Major Laws

Japan's principal data protection legislation is the Act on the Protection of Personal Information (APPI). It provides the basic principles for the government's regulatory policies and authority, as well as the obligations of private business operators that handle personal information (the handling operator). An amendment to the APPI was approved in June 2020 and came into full force on 1 April 2022.

Another set of amendments to the APPI was approved in May 2021. Previously, national administrative bodies were regulated by the Act on the Protection of Personal Information Held by Administrative Organs and the Act on the Protection of Personal Information Held by Independent Administrative Agencies. One of the main purposes of the 2021 amendments was to integrate the obligations prescribed in these two laws into the APPI. The amendments relating to this integration came into effect on 1 April 2022.

In addition, local government bodies are regulated under their own local regulations (jyorei), but these vary between bodies. The 2021 amendments to the APPI introduced nationwide principles for jyorei and related implementing guidelines to homogenise the administration of national data protection regulations. Under this set of amendments, standard rules regarding personal information handled by local governments are uniformly stipulated in the APPI, and jyorei can only stipulate local rules in very limited situations allowed under the APPI. These amendments came into effect on 1 April 2023.

Another important law is the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (the “My Number Act”), which stipulates special rules for what is known in Japan as the Number to Identify a Specific Individual in the Administrative Procedure (“My Number”), a 12-digit individual number assigned to each resident of Japan.

The bill to amend the Telecommunication Business Act (TBA) was passed in June 2022 and came into effect on 16 June 2023. This amendment mainly introduced a regulation about sending cookies to an external party. It also imposed new obligations regarding user information on large telecommunications service providers that have either 5 million paid users or 10 million free users.

There are no laws or regulations that target artificial intelligence (AI) at this time. Please refer to 5.1 Addressing Current Issues in Law (Artificial Intelligence) for more details.

Furthermore, the Personal Information Protection Commission (PPC – the regulator primarily responsible for the APPI and the My Number Act) has published guidelines for handling personal information (the PPC Guidelines). For some industrial sectors, the ministry with jurisdiction over them has published data protection guidelines for those sectors. For example, the Financial Services Agency (FSA) and the PPC have jointly published data protection guidelines for the financial sector, and the Ministry of Internal Affairs and Communications (MIC) has issued data protection guidelines for telecommunication business operators.

Enforcement and Penalty Trends

Between 1 April 2023 and 30 September 2023, no administrative orders were issued, no administrative recommendations were made, 165 issuances of administrative guidance or advice were made, no on-site inspections were conducted, and 60 administrative requests for reports and materials were made against handling operators under the APPI. No administrative orders or recommendations have been issued because ordinary companies were in compliance with the PPC's administrative guidance and advice. Moreover, companies are typically concerned with their social reputation, so endeavour to comply with laws and regulations.

Key Concepts and Terminology

In order to understand the regulations under the APPI, it is important to distinguish between three key categories: personal information, personal data and retained personal data.

The APPI defines personal information as information about living individuals that can identify specific individuals or that contains an individual identification code (Article 2.1).

Information that can be used to identify specific individuals includes information that can be readily collated with other information to identify specific individuals. Whether information can be readily collated with other information for this purpose would be determined on a case-by-case basis, depending on how it is stored or handled by the handling operator. For example, information collected by cookies is not personal information by itself; however, if the handling operator can easily collate information collected by cookies with the name of the individual (which typically occurs when registered customers log in to the website of a company, and the company knows the cookie ID of the registered customer), the information collected by the cookies will be deemed to be personal information.

An individual identification code means a partial bodily feature of a specific individual that has been converted into any character, number, symbol or other code by computers for use, and that can identify that specific individual or is assigned to services or goods provided to an individual, or is stated or electromagnetically recorded on a card or any other document issued to an individual, to identify them as a specific user, purchaser or recipient of the issued document (Article 2.2). The various types of individual identification codes are listed in a Cabinet Order, and include driver's licences, passports and health insurance numbers. Credit card numbers and phone numbers are not individual identification codes.

Personal data is personal information contained in a personal information database (Article 16.3), which is a collection of information (that includes personal information) that is systematically organised to enable a computer (or through another means) to search for particular personal information; however, this term excludes a collection of information that a Cabinet Order indicates as having little possibility of harming an individual's rights and interests considering how that collection uses personal information. Examples of information collections excluded from this definition include a commercially available telephone directory or a car navigation system (Article 16.1).

Retained personal data is personal data that a handling operator has the authority to disclose, correct, add or delete content from; discontinue the use of; erase; or discontinue the provision of to a third party, excluding certain limited personal data (Article 16.4).

The PPC is tasked with enforcing and implementing the APPI, and has the following powers:

• to require a handling operator to report or submit materials regarding its handling of personal information and to enter a handling operator’s offices or other places to investigate, make enquiries and check records or other documents (Article 146);
• to provide guidance or advice to a handling operator (Article 147);
• to recommend that a handling operator cease any violation of the APPI and take other necessary measures to correct the violation (Article 148.1);
• to order a handling operator to take necessary measures to implement the PPC’s recommendation mentioned above and to rectify certain violations of the APPI (Articles 148.2 and 148.3); and
• to publicly announce a handling operator's violation of an order issued by the PPC pursuant to Articles 148.2 and 148.3 (Article 148.4).

For some sectors, other government authorities also enforce the APPI – for example, the FSA is the relevant authority for banks, whereas the MIC is the appropriate authority for telecommunication service providers. There is no regulator specifically overseeing AI data.

The PPC does not have the authority to conduct criminal investigations, and the APPI explicitly stipulates that the PPC’s power to conduct on-site inspections does not include criminal investigations (Article 146.3).

It is important to note that the APPI imposes no administrative fines. Criminal sanctions may only be imposed if the handling operator:

• refuses to co-operate with or makes any false report in response to an investigation by the PPC (Article 178);
• provides a personal information database to unauthorised persons or misuses the database for unlawful gains (Article 180); or
• violates any order given by the PPC as part of an administrative sanction (Article 181).

Please also see 2.5 Enforcement and Litigation.

While local governments have enacted jyorei on data protection, those regulations apply only to the public sector. Please note that, from 1 April 2023, jyorei are regulated by the APPI, as discussed in 1.1 Laws.

The PPC empowers private organisations called accredited personal information protection organisations (Nintei Kojin Jyouhou Hogo Dantai) to handle and promote the protection of the personal information of handling operators. These accredited organisations process complaints against handling operators or provide information on them to ensure the reliability of the business of those handling operators and promote the protection of personal information. They also establish their own rules, with which their members must comply.

The APPI follows the Organisation for Economic Co-operation and Development’s eight Privacy Principles. Japan has reached an agreement with both the EU and the UK to certify each other’s country or territory as an “adequate” country for Japan’s and the EU/UK’s data protection purposes; this decision was renewed in March and April 2023. However, this does not mean that the APPI is identical to Regulation (EU) 2016/679 (the General Data Protection Regulation – GDPR).

Japanese data protection law is, nonetheless, closer to the EU omnibus model than the US sectoral/subnational approach in the sense that Japan has a comprehensive data protection law: the APPI.

As discussed in 1.1 Laws (Major Laws), the APPI was amended in 2020 and 2021, and the TBA was amended in 2022.

The MIC and the Ministry of Economy, Trade and Industry (METI) are in the process of establishing an AI Business Guideline for AI developers, AI service providers and AI users, which will be finalised around March 2024. This Guideline includes points regarding privacy and data protection.

The PPC is also having discussions to aim for updates of the APPI. According to a PPC document published in November 2023, there are three main topics:

• how to balance the technology development and substantive protection of personal interests, including children’s interests;
• more effective measures to enforce the APPI; and
• assistance for personal data utilisation.

The PPC plans to publish an interim report on the potential amendment in spring 2024.

Handling Operator Duties

The various obligations of a handling operator under the APPI are set out below.

• It must specify and make known to the data subject the purpose of collecting their personal information (Articles 17 and 21).
• It cannot use personal information for any other specified purpose without the data subject’s consent (Article 18). Exceptions to the consent requirement include instances when the use of information is required by law or is necessary to perform governmental duties, to protect the life, body or property of a person, or to improve public health (Article 18.3). A handling operator must not utilise personal information in a way that entails the possibility of fomenting or prompting unlawful or unfair acts (Article 19).
• It has to establish appropriate safeguards to protect personal data (Article 23).
• It cannot transfer personal data to another entity without the opt-in consent of the data subject, unless it meets the requirements of any of the exceptions provided by the APPI (Article 27.1). These exceptions include instances when the transfer is required by law or is necessary to perform governmental duties to protect the life, body or property of a person or to improve public health or is necessary for academic or research purposes (Article 27.1(i) through (vii)). Other major exceptions include cases of entrustment of the handling of personal data to another entity, joint use of the personal data with another entity, business succession resulting from a merger or other legal reasons (Article 27.5), or the filing of a notification of opt-out consent with the PPC (Article 27.2), as detailed in other sections below.
• It cannot transfer personal data to countries that do not have sufficient data protection safeguards without the data subject’s consent (Article 28). For details, please see 4.1 Restrictions on International Data Issues.
• It must keep a record of the provision of personal data to a third party (Article 29).
• Upon receiving personal data from another handling operator, it must confirm the providing handling operator’s compliance with applicable regulations regarding the provision of the personal data and keep a record of the confirmation process (Article 30).
• It must handle pseudonymously processed information and anonymously processed information in certain ways (Articles 41 to 46).

The 2020 amendments to the APPI introduced mandatory obligations to report data breach incidents to the PPC and to notify affected data subjects in cases where their rights and interests are likely to be infringed (Article 26).

Entrustment

Under Article 27.5 (i) of the APPI, if a handling operator entrusts all or part of the handling of personal data it acquires to an individual or another entity, that individual or entity will not be considered a third party under Article 27.1. For example, if a handling operator uses third-party vendors of handling operator services and shares personal data with those vendors for them to use on the handling operator’s behalf and not for their own use, that transfer will be deemed an “entrustment” and is not subject to data transfer restrictions.

When a handling operator “entrusts” personal data, it must exercise the necessary and appropriate supervision over the entrusted person to ensure security control over the entrusted personal data (Article 25).

Joint Use

A handling operator may share and jointly use personal data with specific individuals or entities as long as the handling operator notifies the data subject or makes the following information accessible to them (Article 27.5(iii)), before any information sharing and joint use:

• the fact that personal data will be used jointly with specific individuals or entities;
• the personal data to be used jointly;
• who the joint users are;
• the purpose of the joint use; and
• the name of the individual or entity responsible for managing the personal data (the address of the responsible individual or entity and, if it is a corporate body, the name of its representative are also required).

After notice or publication of these matters is made, the identified joint users will not be deemed third parties within the context of Article 27 and, therefore, the handling operator and the identified joint users may share and jointly use specific items of personal data as if they were a single entity.

Business Succession

A handling operator may transfer personal data to a third party without the opt-in consent of data subjects if the transfer accompanies a business succession caused by a merger or other legal reason (Article 27.5 (ii)).

Filing of Notification of Opt-Out Consent

Under Article 27.2 of the APPI, a handling operator may provide personal data (excluding special-care-required personal information and personal data that was acquired by improper means or provided by another handling operator pursuant to the opt-out mechanism) to a third party without the opt-in consent of data subjects if the following conditions are satisfied:

• it agrees to stop providing personal data to the third party upon the demand of the data subject;
• it notifies the data subjects in advance of certain matters outlined in Article 27.2 or makes such notification of matters readily accessible to the data subject; and
• it submits a notification of certain matters to the PPC.

Please note that, in practice, the PPC does not readily accept the foregoing opt-out notification unless it is not practical to seek the data subjects’ consent, and it is difficult to use the other exceptions.

Data Protection Officers

The APPI has no provision mandating the appointment of a privacy or data protection officer; however, a handling operator must take necessary and proper measures to prevent the leakage, loss or damage of personal data and to implement other security controls. Under the PPC Guidelines, those measures should include the following:

• organisational security measures, such as establishing rules for handling personal data and clarifying the person responsible for supervising such handling;
• HR security measures, including educating/training employees;
• physical security measures, including controlling the area where personal data is handled, such as servers and offices;
• technical security measures, including controlling access to personal data; and
• understanding of the external environment – this security measure, introduced by the amendments to the guidelines, requires a handling operator who processes personal data in a foreign country to understand the foreign country’s legal system for personal information protection and, taking that legal system into consideration, to take necessary and appropriate measures to ensure the security of personal data.

As of 1 April 2024, the PPC Guidelines will also require a handling operator to take security control over personal information that will be collected and expected to be treated as personal data so that a cyber-attacker will not intercept such information on behalf of the operator.

The PPC Guidelines indicate that appointing a person to be in charge of the handling of personal data is an example of proper and necessary measures. However, although a handling operator is expected to adopt the measures described in the PPC Guidelines, the failure to adopt such measures is not a direct breach of the APPI.

Under the amendment of the TBA, large telecommunications service providers are required to appoint a chief manager responsible for handling user information.

Privacy By Design/Default and Privacy Impact Analyses

The APPI does not mandate obligations regarding privacy impact analyses (PIA). However, the PPC has issued a report titled “Promoting the implementation of PIA – Significance of PIA and points to keep in mind in the implementation procedure”, which it encourages business operators to follow voluntarily. The APPI does not refer to the concepts of privacy by design or by default, but PPC guidelines on accredited personal information protection organisations recommend that these organisations promote privacy by design.

Internal or External Privacy Policy

The PPC Guidelines recommend releasing a privacy policy or statement.

Article 32.1 of the APPI requires handling operators to make the following information regarding retained personal data available to data subjects:

• the name of the handling operator, an address for the individual or entity responsible and, if it is a corporate body, the name of its representative;
• the purposes of the use of retained personal data;
• the procedures for responding to requests from data subjects to disclose, correct, suspend or erase the use of retained personal data;
• contact information for accepting complaints regarding the processing of retained personal data; and
• security measures being implemented by the handling operator.

Most handling operators typically comply, using internal and external privacy policies.

The PPC Guidelines also recommend stating the following in a handling operator’s basic policies as security control measures regarding personal data:

• the name of the handling operator;
• compliance with the relevant laws, regulations and guidelines;
• an explanation of security control measures regarding personal data; and
• contact details for complaints and questions.

Most handling operators typically comply, using internal and external privacy policies.

The PPC Guidelines also recommend being transparent in disclosing the entrustment of work involving personal data (eg, disclosing whether entrustment has been made and what kind of work has been entrusted).

Data Subjects’ Rights

A data subject may request a handling operator to disclose their retained personal data and the record of providing it to a third party. The handling operator must comply with the request unless there is a possibility that the disclosure could harm the data subject’s or a third party’s life, body, property or other rights and interests, or that it could seriously interfere with the handling operator’s business (Article 33).

A data subject may also request a handling operator to correct, add or delete retained personal data. The handling operator must investigate without delay and, based on the results of the investigation, comply with the request to the extent necessary to achieve the purposes of use of the retained personal data (Article 34).

Furthermore, the data subject may request the handling operator to discontinue the use of or erase retained personal data and to stop providing retained personal data to third parties if:

• that data was or is being acquired, processed or provided to a third party in violation of the APPI;
• the retention of retained personal data has become unnecessary;
• a data breach has occurred regarding the retained personal data; or
• there is a possibility that the handling of the retained personal data would harm the rights or legitimate interests of the data subject.

However, this obligation will not apply if it will be too costly or difficult to discontinue the use of or erase the retained personal data and the handling operator takes necessary alternative measures to protect the rights and interests of the data subject (Article 35).

The APPI has no provision for data portability.

Anonymisation, De-identification or Pseudonymisation

The APPI recognises the concept of anonymously processed information, which is defined as information obtained by processing personal information so that ordinary people cannot identify a specific data subject using the processed information nor restore any personal information from the processed information (Article 2.6). This framework intends to promote the use of anonymously processed information by clarifying the rules and was expected to lead to the use of big data, innovations and new businesses. A handling operator can provide anonymously processed information to third parties without the consent of the data subjects, provided that the handling operator:

• produces the anonymously processed information in compliance with the standards set forth in an ordinance of the PPC (Article 43.1);
• takes measures for security control in compliance with the standards set forth in the PPC Ordinance to prevent leakage (Article 43.2);
• discloses items that will be included in the anonymously processed information pursuant to the PPC Ordinance (Article 43.3);
• when it provides anonymously processed information to third parties, discloses items that will be included in the anonymously processed information and the medium to be used to deliver the information in compliance with the PPC Ordinance, and explicitly informs the third-party recipients that the disclosed information is anonymously processed information (Article 43.4);
• does not do anything to identify the individual (Article 43.5); and
• takes measures to secure the safe control of anonymously processed information and to deal with complaints regarding the handling thereof, and publicly announce such measures (Article 43.6).

According to the PPC Guidelines, statistical information – ie, information that can be obtained by extracting items concerning a common element from information taken from several people and tallying them up by category – is not anonymously processed information because it is not information regarding an individual, and is therefore not covered by any regulations under the APPI.

The 2020 amendment of the APPI introduces the concept of pseudonymously processed information. This information is processed so that it cannot be used to identify a specific individual without collation with other information (Article 2.5). The pseudonymously processed information is exempted from certain regulations under the APPI, such as restrictions on changing the purpose of use, the obligation to comply with the data subject’s rights, and report/notification obligations in the case of a data breach (Article 43).

Profiling, Microtargeting, Automated Decision-Making, Online Monitoring or Tracking, Big Data Analysis and AI

There is no specific statutory law on microtargeting, online monitoring or tracking. However, any activity relating to the collection, use and provision of personal information will be subject to the rules of the APPI.

Under the 2020 amendment of the APPI, certain types of cookies, web beacons, online identifiers and so forth are subject to new regulations. Under the APPI, the transfer of personal data to third parties – whether the data is personal data or not – is judged based on the circumstances surrounding the transferor, not the transferee. In brief, if the data is not personal data in the hands of the transferor, regulations regarding the transfer of personal data to third parties are not applicable.

In recent years, some schemes have emerged whereby data management platforms provide non-personal information such as user data collected by cookies (eg, user browsing histories/interests and preferences) to third parties, with the knowledge that the data will be personal data in the hands of the recipient. The PPC was concerned by the expansion of this kind of data sharing without the involvement (control) of the data subjects. As a result, the concept of personally referable information has been introduced, defined as a collective set of information comprising information relating to a living individual that does not fall under personal information, pseudonymously processed information or anonymously processed information but that has been systematically organised to be searchable using a computer for specific personally referable information or similar information prescribed by Cabinet Order. The amended APPI regulates the provision of personally referable information if the provider assumes that a recipient will acquire a database of the provided personally referable information as personal data. In this case, the transferor must confirm that the transferee has obtained the data subjects’ consent to transfer their data as personal data.

See 5.1 Addressing Current Issues in Law for other items relating to profiling, microtargeting, automated decision-making, big data analysis and AI.

Injury/Harm

There is no definition of “injury” or “harm” under the APPI. However, an infringement of privacy is a tort under the Civil Code if the individual suffers from a mental burden or mental unease regarding the disclosure of information.

AI Data

There are no regulations specific to AI data, but please note that general regulations are applicable. For example, if AI data includes personal information, the APPI applies to the data processing. The MIC and the METI are in the process of establishing an AI Business Guideline for AI developers, AI service providers and AI users, which will be finalised around March 2024. This Guideline includes points regarding privacy and data protection. The PPC published an announcement on 2 June 2023, setting out its interpretation of the APPI in the context of generative AI and requesting generative AI service providers and users to comply with the APPI.

Health Data

The APPI contains the concept of special-care-required personal information, which is defined as personal information comprising a principal’s race, creed, social status, medical history, criminal record, the fact of having suffered damages from crime, or other descriptions that may be prescribed by a Cabinet Order (Article 2.3). The handling operator must get prior consent to obtain special-care-required personal information (Article 20.2) and to transfer the same (opt-out consent is not allowed) (Article 27.2). For health data, the following categories of personal information are included in special-care-required personal information:

• medical history;
• physical disability, intellectual disability, mental disability (including developmental disability) or other disorders of physical or mental functions as defined by the regulations;
• the results of medical examinations, etc, carried out on the person by a doctor, etc; and
• medical treatment or the dispensing of medicine that has been given to the person by a doctor, etc, to improve his/her physical or mental condition.

Under the Act Regarding Anonymised Medical Data to Contribute to Research and Development in the Medical Field (the “Medical Big Data Act”), government-accredited medical information anonymisation entities can obtain medical information from medical institutions (eg, hospitals) unless the data subjects opt out. Those entities are entitled to anonymise the acquired medical information and distribute the anonymised medical information for the purpose of R&D in the medical area.

Financial Data

Financial data is not categorised as special-care-required personal information, but will be treated as ordinary personal information if it can identify an individual.

Communications Data

A voice recording by voice telephony itself is not personal information, but it can be considered as such if the speaker can be identified from its contents or with other information. Even if a voice recording is not considered protected personal information, it is subject to protection under the basic principle of secrecy of communication granted under the Constitution of Japan, the TBA, the Radio Act and the Wire Telecommunications Act, which specifically protect the secrecy of telecommunication data.

The same applies to text messaging.

Other Categories of Sensitive Data

Information on political or philosophical beliefs generally falls within special-care-required personal information as a personal belief.

The APPI has no provisions regarding personal information related to union membership or sexual orientation. However, since that type of information is protected under the GDPR, the PPC has issued Supplementary Rules under the APPI for the handling of personal data transferred from the EU based on an adequacy decision, which provides that if any information is transferred from member countries of the EEA and the UK based on an adequacy decision, the information must be protected under the same standards as special-care-required personal information. In addition, data protection guidelines for the financial sector, published jointly by the FSA and the PPC, stipulate that information on union membership and sexual orientation is considered sensitive information. Financial companies should not acquire, use or collect such information unless specific exceptions apply.

Internet

There is no mandatory requirement under the APPI to set up privacy policies; however, as explained in 1.1 Laws (Key Concepts and Terminology), it is common and highly recommended for handling operators with websites to publish their privacy policy on their websites.

The use of cookies, web beacons and other tracking technology is not directly regulated under the APPI. Information collected by cookies or web beacons is not automatically personal information, but will be deemed to be personal information if the handling operator can easily collate information collected by cookies or web beacons with the name of the individual (for example, when an internet-based company can identify the cookie ID of customers when logged in to its website).

Behavioural advertising is not directly regulated under the APPI, but any personal information collected to provide behavioural advertising is subject to the APPI.

It is good practice to have a cookie policy and to offer an opt-out from using cookies (especially behavioural advertising). The Japan Interactive Advertising Association’s Guidelines are useful for an understanding of good practices in Japan.

The 2020 amendment of the APPI introduced regulations for certain cookies, web beacons and other tracking technology underlying behavioural or targeted advertising. Please see 2.1 Omnibus Laws and General Requirements (Profiling, Microtargeting, Automated Decision-Making, Online Monitoring or Tracking, Big Data Analysis and AI).

The amendment of the TBA imposed new obligations on telecom service providers (TSP), which have a non-trivial impact on users’ interests. More specifically, a TSP is an entity that provides:

• service of intermediating telecommunication of others, such as email services and direct message services;
• social media services, bulletin board systems, movie sharing services, online shopping malls, live streaming services, online games, online education or the like;
• online search engines; or
• various information to unspecified people, such as news, weather, movies and maps.

When a TSP makes users send their information (typically including cookies) to an external party, the TSP is required to make a notification, make a public announcement, obtain opt-in consent or provide an opt-out mechanism with respect to certain information, including the content of the information, the name of the recipient party and the recipient’ purpose of use of the information.

Video and Television

Image information in videos or television would be categorised as personal information and subject to restrictions under the APPI if it can identify a specific individual. The MIC has published a Handbook for the Use of Camera Images, which explains the considerations necessary for utilising camera images for commercial purposes and the key points of the considerations through specific examples. In addition, the PPC published the Draft Report of the Expert Panel on the Use of Camera Images for Crime Prevention and Security, which underwent the public comment procedures in January 2023. This report covers points to be noted when introducing camera systems with facial recognition functions from the perspective of compliance with the APPI and ensuring that they do not cause infringements of portrait rights and privacy, as well as voluntary measures to gain understanding from the subjects of the images and society.

Social Media, Search Engines and Large Online Platforms

If social media and online platforms are categorised as “telecommunication services” under the TBA, then the provider is subject to the MIC’s guidelines on personal information for telecommunication businesses. Business operators providing telecommunications services with an average of more than 10 million users per month in the previous year (for free telecommunications services) or more than 5 million users per month (for fee-based telecommunications services) are required under the amended Telecommunications Business Act (effective 16 June 2023) to formulate and notify information handling rules, formulate and publish information handling policies, conduct self-evaluation and reflect them in information handling rules and regulations, and appoint and notify a general management representative.

As for large online platforms, the Act on Enhancing Transparency and Fairness of Specified Digital Platforms (the “Transparency Act”) takes the necessary measures to ensure transparency and fairness of transactions between designated large-scale digital platform operators and digital platform users. It also provides a mandatory disclosure rule about how user data is processed.

Intermediary Liability for User-Generated Content

Under the Provider Liability Limitation Act, even if an online platform has distributed information posted by a third party that infringes the rights of another person, the general rule is that the service provider will not be liable unless it is aware of or has a good reason to be aware of the infringement.

Children’s Privacy

A Q&A issued by the PPC states that, for minors between the ages of 12 and 15, the consent of a person with parental authority over the minor must be obtained for data processing, which requires the consent of data subjects (eg, the provision of personal data to third parties and the collection of special-care-required personal information).

Educational or school data is not subject to special restrictions but only to the restrictions under the APPI as personal information.

Rights to Object to Sale of Data and Tracking

There are no rights to object to the sale of personal data, but the APPI sets forth a similar scheme regarding the provision of personal data. Providing personal data to a third party is generally permissible only with consent or under an opt-out mechanism. If a data subject does not want their personal data to be provided or sold to another entity, they should either not provide their consent or object to any such provision/sale (opt-out.) For more opt-out details, please see 2.1 Omnibus Laws and General Requirements (Filing of Notification of Opt-Out Consent). The APPI introduced some regulations for tracking; please see 2.1 Omnibus Laws and General Requirements (Profiling, Microtargeting, Automated Decision-Making, Online Monitoring or Tracking, Big Data Analysis and AI).

Unsolicited marketing by email is regulated principally by the Act on the Regulation of Transmission of Specified Electronic Mail (the Anti-Spam Act), under which marketing emails can only be sent to recipients who:

• have given prior consent to receive them;
• have provided the sender with their email addresses in writing (for instance, by providing a business card);
• have a business relationship with the sender; or
• make their email address available on the internet for business purposes.

In addition, the Act requires the senders to allow the recipients to opt out.

Furthermore, the Act on Special Commercial Transactions restricts marketing regarding mail order businesses, including online shopping, but does not provide exceptions similar to the last three items above.

As discussed in 2.1 Omnibus Laws and General Requirements, behavioural and targeted advertising is not directly regulated under the APPI, but any personal data collected to provide behavioural and targeted advertising is subject to the APPI. There are no specific restrictions for behavioural and targeted advertising, but the 2020 amendment of the APPI introduced regulations for certain cookies, web beacons and other tracking technology underlying behavioural or targeted advertising.

There are special restrictions on telecommunication business operators regarding location information under the MIC’s guidelines on personal information for telecommunication businesses. Under these guidelines, telecommunication business operators can obtain or transfer location information from a mobile device only with the data subject’s prior consent or if there is a justifiable cause.

The Ministry of Health, Labour and Welfare has issued a notice regarding the health information of employees, which provides for an employer’s handling of the health information of its employees, including a condition that an employer shall not handle the health information of any employee beyond the scope necessary to secure the employee’s health.

Furthermore, the Employment Security Act has special restrictions on obtaining information on job applicants during recruitment, to prevent discrimination.

The employer has the right to monitor workplace communications in relation to work and to use cybersecurity tools, insider threat detection and prevention programmes, and digital loss prevention technologies, but a privacy issue may arise regarding private communications and other privacy matters at the workplace. Thus, employers are recommended to establish internal rules prohibiting the use of company PCs and email addresses for private use, and to disclose the possibility of monitoring those devices and data, including emails.

In principle, there is no special role for labour organisations or works councils regarding employment-related data privacy, but there is a general requirement for employers to obtain the opinion of the employee representative in establishing work rules.

The Whistle-Blower Protection Act prohibits employers from dismissing whistle-blowers, and requires large companies with more than 300 employees to have whistle-blower systems in place. The Act also mandates companies to appoint personnel to handle whistle-blowing; such personnel have statutory confidentiality obligations about the whistle-blowing cases.

Administrative Sanctions

The PPC has the power to enforce administrative sanctions; please see 1.2 Regulators for details.

Please see 1.1 Laws for recent statistics about administrative sanctions enforced by the PPC. The PPC did not issue any official recommendations or administrative orders between May 2017, when it became the regulator and enforcement authority of the APPI, and August 2019, but has subsequently issued them for cases with a large social impact. For example, on 26 August 2019, the PPC first officially recommended a company operating an online job platform. It was considered that the company captured users’ likelihood of declining a job offer based on their web browsing history and sold the data to potential employers. The PPC decided that the company did not comply with the required procedures under the APPI.

On 29 July 2020, the PPC first issued two administrative orders regarding non-compliance with an official recommendation. In these cases, two anonymous internet-based companies published the personal data of bankrupts, including names and addresses, in violation of required procedures in the APPI. On 23 March 2022 and 2 November 2022, the PPC again issued administrative orders against similar website operators. On 11 January 2023, the PPC officially requested a criminal investigation authority to file a criminal charge against an operator for non-compliance with the order.

Please note that, even after May 2017, the PPC entrusts its enforcement powers to relevant public authorities for some industries.

Criminal Sanctions

Criminal sanctions for violations of the APPI are as follows.

• If a handling operator (natural person or a director or employee of the handling operator) breaches an order of the PPC issued as part of an administrative sanction (please note that this order does not include guidance, advice or recommendation by the PPC), they may be subject to imprisonment of up to one year or a fine of up to JPY1 million (Article 178). If an employee of an entity commits the breach, that entity will be subject to a fine of up to JPY100 million (Article 184.1 (i)).
• If a handling operator (natural person or a director or employee of the handling operator) provides a personal information database to an unauthorised party or misuses such a database for unlawful gains, they may be subject to imprisonment of up to one year or a fine of up to JPY500,000 (Article 180). If an employee of an entity commits the breach, that entity will be subject to a fine of up to JPY100 million (Article 184.1 (i)).
• If a handling operator (natural person or a director or employee of the handling operator) refuses to make a report or makes a false report in response to an investigation by the PPC or an administrative sanction, it may be subject to a criminal fine of up to JPY500,000 (Article 181). If an employee of an entity commits the breach, that entity will be subject to a fine of up to JPY500,000 (Article 184.1 (ii)).

The APPI does not provide the legal procedures that the PPC or the prosecutors must follow to allege violations of privacy or data protection laws. However, the authorities must generally follow the general restrictions of the Code of Criminal Procedure regarding the imposition of criminal sanctions, while the PPC does not have to follow those restrictions regarding administrative sanctions.

Private Actions

A data subject may go to court to seek compensation for damages or distress caused by a breach of data protection. There are two major types of legal causes.

• Firstly, Japanese courts recognise the right to privacy, which is the right of a person not to have their private life disclosed except for a legitimate reason. A breach of the right to privacy consists of torts under Article 709 of the Civil Code.
• Secondly, if a business promises to keep personal data confidential in an agreement (such as terms of use) but then compromises the data, the legal cause of breach of contract may also be available.

Class actions

The Act on Special Measures Concerning Civil Court Proceedings for Collective Redress for Property Damage Incurred by Consumers allows for class actions to be filed by consumers. Please note that claims allowed under that law are limited to property damage and do not cover compensation for distress caused by a breach of the APPI. Please also note that an amendment to this act came into force on 1 October 2023, which includes emotional distress in the scope of the class action if it is caused along with property damage or by intentional conduct.

As a practical matter, a number of data subjects may select the same lawyer to represent them, and that lawyer can file one litigation for those data subjects, which can be similar to a class action.

Recent leading cases

In a decision issued in October 2017, the Supreme Court found that the breach of a right to privacy may give rise to a claim for compensation for distress caused by the leakage of personal information (eg, names, birth dates, addresses and telephone numbers). The case was remanded to the Osaka Appeal Court, which awarded JPY1,000 to the claimant on 20 November 2019. In addition, the Tokyo Appeal Court awarded JPY3,300 to other plaintiffs on 25 March 2020 for the same data breach. The Supreme Court denied appeals of these cases in December 2020, so these Appeal Court decisions are deemed final.

In criminal investigations, prosecutors and law enforcement agencies such as the police must follow the Constitution of Japan and the Code of Criminal Procedure requirements for any compulsory access to data. Any compulsory search or seizure can only be made with a court warrant.

In addition, the Constitution of Japan prohibits the violation of the secrecy of communication. In this regard, the Act on Wiretapping for Criminal Investigation allows investigative authorities to intercept phone conversations and electronic telecommunications only for certain serious crimes and only within the scope of a court warrant, and stipulates special restrictions for wiretapping.

Judicial review acts as a safeguard to protect privacy.

Any compulsory search, seizure or wiretapping for national security purposes is also considered to be subject to the restrictions discussed in 3.1 Laws and Standards for Access to Data for Serious Crimes.

Judicial review acts as a safeguard to protect privacy. Japan is a signatory to the OECD's Declaration on Government Access to Personal Data Held by Private Sector Entities (December 2022), which can be referred to in order to assess “the presence or absence of a system in that foreign country that might affect the implementation of the equivalent measures” in the context of international data transfer regulations. Please see 4.1 Restrictions on International Data Issues for more details.

Without relying on international assistance in investigation schemes, a foreign government may not forcibly request a Japanese entity to turn over personal information. In addition, a handling operator may face a problem if it voluntarily gives personal data to a foreign government. The reason is that, under the APPI, the general rule is that a handling operator cannot provide personal data to any third party without the data subject’s prior consent, except in specified cases (Article 27.1). These specified cases are where the provision of personal data is:

• based on laws;
• necessary to protect the life, body or property of an individual and it is difficult to obtain the consent of the data subject;
• especially necessary to improve public hygiene or promote the sound growth of children, and it is difficult to obtain the consent of the data subject;
• necessary for co-operating with a state institution, a local public body or an individual or entity entrusted with executing operations prescribed by laws, and obtaining the consent of the data subject might impede the execution of those operations; or
• necessary for academic or research purposes.

It is understood that a “state institution” referenced in the fourth point above refers only to the Japanese government and not foreign governments, and the “laws” referenced in the first point above do not include foreign laws.

If a handling operator is required to disclose the personal data of Japanese residents in accordance with foreign law or by the action of a foreign governmental institution, it may use the exception in the second point above, although this is debatable. If a handling operator would like to make disclosures based on foreign law or the action of a foreign government, then it is advisable for it to obtain the prior consent of users to provide the user data where required by foreign law or a foreign governmental institution through its privacy policies.

Japan does not participate in a Cloud Act agreement with the United States of America.

As discussed in 1.1 Laws (Major Laws), the My Number System was introduced in Japan in January 2016 to improve administrative efficiency, public convenience and fairness in tax administration and social welfare in Japan. My Numbers are used by central governmental organisations and local governments for administrative procedures relating to social security, taxation and disaster response.

While there were discussions and dissenting public opinion concerning the introduction of the My Number, the system has now been fully implemented, and the scope of its use is slowly expanding. Since January 2018, it has been used in the financial sector (eg, to obtain information regarding bank saving accounts), and it has been used as a health insurance card since March 2021. The government uses My Number to manage COVID-19 vaccination status.

Basic Regulation

There are special restrictions on the transfer of personal data to a foreign country. In principle, the APPI requires the transferor to obtain the prior consent of individuals whose personal data will be transferred to a third party located in a foreign country (Article 28). Thus, the overseas transfer restrictions will apply if a foreign company transfers the user data to another company outside Japan. However, if the foreign company transfers the user data to a company in Japan, the overseas transfer restrictions will not apply. This restriction applies even in cases of entrustment and joint use, which are exceptions to local third-party data transfer restrictions.

The data subjects’ consent to overseas data transfers is not necessary only if the following applies:

• the PPC designates the foreign country as a country with a data protection regime with a level of protection equivalent to that of Japan (only member countries of the EEA and the UK have been designated to date); or
• the third-party recipient has an equivalent system of data protection that meets the standards prescribed by the PPC Ordinance – ie, either of the following:
1. there is assurance, by appropriate and reasonable methodologies, that the recipient will treat the disclosed personal data in accordance with the spirit of the requirements for handling personal data under the APPI; or
2. the recipient has been certified under an international arrangement recognised by the PPC regarding its system of handling personal data.

The implementation of the PPC Ordinance is contained in the PPC Guidelines, under which the “appropriate and reasonable methodologies” referred to above include agreements between the data importer and the data exporter, or inter-group privacy rules, which ensure that the data importer will treat the disclosed personal data in accordance with the spirit of the APPI. With respect to the second item above, the PPC Guidelines have identified the APEC CBPR as a recognised international framework for the handling of personal information.

Additional Obligation Under the 2020 Amendments

Under the 2020 amendment of the APPI, international data transfers are permitted, with additional requirements. First, when handling operators transfer personal data to a foreign country based on the aforementioned consent mechanism, they will be required to provide a data subject with certain information, as specified by the amended Ordinance issued by the PPC (the amended PPC Ordinance) (Article 28.2). According to the PPC Ordinance, information about the foreign country’s name, the foreign country’s personal information protection system and the measures to be taken by a recipient party to protect personal information are required to be provided to the data subject.

Secondly, when handling operators transfer personal data relying on the recipient’s equivalent system of data protection, they will be required to take the necessary steps to ensure that the overseas recipient continuously takes equivalent measures and to provide a data subject with certain information about the measures to be taken upon a request under the amended PPC Ordinance (Article 28.3). In this regard, according to the PPC Ordinance, one of the measures to ensure such matters is to periodically confirm the implementation status of the equivalent measures taken by the recipient and the presence or absence of a system in the foreign country that might affect the implementation of the equivalent measures. The other measure is to take necessary and appropriate measures if the recipient party’s implementation of the equivalent measures is interfered with in some way, and to suspend the provision of personal data if it becomes difficult to ensure the continuous implementation of the equivalent measures.

The PPC Ordinance also states that the information to be provided to a data subject upon request is:

• the recipient party’s equivalent system of data protection;
• an outline of the equivalent measures taken by the recipient;
• the frequency and method of confirmation of the status of the equivalent measures and of the system in the foreign country that might affect the implementation of the measures;
• the name of the foreign country;
• the presence or absence of a system in that foreign country that might affect the implementation of the equivalent measures;
• the presence or absence of any impediment to the implementation of the equivalent measures; and
• an outline of the measures to be taken in response to such impediments.

As a result, data transfer to countries where improper government access is implemented can be difficult. An example of this difficulty is the international data transfer regulations under the GDPR raised by the Schrems II case.

International data transfers are allowed if certain requirements are met; please see 4.1 Restrictions on International Data Issues.

As discussed in 4.1 Restrictions on International Data Issues, overseas data transfer restrictions do not require government notification or approval.

There are no data localisation requirements under the APPI.

Software code, algorithms and encryption systems are not required to be shared with the government.

See 3.3 Invoking Foreign Government Obligations.

There are no blocking statutes under Japanese law.

Big Data Analytics

The APPI has a concept of anonymously processed information, to which the regulations regarding personal information will not apply, and the 2020 amendment of the APPI introduces a concept of pseudonymously processed information. Please see 2.1 Omnibus Laws and General Requirements (Anonymisation, De-identification or Pseudonymisation) for further details on anonymously processed information and pseudonymously processed information.

As for big data analytics, data sharing will typically happen between companies subject to contracts between those companies. The METI has published guidelines on contracts regarding sharing (big) data between companies.

Automated Decision-Making, Profiling and Microtargeting

There are currently no specific laws or regulations regarding automated decision-making, profiling and microtargeting; however, the improper use of relevant technology may, in theory, be deemed fomenting or prompting unlawful or unfair acts that are prohibited under Article 19 of the amended APPI. The amended guidelines stipulate that, when analysing information on the behaviour and interests of an individual, handling operators must specify the purpose of use so that the data subject can predict or assume what kind of data processing is being performed, and the process of profiling may need to be explained accordingly.

Artificial Intelligence

Legal problems concerning AI have been the subject of intensive discussions of late, including matters such as liability for the actions of an AI and ownership of rights regarding contents created by an AI; however, no laws or regulations target AI at this time.

The PPC published an announcement on 2 June 2023, stating its interpretation of the APPI in the context of generative AI and requesting generative AI service providers and users to comply with the APPI. The Institute for Information and Communications Policy (IICP) and the MIC have jointly published the Draft AI R&D Guidelines for International Discussions, which explain the AI R&D principles and nine other principles for research into and the development of AI. These are tentative guidelines for further international discussion. The MIC also published Guidelines for AI Utilisation in August 2019, which summarise the issues that AI users (including AI service providers) are expected to pay attention to in the utilisation phase in the form of “principles” and provide explanations based on the principle of a human-centred AI society. Some other associations regarding AI have also published the same principles or guidelines for research into and the development of artificial intelligence.

Internet of Things (IoT) and Ubiquitous Sensors

Legal problems regarding the IoT and ubiquitous sensors have been the subject of intensive discussions of late, but no specific laws or regulations are currently targeting the IoT or ubiquitous sensors. However, the MIC has published guidelines regarding comprehensive measures for IoT securities (July 2016).

Please also refer to the sections on big data analytics and artificial intelligence.

Autonomous Decision-Making, Including Autonomous Vehicles

Legal problems regarding autonomous vehicles, including ethical issues, disclosure of the bases and logic of autonomous decision-making processes, and responsibility for accidents, have been the subject of recent intensive discussions in Japan. The Road Traffic Act was amended in April 2020 and April 2022, allowing autonomous vehicles to drive if certain requirements are met.

Facial Recognition

Facial recognition data is considered personal information subject to the regulations explained in 2.1 Omnibus Laws and General Requirements. For example, facial recognition data collected for the prevention of crimes cannot be used for marketing purposes.

Biometric Data

Biometric data is considered personal information subject to the regulations explained in 2.1 Omnibus Laws and General Requirements.

Geolocation

The geolocation of persons is considered personal information and is subject to the regulations explained in 2.1 Omnibus Laws and General Requirements. In practice, it is highly recommended to obtain the consent of data subjects before collecting accurate GPS data, because of privacy concerns. If the geolocation information is obtained through mobile communication provided by a telecommunications company, it will be protected under the secrecy of communication.

Drones

There are laws and regulations on the use of drones, including the Aviation Act, prohibitions on the flight of small pilotless planes, and local government ordinances. There are also privacy concerns regarding the use of drones, and the MIC has published guidelines regarding the use of images or videos filmed by drones on the internet.

Disinformation, Deepfakes and Other Online Harms

There are currently no laws or regulations regarding disinformation and deepfakes. However, online harm – such as anonymous online defamation, privacy infringement and insults – is viewed as a serious problem. To address it, a legal procedure mandates server operators and internet service providers to disclose the identity of relevant personal information. However, this procedure is complicated, costly and lengthy, and thus an amendment of a relevant law that eases the legal procedure was approved in April 2021 and took effect from October 2022. The MIC started a public consultation about how online platforms should respond to illegal and harmful information such as slander and defamation on 27 December 2022.

“Dark Pattern” or Online Manipulation

There are currently no specific laws or regulations regarding “dark patterns” or online manipulation. However, if a business obtains consent in a deceitful or unfair manner, such consent or the contract may be cancelled.

Fiduciary Duty for Privacy or Data Protection

Directors of companies owe a fiduciary duty to those companies, which typically includes the duty to establish an internal risk management system for privacy or data protection. The Corporate Privacy Governance Guidebook for the DX Era, issued by the METI (version 1.3 in April 2023), can be useful for corporate privacy governance.

The METI takes the necessary measures to improve transparency and fairness in trading on digital platforms under the Transparency Act. The Japan Fair Trade Commission is authorised to exercise certain measures against unreasonable restraint of trade and unfair trade practices taking advantage of market power under the Anti-monopoly Act.

Please refer to 2.5 Enforcement and Litigation for examples of significant privacy and data protection regulatory enforcement or litigation.

In the context of due diligence in M&A, analysing the legal issues related to privacy and data protection that come with an acquired business is necessary, given the potential for such issues to crystallise into a significant risk.

There are no non-cybersecurity-specific laws that legally mandate the disclosure of an organisation’s cybersecurity risk profile or experience; however, in practice, it is common for publicly listed companies to disclose cybersecurity risks in the “risk of business” section of their annual securities reports. Both the Cybersecurity Management Guidelines issued by the METI and the Information-Technology Promotion Agency and the Point of View Regarding Cybersecurity for Enterprise Management issued by the National Centre of Incident Readiness and Strategy for Cybersecurity (NISC) mention the possibility of public disclosure. The MIC has also published Manuals for Information Disclosure of Cybersecurity Measures (28 June 2019).

The key development in consumer protection law is an amendment of the Consumer Contract Act, which came into force on 1 June 2023. This act nullifies a clause in a consumer agreement if the clause limits the liabilities of a business resulting from its slight negligence, but it is unclear whether or not such clause applies to the slight negligence of the business. For example, a limitation of liability clause will be nullified if it states: “To the maximum extent permitted by applicable law: (i) in no event will ABC, ltd be liable for special, incidental, or consequential damages; and (ii) ABC, ltd’s liability will in no event exceed fifty dollars.” Instead, it should state: “Where ABC, ltd’s slight negligence causes damages, (i) in no event will ABC, ltd be liable for special, incidental, or consequential damages; and (ii) ABC, ltd’s liability will in no event exceed fifty dollars.”

There are no data protection or privacy issues of major importance that have not already been covered in this chapter.