Please provide an overview of the legal and regulatory framework governing data protection and privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data do they regulate, and who enforces the relevant laws). Are there any expected changes in the data protection and privacy law landscape in 2022-2023 (e.g., new laws or regulations coming into effect, enforcement of any new laws or regulations, expected regulations or amendments)?
The Act on the Protection of Personal Information (the “APPI”, Act No. 57 of 2003)
The APPI imposes obligations on business operators handling personal information (“Business Operators”). If a foreign company has a branch office or business or liaison office in Japan, or conducts business in Japan, and uses a Personal Information Database for its business in Japan, such foreign company will fall under the definition of “Business Operator”.
Personal information (“Personal Information”) means:
- Information by which a specific living individual is identified or identifiable (including information which can be readily combined with other information and thereby make the identification of a specific individual possible); and
- Information containing an individual identification code (“Individual Identification Code”), which refers to any character, number, symbol or other code (i) into which a partial body feature of a specific individual has been converted by computer for use and which can identify that specific individual, or (ii) which is assigned to services or goods provided to an individual, or is stated or recorded electronically or magnetically on a card or other document issued to an individual (such as a driver’s license number), so as to identify him/her as a specific user, purchaser, or recipient of the issued document.
If such Personal Information is systematically organized to allow for its retrieval, such collective body of information will fall within the definition of Personal Information Database. The term “Personal Data” refers to Personal Information constituting a Personal Information Database.
The APPI (i) sets forth a basic framework regulating the responsibilities and policies of the national and local governments with respect to the protection of Personal Information; (ii) establishes the Personal Information Protection Commission (the “PPC”) and defines its role as the national data protection authority; and (iii) provides for enforcement measures such as imprisonment and criminal fines.
The PPC formulates basic policies on the protection of Personal Information in accordance with the APPI and promotes the protection of Personal Information in both the public and private sectors. These basic policies include guidelines that are updated from time to time.
The APPI is not sector-specific, but certain guidelines, such as those described below, may apply to particular sectors.
Main obligations under the APPI
Phase 1: Acquisition/collection of personal information
- Disclosure of the purposes of use of Personal Data (“Purposes of Use”) prior to collection of Personal Information
- No obligation to obtain the individual’s consent (except for sensitive Personal Information (“SPI”))
Phase 2: Use of Personal Information/Personal Data
- Duty to take reasonable security measures, including preventing the leakage, loss of, or damage to, Personal Data that is handled
- No obligation to obtain the individual’s consent when utilizing Personal Data within the scope of previously disclosed Purposes of Use
Phase 3: Disclosure (to third parties) of Personal Data
- In principle, individual consent is required for disclosure to a third party.
- An entity disclosing Personal Data to a third party must maintain records of its disclosures, unless exemption requirements are met.
- An entity receiving Personal Data from a third party must confirm that the disclosing party is a legitimate holder of the Personal Data and maintain records of the disclosures received, unless exemption requirements are met.
General obligation to use Personal Data appropriately
Business Operators are prohibited from using Personal Information in ways that could promote or induce illegal acts or abuses. This rule applies at all stages (Phases 1 to 3 above).
Guidelines (the “Guidelines”)
- Guidelines on APPI principles issued by the PPC
- Guidelines on the protection of Personal Information in the financial sector issued by the PPC and the Financial Services Agency
- Guidelines on the protection of Personal Information in the medical sector issued by the PPC and the Ministry of Health, Labour and Welfare (the “MHLW”)
- Other sectoral guidelines issued by other ministries
Supplemental Rules
- In addition to the APPI and the Guidelines, a Business Operator must comply with supplementary rules (“Supplemental Rules”) when it receives Personal Data from within the EU, based on the European Commission’s adequacy decision.
- The Supplemental Rules were introduced to facilitate the smooth transfer of Personal Data between Japan and EU member states pursuant to the European Commission’s decision designating Japan as a jurisdiction with an adequate level of protection for Personal Data. The PPC has likewise designated the EEA member states and the UK as foreign countries with an adequate system for the protection of Personal Data.
Local regulations
- All prefectures and municipal governments in Japan have local regulations dealing with protection of Personal Information.
Regulatory bodies
- The PPC is the sole national data protection authority in Japan.
Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
There are no specific registration or licensing requirements for Business Operators.
How do these laws define personal data or personally identifiable information (PII) versus special category or sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
Personal Information (PII)
See Q1.
Sensitive Personal Information (“SPI”)
SPI means Personal Information which requires special handling measures, including but not limited to information on an individual’s race, creed, social status, medical history, criminal record, and status as the victim of a crime. See Q7 on SPI regulations.
Business Operators
See Q1.
What are the principles related to the general processing of personal data or PII – for example, must a covered entity establish a legal basis for processing personal data or PII in your jurisdiction, or must personal data or PII only be kept for a certain period? Please outline any such principles or “fair information practice principles” in detail.
The laws of Japan and the Guidelines do not explicitly contain principles relating to the processing of Personal Data, such as transparency under Article 5 of GDPR. However, in the interpretation of the provisions of the APPI, rules similar to such principles are often applied (for example, if Personal Information held by a Business Operator is found to be unnecessary in light of the Purposes of Use, it is obligated to make efforts to immediately delete the Personal Information in question). The purpose of the APPI is to protect the rights and interests of individuals while taking into consideration the usefulness of Personal Information, in view of the exponential growth in use of Personal Information due to the rapid development and spread of information and communication technology, with Japan aspiring to become a leading advanced information and telecommunications network society. This can be achieved by clarifying the responsibilities of the State and local governments, i.e., by laying down basic principles, establishing basic policies to be pursued by the government and providing a framework for other measures regarding the protection of Personal Information.
Are there any circumstances where consent is required or typically used in connection with the general processing of personal data or PII?
In principle, individual consent is required for disclosure of Personal Data to a third party. However, the consent requirement is exempted in the following cases:
- (i) entrustment of Personal Data (subcontracting); (ii) disclosure upon business succession (e.g., M&A); and (iii) joint use.
- Regarding (iii), if a Business Operator informs an individual in advance or ensures that he or she can easily become aware of five specific statutory elements, such Business Operator can jointly use Personal Data with a third party (such as a subsidiary) without obtaining any prior consent to the disclosure.
- If a Business Operator satisfies the opt-out process requirements, such Business Operator does not need to obtain individual consent for each disclosure of Personal Data (except for SPI).
What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?
The form of consent is not subject to detailed rules. It must be obtained reasonably in light of the surrounding circumstances.
Implied consent or bundled consent may be permitted as long as they are reasonable. However, opt-out consent is not permitted unless the relevant exemption requirements are met.
What special requirements, if any, are required for processing sensitive PII? Are there any categories of personal data or PII that are prohibited from collection?
In principle, for the SPI, individual consent is required for acquisition/collection and disclosure to a third party (including cases where the Business Operator meets the opt-out process requirements).
How do the laws in your jurisdiction address children’s personal data or PII?
If a minor does not have the ability to properly assess the consequences of consenting to the processing of his or her Personal Information, the consent of a person who has parental authority, the legal representative, etc. must be obtained.
If the data subject is a minor, the legal representative may request disclosure, a correction, or suspension of use, etc.
Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
Anonymously Processed Information
Anonymously Processed Information means information relating to an individual produced by processing Personal Information, in the manner prescribed by the APPI and the Guidelines, such that a specific individual can no longer be identified and the original Personal Information cannot be restored.
Business Operators which handle Anonymously Processed Information (“Anonymously Processed Information Business Operators”) are subject to certain obligations. Also, a Business Operator that produces Anonymously Processed Information (“Anonymously Processed Information Producer”) is subject to numerous obligations in addition to the general obligations imposed on Business Operators.
Production of Anonymously Processed Information
The details of processing methods for the production of Anonymously Processed Information are provided in the Guidelines.
Obligations of Anonymously Processed Information Producers and Anonymously Processed Information Business Operators
A Business Operator is required to comply with the APPI when producing and handling Anonymously Processed Information (limited to information comprising an Anonymously Processed Information database). An Anonymously Processed Information Producer must take security control measures to prevent the leakage of related information on processing methods, etc., has a disclosure obligation when producing Anonymously Processed Information and providing it to a third party, and is prohibited from seeking any re-identification.
In addition, an Anonymously Processed Information Business Operator that receives Anonymously Processed Information processed and produced from Personal Information from another Business Operator and uses it for its business is required to comply with the APPI. An Anonymously Processed Information Business Operator that receives Anonymously Processed Information is subject to a prohibition on re-identification, must strive to take certain security control measures, and has a disclosure obligation when providing Anonymously Processed Information to a third party.
The figure below is from the former Guidelines (Report by the Personal Information Protection Commission Secretariat: Anonymously Processed Information) which were in force until March 31, 2022, and shows the respective obligations under the APPI. (Please note that APPI article numbers in the figure are from the former APPI, to which major amendments were made effective April 1, 2022.)
Pseudonymously Processed Information
The concept of “Pseudonymously Processed Information” was introduced as of April 1, 2022. Pseudonymously Processed Information means information relating to an individual which has been processed from Personal Information such that the data subject can no longer be identified solely from the data (replacing personally identifiable data with artificial identifiers). This concept was introduced in response to complaints from business circles that the requirements for Anonymously Processed Information are too strict and that it is therefore not frequently used.
The following chart is a general overview of the obligations regarding Pseudonymously Processed Information:
| Regulations on Personal Information, Personal Data or Retained Personal Data (See Q32) | Pseudonymously Processed Information which also constitutes Personal Information | Pseudonymously Processed Information which does NOT constitute Personal Information |
| --- | --- | --- |
| Handling within the Purposes of Use (See Q1) | applicable | not applicable |
| Disclosure of the Purposes of Use (See Q1) | applicable | not applicable |
| Obligations in relation to disclosure to a third party (See Q5) | applicable | applicable |
| Obligations in relation to disclosure to a third party in a foreign country | applicable | applicable |
| Obligations in relation to Retained Personal Data (See Q32) | not applicable | not applicable |
| Reporting to the PPC and notification to data subjects in the event of a Notifiable Data Breach (See Q13 and Q29) | not applicable | not applicable |
| Security control measures (See Q26) | applicable | applicable |
| Others | A Business Operator producing Pseudonymously Processed Information must remove financial information and certain other items (which would enable the unlawful use of such information by a third party) included in the relevant information. Collation with other information is prohibited when handling Pseudonymously Processed Information. Using contact information of data subjects included in Pseudonymously Processed Information to contact the data subjects is prohibited. | Same requirements as those shown in the left column |

Personally Referable Information
The concept of “Personally Referable Information” (“PRI”) was introduced as of April 1, 2022. PRI is defined as information which does not qualify as Personal Information, Anonymously Processed Information or Pseudonymously Processed Information, but (i) relates to a living individual and is systematically organized to constitute or be part of a database, and (ii) is expected by the transferring party to be acquired by a third-party recipient as Personal Data (i.e., the recipient would use the information in a personally identifiable manner). In other words, PRI is information which does not enable identification of an individual by the transferring party, and is only regulated (i.e., subject to a consent requirement) when it enables the identification of an individual by the receiving party after transfer. The consent of the data subject is required for the transfer of PRI from the abovementioned transferring party to the abovementioned receiving party.
When the consent requirement to a PRI third-party transfer, discussed above, is applicable, the transferring party is obligated to confirm that the consent of the data subject has been obtained.
At the initial drafting stage, Personally Referable Information was intended mainly to regulate cookie information. However, any information falling under the definition of PRI, not only cookies, is regulated.
Does your jurisdiction impose requirements of 'data protection by design' or 'data protection by default' or similar? If so, please describe the requirement and how businesses typically meet the requirement.
Following the 2015 revisions to the APPI, the House of Representatives clearly expressed (as reflected in its Supplementary Resolution) the official position of the government, which is to encourage privacy by design in the private sector.
In addition, the “Smartphone Privacy Initiative” paper published by the Ministry of Internal Affairs and Communications in 2012 states that businesses involved in the provision of services related to smartphones should ensure in advance that their products and services are designed so that users’ Personal Information and privacy will be respected and protected from the time new applications, services, application provision sites, software, and devices are developed. Privacy-by-design appears to be one of the aspirational goals behind these policies.
Although these principles are for general guidance and not legally binding, there are some instances in which operators of application provider sites develop and publish guidelines for the design of applications that incorporate considerations relating to technical measures to be taken at the earliest stages of the design in a way that safeguards privacy.
Are owners or processors of personal data or PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
Are Business Operators required to maintain any internal records of their data processing activities?
Mandatory requirements
The Guidelines provide that a Business Operator disclosing Personal Data to a third party must maintain records of its disclosures and log statutory disclosure items, unless exemption requirements are met.
The Guidelines also provide that a Business Operator receiving Personal Data from a third party must ensure that the disclosing party is a legitimate holder of the Personal Data and maintain records and log statutory disclosure items (together with the abovementioned records and logs by a disclosing Business Operator, “Third-party Transfer Records”), unless exemption requirements are met.
(In these situations, a Business Operator must disclose a Third-party Transfer Record upon a request by a data subject. See Q32.)
Best efforts obligations
The Guidelines obligate a Business Operator to make efforts to maintain internal records (such as daily operations records or records of access to the internal information system) of its data processing activities in order to confirm if Personal Information is being handled in accordance with relevant internal rules.
Are Business Operators required to establish internal processes or written documentation?
The Guidelines require a Business Operator to establish internal rules for the processing of Personal Data in order to ensure the prevention of Personal Data breach incidents, and other security controls applicable to Personal Data. As such, some Business Operators are developing rules for the processing of Personal Data that define how to process data, provide for the appointment of a manager in charge and a staff member in charge, and define their tasks for each of the relevant stages, such as collection, use, retention, provision, deletion and destruction of the data.
Do the laws in your jurisdiction require or recommend having defined data retention and data disposal policies and procedures? If so, please describe these data retention and disposal requirements.
A Business Operator must keep Personal Data accurate and up-to-date to the extent necessary to achieve the Purposes of Use, and must endeavor to delete Personal Data without delay when there is no longer a need to use it.
A Business Operator must define (i) organizational security control actions, (ii) human security control actions, (iii) physical security control actions, and (iv) technical security control actions, as described below, when Personal Data is processed with an information system (including devices such as PCs), including where Personal Data is transmitted to external users through the Internet or any other network, as well as (v) its understanding of the external environment in which the Personal Data is handled.
When are you required to, or when is it recommended that you, consult with data privacy regulators in your jurisdiction?
Data Privacy Regulator in Japan – PPC
The PPC was set up as an authority independent from other governmental bodies. Under the APPI, the PPC chairperson and members exercise their judgement and authority independently. The main roles of the PPC are as follows:
Formulation and Promotion of Basic Policies
The PPC formulates basic policies on the protection of Personal Information in accordance with the APPI and promotes the protection of Personal Information in both the public and private sectors. These basic policies include the Guidelines.
Enforcement Powers
The PPC has the power to issue guidance and advice, request reports, conduct on-site inspections, make recommendations and issue orders to governmental institutions and Business Operators.
International Cooperation
The PPC promotes cooperation with data protection authorities in other countries, through formal and informal exchanges of views with foreign data protection authorities.
Accredited Personal Information Protection Organization
To ensure the proper handling of Personal Information, the PPC accredits private organizations (“Accredited Personal Information Protection Organizations”) which provide services such as receiving complaints on the handling of Personal Information, advising those making a complaint and investigating the circumstances surrounding a complaint, based on the APPI.
In addition, the PPC supervises Accredited Personal Information Protection Organizations. The PPC requires them to report on the conduct of their services and may order them to improve their services or take other necessary action.
When are you required to consult with the Data Privacy Regulator?
When a Business Operator has failed to comply with certain requirements under the APPI, the PPC may require the Business Operator to cease its violation of the APPI and take other necessary measures to remediate the violation, and may order further measures if a recommendation is ignored.
Specifically, the PPC has the power to require a Business Operator to submit information or materials relating to such Business Operator’s handling of Personal Information, or have its officials enter a business office or other relevant facilities of a Business Operator in order to enquire about the handling of Personal Information or inspect books, documents and other properties.
As to corrective measures, the PPC has the power to:
- issue guidance or advice to a Business Operator with regard to its handling of Personal Information;
- recommend that a Business Operator cease the violation or take other necessary corrective action if the PPC determines that there is a need to protect an individual’s rights and interests, in certain cases where the Business Operator has violated a provision of the APPI; and
- order a Business Operator to take action in line with the recommendation if the PPC determines that a serious infringement of an individual’s rights and interests is imminent, in cases where the Business Operator has received a recommendation but failed to take action in line with the recommendation without just cause.
Data Breach
- When a leakage, loss of or damage to the Personal Data (the “Data Breach”) has occurred, a Business Operator may be obligated to notify the PPC (and affected data subjects, see Q29) of the Data Breach, and provide them with a Japanese summary of the Data Breach and other relevant matters described in the Guidelines (the “Data Breach Information”).
Report to the PPC
(a) Notifiable Data Breach
The Data Breach is notifiable when:
- the Personal Data includes or is likely to include SPI;
- damage to property is likely to arise in light of the nature of the Personal Data (e.g., credit card numbers);
- persons with malicious intentions are likely to be involved in the Data Breach; or
- it has a significant scale (i.e., 1000 or more individuals).
(b) Who notifies the Data Breach
In cases of entrustment of data to a third party, the entrusted Business Operator is exempt from the obligation to report to the PPC if it has reported the Data Breach Information to the entrusting Business Operator.
(c) Procedure of notification
- (i) Preliminary report
- Upon becoming aware of the Data Breach, the Business Operator must immediately (i.e., within three to five days) report to the PPC the Data Breach Information based on the facts which are reasonably discoverable at the time of such report.
- (ii) Full report
- The Business Operator must submit to the PPC a full report of the Data Breach Information within 30 days (or 60 days if persons with malicious intentions are likely to be involved) of becoming aware of the Data Breach.
- Under the Guidelines on Personal Information Protection in the Financial Industry, a Business Operator in the financial sector must immediately report any leakage of Personal Information to the Financial Services Agency.
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
Risk assessments
Japanese law does not lay down detailed rules dealing with risk assessments, and the Guidelines merely provide that Business Operators must make efforts to closely monitor their handling of Personal Data and to audit, review, and improve their security control measures. However, it is recommended that Business Operators voluntarily conduct risk assessments and establish appropriate systems according to the quantity, sensitivity, Purposes of Use, etc. of processed Personal Data.
Do the laws in your jurisdiction require appointment of a data protection officer (or other person to be in charge of privacy or data protection at the organization) and what are their legal responsibilities?
The APPI has no provision expressly mandating the appointment of a data protection officer. However, a Business Operator is required to take necessary and appropriate action for the security and control of Personal Data, including preventing the leakage, loss or damage of Personal Data which it handles. In connection with this provision, the Guidelines require a Business Operator to take security control measures which may include the following:
Organizational security control measures
For example, appointing a person responsible for handling Personal Data, establishing a system to respond to leakage, loss or damage, and conducting safety audits on systems that manage Personal Data.
Human security control measures
For example, employee training on the handling of Personal Data.
Physical security control measures
For example, controls on access to areas where important Personal Data is handled, and storage of documents containing Personal Data in a locked cabinet.
Technical security control measures
For example, installing a firewall on computers connected externally through networks, and restricting access to systems that handle Personal Data.
Do the laws in your jurisdiction require or recommend employee training? If so, please describe these training requirements.
A Business Operator must ensure that its employees are fully aware of the requirements for the proper handling (i.e., processing) of Personal Data and provided with appropriate training.
Do the laws in your jurisdiction require businesses to provide notice to individuals of their processing activities? If so, please describe these notice requirements (e.g., posting an online privacy notice).
The APPI imposes an obligation on companies to notify the data subject of the Purposes of Use of their Personal Data when they collect the Personal Information. In principle, companies can use their websites to make this notification, and in practice they often list the purposes in their privacy policies.
In addition, when acquiring Personal Information from a data subject in an application form, questionnaire or other document, companies need to clearly explain to the data subject the purpose of such collection of Personal Information.
Do the laws in your jurisdiction draw any distinction between the owners/controllers and the processors of personal data and, if so, what are they? (e.g., are obligations placed on processors by operation of law, or do they typically only apply through flow-down contractual requirements from the owners/controller?)
Japanese law does not draw any distinction between owners/controllers and processors, but does draw a distinction between the entrusting party and the entrusted party, which is relevant in the context of processing activities. The APPI imposes on an entrusted party the same obligations as those imposed on a Business Operator (entrusting party), and the entrusting party must exercise necessary and appropriate supervision over the entrusted party.
Do the laws in your jurisdiction require minimum contract terms with processors of personal data or PII or are there any other restrictions relating to the appointment of processors (e.g., due diligence or privacy and security assessments)?
General description
When a Business Operator “entrusts” Personal Information, it must exercise necessary and appropriate supervision over the entrusted party to ensure security control over the entrusted Personal Data. The Business Operator must ensure that the entrusted party has taken the same appropriate measures that the Business Operator is required to take.
The Guidelines provide that “necessary and appropriate supervision” includes:
- the appropriate selection of the entrusted party (e.g., when selecting an entrusted party, a Business Operator must confirm in advance that the measures set forth in the Guidelines are implemented.);
- the conclusion of contracts to ensure that security control measures required by the APPI are duly implemented and complied with by the entrusted party; and
- the regular monitoring of the conditions under which the entrusted party is handling the entrusted Personal Data (e.g., it is recommended that a Business Operator conduct inspections of an entrusted party, including regular audits, and then appropriately assess the conditions under which Personal Data is handled by such entrusted party).
Minimum contract terms with processors of Personal Data
The Guidelines provide that it is preferable for the contractual terms and conditions agreed with the entrusted party to include provisions allowing the Business Operator (entrusting party) to reasonably monitor and audit the entrusted party’s handling of the entrusted Personal Data.
Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction including the use of tracking technologies such as cookies. How are these terms defined and what restrictions are imposed, if any?
- Under the APPI, online identifiers (IP address, cookies, etc.) and location information alone do not generally constitute Personal Information, unless such information can identify a specific individual by itself or in conjunction with other information.
- If Business Operators acquire/collect Personal Information in monitoring or profiling, they are required to disclose in advance the Purposes of Use to the extent possible. They are also prohibited from using the Personal Information of any person beyond the scope necessary to achieve the disclosed Purposes of Use without obtaining the prior consent of that person.
Please describe any restrictions on cross-contextual behavioral advertising. How is this term or related terms defined?
Restrictions on cross-contextual behavioral advertising
Cross-contextual behavioral advertising often involves the following case:
[Case]
Alpha Corp. (“Alpha”), a Business Operator, collects names, email addresses and cookie information of its members through its membership website. For example, Alpha collects Mx. Smith’s name, email address and cookie information.
Beta Corp. (“Beta”), a data management platform, collects cookie information (“Anonymous Cookie Information”) of numerous anonymous data subjects. Because Beta is not able to identify data subjects from the Anonymous Cookie Information, the Anonymous Cookie Information does not fall under the definition of Personal Information on Beta’s end. However, Beta is able to understand from the Anonymous Cookie Information the preferences of the data subjects (“Mx. X”) whom it is not able to identify.
Alpha provides Mx. Smith’s cookie information to Beta. Again, Mx. Smith’s cookie information does not fall under the definition of Personal Information on Beta’s end because Beta is not able to identify the data subject (i.e., Mx. Smith) from the cookie information. Beta collates Mx. Smith’s cookie information with the Anonymous Cookie Information. Beta provides the Anonymous Cookie Information (i.e., data on Mx. X’s preferences) to Alpha if the data subject of Mx. Smith’s cookie information (i.e., Mx. Smith) matches the data subject of the Anonymous Cookie Information (i.e., Mx. X).
Alpha is able to understand that the data subject of the Anonymous Cookie Information received from Beta is Mx. Smith. Accordingly, such Anonymous Cookie Information falls under the definition of Personal Information on Alpha’s end. Alpha understands Mx. Smith’s preferences from such Anonymous Cookie Information and sends targeted advertisements to Mx. Smith.
In the above case:
The Anonymous Cookie Information falls under the definition of PRI on Beta’s end, while it falls under the definition of Personal Information on Alpha’s end. Accordingly, Alpha must obtain consent from Mx. Smith to receive it. See Q9.
In addition, Beta must confirm that Alpha has obtained the above consent (and record certain statutory items) prior to providing the Anonymous Cookie Information to Alpha. See Q9.
How is “cross-contextual behavioral advertising” or related terms defined?
See “Restrictions on cross-contextual behavioral advertising” above. The APPI does not regulate cross-contextual behavioral advertising per se.
Amendments to the Telecommunications Business Act (“TBA”)
As in the case described under “Restrictions on cross-contextual behavioral advertising” above, cross-contextual behavioral advertising often involves cookie information. In this regard, on June 13, 2022, the Diet passed a bill to amend the TBA to introduce new obligations on certain telecommunications business operators which use cookie information. The effective date of these amendments will be designated in due course, but it will not be later than June 17, 2023. A detailed explanation of the new obligations will be provided in the relevant sub-legislation or guidelines to be issued by the effective date.
Please describe any laws in your jurisdiction addressing the sale of personal information. How is “sale” or related terms defined and what restrictions are imposed, if any?
Restrictions on transfer to third parties (see Q5) will apply when a Business Operator intends to sell Personal Data. The APPI does not have special restrictions on the “sale” of Personal Data, i.e., transfer to third parties is restricted regardless of whether it is a sale (with consideration) or a gratuitous assignment. As long as the requirements for third-party transfer are met, the sale is permissible from data protection regulation perspectives.
Please describe any laws in your jurisdiction addressing telephone calls, text messaging, email communication or direct marketing. How are these terms defined and what restrictions are imposed, if any?
General
APPI – Disclosure of the Purposes of Use
The APPI does not restrict the scope of the Purposes of Use (including use for marketing purposes) as long as the Purposes of Use have been disclosed to the public (e.g., privacy policy on the website) or notified to individuals.
The Guidelines have made it clear that a Business Operator handling Personal Information for marketing purposes must include detailed language on how it processes Personal Information in its disclosed Purposes of Use (e.g., in a privacy policy). The PPC proposes the following language by way of example: We handle your Personal Information for the following purposes:
- Information such as browsing history or purchase history obtained will be analyzed and used for advertisements on new products and services optimized in accordance with your interests and preferences.
- After calculating a credit score through analysis on the obtained information such as behavioral history, we will provide the credit score to a third party.
APPI – PRI
See Q9 and Q21.
Email Communication
The Act on Specified Commercial Transactions
Under this Act, sellers or service providers can only advertise to consumers via email when recipients opt in to receive emails; when sending email advertisements together with a notice regarding contracts (e.g., finalization of an agreement or shipment of goods); or when sending an email advertisement together with an email newsletter that is sent with the recipient’s consent.
The Act Regulating the Transmission of Specified Electronic Mail
Under this Act, senders can only advertise via email when recipients opt in to receive such email; when recipients notify their email address to the sender in writing (for instance, by providing a business card); when recipients have a business relationship with the sender; or when recipients make their email address available on the Internet for business purposes.
Text Messaging
The Act on Specified Commercial Transactions also applies to text messaging. See “Email Communication – The Act on Specified Commercial Transactions” above, replacing “email” with “text message”.
Telephone Calls
Under the Act on Specified Commercial Transactions, when a business operator conducts telemarketing, it must inform consumers of the following matters prior to solicitation:
- Name of the business operator
- Name of the employee conducting the solicitation
- The type of goods or services to be sold
- The purpose of the telephone calls (i.e., telemarketing)
In addition, a business operator must not continue solicitation or conduct re-solicitation of consumers who refused the solicitation.
Please describe any laws in your jurisdiction addressing biometrics, such as facial recognition. How are these terms defined and what restrictions are imposed, if any?
Biometrics, such as facial recognition, are regulated under the APPI as an Individual Identification Code (see Q1).
Is the transfer of personal data or PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism? Does a cross-border transfer of personal data or PII require notification to or authorization from a regulator?)
See Q5.
What security obligations are imposed on personal data or PII owners/controllers and on processors, if any, in your jurisdiction?
- Pursuant to the Guidelines, a Business Operator must implement the following measures as technical security control measures when Personal Data is processed through an information system (including devices such as personal computers), including when Personal Data is transmitted to external users through the Internet or other networks. A Business Operator must:
- implement appropriate access controls to restrict the number of authorized users and the scope of the Personal Information Database, etc. to be processed by each user (e.g., limiting the scope of an information system that can process a Personal Information Database.).
- use identification methods (e.g., User ID, password, magnetic and IC cards) to confirm that users of an information system that processes Personal Data are duly authorized.
- introduce a mechanism designed to protect information systems processing Personal Data from unauthorized external access, including through unauthorized software, and manage such mechanism in an appropriate manner (e.g., setting up firewalls at access points between an information system and external networks to block unauthorized access.).
- take preventive measures against the occurrence of Personal Data breach incidents in connection with the use of an information system, and manage such measures in an appropriate manner (e.g., ensuring security in designing information systems and reviewing security functions on a regular basis).
Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
See Q13 and Q29.
Does your jurisdiction impose specific security requirements on certain sectors, industries or technologies (e.g., telecoms, infrastructure, artificial intelligence)?
In certain sectors, the government has established sector-specific guidelines that apply the security control measures in the Guidelines or impose tighter requirements in addition to ones already contained in the Guidelines.
For example:
- In addition to Personal Data, which are covered by the Guidelines, the guidelines on the protection of Personal Information in the telecommunications sector also cover Personal Information which falls under the confidentiality of communications and require Business Operators in the sector to implement stricter security control measures when handling such information.
- In guidelines on the protection of Personal Information in the financial sector, security control measures listed in the Guidelines are generally more specifically described and strengthened.
Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?
Report to regulators
See Q13.
Notification to individuals
(a) Notifiable Data Breach
The Business Operator must notify the affected data subjects of certain parts of the Data Breach Information if the Data Breach is notifiable (see Q13), subject to certain exceptions.
(b) Procedure
Upon becoming aware of the Data Breach, the Business Operator must “immediately in light of the circumstances” notify the affected data subjects of that part of the Data Breach Information described in the Guidelines. This requirement “immediately in light of the circumstances” means that the Business Operator may consider various factors such as the risk of public confusion when it determines the timing of the notification.
(c) Exceptions
The obligation to notify the affected data subjects does not apply when such notification is difficult and when the Business Operator takes necessary alternative measures for the protection of the data subjects’ rights and legitimate interests.
Does your jurisdiction have any specific legal requirement or guidance regarding dealing with cyber-crime, such as the payment of ransoms in ransomware attacks?
Japan has a cybersecurity law called the Basic Cybersecurity Act. The primary task of this Act is to ensure cybersecurity while also ensuring the free distribution of information. The Basic Cybersecurity Act establishes basic principles including a national responsibility to move cybersecurity-related policies forward in a comprehensive and effective manner.
Japan also has other substantive laws that cover cybercrime, such as the Unauthorised Computer Access Prohibition Act, the Unfair Competition Prevention Act, and the Copyright Act.
Does your jurisdiction have a separate cybersecurity regulator? If so, please provide details.
There is no separate cybersecurity regulator.
Do the laws in your jurisdiction provide individual data privacy rights, such as the right to access and the right to deletion? If so, please provide a general description of the rights, how they are exercised, what exceptions exist and any other relevant details.
Retained Personal Data
Definition of Retained Personal Data
The Business Operator may be required to respond to a data subject’s request regarding Retained Personal Data (i.e., Personal Data held by the Business Operator, for which it has the authority to disclose, correct, add, delete, or suspend third-party transfer).
Right to request disclosure
A data subject may request a Business Operator which holds Retained Personal Data to disclose it. In principle, a Business Operator must disclose Retained Personal Data without delay in writing following such a request.
However, the Business Operator is exempt from disclosing Retained Personal Data in whole or in part, if:
- there is a possibility of harming a data subject or a third party’s life, body, assets or other rights and interests;
- there is a possibility of seriously interfering with the Business Operator’s right to run its business properly; or
- the disclosure would violate another law or regulation.
Right to request a correction, addition or deletion
A data subject may request a Business Operator to make a correction, addition or deletion (the “Correction”) in relation to Retained Personal Data when it is incorrect. The Business Operator must conduct the necessary investigation without delay to the extent necessary to achieve the Purposes of Use and, based on the results thereof, make the Correction of the Retained Personal Data following a request pursuant to the APPI.
However, the Business Operator is exempt from making the Correction where a special procedure concerning the Correction is prescribed by another law or regulation.
Right to request suspension of use or deletion
A data subject may request the suspension of use or deletion (the “Suspension of Use”) of Retained Personal Data if such data is handled or acquired in violation of the APPI or the obligation to prevent inappropriate use, or if there is a risk that the rights or interests of the individual may be harmed. A Business Operator must give effect to the Suspension of Use of the Retained Personal Data to the extent necessary to remedy the violation without delay, following receipt of a request pursuant to the APPI and when it has become clear that there is a valid reason for the request.
However, the Business Operator is exempt from Suspension of Use of Retained Personal Data when it requires significant costs and expenses or is difficult to implement, and when the necessary alternative action is taken to protect rights and interests of the data subject.
Disclosure of relevant records made in relation to third party transfers of Personal Data
A data subject may request the disclosure of relevant records made in relation to third party transfers of Personal Data.
Strengthening individual rights
The Amendments introduced new rules on individual rights as follows:
- Relaxation of the requirements for requesting suspension of use, deletion, and suspension of provision to a third party of Retained Personal Data
- Designation of disclosure method (e.g., a data subject may request a Business Operator which holds Retained Personal Data to disclose it electronically)
- Mandatory disclosure of relevant records made in relation to third party transfers of Personal Data
- Definition of Retained Personal Data
Are individual data privacy rights exercisable through the judicial system or enforced by a regulator or both?
The rights of a data subject regarding Retained Personal Data (see Q32) may be exercisable through the judicial system pursuant to the Code of Civil Procedure and could also be enforced by the PPC.
Does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances?
See Q35.
Are individuals entitled to monetary damages or compensation if they are affected by breaches of data privacy laws? Is actual damage required or is injury of feelings sufficient?
Are individuals entitled to monetary damages or compensation if they are affected by breaches of data privacy laws?
If a Business Operator leaked the Personal Information of customers and a tort under the Civil Code has been committed, the customer may claim damages from the Business Operator.
In such cases, the number of individuals affected by the leakage could be large. The Civil Procedure Code includes a collective action system, but it differs from the US-style class action in that claimants must generally opt in to join the litigation (the “Japanese-style class action”).
Is actual damage required or is injury of feelings sufficient?
According to lower court precedents, injury of feelings would suffice.
Benesse Corporation (“Benesse”) contracted with Synform Co Ltd (“Synform”) for the development and operation of a system to analyze the Personal Information of Benesse’s customers. In 2014, it became known that an employee of a subcontractor of Synform had leaked Personal Information of a large number of Benesse customers (such as name, gender, date of birth, address, telephone number and email address), and this incident attracted a lot of attention.
Regarding this case, several lawsuits (including a Japanese-style class action) were filed against Benesse and Synform by customers based on tort, claiming damages for mental suffering.
In one of these lawsuits, the Tokyo High Court held in a judgement on June 27, 2020 that “because the plaintiffs suffered from much discomfort and anxiety due to the leakage and the defendant failed to live up to the plaintiffs’ expectation that the defendant would process their Personal Information appropriately, the fact that the plaintiffs have suffered non-economic damage cannot be denied”, consequently ordering Benesse and Synform to pay ¥2,000 to each individual plaintiff.
In addition, the Osaka High Court held in a judgement on November 20, 2019 that the fact of leakage “would constitute the damage in itself”, ordering Benesse to pay ¥1,000 to each individual plaintiff.
Further, the Tokyo High Court held in a judgement on March 25, 2020 that “the fact that the personal information of the individuals was leaked without his/her knowledge caused him/her anxiety, discomfort, and disappointment in his/her private life, and he/she has suffered non-economic damage”, ordering payment of ¥3,000 to each individual plaintiff.
These cases demonstrate that it is important to comply with data protection regulations to mitigate litigation risks. Furthermore, Benesse has paid voluntary compensation to each victim (¥500 per person to approximately 35 million people). As a result of such voluntary compensation payments, Benesse recorded a ¥26 billion special loss in one fiscal year, including ¥6 billion to strengthen security controls and ¥20 billion to fund the voluntary compensation.
How are the laws governing privacy and data protection enforced?
See Q13.
What is the range of sanctions (including fines and penalties) for violation of these laws?
If a Business Operator has violated a provision of the APPI (e.g., used Personal Data beyond the Purposes of Use or disclosed Personal Data without taking the required steps under the APPI as described above), the PPC may issue a recommendation requiring the Business Operator to cease the violation of the APPI and take other necessary corrective actions, and may issue an order for further measures if the recommendation is ignored. Failure to comply with such a cease-and-desist order may be punished with imprisonment of up to one year or a fine of up to JPY 1,000,000. If a representative, agent or employee of a Business Operator has failed to comply with the above cease-and-desist order, in addition to such persons being punished as above, the Business Operator itself may also be punished with a fine of up to JPY 100 million.
If a director, representative, manager or employee of a Business Operator has provided or used personal information for a purpose of their own or a third party’s illegal profit, such person may be punished with imprisonment of up to one year or a fine of up to JPY 500,000, and the Business Operator may be punished with a fine of up to JPY 100 million.
If a Business Operator has failed to submit a report or material to the PPC under the APPI or has falsely submitted a report or material, or has failed to answer a question posed by the PPC staff concerned or has falsely answered a question, or refused, obstructed or evaded an inspection, this may be punished with a fine of up to JPY 500,000.
Are there any guidelines or rules published regarding the calculation of fines or thresholds for the imposition of sanctions?
See Q37.
Can personal data or PII owners/controllers appeal to the courts against orders of the regulators?
Recommendation
Generally, a Business Operator cannot appeal to the courts against a recommendation issued by the PPC. Failure to conform to the recommendation may trigger the issuance of an order, and a Business Operator may indirectly challenge the recommendation by appealing such order.
Order
In general, a Business Operator can appeal a PPC order before the courts within 6 months after the notification of the order pursuant to the Administrative Litigation Act.
Are there any proposals for reforming data protection or cybersecurity laws currently under review? Please provide an overview of any proposed changes and how far such proposals are through the legislative process.
The revised APPI went into effect in April 2022. At this time, no specific changes have yet been proposed for further amendments to the APPI and the Basic Cybersecurity Act.
Japan: Data Protection & Cyber Security
This country-specific Q&A provides an overview of Data Protection & Cyber Security laws and regulations applicable in Japan.