriate Handling of Specific Personal Information in Financial Businesses (only available in Japanese here).
For credit card businesses and businesses which use genetic information, the Ministry of Economy, Trade and Industry ('METI') has issued the following guidance:
- Guidelines for Personal Information Protection in the Credit Industry (only available in Japanese here); and
- Guidelines for the Protection of Personal Information in the Industry Using Genetic Information of Individuals in the Economic and Industrial Sectors (only available in Japanese here).
For the financial sector (except the credit card industry, which is regulated by METI), the Financial Services Agency ('FSA') has issued the following guidance:
- Guidelines for Personal Information Protection in the Financial Industries (only available in Japanese here); and
- Practical Guidelines for Security Policies regarding Personal Information Protection in the Financial Industry (only available in Japanese here).
The Ministry of Justice has issued the following guidance:
- Guidelines concerning the Protection of Personal Information in the Debt Collection Service Industry (only available in Japanese here).
For the medical sector, the Ministry of Health, Labour and Welfare ('MHLW') has issued the following guidance:
- Guidance for the Appropriate Handling of Personal Information by Medical or Care-related Service Providers (only available in Japanese here);
- Guidance concerning Safety Management of Medical Information Systems (only available in Japanese here);
- Ethical Guidelines concerning Medical Research Targeting Humans (only available in Japanese here);
- Ethical Guidelines concerning Analysis and Research of the Human Genome and Genes (only available in Japanese here);
- Guidelines concerning Gene Therapy Clinical Research (only available in Japanese here); and
- Ethical Guidelines concerning Research of Assisted Reproduction Technologies that Produce Fertilised Embryos (only available in Japanese here).
For employment and welfare areas, the MHLW has issued the following guidance:
- Notice regarding the Handling of Health Information in Employment Management (only available in Japanese here);
- Guidance for the Appropriate Handling of Personal Information at Health Insurance Societies, etc. (only available in Japanese here);
- Guidance for the Appropriate Handling of Personal Information at National Health Insurance Societies (only available in Japanese here);
- Technical Security Measures regarding Personal Information in the Private Pension Area (only available in Japanese here);
- Guidelines for Appropriate Dealing by Employment Placement Service Providers, Worker Recruiters, Worker Recruitment Agents or Worker Suppliers with Equal Treatment, Statement of Working Terms, Handling of Personal Information of Job Seekers, Duties of Employment Placement Service Providers, Correct Statement of Terms of Recruitment (only available in Japanese here);
- Guidelines concerning Measures which Staffing Service Providers are Required to Take (only available in Japanese here); and
- Guidelines for Appropriate Dealing by Supervising Organisations with a Statement of Working Terms, Handling of Personal Information of Implementers of Intern Training Supervised by Organisations or Technical Intern Trainees at Training Supervised by Organisations, etc. (only available in Japanese here).
For the telecommunication sector, the Ministry of Internal Affairs and Communications ('MIC') has issued the following guidance:
- Guidelines concerning the Protection of Personal Information in Telecommunication Businesses (only available in Japanese here);
- Commentary on the Guidelines concerning the Protection of Personal Information in Telecommunication Businesses (only available in Japanese here) ('the Commentary');
- Guidelines concerning the Protection of Personal Information of Broadcast Receivers (only available in Japanese here);
- Guidelines concerning the Protection of Personal Information in the Area of Postal Business (only available in Japanese here); and
- Guidelines concerning the Protection of Personal Information in the Area of Correspondence Delivery Business (only available in Japanese here).
1.3. Case law
Benesse Leakage Incident
Benesse Holdings, Inc., a correspondence education service provider, disclosed that it had suffered a leakage of the personal data of approximately 49 million customers, consisting of children and their parents. The data included names, addresses, phone numbers, the children's genders and dates of birth, and the expected delivery dates of a limited number of expecting mothers (but not credit card information, bank account information, or children's achievement information).
In 2013 and 2014, an employee of a company subcontracted by Benesse's subsidiary ('the Subsidiary') to process its customers' data, who carried out the data processing work on the Subsidiary's client PC, unlawfully downloaded the data onto his personal smartphone. He sold the data to name-list brokers, and it was ultimately obtained by other service providers, who sent direct marketing mail to the affected parents and children. The Subsidiary had implemented security measures, but its systems for sending alerts to senior managers about unusual data transfer activity and for controlling the export of data from the client PC onto external devices were not effective. As a gesture of apology, Benesse sent a JPY 500 (approx. €4) shopping voucher to each customer it identified as affected by the incident.
The following cases of individual or collective damages claim actions against Benesse on this incident are publicly available:
Supreme Court Judgment of 23 October 2017
The Supreme Court of Japan judgment of 23 October 2017 overturned the lower court's (Osaka High Court) judgment that the plaintiff should have established damages beyond a mere feeling of discomfort or anxiety. It instead found the plaintiff's privacy was infringed and remanded the case to the lower court to further review what the moral damage due to the privacy infringement was.
Tokyo District Court Judgment of 20 June 2018
The Tokyo District Court ('TDC') judgment of 20 June 2018 found that:
- the Subsidiary breached its duty of care by failing to appropriately upgrade its controls against data being exported to new models of smartphones using a Media Transfer Protocol ('MTP'); and
- Benesse breached its duty of care by failing to appropriately monitor what security software was used by the Subsidiary, and accordingly failing to recognise that it should require the Subsidiary to upgrade its controls against data exports to new types of smartphones.
However, the TDC also found, taking into account the type of leaked data, such data only being available to certain parties and not in the public domain (e.g. the internet) in general, and Benesse's provision of JPY 500 in shopping vouchers, that the emotional distress sustained by the plaintiffs was still not enough to establish a 'pain and suffering' award, and accordingly dismissed the collective damages claims against both Benesse and the Subsidiary. The judgment was appealed to the Tokyo High Court ('THC').
TDC Judgment of 27 December 2018
The TDC judgment of 27 December 2018 found that the Subsidiary could not have reasonably expected that its controls against data exports would not work against data exports to new Android smartphones using MTP, and therefore was not in breach of its duty of care in not upgrading those controls to block data exports to such new models of smartphones. However, the TDC found that the Subsidiary was subject to the statutory 'Employer's Tort Liability,' which does not require a breach of duty of care but is based on the individual's tortious act and the defendant's supervision and control over the individual. Therefore, the TDC awarded damages against the Subsidiary of JPY 3,000 (approx. €23 at the then JPY-€ rate) for pain and suffering plus JPY 300 (approx. €2) as lawyers' costs per plaintiff. The TDC found that Benesse also could not have reasonably expected that the export controls would not work against data exports to new Android smartphones using MTP, and therefore was not in breach of its duty of care in not requiring the Subsidiary to upgrade the export controls. As 'Employer's Tort Liability' also did not apply, because Benesse was not in a position to supervise and control the tortfeasor individual, the TDC dismissed the damages claims against Benesse. The plaintiffs were reported to have appealed to the THC.
THC Judgments of 25 March 2020
The THC judgments of 25 March 2020 on the appeals of the two TDC judgments above found that the Subsidiary could have reasonably expected that its controls against data exports would not work against data exports to new Android smartphones using MTP, and thus breached its duty of care by failing to control data exports to new model smartphones. The THC also found that Benesse breached its duty of care by failing to supervise the Subsidiary. Accordingly, the Subsidiary and Benesse were liable as joint tortfeasors for damages of JPY 3,300 (approx. €25 at the then JPY-€ rate) plus 5% late charges per annum per affected individual.
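The two failures the courts examined above (export controls that did not cover new phone models connecting via MTP, and alerting on unusual transfer volume that did not reach senior managers) map onto simple detection rules keyed on device class rather than device model. The following is an added example in Python, not code from Benesse, the Subsidiary or this page; the log format, device serials, thresholds and escalation table are constructed assumptions.

```python
"""Detection logic for the failure mode in the Benesse case: export controls keyed to
known device models missed new phones that connected via MTP, and alerts about unusual
transfer volume did not reach anyone who could act.  This is an added example; the log
format, policy values and events below are constructed, not the Subsidiary's."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical policy.  The control is keyed on the device *class* the OS reports, so a
# phone model nobody has seen before is still caught as long as it speaks MTP or PTP.
ALLOWED_DEVICE_CLASSES = {"usb_mass_storage"}
ALLOWED_DEVICE_SERIALS = {"SN-ALLOWED-1"}        # issued media only (constructed allowlist)
BULK_EXPORT_BYTES_PER_DAY = 500_000_000          # per user; tune to the real workload

# Who must see each alert kind.  Volume anomalies go to a senior manager as well as the
# SOC, which is the escalation path the court found ineffective in the incident.
ESCALATION = {
    "unapproved_device_class": ("soc", "line_manager"),
    "unregistered_device": ("soc",),
    "export_to_unapproved_device": ("soc", "line_manager"),
    "bulk_export": ("soc", "line_manager", "senior_manager"),
}

# Constructed endpoint-agent log: one event per line, '<timestamp> key=value ...'.
SAMPLE_LOG = """\
2014-06-20T09:01:12 host=CLIENT-PC-07 user=op_1042 event=device_connect class=usb_mass_storage serial=SN-ALLOWED-1
2014-06-20T09:03:40 host=CLIENT-PC-07 user=op_1042 event=file_export dest=SN-ALLOWED-1 bytes=120000
2014-06-20T10:15:02 host=CLIENT-PC-07 user=op_1042 event=device_connect class=mtp serial=SN-PHONE-9
2014-06-20T10:16:30 host=CLIENT-PC-07 user=op_1042 event=file_export dest=SN-PHONE-9 bytes=850000000
2014-06-20T10:40:00 host=CLIENT-PC-07 user=op_1042 event=file_export dest=SN-PHONE-9 bytes=900000000
"""


@dataclass(frozen=True)
class Alert:
    kind: str
    ts: str
    host: str
    user: str
    detail: str


def parse_event(line):
    """Parse '<ts> k=v k=v ...' into a dict; raise ValueError on a malformed token."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for tok in rest.split():
        key, sep, val = tok.partition("=")
        if not sep:
            raise ValueError(f"malformed token {tok!r}")
        fields[key] = val
    return fields


def detect(log_text):
    """Run the three checks over the log and return alerts in event order."""
    alerts = []
    exported = defaultdict(int)   # (user, day) -> bytes written to removable devices
    bulk_flagged = set()          # (user, day) pairs already escalated for volume
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        base = dict(ts=ev["ts"], host=ev["host"], user=ev["user"])
        if ev["event"] == "device_connect":
            # Check 1: any device class outside the allowlist, whatever the model.
            if ev["class"] not in ALLOWED_DEVICE_CLASSES:
                alerts.append(Alert("unapproved_device_class",
                                    detail=f"{ev['class']} device {ev['serial']}", **base))
            # Check 2: an allowed class is not enough; the medium itself must be issued.
            elif ev["serial"] not in ALLOWED_DEVICE_SERIALS:
                alerts.append(Alert("unregistered_device", detail=ev["serial"], **base))
        elif ev["event"] == "file_export":
            if ev["dest"] not in ALLOWED_DEVICE_SERIALS:
                alerts.append(Alert("export_to_unapproved_device",
                                    detail=f"{ev['bytes']} bytes to {ev['dest']}", **base))
            # Check 3: volume written to removable media per user per day, escalated once.
            key = (ev["user"], ev["ts"][:10])
            exported[key] += int(ev["bytes"])
            if exported[key] > BULK_EXPORT_BYTES_PER_DAY and key not in bulk_flagged:
                bulk_flagged.add(key)
                alerts.append(Alert("bulk_export",
                                    detail=f"{exported[key]} bytes so far today", **base))
    return alerts


def alert_kinds(log_text):
    return [a.kind for a in detect(log_text)]


def route(alert):
    """Recipients for an alert; every kind has an owner so nothing is silently dropped."""
    return ESCALATION[alert.kind]


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a.ts, a.kind, a.detail, "->", ", ".join(route(a)))
```

Run against the constructed log, the MTP connection is flagged on its class alone, and the second export pushes the user's daily volume past the threshold, which is the point at which a senior manager is on the recipient list.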
2. SCOPE OF APPLICATION
The APPI applies to every PIC in Japan, whether a person or entity; the exemption for a person or entity which has not handled the personal information of more than 5,000 individuals in certain cases was abolished when the APPI was revised in 2017, though the General Guidelines relax the standards of security measures for 'small or medium sized business operators' (see section 6 below).
The APPI only applies to persons or entities that handle personal information in the course of their business. For this purpose, a 'business' means activities which can be conducted repeatedly for a particular purpose and are regarded as a business under social conventions; a business can be for profit or not. A broadcasting institution, newspaper publisher or other press organisation, professional writer, university, or other academic organisation, religious body, or political party are exempted from the obligations under the APPI in connection with such press, professional writing, academic, and political activities respectively.
An offshore PIC which is not otherwise subject to the APPI regime, but acquires personal information of data subjects in Japan for the purpose of it supplying goods or services to those persons will be subject to the APPI if it handles that personal information, or any anonymised information created from it, in a foreign country. Although the PPC cannot enforce its orders for compliance with the APPI against such an offshore PIC, it may provide information to foreign regulatory authorities for their own regulatory enforcement purposes (see section 14 below).
The APPI applies extraterritorially when an overseas PIC which has obtained personal information of a principal in Japan in relation to its provision of goods or services provided to a principal in Japan and handles that personal information, or any anonymised information created from it, in a foreign country. The obligations which apply extraterritorially include:
- to specify and notify or publicise the purpose of utilisation of the personal information, and to use it within that purpose;
- to keep personal data accurate and up-to-date, and to delete it when no longer required;
- to take measures to protect the data against leakage, etc.;
- to supervise employees handling personal information and any service provider entrusted with the handling of personal data;
- the rules governing disclosure to a third party;
- to publicise privacy policies;
- the rights of a principal to access, correct, and stop the illegal use of personal data; and
- certain rules regarding anonymised information.
Whilst the PPC can only render 'advice' to a PIC based overseas, it may provide information to foreign regulatory authorities for their own regulatory enforcement purposes.
Under the current APPI, provisions apply extraterritorially only when an overseas PIC has obtained the personal information of a principal in Japan in relation to its provision of goods or services to a principal in Japan. This does not cover situations where the principal is different from the customer of the goods or services (e.g. an offshore PIC that provides goods or services to a corporate body customer in Japan and, in relation to that provision, collects personal information of a director or employee of the corporate body). Under the 2020 Amendments, the APPI will also apply extraterritorially to such cases as long as both the corporate body customer and the principal are located in Japan.
Furthermore, the 2020 Amendments provide that:
- the PPC will set out the details of forms for its demand for a PIC to provide a report or documents (as it exercises its investigatory power), advice, order, etc.;
- the rules of Japan's Code of Civil Procedure regarding service of process will apply mutatis mutandis to the PPC's delivery to a PIC (including an offshore PIC) of such notices listed above;
- the PPC's constructive service by publication will be available if:
- the address of a PIC is not available;
- delivery of its communications to an offshore PIC pursuant to the rules of the Code of Civil Procedure (i.e. the procedure for delivery via the foreign country's relevant authority or agency, or the Japanese embassy or consulate in the foreign country) is not available; or
- the PPC does not receive a certificate of delivery within six months after requesting the foreign country's authority or agency to serve the notice;
- the PPC can effect constructive service by posting a notice at a specified location in the PPC's office, and the constructive service will be effective upon the expiry of two weeks (in the case of a PIC in Japan) or six weeks (in the case of an offshore PIC) from the date of posting; and
- the PPC may publish a PIC's failure to comply with the PPC's order.
The APPI applies to 'handling' of personal information by a PIC. 'Handling' is not defined in the APPI or the PPC's guidelines. However, it was explained in published discussions made at the Government of Japan's ('Government') committee regarding the outline of the original APPI in 2000 to mean collection (acquisition), retention, use, transfer, and any other acts of handling personal information. 'Processing' was also explained at the discussions to include any such acts. The terms are understood in practice to be given such meanings.
For further information regarding the scope of the application of the law, see section 2.1 above.
Pseudonymously processed information
When a PIC processes personal information to 'pseudonymously processed information', the processing must be in a manner that ensures the following information is deleted or irrecoverably replaced with other information:
- person-identifiable description;
- personal identifier codes; and
- data that would cause a financial risk in the case of unauthorised use (which the PPC has suggested includes credit card numbers, internet banking ID, etc.).
As pseudonymously processed information is still personal information (as it would still enable identification of the principal if other information was also referenced to or combined together), a pseudonymously processed information controller is generally subject to the same obligations as a PIC regarding the management and security of personal information above (and transfers to third parties) in connection with pseudonymously processed information. However, a PIC's obligations with respect to pseudonymously processed information are relaxed in several aspects. In particular, for pseudonymously processed information:
- the purpose of utilisation may be changed beyond the scope reasonably related to the original purpose of utilisation even after creation or acquisition of pseudonymously processed information;
- the general obligations to notify the PPC and the principals of a data breach are not applicable; and
- the principal's rights to access, correction, or to request cessation of use are not applicable (and therefore its public announcements (as defined above) need not include procedures for principals to request access, correction, etc.).
A PIC who processes pseudonymously processed information may not disclose its methods for pseudonymisation of the principal's personal information, the data removed during the pseudonymisation process or any process used to verify the pseudonymisation ('removed data'). The pseudonymously processed information controller must take security measures to prevent leakage of pseudonymously processed information and removed data, and must supervise and control any person contracted to process such information. Lastly, the pseudonymously processed information controller may not refer to other information in order to re-identify the principal to whom the pseudonymously processed information relates.
Under the 2020 Amendments, a PIC must not refer to other information that can re-identify the relevant data subject of the pseudonymously processed information.
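The three removal categories listed above, the separate handling of 'removed data' and the need to verify that the output no longer carries what was removed can be shown in code. The following is an added example, not taken from the PPC's guidelines or any controller; the field names, the sample record and the HMAC-based replacement of the linkage key are assumptions chosen for the demonstration.

```python
"""Pseudonymisation along the three categories the APPI text lists (person-identifiable
descriptions, personal identifier codes, data whose misuse carries financial risk), with
the removed data kept apart and a verification pass.  Added example; the schema, record
and key are constructed, not from any real controller's data."""
import hashlib
import hmac

# Which real fields fall into each category is the controller's policy decision; these
# sets are a constructed schema for the demonstration.
IDENTIFYING_FIELDS = {"name", "address", "phone", "email"}            # person-identifiable descriptions
IDENTIFIER_CODE_FIELDS = {"my_number", "passport_no", "licence_no"}  # personal identifier codes
FINANCIAL_RISK_FIELDS = {"credit_card", "bank_login"}                # financial-risk data
REMOVE_FIELDS = IDENTIFYING_FIELDS | IDENTIFIER_CODE_FIELDS | FINANCIAL_RISK_FIELDS
LINKAGE_FIELD = "customer_id"   # replaced by a keyed token so rows stay linkable internally
REDACTED = "[REMOVED]"

SAMPLE_KEY = b"constructed-demo-key-store-the-real-one-apart-from-the-data"
SAMPLE_RECORD = {                                # constructed, not a real customer
    "customer_id": "C-10293",
    "name": "Taro Yamada",
    "address": "1-2-3 Example-cho, Chiyoda-ku, Tokyo",
    "my_number": "123456789012",
    "credit_card": "4111111111111111",
    "child_birth_year": 2009,
    "course": "elementary-math",
    "notes": "Parent Taro Yamada asked about billing",
}


def keyed_token(key, value):
    """Irreversible replacement: HMAC-SHA256 under a secret key.  Without the key the
    token can neither be inverted nor recomputed from a guessed identifier, so the key
    must be stored apart from the pseudonymised data, just like the removed data."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymise(record, key):
    """Return (pseudonymised_record, removed_data); the two must be stored separately."""
    out, removed = {}, {}
    for field, value in record.items():
        if field in REMOVE_FIELDS:
            removed[field] = value                       # deleted from the output outright
        elif field == LINKAGE_FIELD:
            removed[field] = value
            out[field] = keyed_token(key, str(value))    # irrecoverably replaced
        else:
            out[field] = value
    # Edge case: identifying values often reappear inside free text.  Scrub every removed
    # value that occurs verbatim in a remaining string field.
    for field, value in out.items():
        if isinstance(value, str):
            for gone in removed.values():
                if isinstance(gone, str) and gone and gone in value:
                    value = value.replace(gone, REDACTED)
            out[field] = value
    return out, removed


def leaked_values(pseudonymised, removed):
    """Verification: (output_field, removed_field) pairs where removed data survives,
    either as a field that should be gone or as a value embedded in another field."""
    leaks = []
    for field in pseudonymised:
        if field in REMOVE_FIELDS:
            leaks.append((field, field))
    for field, value in pseudonymised.items():
        if not isinstance(value, str):
            continue
        for gone_field, gone in removed.items():
            if isinstance(gone, str) and gone and gone in value:
                leaks.append((field, gone_field))
    return leaks


if __name__ == "__main__":
    out, removed = pseudonymise(SAMPLE_RECORD, SAMPLE_KEY)
    print(out)
    print("leaks:", leaked_values(out, removed))
```

The verification pass is the check the controller keeps for itself: it depends on the removed data, which is exactly why the removed data and the key are never shipped with the pseudonymised set.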
Similarly, a PIC who creates anonymised information may not disclose its methods for anonymisation of the principal's personal information, the data removed in the anonymisation process or any process used to verify the anonymisation. A recipient of anonymised information may not seek to acquire any such information, whether from the transferor or otherwise.
When a PIC processes personal information to anonymised information, it must make public in an appropriate manner (such as via the internet) what categories of personal information (e.g. ages, shopping behaviour, and travel habits, etc.) are included in the anonymised information so that principals are able to make enquiries with the PIC.
3.1. Main regulator for data protection
The PPC is the primary regulator under the APPI and the My Number Act.
3.2. Main powers, duties and responsibilities
The PPC:
- has the task of ensuring the appropriate handling of personal information and specific personal information so as to protect individuals' rights and interests;
- has the primary investigatory, advisory, and enforcement powers under the APPI and the My Number Act, including the power to investigate the activities of a PIC, an anonymised information controller (see section 4 below), a person handling specific personal information, and in certain instances to render advice to and make orders against them, if the infringement of an individual's material rights or interests is imminent;
- in connection with the protection of personal information under the APPI, may delegate its investigatory powers to the relevant minister, etc. in limited circumstances, but not its advisory or enforcement powers; and
- can provide information to foreign data protection regulators and in limited circumstances may allow information to be used for criminal investigations overseas.
4. KEY DEFINITIONS
Data controller: Data controller is not defined by the APPI. A personal information controller ('PIC') is a business operator using a personal information database for its business. (The verbatim English translation is 'business operator handling personal information').
Data processor: Data processor is not defined by the APPI, but for the purpose of this note and for ease of reference for readers who are familiar with the concept in other jurisdictions, it is an entity to which a PIC 'entrusts the handling of personal data in whole or in part within the scope necessary for the achievement of the purpose of utilisation' (e.g. entrusting personal data to a service provider such as a cloud computing service provider or a mailing service provider for the purpose of having them provide the PIC with the services). The PPC has recently clarified in its Q&As that a data processor is a PIC, although a cloud service provider which has no access to the entrusted personal data stored on its server is not a data processor and is thus not a PIC.
Personal information: Information about a living individual in Japan from which the identity of the individual can be ascertained (including information which enables identification by easy reference to, or in combination with other information). Since the 2017 revision to the APPI, 'personal information' includes 'personal identifier codes' which include items such as characters, numbers, symbols and/or other codes for computer use which represent certain specified personal physical characteristics (such as DNA sequences, facial appearance, finger, and palm prints), and which are sufficient to identify a specific individual, as well as certain identifier numbers, such as those on passports, driver's licenses and residents cards, and the 'My Number' individual social security ID numbers.
Principal (i.e. data subject): The individual that is the subject of the personal information.
Anonymised information: In summary, information regarding an individual which has been processed by deleting information (or replacing it with information which does not enable reversion to the original information) so that it cannot be used to identify the individual.
Anonymised information handling business operator: The verbatim English translation is a business operator handling anonymised information. This was added to the APPI in the 2017 revisions, and means a PIC using for its business a database (whether electronic or not) that allows easy retrieval of specific anonymised information contained in it.
Opt-out: A system whereby a principal is notified of the proposed transfer of its personal information to a third party and given the opportunity to object to that transfer.
Personal number: a number processed from an individual's resident registry code number and a code corresponding to and used in lieu of such number ('My Number').
Purpose of utilisation: The purpose of use of personal information as specified by a PIC to the principal whose personal data is to be used by the PIC.
Specific personal information: Personal information which contains a personal number in it.
The following definitions have been introduced by the 2020 Amendments:
Person-related information: Information which is not personal information for the transferor as it cannot identify the principal from the information (even by easy reference to, or combination with, other information) but may be for a transferee as it may be able to identify the data subject by reference to other information held by the transferee.
Sensitive data: Sensitive information was added to the APPI in the 2017 revisions and includes personal information relating to matters such as race, creed, religion, physical or mental disabilities, medical records, medical and pharmacological treatment, and arrest, detention or criminal proceedings (whether as an adult or a juvenile), or criminal victimisation. (The verbatim English translation is personal information requiring consideration). Industry-sector guidelines may apply additional categories of sensitive information.
Pseudonymously processed information: Information which has been processed from personal information in a manner that the data subject can no longer be identified solely from the data. Whilst the PPC has not published draft guidelines or commentaries that clarify how pseudonymously processed information and anonymised information are different, the current understanding in practice is that pseudonymously processed information is information that would still enable identification of the principal if other information was also referenced to, or combined together, and as such still constitutes personal information, whilst anonymised information is not.
Pseudonymously processed information handling business operator: A business operator using a pseudonymously processed information database for its business.
5. LEGAL BASES
The basic principles of the APPI require that a PIC must notify the data subject of the purposes of utilisation prior to the collection of personal data, unless it has published the purposes of utilisation in advance in a manner readily accessible by the data subject, and must not use personal data for any other purpose without the consent of the data subject.
A PIC must obtain the principal's consent before acquiring the sensitive information of the principal unless one of the exceptions listed below under transfers permitted by law applies to the acquisition.
The principles specified in section 5 above can be dealt with by a contract between the PIC and the data subject.
There are very few and limited circumstances where a data controller can handle personal information other than in accordance with the principles outlined in section 5 above.
There is no such 'interests of the data subject' exception to the basic requirements for the use of personal information referred to in section 5 above.
The prior consent of the data subject to a transfer of its personal data (including sensitive information) is not required if the transfer:
- is specifically required or authorised by any laws or regulations of Japan;
- is necessary for protecting the life, health or property of an individual and consent of the data subject is difficult to obtain;
- is necessary for improving public health and sanitation, or promoting the sound upbringing of children, and the consent of the data subject is difficult to obtain; or
- is required by public authorities or persons commissioned by public authorities to perform their duties and obtaining the prior consent of the data subject carries the risk of hindering the performance of those duties (e.g. the disclosure is required by police investigating an unlawful act).
Otherwise, there is no 'public interest' exception to the basic requirements for the use of personal information referred to in section 5 above.
There is no such 'legitimate interest' exception to the basic requirements for the use of personal information referred to in section 5 above.
The APPI was enacted as Japan's implementation of the eight basic principles on the protection of privacy adopted in the Organisation for Economic Co-operation and Development ('OECD') Council recommendation of 23 September 1980 ('OECD's 8 Principles'):
- the Collection Limitation Principle;
- the Data Quality Principle;
- the Purpose Specification Principle;
- the Use Limitation Principle;
- the Security Safeguards Principle;
- the Openness Principle;
- the Individual Participation Principle; and
- the Accountability Principle.
Japan has strong core values for the protection of the rights of the individual, and the fundamental principle of Japan's data protection laws is the protection of the right to privacy, while also recognising the increased scope, nature, and volume of personal data and the ever-expanding use of personal information in various forms by businesses. Key elements of the legislation are to restrict the use of personal information to the purposes for which it was obtained, as made known to the data subject, to protect sensitive information, and to limit the dissemination of personal information without the data subject's consent.
A data controller is a PIC and as such subject to the following obligations under the APPI:
A PIC must use personal information only to the extent necessary to achieve the purposes of utilisation specified to the principal and must make efforts to delete the personal data when it is no longer needed for the purposes of utilisation.
Furthermore, under the 2020 Amendments, a PIC must not use personal information in a manner which may facilitate or prompt illegal or inappropriate acts.
In addition, a PIC must take reasonable steps to keep personal data as accurate and up to date as is necessary to achieve its purpose of utilisation, and take all necessary security measures to avoid loss of, or unauthorised access to, personal data.
7. CONTROLLER AND PROCESSOR OBLIGATIONS
Personal data management and security
A PIC must exercise necessary and appropriate supervision over its employees handling personal data, and over any persons or entities delegated to handle personal data (e.g. a personal information/data processor), so as to ensure they implement and comply with the required security measures.
The PPC's General Guidelines illustrate high-level examples of security measures, which are categorised into:
- establishing basic principles;
- setting out internal rules;
- organisational security measures (e.g. appointment of a responsible person, the definition of each person's responsibility, the definition of the scope of data handled by each staff member, data processing operation, and incident reporting line, the definition of responsibilities between divisions, periodical internal and/or external audit, etc.);
- staffing security measures (e.g. staff education and training, confidentiality provisions in work rules, etc.);
- physical security measures (e.g. area access control (IC card, number keys), prevention of device theft, prevention of leakage from portable devices, non-recoverable deletion of data); and
- technological security measures (e.g. system access control, management of access authorisation (user IDs, passwords, IC cards, etc.), prevention of unauthorised access (installation and updating of security software, encryption, access log monitoring), continuous review of system vulnerabilities, etc.).
The General Guidelines relax the standards for security measures for a 'small or medium sized business operator,' which is defined as a PIC with 100 or fewer employees, but excluding:
- a person who has handled personal data of more than 5,000 principals on a day in the past six months; and
- a person who processes personal data on behalf of another PIC under a contract.
The relaxed standards include the following measures:
- establishing basic principles;
- setting out the basic process for collecting, using, and storing personal data;
- for organisational security measures:
- clarifying, where more than one staff member handles personal data, who is responsible for handling it and who is not;
- the responsible person checking that personal data is handled in accordance with the prescribed basic process; and
- checking the data breach reporting process in advance;
- for physical security measures, simplified measures (e.g., password lock) are allowed; and
- for technological security measures:
- clarifying which staff members are allowed to access devices;
- controlling access by user account control;
- keeping the devices' operating software up-to-date and introducing security software; and
- setting passwords for opening files when sending them by email.
Guidelines provided by the METI and the FSA set out further detailed requirements for security measures and provide specific examples for certain specified industry areas.
There is no general requirement that a PIC be registered under the APPI or related regulations, or for any registration under the My Number Act. A PIC that wishes to rely on an opt-out for disclosure of personal data to a third party has to file with the PPC the opt-out provision prescribed by the relevant order (described below under 'Transfer pursuant to an opt-out'), but not the rest of its privacy policies. The PPC will then review the provision to ensure it is in accordance with the requirements of the APPI and make it available to the public. If the opt-out is not sufficient in terms of clarity, readability and form, the PPC may require it to be improved and re-filed.
Generally, transferring personal data to third parties, including affiliated entities of the PIC, without the prior consent of the principal is prohibited unless an exception applies. The primary exceptions are listed below:
Transfers permitted by law
The prior consent of the principal to a transfer of their personal data (including sensitive information) is not required if the transfer:
- is specifically required or authorised by any laws or regulations of Japan;
- is necessary for protecting the life, health, or property of an individual and consent of the principal is difficult to obtain;
- is necessary for improving public health and sanitation, or promoting the sound upbringing of children, and the consent of the principal is difficult to obtain; or
- is required by public authorities or persons commissioned by public authorities to perform their duties and obtaining the prior consent of the principal carries the risk of hindering the performance of those duties (e.g. the disclosure is required by police investigating an unlawful act).
Transfer pursuant to an opt-out
Personal data (other than sensitive information) can be transferred after the period necessary for the principal to exercise their opt-out right has expired and the PIC has notified the principal or made readily available to the principal, and filed with the PPC, all of the following information:
- that the transfer is within the scope of the originally stated purpose of utilisation;
- the specific personal data to be transferred;
- the means with which the personal data will be transferred;
- the fact that the transfer of the personal data is subject to an opt-out; and
- where to provide such opt-out exercise notice.
PPC guidelines only state that the length of the 'expiration period' will vary depending on factors such as the nature of the business, how close the relationship between the principal and the PIC is, the nature of the personal data to be transferred, and how quickly the PIC can handle the principal's exercising of its opt-out rights.
It has been clarified that transfers pursuant to the opt-out rule, will not be available for personal information which has been obtained:
- by fraudulent or other unlawful means; or
- from a preceding transferor pursuant to the opt-out rule.
This revision is based on the PPC's finding that personal data has often been traded or shared between name-list brokers or peer business operators under the opt-out rules.
The following information will also be required to be filed with the PPC:
- the name of the person who is the representative of the transferor PIC if the PIC is a corporate body, in addition to the name of the transferor PIC itself;
- how the transferor PIC has obtained the personal data which it will transfer pursuant to the opt-out rule; and
- other matters which the PPC will set out in regulations.
Transfer of sensitive information
A transfer of sensitive information to a third party requires the consent of the principal unless an exception as listed above applies; such consent cannot be given through the use of an opt-out.
Transfer of anonymised information
Anonymised information may be transferred to a third party without the consent of the original principal, as it no longer constitutes personal information, provided that the transferor makes public both the fact of the transfer and what types of personal information are included in it and notifies the recipient that the information is anonymised information.
Transfer of pseudonymously processed information
As pseudonymously processed information is still personal information, the rules described above for transfers of personal data apply equally to its transfer: the general requirement for the prior consent of the principal, the exceptions for transfers permitted by law (e.g. a transfer required or authorised by laws or regulations of Japan) and transfers pursuant to an opt-out, the consent requirement for a transfer of sensitive information, the scope of third parties, the additional requirements for a transfer to a third party in a foreign country, and transfer due diligence and records.
Transfer of person-related information
Although person-related information is not personal information for a transferor, it is personal information for a transferee where the relevant principal is identifiable by reference to other information held by the transferee. The 2020 Amendments set out the general requirement for the prior consent of the principal to a transfer of person-related information to a third-party transferee (where the consent must be based on the principal's understanding that the information will be person-identifiable to the transferee), which has been clarified as follows:
- generally the transferee (rather than the transferor) must obtain written consent to the transfer directly from the data subject, as it is the transferee who has contact with the data subject and uses the transferred data as personal data; the transferor may instead obtain the consent on behalf of the transferee if this is practically feasible, provided that the data subject is informed of the name of the transferee when giving the consent; and
- the transferor must create a record of the transfer, which should contain:
- confirmation (from the transferee) that the above consent has been obtained;
- the transfer date;
- the transferee's name and address, and the name of the transferee's representative; and
- the transferred data items;
- and the record must generally be kept for three years.
Transfers permitted by law (e.g. a transfer required or authorised by Japanese laws or regulations) also apply. Transfers under an opt-out are not permitted. The amended language of the APPI does not provide that the entities listed in the 'Scope of third parties' section below are not third parties for the purpose of transfers of person-related information; that being so, it is currently understood that transfers to such entities will still generally require the principal's consent, subject to future clarification by the PPC in guidelines, etc. The revised rules under the 2020 Amendments on a transfer of personal information to a third party in a foreign country (as described below) also apply to a transfer of person-related information, as do the transfer due diligence and record-keeping requirements.
Cookies are not personal information unless the relevant principal can be identified by easy reference to, or combination with, other information. However, even where a cookie is not personal information for the transferor in this sense, it may become personal information for a third-party transferee as a result of the transfer, because the transferee holds other information by reference to which the individual related to the cookie can be identified (e.g. the cookie is a website browsing history that indicates the individual's behaviour or preferences for goods or services, or is otherwise usable for profiling, and the transferee would use it for targeted advertising, or for assessment for a job position or financial services, etc.). In that case the transfer is a transfer of person-related information under the 2020 Amendments and is subject to the general requirement for the prior consent of the principal and the transfer mechanisms outlined under 'Transfer of person-related information' above.
Scope of third parties
Under the APPI, the following entities are deemed not to be third parties (meaning that the transfer of personal data (including sensitive information) to such parties does not require the principal's consent):
- a personal information/data processor;
- a company that enters into a merger, a company split, or a business transfer with the PIC. (Disclosure in the process of negotiations for mergers and acquisitions is permissible if made upon execution of a non-disclosure agreement which requires the company to which the data is disclosed to implement appropriate safety measures); or
- a company designated to jointly use the personal data with the PIC. In this case, the PIC must notify, or make readily accessible to the principal:
- the fact of such joint use of the personal data;
- the scope of the personal data to be jointly used;
- the scope of the parties who will jointly use the personal data;
- the purpose of the joint use; and
- the name of a party among the joint users responsible for the management of the joint use of the personal data.
Such joint use is typically relied on by group companies, business partners or affiliates which provide integrated services to common customers.
Though not a specified exception to the general consent requirement, a transfer of personal data between a Japanese company and its Japanese branch, or between a foreign company and its Japanese branch is not a transfer of personal data to a third party as in each case the branch and the company are the same legal entity. Whether a Japanese company and its foreign branch are a single legal entity would be determined in accordance with the laws of the jurisdiction under which the branch was formed.
Where a transfer of personal data is to a person or entity which is not a third party, a further transfer of the personal data by that person or entity would be subject to the consent rules and exceptions applicable to such transfers, as described in this note.
Transfer of personal data to a third party in a foreign country
The transfer by a PIC of personal data to a third party in a foreign country (other than in reliance on one of the exceptions listed above under 'transfers permitted by law') is subject to the following requirements in addition to those generally applicable to transfers of personal data:
- where consent to the transfer is given by the principal, it must be clear and cover the transfer to a third party in a foreign country and the principal must be provided, when giving the consent, with information necessary for judging whether to provide the consent (e.g. the foreign country is identified, identifiable, or the circumstances where such a data transfer will be made); or
- in the absence of such consent, if the transferor wishes to rely on an opt-out or the fact that the transfer is not to a third party, as an exception to the requirement to obtain the principal's consent to the transfer, it is also necessary that the transferee:
- is in a country on a list of countries issued by the PPC as having a data protection regime equivalent to that under the APPI; or
- implements data protection standards equivalent to those which PICs subject to the APPI must follow.
As of the date of this note, only the UK and the EU/EEA countries are on the list of countries issued by the PPC as having equivalent data protection. If the transferee is not in any such country, a transferor PIC would have to rely on the transferee implementing standards equivalent to the APPI in order to transfer personal information offshore without the principal's consent or reliance on an exception listed above under 'Transfers permitted by law'. The requirement for standards equivalent to the APPI can be satisfied:
- by the transferor and the transferee entering into a contract, or, if they are in the same corporate group, both being subject to binding group standards for the handling of personal data, pursuant to which the transferee is subject to all the obligations imposed by the APPI on PICs, and which must include certain specified matters, such as the purpose of use, record-keeping, and details of security measures; or
- by the transferee being accredited under APEC's CBPR system.
When transferring personal data to a third party offshore:
For a transfer based on the principal's consent, the transferor must in general provide the principal with the following information when obtaining their consent:
- the transferee's country name;
- information about the foreign country's data protection laws, obtained 'by appropriate and reasonable means'. The PPC has indicated that:
- 'information about the foreign country's data protection laws' means a description of the 'essential differences' between the data protection laws of Japan and the data protection system of the foreign country which is reasonably recognisable by data subjects, covering the following points:
- whether the foreign country has any system of personal information protection;
- if so, the level of protection of that system, indicated by facts such as:
- whether the foreign country has obtained a General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') Article 45 adequacy decision;
- whether the foreign country is a member of APEC's CBPR system; and
- whether business operators' obligations and data subjects' rights in line with the OECD's eight principles (as described above) exist under the foreign country's system (e.g. the existence or absence of a 'limitation by specified purposes of utilisation' rule, or of data subjects' rights such as access and correction); and
- any rules in the foreign country which may materially affect data subjects' rights and interests, such as:
- a rule obliging business operators to cooperate with the foreign government's data collection activities, so that a broad range of personal information held by business operators is subject to collection by that government; or
- a rule requiring the retention of personal information, so that data subjects cannot effectively exercise their right to deletion; and
- 'appropriate and reasonable means' means that the information need not be so detailed as to be onerous for the transferor, but must still be informative enough for the principal to judge whether to give consent; the transferor is not required to check every detail of the transferee's country's data protection law, but only to 'reasonably' check the level of protection (e.g. by asking the transferee or checking the website of the country's data protection authority); and
- information about the data security measures taken by the transferee.
If, at the time of obtaining consent:
- the transferee's country is not identified, then, instead of the above information, the reason why it is not identified and any other information that may be helpful to the data subject; or
- information about the transferee's security measures is not available, then the reason why it is not.
If the transfer is allowed without the principal's consent because the transferee has established a level of personal data protection equivalent to that under the APPI, the transferor must:
- ensure the transferee's continuous maintenance of that protection level, and to that end must:
- 'periodically' (meaning annually or more frequently) check, by 'appropriate and reasonable means':
- the status of the transferee's implementation of the protection measures; and
- any law of the foreign country which may affect the transferee's implementation of the protection measures; and
- if it becomes difficult for the transferee to implement those measures:
- take necessary and appropriate measures; and
- discontinue data transfers to the transferee; and
- on the request of the principal, provide the principal with information about the transferee's protection level, which should generally include:
- the transferee's protection measures;
- how frequently the transferor conducts the 'periodic' check above;
- the transferee's country name;
- any laws of the foreign country which may affect the transferee's implementation of the protection measures; and
- any problem with the transferee's continuous implementation of the measures.
Transfer due diligence and records
A transfer of personal data requires that the transferor PIC and the transferee (if a PIC, or if it becomes a PIC as a result of the transfer) keep specified records and the transferee is also required to make enquiries on the source of the personal data transferred, unless the transfer was made in reliance on an exception listed above as a transfer permitted by law or the transferee is not a third party.
The transferor must keep a record of:
- (if the transfer was made in reliance on an opt-out) the transfer date;
- the name or other identifiers of the transferee and the principal, and the type(s) of data transferred (e.g. name, age, gender); and
- the principal's consent to the transfer, or, if consent has not been obtained and the transfer was made in reliance on an opt-out, that fact.
The transferee must keep a record of:
- (if the transfer was made in reliance on an opt-out) the date the personal data was received;
- the name or other identifiers of the transferor and its address (and the name of its representative if the transferor is a legal entity), and the name of the principal;
- the type(s) of data transferred;
- the principal's consent to the transfer, or, if consent has not been obtained and if the transfer was made in reliance on an opt-out, that fact;
- if an opt-out has been relied on, the fact that the opt-out has been filed with, and published by the PPC; and
- how the transferor acquired the personal information transferred.
See 'transfer of person-related information' above for additional record-keeping requirements.
There are no specific requirements to keep data processing records, though general record-keeping requirements may apply.
There are no requirements to conduct Data Protection Impact Assessments ('DPIA').
The APPI does not specifically require a PIC to appoint a data protection or similar officer. However, the General Guidelines, which apply to all PICs, provide that a PIC must take security measures for the handling of personal information, one example of such a measure being 'the appointment of a person in charge of the handling of personal information and the definition of the responsibilities of the person'. The guidelines state that whether measures are mandatory depends on the materiality of the damage which may be suffered by principals in the event of a data breach, the size and nature of the business, and the general nature of the data handling (including the nature and volume of data handled).
Some sector-specific guidelines also set out data protection or similar officer requirements. Certain private organisations or associations have created qualifications such as 'data protection officer' or equivalent, and issue them to persons who have passed examinations set by them (e.g. the Japan Consumer Credit Association issues a Personal Information Handling Officer qualification, and the Information-Technology Promotion Agency issues an Information Systems Security Administrator qualification). These qualifications are not acknowledged, supported or required by law, but are industry-driven efforts to enhance data privacy.
The Data Breach Guidelines are limited to setting out certain principles for handling leakages, leaving PICs to decide what specific action should be taken with regard to the facts of each case.
Action following a data breach
The Data Breach Guidelines state that in the event of the leakage, destruction or damage of personal information, or the likelihood of any of them:
- it is 'desirable' that the affected PIC takes the following steps:
- report the incident internally within the PIC;
- take measures to prevent the expansion or aggravation of any damage (to principals or third parties affected by the incident) caused by the incident;
- investigate the relevant facts and the cause of the incident;
- identify the affected areas within the PIC's servers and systems, and the principals whose data was affected;
- promptly plan and implement measures to prevent a recurrence of the incident, or further incidents that may otherwise arise from it;
- unless the leaked data is encrypted at a high level, 'promptly' notify the principals potentially affected, or make the facts of the leakage easily available to those principals (depending on the facts of each case), so as to prevent the principals or third parties incurring further damage (e.g. to give the principals the opportunity to take action to avoid or mitigate harm from third parties' use of the leaked information); and
- publicly announce the relevant facts and the measures to be taken to prevent a recurrence of the incident (depending on the facts of each case); and
- the PIC must make efforts to promptly notify the PPC of a breach unless:
- the leaked data is encrypted at a high level;
- all the leaked data has been recovered by the PIC before being seen by any third party;
- there is no risk of any specific individual being identified from, or of the affected principals being harmed by the use of, the leaked data;
- the data breach was obviously only internal and not an external leakage; or
- the leakage is obviously insignificant (e.g. a mis-delivered parcel where the personal information is only on the delivery address label).
A data breach notification to the PPC is made by completing an online form (only available in Japanese). If a PIC has a security policy which does not allow its systems to access external systems online, or has difficulty completing an online submission, other methods of submission, e.g. by fax or post, remain available.
Where a PIC has entrusted personal data to a personal information/data processor and the processor was the subject of the data breach, the obligations above fall on the PIC.
Whilst an outsourced data processor PIC, as well as the outsourcing PIC, will be subject to the obligations to notify the PPC and affected individuals under the 2020 Amendments, the processor's obligation will be discharged when it promptly provides the outsourcing PIC with a notification in the same form as that required for notification to the PPC.
Leaked data is encrypted at a high level when:
- the encryption algorithm is one listed in ISO/IEC 18033, or the Government has confirmed the encryption system as being sufficiently secure; and
- the decryption key is remotely controlled or not usable by a third party, or the leaked data or decryption key can be remotely deleted.
In practice, therefore, whether this exemption applies turns as much on key handling as on the choice of algorithm: ciphertext that leaks together with a key or password a third party can use is not 'encrypted at a high level' for this purpose, however strong the algorithm.
'Desirable', 'promptly' and 'make efforts' are not defined or explained in the Data Breach Guidelines, and their meaning will need to be determined by reference to their ordinary meaning, regulatory and best practice, and the facts of each case, in particular the risk of an innocent party suffering loss.
The meaning of 'promptly' in connection with data breach notification to the PPC has been clarified, as described below.
It is not uncommon for obligations under Japanese laws and regulations to be expressed as being desirable or similar, and in the absence of factors which would dictate otherwise, best practice would be to comply with the obligation unless there is a good reason not to. In addition, the greater the harm non-compliance may cause, the more advisable compliance becomes.
Although 'promptly' is generally not defined, the nuance of the original Japanese term 'sumiyakani' would suggest four or five days in many cases, though this is subject to the facts of each case, and in particular how seriously the principals may be affected and accordingly how urgently they should be notified.
Examples of what might constitute 'making the fact of the leakage easily available to the affected principals' include:
- placing a sign in an office habitually attended by the principals; or
- adding a notice on an accessible webpage directly linked from the home page of the PIC's website.
What constitutes 'making efforts' is likewise not defined and would be given its normal meaning; as with 'promptly' and 'desirable', the greater the actual or potential harm of the data breach, the more advisable compliance with the obligation becomes.
Reporting to the PPC
Under the current APPI, whilst the obligation to report a data breach to the PPC is only to make efforts, best practice would be to submit a report unless any of the exemptions above apply (in which case a report is not required). If the PIC thinks the data breach is not serious enough to warrant a formal report but it is not exempted from reporting, it can seek informal guidance from the PPC on what action to take. If the data breach is very serious, e.g. the loss of bank account details and passwords, or the PIC is not certain what action to take the PIC should contact the PPC (and local counsel) at the earliest opportunity, without waiting to complete the formal report to the PPC. Should a data breach not be reported, and the PPC subsequently becomes aware of it, it may require a report to be submitted.
Requirement to Notify the PPC
Unless the affected data is encrypted at a high level the PPC must be notified if:
- The affected or possibly affected data contains:
- sensitive Information; or
- data that would cause a financial risk in the case of unauthorised use;
- the loss results, or may result, from intentional theft by a third party (as opposed to accidental loss); or
- the number of affected or possibly affected individuals exceeds 1,000.
Timing of notification to the PPC
A first notification is required 'sumiyaka-ni' (promptly) upon becoming aware of the incident (which the PPC suggests means within approximately three to five days, depending on the case), and an update notification is required within 30 days (or, in the case of intentional theft or possible theft, 60 days) of becoming aware of the incident.
Furthermore, whilst the current regime allows reporting to the PPC or to certain accredited personal information protection organisations, the 2020 Amendments will centralise the reporting process so that reports are made only to the PPC or to delegated government agencies.
Notifying affected principals
When considering whether to notify affected principals of a data breach directly, or by a more general notice, the two major factors for a PIC to consider are the seriousness of the loss and the harm it may cause, and the effectiveness of the means of notification. If a loss may cause serious harm, the prudent course would be to make it public promptly, and then notify affected parties individually (always subject to any directions from the PPC). Where a PIC has decided to give a general notification, it will need to evaluate how effective the means of notification is likely to be; for example, if notification is given on a website, how likely is it that the affected parties will visit the website and how long it should be kept active in order to notify an appropriate proportion of affected principals. A notification, individual or general, should include a description of the loss and the actions taken by the PIC to mitigate its effects, and it would be advisable to include a phone number or email address which the affected principals can use to obtain further information on the loss.
As noted, depending on the facts of each case, it might be appropriate for the PIC to publicly announce the relevant facts of the data breach, and the measures to be taken to prevent its recurrence; there is no guidance on what form this notice should take, and although it may also be sufficient as a notice to the affected principals, its effectiveness as such would need to be considered carefully.
Notifications, individual or general, should be given in Japanese, and if any affected principals may not understand Japanese, any other appropriate foreign language. Notifications should not be given only in a foreign language unless it is certain that all affected principals will understand that language.
The same triggering conditions as under 'Requirement to Notify the PPC' above will apply to the notification of affected principals.
Timing of notification
Notification must be given promptly upon becoming aware of the incident. What constitutes 'promptly' depends on the circumstances of each case; the PPC suggests that there may be cases where immediate notification would not be appropriate (e.g. where the details of the incident have not yet been identified, so that notifying the data subjects would only cause confusion and would not help protect their rights).
PICs should take all reasonable steps to maintain up-to-date contact details for their principals and/or periodically review their procedures for notifying data losses through public notices and other means.
If a data breach has occurred and been reported to the PPC, voluntarily or at the request of the PPC, it may investigate the background to the loss, the PIC's data management procedures, and the actions taken (or not taken) by the PIC to notify the affected parties (and the PPC). Where the PPC finds defects in the PIC's data management or post-loss actions, it may give guidance to the PIC on what actions to take to improve its data management, or what further steps should be taken to notify affected principals of the loss. If the defects are material, the PPC may issue advice for improvement to the PIC and publish the advice on its website. If the PIC fails to follow advice for improvement, the PPC may then escalate the matter and issue an order for improvement. An order for improvement may be issued immediately without preceding advice for improvement in limited cases of a serious data breach.
If a PIC has not notified the PPC or the affected principals of the data breach (or has not publicised the loss, if material in either scale or subject matter) and the PPC comes to know of the loss, it might be more likely to find the PIC's attitude to compliance unsatisfactory, and thus issue and publish an advice for improvement.
Neither the APPI nor the Data Breach Guidelines impose any sanctions for failure to make a report or notification of a data breach, and the Data Breach Guidelines only require a PIC to 'make efforts' to report a data breach. However, it should be noted that a PIC has presumably breached its duties for data security when it failed to prevent the data breach, and it would probably further be in breach of its obligations if it did nothing following the data breach where action was obviously required. These breaches will allow the PPC to issue advice for improvement. That said, and as noted above, it is advisable for PICs to report a data breach unless a report is clearly not required, and failure to report might be a factor the PPC would take into consideration when deciding whether to issue advice for improvement. The PPC will publish such advice once issued.
Failure to comply with an order for improvement would be grounds for criminal imprisonment for up to six months or a criminal fine of up to JPY 300,000 (approx. €2,300) for an individual who is the PIC, the director, or employee of the PIC entity in charge of the breach, and the same criminal fine for the PIC as an entity.
Under the 2020 Amendments, failure to comply with an order for improvement would be grounds for criminal imprisonment for up to one year or a criminal fine of up to JPY 1 million (approx. €7,700) for an individual who is the PIC, the director, or employee of the PIC entity responsible for the breach, and a criminal fine of up to JPY 100 million (approx. €770,000) for the PIC as an entity.
To date, PICs which have suffered a data breach have often voluntarily offered compensation to affected parties both to forestall any proceedings, and to maintain good public relations. Compensation payments to principals (per person) have ranged from JPY 500 (approx. €4) of e-money or gift vouchers (see the Benesse incident discussed in section 1.3 above), through gift vouchers of JPY 10,000 (approx. €77), to cash payments of JPY 35,000 (approx. €270). If an affected party brings an action before a court against a PIC for a data breach, any judgment by the court would likely be an order against the PIC to pay damages on the grounds of a breach of contract or tort theory. Save for cases such as the unauthorised use of affected payment card data or the disclosure of sensitive information affecting the personal lives of individuals, the amount of damages an affected party might be entitled to is frequently not large enough to warrant the commencement of proceedings once the costs of the proceedings are taken into consideration.
It should also be noted that in Japan it is often important to treat all affected parties equally. Even if a PIC does not publicise a data breach and communicates privately with each affected party individually, the widespread use of social media makes it increasingly unlikely that unequal treatment between affected parties will remain private, and such treatment may have an associated negative impact on the PIC's reputation.
Whilst the Data Breach Guidelines only provide that it is 'desirable' for an affected PIC to take actions, including giving notice to affected parties (save that notification of certain data losses will be mandatory under the 2020 Amendments) and publicising the incident, and that PICs should 'make efforts' to notify the PPC, the Guidelines on Protection of Personal Information in the Financial Field, which have been issued jointly by the PPC and the FSA, provide that such actions are mandatory in the financial services sector. Similarly, the Commentary issued by MIC, which gives guidance on the Telecommunications Business Act (Act No. 86 of December 25, 1984), provides that a breach of secrecy of communications must be reported to the authority.
Storage and security
The My Number Act and related guidelines require an employer to establish appropriate systems for the secure storage and handling of specific personal information.
In practical terms the employer should:
- draft and/or amend internal rules on data protection to ensure the handling of specific personal information in accordance with the My Number Act;
- ensure employees handling specific personal information are aware of the restrictions on their use and the scope of the related data protection regime, in particular, the areas where obligations are stricter than those currently generally implemented by the employer for data protection; and
- ensure its data protection systems are adequate to comply with the obligations under the My Number Act as they are likely to be stricter than under the employer's other data protection obligations (whether under the APPI or otherwise).
Reporting of losses
Any loss of any specific personal information must be reported to the PPC, though there is no specified deadline for giving the notification; the form of the report is slightly different from that for data breaches. The system for escalation of remedial orders by the PPC is the same as that for losses of other personal information, though failure to comply with an order for improvement could lead to more serious criminal sanctions against both the PIC and any of its officers responsible for the loss. Notification to the affected principals is still only 'desirable.'
Whilst there are no specific provisions in the APPI that regulate the processing of children's data, the General Guidelines indicate that, if a minor, adult ward, or person under curatorship has no capacity to understand the consequences of their own consent under the APPI, such consent should be obtained from their statutory guardian. The PPC further indicates in Q&As that, whilst the age at which a child can understand the consequences of their own consent should be considered on a case-by-case basis, it can generally be said that consent should be obtained from a statutory guardian (e.g. a parent) for a child aged 15 or under.
Yes; please see the items above relating to Sensitive Information.
Necessary and appropriate supervision must be exercised by a PIC over any third parties delegated to handle personal data. Such supervisory measures include the execution of agreements between a PIC and a service provider providing appropriate security measures that should be taken by the service provider, and the power of the PIC to instruct and investigate the service provider in connection with its handling of personal data entrusted to it.
In addition, the PPC has recently clarified in Q&As that a data processor is a PIC, although a cloud service provider which has no access to the entrusted personal data stored on its servers is not a data processor and is thus not a PIC. If a data processor is a PIC, it is subject to the related obligations under the APPI.
8. DATA SUBJECT RIGHTS
If requested by a principal, a PIC must disclose in writing and without delay to the principal, the principal's personal data held by it, unless the principal has agreed to receive it by other means (e.g. as electronic data). Access can be refused if it would result in:
- injury to life or bodily safety, property or other rights and interest of the principal or any third party;
- a material interference with the PIC's business operations; or
- a violation of other Japanese laws prohibiting disclosure.
Principals also have the right to revise, correct, amend, or delete their personal data, and to request the cessation of use of their personal data if it is used for a purpose other than the one originally stated, or if it was acquired by fraudulent or other unlawful means. If a principal requests a PIC to cease using their personal data, the PIC must do so unless the request is unreasonable, or the cessation would be costly or would otherwise be difficult (e.g. the recall of books already distributed). In this case, the PIC must take alternative measures to protect the rights and interests of the principal. The PIC must notify the principal without delay of whether the requested action has been taken, and, if not taken, must endeavour to explain the reasons why. A principal can enforce its rights to require revision, etc. of its personal data by civil action if such a request is not complied with within two weeks of being made.
Principals do not have any of the rights above if:
- the personal data will be deleted within six months of collection; or
- the principal or another person coming to know that the PIC holds such personal data might result in:
  - injury to the life or bodily safety, property or other rights and interests of the principal or any third party;
  - encouraging illegal or unjust acts;
  - endangering national security, or damaging a trusted relationship with a foreign country or international organisation;
  - disadvantaging the country's negotiations with a foreign country or international organisation; or
  - presenting an obstacle to the prevention, suppression, or investigation of crimes, or otherwise impairing public safety and order.
Under the 2020 Amendments, the following provisions relating to principal rights will also apply:
- principals will have the right to access to a PIC's record of data transfers to third parties;
- personal data which the PIC will delete in six months will no longer be exempted from the principals' right to access;
- a principal will have the right to require the PIC to cease using personal data or to cease transferring personal data to third parties if the PIC no longer needs to use the data, a data breach has occurred, or there is a likelihood of infringement of the principal's rights or lawful interests due to the PIC's handling of the personal data; and
- pseudonymously processed information is not subject to the principal's right to access or cessation of use.
Collection & use of personal information
A PIC must:
- not collect personal information by fraudulent or other unlawful means; and
- notify the principal of the purpose of utilisation prior to the collection of the personal information unless it has published the purpose of utilisation in advance in a manner readily accessible by the principal.
It is clarified that a purpose of utilisation must be specified in a manner that is not abstract or general, but detailed enough to reasonably enable data subjects to anticipate how and for what purposes their personal information will be used. In light of this, it is also clarified, by way of example, that if a PIC analyses data subjects' behaviour or interests, such as their online browsing or purchase history, for marketing, this must be stated as a purpose of utilisation.
A PIC must make the following items readily accessible to each principal:
- name of the PIC;
- purpose of utilisation of personal information retained;
- the procedure for the principal to require access, correction, etc. of their personal data; and
- where to complain about the PIHBO's handling of personal data.
The following items are added:
- address of the PIC;
- name of the representative person of the PIC; and
- data security measures taken by the PIC.
The following descriptions are indicated by the PPC as examples of data security measures which satisfy the requirement (the PPC also indicates that the level of security measures can be relaxed for 'small or medium sized business operators,' as described below):
- establishment of basic principles concerning compliance with applicable laws, handling enquiries and complaints, etc.;
- establishment of rules on the manner of data processing, the staff in charge, their responsibilities, etc. at each step of the collection, use, storage, transfer, and deletion of personal data;
- organisational security measures: appointment of staff in charge, their responsibilities, reporting line, external audit system, etc.;
- staffing security measures: staff training, confidentiality obligations of staff, etc.;
- physical security measures: room access control, access authorisation control, restriction of bringing out devices or personal data, etc.; and
- technological security measures: access control, firewall from unauthorised access, etc.
There is no specific right for a data subject to access its personal information; see the opening paragraph re disclosure of personal information held.
Please see section 8 above.
Please see section 8 above.
Please see the right to request cessation of use outlined in section 8 above, and the right to opt out in section 7.2 in regard to data transfers.
Please see the provisions on penalties outlined in sections 7.6 and 7.7 above.
In addition, many sector-specific regulations authorise the relevant regulators to enforce the regulations by rendering business improvement orders, or business suspension orders in the most serious cases, against providers of services which require licences from the regulator, 'where necessary for ensuring the appropriate operation of the business.' 'Appropriate operation of the business' may include the management of the security of customer data. For example, the FSA may issue a business improvement order against a bank pursuant to the Banking Act (Act No. 59 of 1981), or against an investment manager pursuant to the Financial Instruments and Exchange Act (Act No. 25 of 13 April 1948), if the service provider failed to manage the security of customer data in the course of operation of the licensed businesses.
If a PIC (and where the PIC is an entity, its officer, representative person, or administrator) or any of its employees, or a person who was in such a position, provides to a third party or misappropriates a personal information database handled in the course of the business for the purpose of wrongful gain for himself/herself or a third party, the PIC (if a person) and any such person is liable to imprisonment for not more than one year or a fine of not more than JPY 500,000 (approx. €3,850), a PIC entity being liable for such a fine (which is increased to JPY 100 million (approx. €770,000) under the 2020 Amendments).
Recruit Career Co., Ltd., a subsidiary of Recruit Co., Ltd. (the two companies together 'Recruit Companies'), operated an online platform service 'Rikunabi' for university students who were looking for information on job positions after graduation and companies who wanted to advertise their graduate recruiting information, as customers.
On 26 August 2019 the PPC issued 'advice' and 'instruction' against Recruit Career for improvement arising out of the company's breach of the APPI. On 4 December 2019, based on further facts found since the August advice, the authority issued further 'advice' for improvement against the Recruit Companies for their 'extremely inappropriate service to circumvent the APPI' and rendered 'instructions' for 35 companies (mostly leading listed companies) which were customers of the platform service for improvement of their inappropriate handling of personal data.
In summary, the PPC found in its August advice and instruction that on 'Rikunabi 2020' (i.e., the service in connection with students who would graduate from universities in 2020) personal data of 7,983 registered students was provided to customer companies (at which the students might apply for jobs) without the students' consent.
In its December advice and instruction, the PPC found that on 'Rikunabi 2019' and 'Rikunabi 2020' cookies that recorded registered students' business sector-based browsing histories were used for profiling and scoring such students to calculate their 'possibility [by percentage] of declining job offer'. The data on 'possibility of declining job offer' was hashed and then provided to customer companies, though the recipient companies could re-identify the students from the data. The recipient companies used the data in selecting applicant students to hire. The Recruit Companies provided the data of 26,060 students to customer companies without the students' consent. The Recruit Companies conducted such data handling based on their understanding that the data would no longer be 'personal data' once hashed, which the PPC concluded was a 'wrong understanding' because the companies 'could still identify students from the hashed data by reference to other data held by them'.
The facts and issues found, in particular, in the December advice and instruction led to the PPC's drafting of new rules on the transfer of 'person-related information' in the 2020 Amendments (see 7.2 above).
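The PPC's finding above, that hashed scores remained personal data because the recipients could re-identify students by reference to identifiers they already held, is a linkage test that a provider can run on its own export before release. The following is an added example, not code from the page or from the Recruit Companies, and every identifier and score in it is constructed for illustration. It keys an export with a plain, unkeyed hash (the pattern the PPC rejected), shows that a recipient holding the same identifiers can join the export back to named people, and contrasts that with an export keyed by an HMAC under a secret the provider never shares, which a recipient cannot recompute.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the page): the provider's registered
# users and a derived score for each, keyed by an e-mail identifier.
PROVIDER_RECORDS = {
    "student-a@example.ac.jp": 0.62,
    "student-b@example.ac.jp": 0.15,
    "student-c@example.ac.jp": 0.88,
}

# Constructed sample: identifiers the recipient already holds, e.g. from
# applications sent to it directly. Two of them overlap with the provider's set.
RECIPIENT_KNOWN_IDS = [
    "student-a@example.ac.jp",
    "student-c@example.ac.jp",
    "student-z@example.ac.jp",
]


def sha256_hex(value: str) -> str:
    """Unkeyed SHA-256 of a string identifier, hex encoded."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def export_unkeyed(records: dict) -> dict:
    """Export scores keyed by a plain hash of the identifier.

    Anyone who holds the same identifiers can recompute these keys, so the
    export is still personal data in the hands of such a recipient.
    """
    return {sha256_hex(ident): score for ident, score in records.items()}


def export_keyed(records: dict, secret: bytes) -> dict:
    """Export scores keyed by HMAC-SHA256 under a secret only the provider holds.

    Without the secret, a recipient cannot recompute the keys from identifiers
    it already knows, so the join used below no longer succeeds.
    """
    def tag(ident: str) -> str:
        return hmac.new(secret, ident.encode("utf-8"), hashlib.sha256).hexdigest()

    return {tag(ident): score for ident, score in records.items()}


def link_to_known_ids(exported: dict, known_ids, hash_fn=sha256_hex) -> dict:
    """Recipient-side linkage check.

    Rebuild a key -> identifier table from identifiers the recipient already
    holds and join it against the export. The result is the set of rows the
    recipient can attribute to a named person.
    """
    table = {hash_fn(ident): ident for ident in known_ids}
    return {table[key]: score for key, score in exported.items() if key in table}


def linkage_rate(exported: dict, known_ids, hash_fn=sha256_hex) -> float:
    """Fraction of exported rows attributable to a known person.

    A provider can run this against a realistic reference set before release:
    any non-zero rate means the export is still personal data for that recipient.
    """
    if not exported:
        return 0.0
    return len(link_to_known_ids(exported, known_ids, hash_fn)) / len(exported)


if __name__ == "__main__":
    unkeyed = export_unkeyed(PROVIDER_RECORDS)
    print("unkeyed export, linkable rows:", link_to_known_ids(unkeyed, RECIPIENT_KNOWN_IDS))
    print("unkeyed export, linkage rate:", linkage_rate(unkeyed, RECIPIENT_KNOWN_IDS))

    secret = secrets.token_bytes(32)  # kept by the provider, never shared
    keyed = export_keyed(PROVIDER_RECORDS, secret)
    print("keyed export, linkable rows:", link_to_known_ids(keyed, RECIPIENT_KNOWN_IDS))
    print("keyed export, linkage rate:", linkage_rate(keyed, RECIPIENT_KNOWN_IDS))
```

The keyed export only addresses recomputation by the recipient: the provider still holds the mapping, so the data remains personal data in its own hands, and if the recipient can link rows to individuals by any other means (for example, because the score itself is sent alongside an identifier), the export is still personal data for the recipient regardless of how the key was derived.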