Overview of data protection requirements in Japan

This article sets out an overview of the data protection requirements under the Act on the Protection of Personal Information of Japan (‘APPI’). APPI was passed in 2003 and went into effect in 2005. It has been amended time to time, including the amendments in 2021 and 2022.

Acquisition

Under APPI, a personal information handling business operator (‘business operator’) shall specify the purpose of using the personal information (‘purpose of use’) as explicitly as possible, shall promptly notify the identifiable person of the purpose of use or disclose it to the public and shall not acquire personal information by deceit or other improper means.

When obtaining ‘special care-required personal information’, which includes but not limited to race, creed, social status, medical history, criminal record, and the fact of having suffered damage by a crime, the consent of the principal must be generally obtained (exceptions similar to third-party transfer will apply).

Use

A business operator shall not handle personal information beyond the necessary scope to achieve a purpose of use without obtaining in advance the principal’s consent (except anonymised personal information). Besides, changing the purpose of use may only be permitted within the scope reasonably related to the original purpose of use. When the purpose of use is changed, the business operator shall inform the change individually to the principals or disclose to the public. Pseudonymised personal information may be used for a new purpose without obtaining in advance the principal’s consent.

Security measures

A business operator shall take necessary and appropriate action for the security control of personal data to prevent the leakage, loss or damage of personal data. The Personal Information Protection Commission (‘PPC’) illustrates in its guideline seven categories, taking into account the scale and nature of the business: formulation of the basic policy for handling of personal data, establish internal rules regarding handling of personal data, organisational security control measures, human security control measures, physical security control measures, technical security control measures and measures taken in light of the external circumstances.

Third-party transfer/sharing

The consent of the principal is required to provide the personal information to a third party with the exception provided by article 27 (1) of APPI, where the need to protect the social public good or other interests outweighs the interest of the individual. Besides, provision of data under entrustment, M&A transaction, or joint use (limited to those that meet legal requirements) shall not fall under ‘provision to a third party’. Anonymised personal information may be provided without obtaining the principal’s consent, although a business operator must disclose the categories of information on an individual that is contained in the anonymised personal information, and the means of providing it, and state to the third party explicitly that the information it will provide is anonymised personal information.

Cross-border transfer

(1) General principles for cross-border transfer

APPI generally requires prior consent from the principal for transferring his/her personal data to a third party in a foreign country, after disclosing the following information to the principal: (i) the name of the foreign country where the third party is located; (ii) information on the system for the protection of personal data in that foreign country; and (iii) information on the measures taken by that third party to protect personal data.

(2) Exceptions
  1. A ‘foreign country’ under APPI does not include a country that has a personal information protection regime equivalent to Japan designated by PPC, currently, EU and UK.
  2. A ‘third party in a foreign country’ under APPI does not include a party which takes necessary actions to ensure continuous implementation of proper measures which are equivalent to the rules under APPI (‘necessary actions’) including (a) an appropriate contract with a foreign recipient of the personal data, setting forth measures which are equivalent to the rules under APPI, or (b) a recognition based on an international framework concerning the handling of personal information (APEC CBPR certification).
(3) Data transferred from EU and UK to Japan

For data transferred from EU and UK to Japan based on adequacy decision, there are supplementary rules provided by PPC.

  1. In providing personal data provided from EU or UK based on adequacy decision to a third party in a foreign country, it is necessary to obtain the prior consent of the individual, with certain exceptions, in accordance with article 28 of APPI.
  2. When data acquired from EU or UK is anonymised in Japan, it is considered as ‘anonymised personal information’ only if it is impossible for any person to
    re-identify the anonymised individual.
  3. Under the proposed amendment currently under consideration, pseudonymised personal information obtained by processing personal information provided from EU or UK based on adequacy decision shall be handled only for statistical purposes.

Record keeping

When providing personal data to a third party and receiving personal data from a third party, a business operator shall keep the record as required under APPI.

Incident response

When leakage or loss of personal data or other situation concerning security of personal data which is highly likely to harm an individual’s rights and interests, a business operator shall provide a preliminary report (generally within three to five days) and a definite report (within 30 days (in the case of the leakage of personal data, etc. committed with a wrongful purpose, within 60 days)) to PPC, and notify to the principal.

Individual’s rights

Under certain requirements, a principal of personal data has right to request notification of purposes of use, disclosure, correction/addition/deletion, suspension of use/elimination, suspension of provision to a third party, or disclosure of records of provision to a third party.

Regulatory oversight

PPC has power and authority to require business operators to submit information and materials, conduct on-site inspection, provide guidance and advice concerning handling of personal information. In the case of breach of the regulations under APPI, PPC has authority to make recommendation or issue an order against the breach.

Penalties

There are penalties for violation of APPI. For example, if an employee has committed an unauthorised provision of personal information database, the individual is subject to imprisonment for no more than one year or to a fine of no more than ¥500,000, and the corporate body is subject to a fine of no more than ¥100m.

Civil liabilities

When a business operator leaks personal data, it may be held liable for torts to the affected principals. The amount of damages awarded by the court is basically low. Recent court cases have awarded damages of about ¥3,000 per each plaintiff.