Japan's principal data protection legislation is the Act on the Protection of Personal Information (APPI). It provides the basic principles for the government's regulatory policies and authority, as well as the obligations of private business operators who handle personal information (the handling operator). An amendment to the APPI was approved in June 2020 and came into full force on 1 April 2022.
Another set of amendments to the APPI was approved in May 2021. Previously, national administrative bodies were regulated by the Act on the Protection of Personal Information Held by Administrative Organs and the Act on the Protection of Personal Information Held by Independent Administrative Agencies. One of the main purposes of the 2021 amendments is to integrate the obligations prescribed in these two laws into the APPI. The amendments relating to the foregoing integration were effective from 1 April 2022.
In addition, local government bodies are regulated under their own local regulations (jyorei), which vary from one body to another. The 2021 amendments to the APPI introduce nationwide principles for jyorei and related implementing guidelines to homogenise the administration of data protection regulations across the country. Under this set of amendments, standard rules regarding personal information handled by local governments are stipulated uniformly in the APPI, and jyorei may stipulate local rules only in the very limited situations allowed under the APPI. These amendments will be effective from 1 April 2023. Please note that the 2021 amendments will change the article numbers of the APPI on 1 April 2023; in this article, however, we refer to the current numbers.
Another important law is the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (the My Number Act), which stipulates special rules for what is known in Japan as the Number to Identify a Specific Individual in the Administrative Procedure (My Number), a 12-digit individual number assigned to each resident of Japan.
The bill amending the Telecommunication Business Act (TBA) was passed in June 2022 and will be effective from 16 June 2023. This amendment mainly introduces a regulation on causing users' information (typically cookies) to be sent to an external party. It also imposes new obligations regarding user information on large telecommunications service providers, namely those with more than 5 million monthly users of fee-based services or more than 10 million monthly users of free services.
There are no laws or regulations that target artificial intelligence (AI) at this time. Please refer to 5.1 Addressing Current Issues in Law (Artificial Intelligence (including Machine Learning)) for more details.
Furthermore, the Personal Information Protection Commission (PPC) - the regulator primarily responsible for the APPI and the My Number Act - has published guidelines for handling personal information (the PPC Guidelines). For some industrial sectors, the ministry with jurisdiction over them has published data protection guidelines for those sectors. For example, the Financial Services Agency (FSA) and the PPC have jointly published data protection guidelines for the financial sector, and the Ministry of Internal Affairs and Communications (MIC) has issued data protection guidelines for telecommunication business operators.
Enforcement and Penalty Trends
For the period from 1 April 2022 to 30 September 2022, no administrative orders were issued, one administrative recommendation was made, 30 instances of administrative guidance or advice were given, one on-site inspection was conducted, and 62 administrative requests for reports and materials were made under the APPI. Few administrative orders or recommendations have been issued because companies generally comply with the PPC's administrative guidance and advice. Moreover, companies are typically concerned with their social reputation and, thus, endeavour to comply with laws and regulations.
Key Concepts and Terminology
In order to understand the regulations under the APPI, it is important to distinguish between three key categories: personal information, personal data and retained personal data.
The APPI defines personal information as information about living individuals that (i) can identify specific individuals or (ii) contains an individual identification code (Article 2.1).
Information that can be used to identify specific individuals includes information that can be readily collated with other information to identify specific individuals. Whether information can be readily collated with other information for this purpose would be determined on a case-by-case basis, depending on how it is stored or handled by the handling operator. For example, information collected by cookies by itself is not personal information; however, if the handling operator can easily collate information collected by cookies with the name of the individual (which typically occurs when registered customers log in to the website of a company, and the company knows the cookie ID of the registered customer), the information collected by the cookies will be deemed to be personal information.
An individual identification code means either (i) a code (characters, numbers, symbols or other codes) into which a partial bodily feature of a specific individual has been converted for use by computers and which can identify that specific individual, or (ii) a code that is assigned to services or goods provided to an individual, or that is stated or electromagnetically recorded on a card or any other document issued to an individual, so as to identify them as a specific user, purchaser or recipient of the issued document (Article 2.2). The various types of individual identification codes are listed in a Cabinet Order and include driver's licence, passport and health insurance numbers. Credit card numbers and phone numbers are not individual identification codes.
Personal data means personal information contained in a personal information database (Article 16.3), which is a collection of information (which includes personal information) that is systematically organised to enable a computer (or through another means) to search for particular personal information; however, this term excludes a collection of information that a Cabinet Order indicates as having little possibility of harming an individual's rights and interests considering how that collection uses personal information. Examples of information collections excluded from this definition include a commercially available telephone directory or a car navigation system (Article 16.1).
Retained personal data means personal data that a handling operator has the authority to disclose, correct, add, or delete content from; discontinue the use of; erase; or discontinue the provision of to a third party, excluding certain limited personal data (Article 16.4).
The regulator tasked with enforcing and implementing the APPI is the PPC, which has the following powers:
For some sectors, other government authorities also enforce the APPI. For example, the FSA is the relevant authority for banks, whereas for telecommunication service providers, MIC is the appropriate authority.
The PPC does not have the authority to conduct criminal investigations and the APPI explicitly stipulates that the PPC’s power to conduct on-site inspections does not include criminal investigations (Article 143.3).
It is important to note that the APPI imposes no administrative fines. Criminal sanctions may only be imposed if the handling operator violates an order given by the PPC as part of an administrative sanction, provides a personal information database to unauthorised persons or misuses it for unlawful gains, or refuses to make a report or makes a false report in response to an investigation by the PPC. Please see 2.5 Enforcement and Litigation for the relevant articles and penalties.
While local governments have enacted jyorei on data protection, those regulations apply only to the public sector. Please note that from 1 April 2023, jyorei will be regulated by the APPI, as discussed in 1.1 Laws.
The PPC accredits private organisations called accredited personal information protection organisations (Nintei Kojin Jyouhou Hogo Dantai) to promote the proper handling and protection of personal information by handling operators. These accredited organisations process complaints against their member handling operators and provide information to them, in order to ensure the reliability of those operators' businesses and promote the protection of personal information. They also establish their own rules, with which their member handling operators must comply.
The APPI follows the Organisation for Economic Co-operation and Development’s eight Privacy Principles. Japan has reached an agreement with both the EU and the UK to certify each other’s country or territory as an “adequate” country for Japan’s and the EU/UK’s data protection purposes; however, this does not mean that the APPI is identical to Regulation (EU) 2016/679 (the General Data Protection Regulation, or GDPR).
Japanese data protection law is, nonetheless, closer to the EU omnibus model than the US sectoral/subnational approach in the sense that Japan has a comprehensive data protection law, the APPI.
As discussed in 1.1 Laws (Major Laws), the APPI was amended in 2020 and 2021, and TBA was amended in 2022.
As explained in 1.1 Laws, significant portions of the APPI amendments, approved in 2020 and 2021, came into force on 1 April 2022, while the remaining part is expected to be effective from 1 April 2023. In line with the amendment of the APPI, the relevant Cabinet Order, the PPC Ordinance, guidelines, and FAQs of the APPI were updated.
Handling Operator Duties
The various obligations of a handling operator under the APPI are set out below.
The 2020 amendments to the APPI introduced mandatory obligations to report data breach incidents to the PPC and to notify affected data subjects in cases where their rights and interests are likely to be infringed (Article 26).
Under Article 27.5(i) of the APPI, if a handling operator entrusts all or part of the handling of personal data it has acquired to an individual or another entity, that individual or entity will not be considered a third party under Article 27.1.
For example, if a handling operator uses third-party service vendors and shares personal data with those vendors for them to process on the handling operator's behalf, and not for their own use, that transfer will be deemed an "entrustment" and is not subject to the third-party transfer restrictions.
When a handling operator “entrusts” personal data, it must exercise the necessary and appropriate supervision over the entrusted person to ensure security control over the entrusted personal data (Article 25).
A handling operator may share and jointly use personal data with specific individuals or entities as long as the handling operator, before any information sharing and joint use, notifies the data subject or makes the following information accessible to them (Article 27.5(iii)):
After notice or publication of the foregoing matters is made, the identified joint users will not be deemed third parties within the context of Article 27 and, therefore, the handling operator and the identified joint users may share and jointly use specific items of personal data as if they were a single entity.
A handling operator may transfer personal data to a third party without the opt-in consent of data subjects if the transfer accompanies a business succession caused by a merger or other legal reason (Article 27.5 (ii)).
Filing of Notification of Opt-Out Consent
Under Article 27.2 of the APPI, a handling operator may provide personal data (excluding special-care-required personal information and personal data which was acquired by improper means or provided by another handling operator pursuant to the opt-out mechanism) to a third party without the opt-in consent of data subjects if the following conditions are satisfied:
Please note that, in practice, the PPC does not readily accept the foregoing opt-out notification unless it is not practical to seek the data subjects’ consent, and it is difficult to use the other exceptions.
Data Protection Officers
The APPI has no provision mandating the appointment of a privacy or data protection officer; however, a handling operator must take necessary and proper measures to prevent the leakage, loss or damage of personal data and implement other security controls. Under the PPC Guidelines, those measures should include the following:
The PPC Guidelines indicate that appointing a person to be in charge of the handling of personal data is an example of proper and necessary measures. However, although a handling operator is expected to adopt the measures described in the PPC Guidelines, the failure to adopt such measures is not a direct breach of the APPI.
Under the amendment of the TBA, large telecommunications service providers will be required to appoint a chief manager responsible for handling user information.
Privacy by Design/Default and Privacy Impact Analyses
The APPI does not mandate obligations regarding privacy impact analyses. Still, the PPC has issued a report titled “Promoting the implementation of PIA - Significance of PIA and points to keep in mind in the implementation procedure” and encourages business operators to follow the report voluntarily. The APPI does not refer to the concepts of privacy by design or by default, but PPC guidelines on accredited personal information protection organisations recommend that these organisations promote privacy by design.
Article 32.1 of the APPI requires handling operators to make the following information regarding retained personal data available to data subjects:
Most handling operators typically comply using internal and external privacy policies.
The PPC Guidelines also recommend stating the following in a handling operator’s basic policies as security control measures regarding personal data:
The PPC Guidelines also recommend being transparent in disclosing the entrustment of work involving personal data (eg, disclosing whether entrustment has been made and what kind of work has been entrusted).
Data Subjects’ Rights
A data subject may request a handling operator disclose their retained personal data and the record of providing it to a third party. The handling operator must comply with the request unless there is a possibility that the disclosure could harm the data subject’s or a third party’s life, body, property or other rights and interests, or could seriously interfere with the handling operator’s business (Article 33).
A data subject may also request a handling operator to correct, add, or delete retained personal data. The handling operator must investigate without delay and, based on the results of the investigation, comply with the request to the extent necessary to achieve the purposes of use of the retained personal data (Article 34).
Furthermore, the data subject may request the handling operator to discontinue the use of or erase retained personal data and to stop providing retained personal data to third parties if:
However, this obligation will not apply if it will be too costly or difficult to discontinue the use of or erase the retained personal data and the handling operator takes necessary alternative measures to protect the rights and interests of the data subject (Article 35).
The APPI has no provision for data portability.
Anonymisation, De-identification or Pseudonymisation
The APPI recognises the concept of anonymously processed information, defined as information obtained by processing personal information so that ordinary people cannot identify a specific data subject using the processed information or restore any personal information from the processed information (Article 2.6). This framework intends to promote the use of anonymously processed information by clarifying the rules and was expected to lead to the use of big data, innovations and new businesses. A handling operator can provide anonymously processed information to third parties without the consent of the data subjects, provided that the handling operator:
According to the PPC Guidelines, statistical information, meaning information that can be obtained by extracting items concerning a common element from information taken from several people and tallying them up by category, is not anonymously processed information because statistical information is not information regarding an individual and, thus, is not covered by any regulations under the APPI.
The 2020 amendment of the APPI introduces the concept of pseudonymously processed information. This information is processed so that it cannot be used to identify a specific individual without collation with other information (Article 2.5). The pseudonymously processed information is exempted from certain regulations under the APPI, such as restrictions on changing the purpose of use, the obligation to comply with the data subject’s rights, and report/notification obligations in the case of a data breach (Article 43).
Profiling, Microtargeting, Automated Decision-Making, Online Monitoring or Tracking, Big Data Analysis and Artificial Intelligence
There is no specific statutory law on microtargeting, online monitoring or tracking. However, any activity relating to the collection, use and provision of personal information will be subject to the rules of the APPI.
Under the 2020 amendment of the APPI, certain types of cookies, web beacons, online identifiers and so forth are subject to new regulations. Under the APPI, whether a transfer to a third party is a transfer of personal data, and whether the data is personal data at all, is judged based on the circumstances of the transferor, not the transferee. In brief, if the data is not personal data in the hands of the transferor, the regulations on transfers of personal data to third parties do not apply. In recent years, some schemes have emerged whereby data management platforms provide non-personal information, such as user data collected by cookies (eg, user browsing histories, interests and preferences), to third parties in the knowledge that the data will become personal data in the hands of the recipient, because the recipient can collate it with its own customer records. The PPC was concerned by the expansion of this kind of data sharing without the involvement (control) of the data subjects. As a result, the concept of personally referable information was introduced. It is defined as a collective set of information comprising information relating to a living individual which does not fall under personal information, pseudonymously processed information or anonymously processed information, but which has been systematically organised to be searchable by computer for specific personally referable information, or similar information prescribed by Cabinet Order. The amended APPI regulates the provision of personally referable information where the provider assumes that the recipient will acquire the provided personally referable information as personal data. In this case, the transferor must confirm that the transferee has obtained the data subjects' consent to receive their data as personal data.
See 5.1 Addressing Current Issues in Law for other items relating to profiling, microtargeting, automated decision-making, big data analysis and artificial intelligence.
There is no definition of “injury” or “harm” under the APPI. However, an infringement of privacy is a tort under the Civil Code if the individual suffers from a mental burden or mental uneasiness regarding the disclosure of information.
The APPI contains the concept of special-care-required personal information, defined as personal information comprising a principal's race, creed, social status, medical history, criminal record, the fact of having suffered damage from a crime, or other descriptions that may be prescribed by a Cabinet Order (Article 2.3). The handling operator must obtain prior consent to acquire special-care-required personal information (Article 20.2) and to transfer it to a third party; the opt-out mechanism is not available for such information (Article 27.2). For health data, the following categories of personal information are included in special-care-required personal information:
The Act Regarding Anonymised Medical Data to Contribute to Research and Development in the Medical Field (the so-called Medical Big Data Act) was enacted. Under this act, government-accredited medical information anonymisation entities can obtain medical information from medical institutions (eg, hospitals) unless the data subjects opt out. Those entities are entitled to anonymise the acquired medical information and distribute the anonymised medical information for the purpose of R&D in the medical area.
Financial data is not categorised as special-care-required personal information; however, if the information can identify an individual, the financial data will be treated as ordinary personal information.
A voice recording of a telephone call is not in itself personal information, but it can be considered as such if the speaker can be identified from its contents or by collation with other information. Even if a voice recording is not protected as personal information, it is subject to protection under the basic principle of secrecy of communication guaranteed by the Constitution of Japan and by the TBA, the Radio Act and the Wire Telecommunications Act, which specifically protect the secrecy of telecommunications.
The same applies to text messaging.
Other Categories of Sensitive Data
Information on political or philosophical beliefs generally falls within special-care-required personal information as a personal belief.
The APPI has no provisions regarding personal information related to union membership or sexual orientation. However, since that type of information is protected under the GDPR, the PPC has issued Supplementary Rules under the APPI for the handling of personal data transferred from the EU based on an adequacy decision, which provides that if any information is transferred from member countries of the EEA and the UK based on an adequacy decision, the information must be protected under the same standards as special-care-required personal information. In addition, data protection guidelines for the financial sector, published jointly by the FSA and the PPC, stipulate that information on union membership and sexual orientation is considered sensitive information. Financial companies should not acquire, use or collect such information unless specific exceptions apply.
Behavioural advertising is not directly regulated under the APPI, but any personal information collected to provide behavioural advertising is subject to the APPI.
The 2020 amendment of the APPI introduced regulations for certain cookies, web beacons, and other tracking technology underlying behavioural or targeted advertising. Please see 2.1 Omnibus Laws and General Requirements (Profiling, Microtargeting, Automated Decision-Making, Online Monitoring or Tracking, Big Data Analysis and Artificial Intelligence).
The amendment of the TBA will impose new obligations on telecommunications service providers whose services have a non-trivial impact on users' interests ("TSPs"). More specifically, a TSP is a provider of any of the following:
When a TSP causes users' information (typically including cookies) to be sent to an external party, the TSP is required to (i) give notice, (ii) make a public announcement, (iii) obtain opt-in consent, or (iv) provide an opt-out mechanism with respect to certain matters, including the content of the information sent, the name of the recipient and the recipient's purpose of use of the information.
Video and Television
Image information in videos or television is categorised as personal information and subject to the restrictions under the APPI if it can identify a specific individual. MIC has published a Handbook for the Use of Camera Images. This handbook explains the considerations necessary for utilising camera images for commercial purposes and illustrates the key points through specific examples. In addition, the PPC published the Draft Report of the Expert Panel on the Use of Camera Images for Crime Prevention and Security, which went through the public comment procedure in January 2023. This report covers points to be noted when introducing camera systems with facial recognition functions, from the perspective of compliance with the APPI and of avoiding infringements of portrait rights and privacy, as well as voluntary measures to gain the understanding of the subjects of the images and of society.
Social Media, Search Engines, Large Online Platforms
If social media and online platforms are categorised as “telecommunication services” under the TBA, then the provider will be subject to the MIC’s guidelines on personal information for telecommunication businesses. Business operators providing telecommunications services with an average of more than 10 million users per month in the previous year (for free telecommunications services) or more than 5 million users per month (for fee-based telecommunications services) are required under the amended Telecommunications Business Act (effective 16 June 2023) to formulate and notify information handling rules, formulate and publish information handling policies, conduct self-evaluation and reflect them in information handling rules and regulations, and appoint and notify a general management representative.
As for large online platforms, there is an Act on Enhancing Transparency and Fairness of Specified Digital Platforms (the Transparency Act), which takes the necessary measures to ensure transparency and fairness of transactions between designated large-scale digital platform operators and digital platform users. It also provides a mandatory disclosure rule about how user data is processed.
Intermediary Liability for User Generated Content
Under the Provider Liability Limitation Act, even if an online platform has distributed information posted by a third party which infringes the rights of another person, the general rule is that the service provider will not be liable unless it is aware of or has a good reason to be aware of the infringement.
A Q&A issued by the PPC states that for minors between the ages of 12 and 15, the consent of a person with parental authority over the minor must be obtained for data processing, which requires the consent of data subjects (eg, provision of personal data to third parties and collection of special-care-required personal information).
Educational or school data is not subject to special restrictions but only to the restrictions under the APPI as personal information.
Rights to Object to Sale of Data and Tracking
There are no rights to object to the sale of personal data as such, but the APPI sets forth a similar scheme regarding the provision of personal data. Providing personal data to a third party is generally permissible only with consent or under an opt-out mechanism. If a data subject does not want their personal data to be provided or sold to another entity, they should either withhold their consent or object to any such provision or sale (opt out). For more details on opt-out, please see 2.1 Omnibus Laws and General Requirements (Filing of Notification of Opt-Out Consent). As for tracking, the amended APPI regulates the provision of personally referable information. Please see 2.1 Omnibus Laws and General Requirements (Profiling, Microtargeting, Automated Decision-Making, Online Monitoring or Tracking, Big Data Analysis and Artificial Intelligence).
Unsolicited marketing by email is regulated principally by the Act on the Regulation of Transmission of Specified Electronic Mail (the Anti-Spam Act). Under the Anti-Spam Act, marketing emails can only be sent to recipients who (i) have given prior consent to receive them, (ii) have provided the sender with their email addresses in writing (for instance, by providing a business card), (iii) have a business relationship with the sender, or (iv) make their email address available on the internet for business purposes. In addition, the Act requires the senders to allow the recipients to opt out.
Furthermore, the Act on Special Commercial Transactions restricts marketing regarding mail order businesses, including online shopping, but does not provide exceptions similar to items (ii) to (iv) of the preceding paragraph.
As discussed in 2.1 Omnibus Laws and General Requirements, behavioural and targeted advertising is not directly regulated under the APPI, but any personal data collected to provide behavioural and targeted advertising is subject to the APPI. There are no specific restrictions for behavioural and targeted advertising. However, the 2020 amendment of the APPI introduced regulations for certain cookies, web beacons, and other tracking technology underlying behavioural or targeted advertising.
There are special restrictions on telecommunication business operators regarding location information under the MIC’s guidelines on personal information for telecommunication businesses. Under the guidelines, telecommunication business operators can obtain or transfer location information from a mobile device only with the data subject’s prior consent or if there is a justifiable cause.
The Ministry of Health, Labour and Welfare has issued a notice regarding the health information of employees, which provides for an employer’s handling of the health information of its employees, including a condition that an employer shall not handle the health information of any employee beyond the scope necessary to secure the employee’s health.
Furthermore, the Employment Security Act has special restrictions on obtaining information on job applicants during recruitment to prevent discrimination.
The employer has the right to monitor work-related communications in the workplace and to use cybersecurity tools, insider threat detection and prevention programmes, and data loss prevention technologies, but privacy issues may arise regarding private communications and other private matters at the workplace. It is therefore recommended that employers establish internal rules prohibiting the use of company PCs and email addresses for private purposes and disclose to employees that those devices and data, including emails, may be monitored.
In principle, there is no special role for labour organisations or works councils regarding employment-related data privacy, but there is a general requirement for employers to obtain the opinion of the employee representative in establishing work rules.
The Whistle-Blower Protection Act prohibits employers from dismissing whistle-blowers. The Act does not require companies to have whistle-blower hotlines or systems, but the Consumer Affairs Agency has published guidelines for private entities on establishing and operating whistle-blower hotlines. The guidelines also specify several measures that companies must implement to protect the personal information of whistle-blowers, such as limiting the persons who can access documents relating to the whistle-blowing.
The PPC has the power to enforce administrative sanctions. Please see 1.2 Regulators for the details of administrative sanctions.
Please see 1.1 Laws for recent statistics on administrative sanctions enforced by the PPC. From May 2017, when the PPC became the regulator and enforcement authority for the APPI, until August 2019, the PPC did not issue any official recommendations or administrative orders. The PPC has subsequently issued them in cases with a large social impact. For example, on 26 August 2019, the PPC issued its first official recommendation, to a company operating an online job platform. The company was found to have scored users' likelihood of declining a job offer based on their web browsing history and to have sold the scores to prospective employers, and the PPC decided that the company had not complied with the procedures required under the APPI.
On 29 July 2020, the PPC issued its first two administrative orders, for non-compliance with an official recommendation. In these cases, two anonymous operators of internet sites had published the personal data of bankrupts, including names and addresses, in violation of the procedures required under the APPI. On 23 March 2022 and 2 November 2022, the PPC again issued administrative orders against similar website operators. On 11 January 2023, the PPC officially requested a criminal investigation authority to file a criminal charge against an operator for non-compliance with such an order.
Please note that, even after May 2017, the PPC has delegated its enforcement powers to the relevant public authorities for some industries.
Criminal sanctions for violations of the APPI are as follows.
If a handling operator (a natural person, or a director or employee of the handling operator) breaches an order of the PPC issued as part of an administrative sanction (please note that an order does not include guidance, advice or a recommendation by the PPC), they may be subject to imprisonment of up to one year or a fine of up to JPY1 million (Article 173). If an employee of an entity commits the breach, that entity will be subject to a fine of up to JPY100 million (Article 179.1 (i)).
Should a handling operator (natural person or a director or employee of the handling operator) provide a personal information database to an unauthorised party or misuse such a database for unlawful gains, they may be subject to imprisonment of up to one year, or a fine of up to JPY500,000 (Article 175). If an employee of an entity commits the breach, that entity will be subject to a fine of up to JPY100 million (Article 179.1 (i)).
If a handling operator (natural person or a director or employee of the handling operator) refuses to make a report or makes a false report in response to an investigation by the PPC or an administrative sanction, it may be subject to a criminal fine of up to JPY500,000 (Article 176). If an employee of an entity commits the breach, that entity will be subject to a fine of up to JPY500,000 (Article 179.1 (ii)).
The APPI does not provide the legal procedures that the PPC or the prosecutors must follow when alleging violations of privacy or data protection laws. However, the authorities must generally follow the general restrictions of the Code of Criminal Procedure regarding the imposition of criminal sanctions, while the PPC does not have to follow those restrictions regarding administrative sanctions.
The Act on Special Measures Concerning Civil Court Proceedings for Collective Redress for Property Damage Incurred by Consumers allows for class actions to be filed by consumers. Please note that claims allowed under that law are limited to property damage and do not cover compensation for distress caused by a breach of the APPI. Please also note that an amendment to this act will come into force on 1 October 2023, which will include emotional distress in the scope of the class action if it is caused along with property damage or by intentional conduct. As a practical matter, a number of data subjects may select the same lawyer to represent them, and that lawyer can file one litigation for those data subjects, which can be similar to a class action.
Recent leading cases
In a decision issued in October 2017, the Supreme Court found that the breach of a right to privacy may give rise to a claim for compensation for distress caused by the leakage of personal information (eg, names, birth dates, addresses, and telephone numbers). The case was remanded to the Osaka Appeal Court, which awarded JPY1,000 to the claimant on 20 November 2019. In addition, the Tokyo Appeal Court awarded JPY3,300 to other plaintiffs on 25 March 2020 for the same data breach. The Supreme Court denied appeals of these cases in December 2020; thus, these Appeal Court decisions are deemed final.
In criminal investigations, prosecutors and law enforcement agencies such as the police must follow the Constitution of Japan and the Code of Criminal Procedure requirements for any compulsory access to data. Any compulsory search or seizure can only be made with a court warrant.
In addition, the Constitution of Japan prohibits the violation of the secrecy of communication. In this regard, the Act on Wiretapping for Criminal Investigation allows investigative authorities to intercept phone conversations and electronic telecommunications only for certain serious crimes and only within the scope of a court warrant and stipulates special restrictions for wiretapping.
Judicial review acts as a safeguard to protect privacy.
Any compulsory search, seizure or wiretapping for national security purposes is also considered as being subject to the restrictions discussed in 3.1 Laws and Standards for Access to Data for Serious Crimes.
Judicial review acts as a safeguard to protect privacy.
Without relying on international assistance in investigation schemes, a foreign government may not forcibly request a Japanese entity to turn over personal information. In addition, a handling operator may face a problem if it voluntarily gives personal data to a foreign government. The reason is that under the APPI, the general rule is that a handling operator cannot provide personal data to any third party without the data subject’s prior consent, except in specified cases (Article 27.1). These specified cases are where the provision of personal data is:
It is understood that a “state institution” referenced in the fourth point above refers only to the Japanese government and not foreign governments, and the “laws” referenced in the first point above do not include foreign laws.
If a handling operator is required to disclose the personal data of Japanese residents in accordance with foreign law or by the action of a foreign governmental institution, it may use the exception in the second point above, although this is debatable. If a handling operator would like to make disclosures based on foreign law or the action of a foreign government, then it is advisable that it obtains the prior consent of users to provide the user data where required by foreign law or a foreign governmental institution through its privacy policies.
Japan does not participate in a Cloud Act agreement with the United States of America.
As discussed in 1.1 Laws (Major Laws), the My Number System was introduced in Japan in January 2016 to improve administrative efficiency, public convenience, and fairness in tax administration and social welfare in Japan. My Numbers are used by central governmental organisations and local governments for administrative procedures relating to social security, taxation and disaster response.
While there were discussions concerning the introduction of the My Number, and there was dissenting public opinion, the system has now been fully implemented, and the scope of its use is slowly expanding. Since January 2018, it has been used in the financial sector; for example, to obtain information regarding bank savings accounts. From March 2021, it can be used as a health insurance card. The government uses My Number to manage COVID-19 vaccination status.
There are special restrictions on the transfer of personal data to a foreign country. In principle, the APPI requires the transferor to obtain the prior consent of individuals whose personal data will be transferred to a third party located in a foreign country (Article 28). Thus, the overseas transfer restrictions will apply if a foreign company transfers the user data to another company outside Japan. However, if the foreign company transfers the user data to a company in Japan, the overseas transfer restrictions will not apply. The foregoing restriction applies even in cases of entrustment and joint use, which are exceptions to local third-party data transfer restrictions. The data subjects’ consent to overseas data transfers is not necessary only if the following applies.
The implementation of the PPC Ordinance is contained in the PPC Guidelines, under which the “appropriate and reasonable methodologies” referred to above include agreements between the data importer and the data exporter, or inter-group privacy rules, which ensure that the data importer will treat the disclosed personal data in accordance with the spirit of the APPI. With respect to the second item above, the PPC Guidelines have identified the APEC CBPR as a recognised international framework for the handling of Personal Information.
Additional Obligation Under the 2020 Amendments
Under the 2020 amendment of the APPI, international data transfers are permitted subject to additional requirements. First, handling operators who transfer personal data to a foreign country based on the aforementioned consent mechanism are required to provide the data subject with certain information as specified by the amended Ordinance issued by the PPC (the amended PPC Ordinance) (Article 28.2). According to the PPC Ordinance, the foreign country’s name, the foreign country’s personal information protection system, and the measures to be taken by the recipient party to protect personal information are required to be provided to the data subject.
Secondly, when handling operators transfer personal data relying on the recipient’s equivalent system of data protection, they will be required to take steps necessary to ensure that the overseas recipient continuously takes equivalent measures and to provide a data subject with certain information about the measures to be taken upon a request under the amended PPC Ordinance (Article 28.3). In this regard, according to the PPC Ordinance, one of the measures to ensure such matters is to periodically confirm the implementation status of the equivalent measures taken by the recipient and the presence or absence of a system in the foreign country that might affect the implementation of the equivalent measures. The other measure is to take necessary and appropriate measures if the recipient party’s implementation of the equivalent measures is interfered with in some way and to suspend the provision of personal data if it becomes difficult to ensure the continuous implementation of the equivalent measures.
The PPC Ordinance also states that the information to be provided to a data subject upon request is:
As a result, data transfer to countries where improper government access to data takes place can be difficult. A comparable difficulty arose under the GDPR’s international data transfer regulations following the Schrems II case.
International data transfers are allowed under some requirements. Please see 4.1 Restrictions on International Data Issues.
As discussed in 4.1 Restrictions on International Data Issues, overseas data transfer restrictions do not require government notification or approval.
There are no data localisation requirements under the APPI.
Software code or algorithms are not required to be shared with the government.
See 3.3 Invoking Foreign Government Obligations.
There are no blocking statutes under Japanese law.
Big Data Analytics
The APPI has a concept of anonymously processed information, to which the regulations regarding personal information will not apply. The 2020 amendment of the APPI introduces a concept of pseudonymously processed information. Please see 2.1 Omnibus Laws and General Requirements (Anonymisation, De-identification or Pseudonymisation) for further details on anonymously processed information and pseudonymously processed information.
As for big data analytics, data sharing will typically happen between companies subject to contracts between those companies. The Ministry of Economy, Trade and Industry (METI) has published guidelines on contracts regarding sharing (big) data between companies.
Automated Decision-Making, Profiling and Microtargeting
There are currently no specific laws or regulations regarding automated decision-making, profiling, and microtargeting; however, the improper use of relevant technology may, in theory, be deemed fomenting or prompting unlawful or unfair acts that are prohibited under Article 19 of the amended APPI. The amended guidelines stipulate that when analysing information on the behaviour and interests of an individual, handling operators must specify the purpose of use so that the data subject can predict or assume what kind of data processing is being performed, and the process of profiling may need to be explained accordingly.
Artificial Intelligence (including Machine Learning)
Legal problems concerning artificial intelligence have been the subject of intensive discussions of late, including matters such as liability for the actions of an AI and ownership of rights regarding contents created by an AI; however, no laws or regulations target AI at this time.
The Institute for Information and Communications Policy (IICP) and the MIC have jointly published the Draft AI R&D Guidelines for International Discussions, which explains the AI R&D principles and nine other principles for research into and the development of AI. These are tentative guidelines for further international discussion. The MIC also published Guidelines for AI Utilisation in August 2019. These summarise the issues that AI users (including AI service providers) are expected to pay attention to in the utilisation phase in the form of “principles” and provide explanations based on the principle of a human-centred AI society. Some other associations regarding AI have also published the same principles or guidelines for research into and the development of artificial intelligence.
Internet of Things (IoT) and Ubiquitous Sensors
Legal problems regarding the IoT and ubiquitous sensors have been the subject of intensive discussions of late, but no specific laws or regulations are currently targeting the IoT or ubiquitous sensors.
Still, the MIC has published guidelines regarding comprehensive measures for IoT security (July 2016).
Please also refer to the sections on big data analytics and artificial intelligence.
Autonomous Decision-Making (including Autonomous Vehicles)
Legal problems regarding autonomous vehicles, including ethical issues, disclosure of the bases and logic of autonomous decision-making processes, and responsibility for accidents, have been the subject of recent intensive discussions in Japan. The Road Traffic Act was amended in April 2020 and April 2022, allowing autonomous vehicles to drive under some requirements.
Facial recognition data is considered personal information subject to the regulations explained in 2.1 Omnibus Laws and General Requirements. For example, facial recognition data collected for the prevention of crimes cannot be used for marketing purposes.
Biometric data is considered personal information subject to the regulations explained in 2.1 Omnibus Laws and General Requirements.
The geolocation of persons is considered personal information and is subject to the regulations explained in 2.1 Omnibus Laws and General Requirements. In practice, it is highly recommended to obtain the consent of data subjects before collecting accurate GPS data because of privacy concerns. If the geolocation information is obtained through mobile communication provided by a telecommunications company, it will be protected under the secrecy of communication.
There are laws and regulations on the use of drones, including the Aviation Act, prohibitions on the flight of small pilotless planes, and local government ordinances. There are also privacy concerns regarding the use of drones, and the MIC has published guidelines regarding the use of images or videos filmed by drones on the internet.
Disinformation, Deepfakes, and Other Online Harms
There are currently no laws or regulations regarding disinformation and deepfakes. However, online harms – such as anonymous online defamation, privacy infringement, and insults – are viewed as a serious problem. To address these, a legal procedure mandates server operators and internet service providers to disclose information identifying the relevant poster. However, this procedure is complicated, costly and lengthy, and thus an amendment of the relevant law which eases the legal procedure was approved in April 2021 and took effect from October 2022. The MIC started a public consultation about how online platforms should respond to illegal and harmful information such as slander and defamation on 27 December 2022.
“Dark Pattern” or Online Manipulation
There are currently no specific laws or regulations regarding “dark patterns” or online manipulation. However, if a business obtains consent in a deceitful or unfair manner, the consent or the contract may be cancelled.
Fiduciary Duty for Privacy or Data Protection
Directors of companies owe a fiduciary duty to those companies. This fiduciary duty typically includes the duty to establish an internal risk management system for privacy or data protection. The Corporate Privacy Governance Guidebook for the DX Era, issued by the METI (version 1.2 in February 2022), can be useful for corporate privacy governance.
The METI takes necessary measures to improve transparency and fairness in trading on digital platforms under the Transparency Act. The Japan Fair Trade Commission is authorised to exercise certain measures against unreasonable restraint of trade and unfair trade practices taking advantage of market power under the Anti-monopoly Act.
Please refer to 2.5 Enforcement and Litigation for examples of significant privacy and data protection regulatory enforcement or litigation.
In the context of due diligence in M&A, analysing the legal issues related to privacy and data protection that come with an acquired business is necessary, given the potential for such issues to crystallise into a significant risk.
There are no non-cybersecurity-specific laws which legally mandate the disclosure of an organisation’s cybersecurity risk profile or experience; however, in practice, it is common for publicly listed companies to disclose cybersecurity risks in the “risk of business” section of their annual securities reports. Both the Cybersecurity Management Guidelines issued by the METI and the Information-Technology Promotion Agency and the Point of View Regarding Cybersecurity for Enterprise Management issued by the NISC mention the possibility of public disclosure. The MIC has published Manuals for Information Disclosure of Cybersecurity Measures (28 June 2019).
The key development in consumer protection law is an amendment of the Consumer Contract Act. It will come into force on 1 June 2023. This act will nullify a clause in a consumer agreement if the clause limits the liabilities of a business resulting from its slight negligence but leaves it unclear whether the clause applies to the slight negligence of the business. For example, if a limitation of liability clause states “To the maximum extent permitted by applicable law: (i) in no event will ABC, ltd be liable for special, incidental, or consequential damages; and (ii) ABC, ltd’s liability will in no event exceed fifty dollars,” such clause will be nullified. Instead, it should state “Where ABC, ltd’s slight negligence causes damages, (i) in no event will ABC, ltd be liable for special, incidental, or consequential damages; and (ii) ABC, ltd’s liability will in no event exceed fifty dollars.”
There are no data protection or privacy issues of major importance not already covered in this chapter.
16th Floor, Marunouchi Park Building; Tel +81 3 6212 8330; www.mhmjapan.com
Dramatic Increase in Data Breach Reporting
In November 2022, the Personal Information Protection Commission ("PPC") published a report stating that there were 1,587 reported data breach incidents pursuant to the Act on the Protection of Personal Information ("APPI") from April to September 2022. The number dramatically increased from the 517 reports during the same period in 2021.
In its report, the PPC stated that one of the causes for this surge was due to the substantive amendments to the APPI ("the 2020 Amendments"). Under the 2020 Amendments, businesses are required to file an initial report to the PPC of the data breach within three to five days of the incident. The 2020 Amendments also require businesses to file a more detailed follow-up report within 30 days (within 60 days if a wrongful act by third parties - ie, ransomware - has likely caused such data breach).
The PPC report states that a significant portion of the data breaches involved medical institutions erroneously delivering or misplacing documents containing "special-care required personal information" (which broadly refers to "sensitive personal data"). Another major cause of data breaches highlighted by the PPC report was unauthorised access exploiting technical vulnerabilities in websites and networks.
High Profile Data Breaches Lead to Increased Enforcement
In correlation with the number of data breach reports, many high-profile incidents have occurred, which has led to the PPC becoming increasingly active in enforcement.
One particular data breach incident widely covered by the Japanese media involved the temporary loss of the personal information of an entire city in Hyogo Prefecture. In this highly publicised case, Amagasaki City, which has a population of approximately 455,000, outsourced the processing of the personal information of its residents to an IT vendor, who further outsourced the processing to a subcontractor. The personal information of all residents of Amagasaki City - including bank accounts, residents' names, dates of birth, and other personal data - had been recorded on a USB memory stick. The USB stick was passed on to the subcontractor, where the loss occurred. Fortunately, the USB stick was later recovered without any apparent misuse. However, in light of the enormous volume and highly significant nature of the data breach incident, the PPC promptly issued a public administrative sanction against all parties involved. The incident also prompted the PPC to take further action beyond the parties, issuing a written notification to local governments throughout Japan to comply with the legally required procedures under the APPI, emphasising security. The PPC also issued a public statement alerting all businesses to comply with the required security control measures and adequately supervise employees and subcontractors to comply with the statutory requirements under the APPI.
Another notable data breach incident in the financial services area involved a payment agency suffering a cyberattack in the form of an unauthorised login by a third party due to a vulnerability in its system. The compromised data included credit card numbers and payment information of customers of e-commerce websites who had used the payment service for their customer transactions. This incident was also widely reported as it involved a significant volume of personal data, which included sensitive data such as credit card information. The PPC issued public administrative guidance against the payment agency, stating that it lacked sufficient audits and inspection procedures. In its administrative guidance, the PPC required the payment agency to take organisational and technical safety control measures to comply with the APPI fully.
As was highlighted in the PPC report, there were several data breach incidents involving medical institutions and sensitive data. For example, doctors at several medical institutions in Japan disclosed surgical videos containing personal information, such as the patients' names, to a medical device manufacturer without consent. Furthermore, the medical device manufacturer failed to inform the data subjects of the purpose of use, consequently triggering administrative sanctions by the PPC, which issued public guidance to the medical device manufacturer and medical institutions to comply with the APPI.
In the realm of medical data, a data breach issue arose in relation to special legislation under the APPI. The "Act on Anonymized Medical Data Use for the Purpose of Contributing to Research and Development in the Medical Field" ("Next Generation Medical Infrastructure Act") is special legislation promoting research and development in the medical field. The Next Generation Medical Infrastructure Act allows medical institutions to provide medical data to authorised business operators upon notification to the data subjects. The act also enables authorised business operators to provide anonymised processed medical information to users such as researchers at universities and pharmaceutical companies unless the notified data subjects opt out. However, due to a software misconfiguration, the medical data of unnotified patients had been shared through this framework. Due to the sensitivity of this matter, the PPC issued public administrative guidance to all the parties concerned.
Another notable development was the Ministry of Health, Labour and Welfare ("MHLW") guidelines for hospitals on the safe management of medical information systems, published in March 2022. This was in response to the fact that numerous medical institutions in Japan had been targets of ransomware attacks. As a follow-up, in December 2022, the MHLW established a portal website for medical institutions, including online training and e-learning materials on cyber security and emergency contact point information.
Unique Development of Cross-Border Transfer Regulations
The 2020 amendments to the APPI have introduced a new regulation on cross-border data transfer by requiring data exporters to provide information on the personal information regime. The guidelines published by the PPC request businesses to provide data subjects with information related to the following:
Under the APPI, the data exporter is responsible for providing the information described above. However, in practice, it would be a significant burden for individual businesses to collect such information independently for various jurisdictions. To alleviate this burden, the PPC surveyed personal information protection systems in 40 major foreign countries and regions from August 2021 to March 2022 to provide reference information to businesses. The PPC published the findings of these results in consecutive reports in November 2021 and March 2022.
Apart from providing the data subjects with items necessary to comply with the statutory cross-border regulation, the PPC reports include a general overview of the personal data protection regime in major jurisdictions. Therefore, the PPC report is a guidepost for APPI compliance as well as a valuable source of reference for Japanese businesses seeking to do business in those jurisdictions. However, the PPC has explicitly stated that the published reports are only for basic reference, and Japanese businesses must be responsible for following up on any revisions and updates. As such, Japanese companies will need to establish their own means of remaining up to date on the development of laws and practices in other jurisdictions.
A Study Conducted Towards an EU-Japan-US Data Transfer Framework
Global Japanese companies have customers, subsidiaries or service providers in the United States and/or the EU, thus creating cross-border data transfers between them. To assist Japanese businesses, the PPC published a report summarising its survey on the status of the cross-border transfer of personal data between Japan, the United States, and Europe. This report seeks to formulate a data transfer framework between the EU, Japan and the United States. The report analyses the needs of companies regarding the transfer of personal data among the EU, Japan and the US, including the percentage of companies implementing cross-border transfers of personal data from the EU to Japan and from Japan to the US. The report further examines the content of personal data transferred across borders through two surveys - a questionnaire and an interview - of numerous companies. The report serves as a valuable resource for future data transfer schemes between Japan, the United States and the EU.
Revision of Government Guidelines
In March 2022, the ethical guidelines for life sciences and medical research involving human subjects (Ethical Guidelines) issued by the MHLW were revised. Although the Ethical Guidelines are not legally enforceable, they function as a substantive code for life science and medical research, as compliance with the Ethical Guidelines is a requirement for the award of grants. Amendments to the Ethical Guidelines include revisions to the procedures for obtaining informed consent in response to the amendments to the APPI in 2020 and 2021. The Ethical Guidelines are expected to be amended again in 2023. Under the 2023 amendments of the Ethical Guidelines, research conducted outside of Japan not involving Japanese researchers and not involving collaboration with a Japanese research institution may be subject to the Ethical Guidelines when samples and information are provided from Japan to a third party outside of Japan.
In June 2022, the Telecommunications Business Act was revised. In connection with this revision, the Ministry of Internal Affairs and Communications (MIC) issued the Draft Explanation of Guidelines for the Protection of Personal Information in the Telecommunications Business (Draft Explanation of Telecommunications Business Guidelines). Telecommunication carriers that provide telecommunication services (eg, cell phones and e-mail) must comply with the Draft Explanation of Telecommunications Business Guidelines (in addition to the guidelines for protecting personal information in the telecommunication business sector published by the PPC).
Policies Promoting Business Use of Personal Data and Artificial Intelligence
In 2022, various government agencies (including the PPC) published a number of policy initiatives and policy papers aimed at promoting the business use of Personal Data and AI.
In March 2022, the PPC published a PPC Secretariat Report to promote the business use of "pseudonymously processed information" and "anonymously processed information". These categories of information are exempt from some parts of the regulations under the APPI, such as consent for third-party transfer. However, the APPI requires a specific processing method to create these privileged categories of data that are both complex and technical. Thus, the PPC issued the secretariat report to provide general guidance and actual examples so that businesses will better understand and take advantage of these options.
In April 2022, the Ministry of Internal Affairs and Communications published the "Guidebook on Artificial Intelligence (AI)-based Cloud Services," which outlines issues for cloud service providers to be aware of when developing and providing AI cloud services. Following studies conducted in 2020 on cloud services using AI by a study and working group of academic experts, lawyers, business operators, and other experts, this guidebook was prepared for the following purposes:
The guidebook attempts to systematically organise issues related to AI cloud services from various perspectives and is expected to serve as a practical guideline for developing new services and businesses using AI.
In July 2022, the PPC released reference materials entitled "Basics of the APPI (July 2022)," a document outlining the APPI incorporating the 2022 amendment. As the recent amendment to the APPI has made data privacy regulations more stringent and complex, the PPC aims to provide a practical reference to small and mid-size businesses with limited knowledge and resources.
In October 2022, the PPC published a set of practical tools specifically for "Data Mapping" to help small and mid-size businesses begin the data mapping of the personal data on hand. The toolkit includes questionnaires and checklists and is intended to assist enterprises in accurately grasping the data flow and the status of data privacy compliance as well as managing potential compliance risks.
Guidance on Business Use of CCD Camera Images
Apart from the general promotion of business use of personal data, there has been a trend to promote the use of CCD camera images. On March 30, 2022, the Ministry of Economy, Trade and Industry (METI) and the MIC published the updated "Camera Image Utilisation Guidebook version 3.0" ("Camera Images Guidebook"). The guidebook outlines the privacy issues businesses should consider when handling the facial image data of consumers collected through CCD cameras, coupled with actual use cases and best practices in addressing privacy concerns. Version 1.0 of the guidebook was published in 2017 and quickly became an essential practical reference tool. The new revision includes a review of the issues following the 2020 amendments.
The PPC established its own working group in late 2022 to examine the privacy implications of camera systems with face recognition functions for crime prevention and security. While the Camera Images Guidebook promotes the business use of facial images, the PPC working group aims to provide a more comprehensive overview of related privacy issues. The PPC plans to publish its own report summarising its findings and practical guidance in early 2023.
Otemachi Park Building; Tel +81 3 6775; www.amt-law.com