Data Protected - Japan

Last updated December 2017

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws

Japan is not an EU Member State and therefore has not implemented the GDPR or the Data Protection Directive. However, the Act on the Protection of Personal Information (Act No. 57 of 2003) (the “APPI”) contains similar provisions.

An act to amend the APPI (the “APPI Amendment”) came into force fully on 30 May 2017. References in this summary to the APPI Amendment indicate the changes made by the amendment. The APPI Amendment, amongst other things, permits the disclosure of so-called “big data” without obtaining data subjects’ consent and restricts data transfers to a third country without obtaining data subjects’ consent where the level of data protection is insufficient.

In October 2015, the Act on Use, etc. of Numbers to Identify Specific Individuals in Administrative Procedures (Act No. 27 of 2013) (the so-called “My Number Act”) came into force, under which an ID number is allocated to every individual so that the government can manage social security and tax systems effectively. Please note that this memo does not cover the My Number Act, which is a special law of the APPI.

Entry into force

The APPI fully came into force on 1 April 2005, followed by the APPI Amendment, which came into force on 30 May 2017.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

The Personal Information Protection Commission (the “PIPC”) has overall responsibility for the legal framework of the APPI.

Personal Information Protection Commission
Kasumigaseki Common Gate West Tower 32nd Floor
3-2-1, Kasumigaseki
Chiyoda-ku
Tokyo, 100-0013
Japan
TEL: +81-(0)3-6457-9680

http://www.ppc.go.jp/en/

Before the APPI Amendment came into force, each regulatory authority, such as the Financial Services Agency and the Ministry of Economy, Trade and Industry, had authority to advise, recommend or order the businesses it supervised to comply with the APPI. Now that the APPI Amendment is in force, the PIPC (instead of each regulatory authority) has centralised authority to supervise these businesses, though the PIPC may delegate certain of its powers to the regulatory authorities.

Notification or registration scheme and timing

Under the APPI Amendment, a notification to the PIPC is required to rely on the opt out exemption to transfer data to a third party. Other than this notification, there is no requirement to make any notifications to the regulatory authority. However, the relevant authority can order an information handler to submit a report to the authority on the treatment of personal information.

Exemptions to notification

Not applicable.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The APPI Amendment extends the APPI to apply to overseas information handlers who have acquired personal information of data subjects in Japan in connection with the offering of their goods or services, even if they deal with such personal information outside of Japan.

Is there a concept of a controller and a processor?

Japanese law does not contain the concepts of data controller and data processor. However, Japanese law has a concept of “retained personal data”, which is personal information in respect of which an information handler has the authority to disclose, correct, add to or delete, cease utilisation of, erase, and cease the provision of to third parties.

Some of the provisions in the APPI apply only to information handlers who have “retained personal data”. For example, the obligation to disclose retained personal data to the relevant data subject applies to an information handler only in respect of its “retained personal data”. It is therefore fair to say that Japanese law draws a distinction similar to that between data controller and data processor under EU law.

Are both manual and electronic records subject to data protection legislation?

The APPI applies to both manual and electronic records.

Are there any national derogations?

The APPI does not apply to government entities or some types of quasi-government entities.

Further, some of the provisions under the APPI do not apply to press organisations, writers, academic organisations, religious organisations or political organisations when they deal with personal information solely for those purposes. For example, if a newspaper discloses the name of a person in an article describing a crime conducted by such person, that will fall outside the scope of the APPI.

_____________________________________________________________________

Personal Data

What is personal data?

The APPI defines personal information as information about a living person that would allow identification of the person as an individual. This includes such information as will allow easy reference to other information and will thereby enable the identification of the specific individual.

Although the APPI Amendment does not change the coverage of personal information, it clarifies that information containing the code for personal identification, such as fingerprint data and passport number, is categorised as personal information.

Is information about legal entities personal data?

No.

What are the rules for processing personal data?

As a general rule, information handlers must: (i) specify so far as possible the purpose for which personal information will be processed (“purpose of use”); (ii) not change the purpose of use such that it no longer has a reasonable relationship to the original purpose of use; and (iii) not process personal information except to the extent required to achieve the purpose of use without the prior consent of the data subject.

An information handler may not transfer personal information to a third party without prior consent of a data subject. However, there are some exceptions to this requirement, for example where: (i) the disclosure is based on Japanese law; (ii) the disclosure is necessary for cooperating with a Japanese government entity in executing its legal duties, and obtaining the consent of a data subject is likely to impede the execution of such duties; (iii) the disclosure is for health or public hygiene purposes and it is difficult to obtain consent; (iv) the disclosure is part of a merger or other business succession, subject to it being used for the same purposes of use; (v) the disclosure is to a third party processor; (vi) the disclosure is to a joint user and the data subjects are informed; or (vii) the information handler informs data subjects of the transfer of information intended to be provided to a third party and those data subjects do not object (this last condition being the “opt out exemption”).

The APPI Amendment defines anonymous processed information (the “Anonymous Processed Information”) as the information obtained from personal information from which it is impossible to identify a specific individual. An information handler may transfer Anonymous Processed Information to a third party without obtaining the prior consent of the data subject, provided that it makes a public announcement and clarifies to the third party recipient that the data to be provided is categorised as Anonymous Processed Information.

Are there any formalities to obtain consent to process personal data?

Consent is not generally required to process personal information. However, prior consent (oral or written) is needed for processing outside the scope of the original purpose of use.

Financial institutions handling personal information are required by the guidelines of the Financial Services Agency (the “FSA Guidelines”) to obtain consent in writing to a change in the purpose of use.

Are there any special rules when processing personal data about children?

No.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

Before the APPI Amendment came into force, the APPI did not distinguish between different types of personal information based on the sensitive nature of such data. However, certain guidelines (including the FSA Guidelines) stipulated additional rules for processing sensitive personal information such as information relating to an individual’s political views, faith, labour union membership, race, ethnic group, family status, physical/mental handicap, sex life, criminal records and medical records.

However, the APPI Amendment now defines sensitive personal information as information such as the data subject’s race, beliefs, social status, medical history, criminal record, and whether the data subject has been a victim of crime.

Are there additional rules for processing sensitive personal data?

The APPI Amendment provides that information handlers must, in principle, obtain the prior consent of the data subject to acquire sensitive personal information. Under the APPI Amendment, the opt out exemption for transfers of data to a third party is not available for the provision of sensitive personal data.

Further, the FSA Guidelines provide that the relevant information handlers may not acquire, use or transfer sensitive personal information defined under the FSA Guidelines except where strictly necessary.

Are there additional rules for processing information about criminal offences?


The rules are the same as for sensitive personal data.


Are there any formalities to obtain consent to process sensitive personal data?

No.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

The APPI does not specifically require the appointment of data protection officers. However, the guidelines on the APPI (the “APPI Guidelines”) state that the appointment of a person responsible for dealing with personal data is one example of the security measures that information handlers must take under the APPI.

What are the duties of a data protection officer?

Not applicable.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

Under the APPI, information handlers are required to take necessary and appropriate measures to ensure the security of personal information. What measures will be appropriate in each case will depend on the nature, scope, context and purposes of the use or processing of relevant personal data as well as the risks for rights and freedoms of individuals.

The APPI Guidelines provide some guidance on such measures but that guidance is not decisive. In summary, however, each information handler is expected to: (i) have a basic privacy policy in place; (ii) have internal rules and other internal documentary arrangements that are designed to protect personal data; (iii) have organisational structures that are designed to protect personal data (e.g. appointing data protection officers); (iv) fully educate its officers and employees on data protection requirements; (v) have appropriate physical security systems; and (vi) take appropriate measures in relation to information technology systems.

Are privacy impact assessments mandatory?

As mentioned above, under the APPI, information handlers are required to take necessary and appropriate measures for the security of personal information. As part of such requirements, information handlers are expected to carry out routine investigations of their security measures.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

Information handlers are required to make available to data subjects the following information (and must reply to a data subject’s request for such information without delay): (i) the information handler’s name; (ii) the purpose of use of the data subject’s personal information; (iii) procedures for requesting access to personal information held by the information handler (including the amount of any fees payable); and (iv) details of whom to contact in order to lodge complaints concerning the handling of their personal information.

An information handler who has acquired personal information is required to promptly notify data subjects of the purpose of use of their personal information, except in cases where the purpose of use has already been publicly disclosed. When an information handler has changed the purpose of use, it must notify the data subject of the changed purpose of use or publicly announce such changed purpose of use.

An information handler is required to publish the privacy policy on its website or post or display copies of the privacy policy in its reception or other prominent position at its offices.

Rights to access information

An information handler is required to notify data subjects of the purpose of use of their personal information upon their request.

An information handler is required, upon a data subject’s request, to disclose without delay such retained personal data as may lead to the identification of the data subject.

An information handler may collect reasonable charges for the notification or disclosure mentioned above.

Rights to data portability

There is no concept of “data portability” under the APPI.

Right to be forgotten

Data subjects may require an information handler to cease using or erase their personal information if such personal information is being used beyond the purpose of use without their consent, or was obtained by unfair means. The information handler may refuse such request if compliance with such request would cause the information handler to incur excessive costs, or where it would otherwise be difficult for the information handler to discontinue using or to erase the personal information, provided that the information handler takes necessary alternative measures to protect the rights and interests of the data subject.

Objection to direct marketing and profiling

The APPI does not provide any specific rights to reject direct marketing. However, information handlers must not process personal information except to the extent required to achieve the purpose of use, without the prior consent of the data subject.

Other rights

Data subjects may require an information handler to correct, add to or delete their personal information if such information is not factually correct.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

Information handlers are required to implement appropriate control measures in respect of the personal information in their possession to prevent unauthorised disclosure, loss or damage of such personal information.

Specific requirements for appropriate control measures are provided in the guidelines issued by the regulatory authorities.

Specific rules governing processing by third party agents (processors)

When an information handler entrusts a third party with the handling of personal information in whole or in part, the information handler must exercise necessary and appropriate supervision over the third party to ensure the security of the entrusted personal information.

Notice of breach laws

In general, there is no breach notification obligation under the APPI. However, an Announcement issued by the PIPC requires an information handler to make efforts to report any data breach to the PIPC (or, in some cases, to a regulatory authority to which the authority to receive such reports has been delegated, or to a business association of which the information handler is a member).

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

The APPI Amendment has introduced a restriction on the transfer of personal data to foreign countries. An information handler must obtain prior consent from the data subject to the transfer of personal data to a recipient in a foreign country, unless that country’s data protection system is considered by the PIPC to provide the same level of protection as Japan or when the recipient third party has established a sufficient data protection system. The consent must specifically relate to the transfer to that particular recipient in the foreign country, rather than being general in nature.

Notification and approval of national regulator (including notification of use of Model Contracts)

There is no requirement to make any notifications to or obtain any approvals of the regulatory authority.

Use of binding corporate rules

No concept of binding corporate rules is used in the APPI.

_____________________________________________________________________

Enforcement

Fines

Breaches of the APPI and/or related regulatory guidelines may result in civil liability or criminal sanctions, which include up to six months’ imprisonment or a fine of up to 300,000 Japanese yen.

Further, the APPI Amendment has created a direct criminal sanction prohibiting an information handler or its employees from providing or stealing personal information for a dishonest purpose, which includes up to one year’s imprisonment or a fine of up to 500,000 Japanese yen.

Imprisonment

Breach of the APPI can lead to imprisonment for six months and, under the APPI Amendment, providing or stealing personal information for a dishonest purpose can lead to imprisonment for up to one year.

Compensation

Data subjects have a right to compensation for damages, including mental distress.

Other powers

A breach of the APPI and/or related regulatory guidelines would not, of itself, be a criminal offence. However, a breach of the APPI and/or related regulatory guidelines may result in the PIPC issuing an enforcement notice ordering the information handler to cease or improve data handling. A failure by the information handler to comply with such enforcement notice would be a criminal offence.

Practice

The PIPC normally first asks for further information, gives advice on proper data handling or recommends that an information handler cease the violation and take other necessary measures to correct the violation. If the information handler does not take the recommended measures without justifiable reasons, the PIPC may then order the information handler to take the recommended measures.

Between the APPI’s entry into force and the end of 2016, the regulatory authorities issued 326 requests for reports, 3 pieces of advice and 8 recommendations.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

Japan is not an EU Member State and, therefore, has not implemented the Privacy and Electronic Communications Directive. However, the Act on Specified Commercial Transactions (Act No. 57 of 4 June 1976) (the “ASCT”) and the Act on Regulation of Transmission of Specified Electronic Mail (Act No. 26 of 17 April 2002) (the “ARTSEM”) impose restrictions on direct marketing.

_____________________________________________________________________

Cookies

Conditions for use of cookies

There are no special rules for cookies. If information collected by using cookies allows identification of an individual by reference to other information already available to a website owner, the owner is required by the APPI to notify the individual directly or publish the purpose of use of the personal information.

Regulatory guidance on the use of cookies

Not applicable.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

It is only possible to send direct marketing e-mails to individual subscribers if they consent.

Conditions for direct marketing by e-mail to corporate subscribers

It is only possible to send direct marketing e-mails to corporate subscribers if they consent.

Exemptions and other issues

Under the ARTSEM, it is permitted to send e-mails for the purpose of direct marketing without consent if: (i) the recipient notifies the sender of its e-mail address in writing; (ii) the recipient has a business relationship with a person engaged in sales activities relating to the marketing; or (iii) the recipient is an organisation or an individual engaged in business who discloses its e-mail address on the Internet.

Under the ASCT, it is permitted to send e-mails for the purpose of direct marketing without consent in connection with certain types of sales transactions if: (i) such e-mail for direct marketing is sent in association with notifications of important matters relating to contracts; or (ii) such e-mail for direct marketing is sent together with e-mails from free e-mail providers, such as Yahoo! or Google.

The sender of the e-mail must be identified by its name and address. The sender must also inform the recipient of the right to opt out of further marketing e-mails and provide an e-mail address or URL through which the recipient can opt out.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

It is not permitted to solicit a sales contract or a service contract from an individual subscriber who has expressed his/her intention not to enter into a sales contract or a service contract.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

It is not permitted to solicit a sales contract or a service contract from a corporate subscriber which has expressed its intention not to enter into the sales contract or a service contract.

Exemptions and other issues

When a product seller or a service provider solicits customers for its products or services by means of telephone communication, it is required to inform the recipient of the following information prior to the solicitation: (i) its name and address; (ii) the name of the person in charge of the solicitation; (iii) the type of product or service being offered; and (iv) the purpose of the telephone call (i.e., to solicit the custom of the recipient).

_____________________________________________________________________