This country-specific Q&A provides an overview of Data Protection & Cyber Security laws and regulations applicable in Japan.
Please provide an overview of the legal and regulatory framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data do they regulate, and who enforces the relevant laws)?
The Act on the Protection of Personal Information (the “APPI”, Act No. 57 of 2003)
The APPI imposes obligations on business operators handling personal information (“Business Operators”). If a foreign company has a branch office or a business or liaison office in Japan, or if a foreign company conducts its business in Japan, and uses a Personal Information Database for its business in Japan, such foreign company will fall under the definition of a “Business Operator”.
Personal information (“Personal Information”) means:
Information by which a specific living individual is identified or identifiable (including information that can readily be collated with other information so as to make the identification of a specific individual possible) (Article 2, Paragraph 1, Item 1 of the APPI); and
Information containing an individual identification code (“Individual Identification Code”), meaning any character, letter, number, symbol or other code (i) into which a bodily feature of a specific individual has been converted for use by computers and which can identify that specific individual (for example, fingerprint or facial feature data), or (ii) which is assigned to services or goods provided to an individual, or is stated or electromagnetically recorded on a card or other document issued to an individual (such as a driver’s license number), so as to identify him/her as a specific user, purchaser or recipient of the issued document (Article 2, Paragraph 1, Item 2 and Paragraph 2 of the APPI).
If such Personal Information is systematically organized to allow for its retrieval, such collective body of information will fall within the definition of a personal information database (“Personal Information Database”). Personal Information comprised in a Personal Information Database is defined as “Personal Data.”
The APPI (i) sets forth a basic framework regulating the responsibilities and policies of the national and local governments with respect to the protection of Personal Information; (ii) establishes the PPC (defined below) and defines its role as the national data protection authority in Japan; and (iii) provides for a set of enforcement measures such as imprisonment and criminal fines.
The Personal Information Protection Commission (the “PPC”) formulates basic policies on the protection of Personal Information in accordance with the APPI and promotes the protection of Personal Information in the public and private sectors. These basic policies include several guidelines that are updated from time to time (See Q11).
The APPI is not sector-specific but certain guidelines such as those described below may apply to certain
Main obligations under the APPI
Phase 1: Acquisition/collection of personal information
Specification of the purpose of use of the Personal Information (“Purpose of Use”), and notification to the individual or public announcement of that Purpose of Use at, or promptly after, collection of the Personal Information
No obligation to obtain the individual’s consent to collection (except for sensitive Personal Information (“SPI”))
Phase 2: Utilization of Personal Information/Personal Data
Duty to take reasonable security measures, including preventing the leakage, loss of, or damage to, Personal Data that is handled
No obligation to obtain the individual’s consent when utilizing Personal Data within the scope of a previously disclosed Purpose of Use
Phase 3: Disclosure (to third parties) of Personal Data
In principle, individual consent is required for disclosure to a third party.
An entity disclosing Personal Data to a third party must maintain records of its disclosures, unless exemption requirements are met.
An entity receiving Personal Data from a third party must confirm that the disclosing party is the legitimate holder of the Personal Data and must maintain records of its receipt of the Personal Data, unless exemption requirements are met.
Guidelines (The “Guidelines”)
Guidelines on APPI principles issued by the PPC
Guidelines on the protection of Personal Information in the financial sector issued by the PPC and the Financial Services Agency
Guidelines on the protection of Personal Information in the medical sector issued by the PPC and the Ministry of Health, Labour and Welfare (the “MHLW”)
Guidelines on the protection of Personal Information in the HR (labour management) sector issued by the MHLW
Other guidelines issued by other ministries
In addition to the APPI and the Guidelines, a Business Operator must comply with supplementary rules issued by the PPC (“Supplemental Rules”) when it receives Personal Data from within the EU on the basis of the European Commission’s adequacy decision for Japan.
The Supplemental Rules were introduced to facilitate the smooth transfer of Personal Data between Japan and the EU member states pursuant to the European Commission’s decision recognising Japan as a jurisdiction providing an adequate level of protection for Personal Data. In the other direction, the PPC has designated the EU (see Q5) as a foreign jurisdiction whose system for the protection of Personal Data is equivalent to Japan’s.
All prefectures and municipal governments in Japan have established local regulations dealing with protection of Personal Information in pursuance of Articles 5 and 11 of the APPI.
The PPC is the sole national data protection authority in Japan.
Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
There are no specific registration or licensing requirements for Business Operators.
How do these laws define personal data or personally identifiable information (PII) versus special category or sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
Personal Information (PII): see the definition of Personal Information, Individual Identification Code, Personal Information Database and Personal Data in Q1.
Sensitive Personal Information (“SPI”)
SPI means the categories of information defined under the APPI as requiring special handling, including (but not limited to) information on an individual’s race, creed, social status, medical history, criminal record and status as a victim of a crime. See Q6 on the rules applicable to SPI.
What are the principles related to, the general processing of personal data or PII?
The laws of Japan and the Guidelines do not explicitly set out processing principles of the kind found in Article 5 of the GDPR (such as transparency). However, rules similar to those principles are often applied when the provisions of the APPI are interpreted (for example, if Personal Information held by a Business Operator is found to be no longer necessary in light of the Purpose of Use, the Business Operator must make efforts to delete it without delay). The stated purpose of the APPI is to protect the rights and interests of individuals while taking into consideration the usefulness of Personal Information, in view of the rapidly expanding use of Personal Information brought about by the development and spread of information and communication technology, and Japan’s aspiration to become a leading advanced information and telecommunications network society. The APPI pursues this purpose by clarifying the responsibilities of the State and local governments, laying down basic principles, establishing basic policies to be pursued by the government and providing a framework for other measures regarding the protection of Personal Information.
Are there any circumstances where consent is required or typically used in connection with the general processing of personal data or PII and, if so, are there are rules relating to the form, content and administration of such consent?
In principle, individual consent is required for disclosure to a third party. However, the consent requirement is exempted in following cases:
(i) entrustment of Personal Data (subcontracting); (ii) disclosure upon business succession (i.e. M&A); and (iii) joint use.
Regarding (iii), if a Business Operator informs an individual in advance or ensures that he or she can easily become aware of five specific statutory elements, such Business Operator can jointly utilize Personal Data with a third party (such as a subsidiary) without obtaining any prior consent to the disclosure.
If a Business Operator satisfies the opt-out process requirements, such Business Operator does not need to obtain individual consent upon each disclosure of Personal Data (except for SPI).
Unless exemption requirements are met, a Business Operator disclosing Personal Data to a third party in a foreign country must obtain the individual’s prior consent. However, consent is not required in the following cases:
Transfer to a country which is designated by a ruling of the PPC as a foreign country having established a Personal Information protection system recognized as being subject to standards equivalent to those applicable in Japan with respect to the protection of an individual’s rights and interests (currently, only the EU is designated as such (since January 2019)).
The disclosing Business Operator ensures that the recipient develops and implements appropriate and reasonable measures for the handling of Personal Data consistent with those required to be taken under the APPI. Such measures may include:
Contracts between the disclosing Business Operator and the recipient; or
Internal rules commonly applied to the disclosing Business Operator and the recipient.
The recipient receives a certification based on the APEC cross-border privacy rules framework (CBPR). The PPC explicitly recognises such APEC-CBPR certification as meeting the standards for “recognition based on a cross-border privacy rules framework.”
What special requirements, if any, are required for processing sensitive PII? Are there any categories of personal data or PII that are prohibited from collection?
In principle, individual consent is required both for the acquisition/collection of SPI and for its disclosure to a third party. The opt-out procedure described in Q5 is not available for SPI, so consent is required even where the Business Operator meets the opt-out process requirements. The APPI does not prohibit the collection of any category of Personal Information outright; it instead subjects SPI to the consent requirements above.
How do the laws in your jurisdiction address children’s personal data or PII?
If a minor does not have the ability to properly assess the consequences of giving his or her consent to a Personal Information processing, the consent of a person who has parental authority or the legal representative, etc. must be obtained (Guidelines (General Rules), 2-12).
If the data subject is a minor, the legal representative may request disclosure, a correction, or suspension of use, etc. (Article 32, Paragraph 3, and Article 11, Item 1 of the Cabinet Order).
Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
Anonymously Processed Information
Anonymously processed information (“Anonymously Processed Information”) means information relating to an individual that has been produced by processing Personal Information, using the measures prescribed by the APPI and the Guidelines, so that a specific individual can no longer be identified and the original Personal Information cannot be restored.
Business Operators which handle Anonymously Processed Information (“Anonymously Processed Information Business Operators”) are subject to certain obligations. Also, a Business Operator that produces Anonymously Processed Information (“Anonymously Processed Information Producer”) is subject to numerous obligations in addition to the general obligations imposed on Business Operators.
Production of Anonymously Processed Information
The detail of processing methods for the production of Anonymously Processed Information is provided in the Guidelines (For materials in English, see the “Report by the Personal Information Protection Commission Secretariat: Anonymously Processed Information” (https://www.ppc.go.jp/files/pdf/The_PPC_Secretariat_Report_on_Anonymously_Processed_Information.pdf)).
Obligations of Anonymously Processed Information Producer and Anonymously Processed Information Business Operators
A Business Operator is required to comply with Article 36 of the APPI when producing and handling Anonymously Processed Information (limited to those comprising an Anonymously Processed Information database). An Anonymously Processed Information Producer must take security control measures to prevent the leakage of related information on processing methods, etc., has a disclosure obligation when producing Anonymously Processed Information and providing it to a third party, and is prohibited from seeking any re-identification.
In addition, an Anonymously Processed Information Business Operator that receives Anonymously Processed Information processed and produced from Personal Information from another Business Operator and uses it for its business is required to comply with Articles 37 to 39 of the APPI. An Anonymously Processed Information Business Operator that receives Anonymously Processed Information is subject to a prohibition on re-identification, must strive to take security control measures for Anonymously Processed Information, and has a disclosure obligation when providing Anonymously Processed Information to a third party.
A figure in the Guidelines (page 29 of the “Report by the Personal Information Protection Commission Secretariat: Anonymously Processed Information”, not reproduced here) summarises the respective obligations arising under Articles 36 to 39 of the APPI.
A bill amending the APPI to introduce “pseudonymously processed information” (in short, information relating to an individual that has been processed, for example by replacing personally identifying items with artificial identifiers, so that the individual can be identified only by collation with other information) was approved by the Cabinet on March 10, 2020 and is expected to be enacted within 2020. The concept is being introduced in response to complaints from business circles that the requirements applicable to Anonymously Processed Information are excessively strict, with the result that it has not been widely used in Japan.
Does your jurisdiction impose requirements of 'data protection by design' or 'data protection by default' or similar? If so, please describe the requirement and how businesses typically meet the requirement.
In the supplementary resolution accompanying the 2015 amendments to the APPI, the House of Representatives expressed the government’s official position, which is to encourage privacy by design in the private sector.
In addition, the “Smartphone Privacy Initiative” paper published by the Ministry of Internal Affairs and Communications in 2012 provides that businesses involved in the provision of services related to smartphones must ensure their products and services are designed in advance so that users’ Personal Information and privacy will be respected and protected from the time new applications, services, application provision sites, software, and devices are developed. Privacy-by-design appears to be one of the aspirational goals behind these policies.
Although these principles are indicative and not legally binding, there are some instances in which operators of application distribution platforms develop and publish guidelines for the design of applications that call for privacy-protective technical measures to be taken at the earliest stages of design.
Are owners or processors of personal data or PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
Are Business Operators required to maintain any internal records of their data processing activities?
The Guidelines provide that a Business Operator disclosing Personal Data to a third party must maintain records of its disclosures and log statutory disclosure items, unless exemption requirements are met.
The Guidelines also provide that a Business Operator receiving Personal Data from a third party must ensure the disclosing party is the legitimate holder of the Personal Data and maintain records and log statutory disclosure items, unless exemption requirements are met.
Best efforts obligations
The Guidelines obligate a Business Operator to make efforts to maintain internal records (such as daily operations records or records of access to the internal information system) of its data processing activities in order to confirm if Personal Information is being handled in accordance to relevant internal rules.
Are Business Operators required to establish internal processes or written documentation?
The Guidelines require a Business Operator to establish internal rules for the processing of Personal Data in order to ensure the prevention of Personal Data breach incidents, and other security controls applicable to Personal Data. As such, some Business Operators are developing rules for the processing of Personal Data that define how to process data, provide for the appointment of a manager in charge and a staff member in charge and define their tasks for each of the relevant stages, such as collection, utilization, retention, provision, deletion and destruction of the data.
When are you required to, or when is it recommended that you, consult with data privacy regulators in your jurisdiction?
Data Privacy Regulator in Japan – PPC
The PPC, Japan’s national data protection authority, was set up as an authority independent from other governmental bodies. Pursuant to the terms of the APPI, the PPC chairperson and members exercise their judgement and authority independently. The main roles of the PPC are as follows:
Formulation and Promotion of Basic Policies
The PPC formulates basic policies on the protection of Personal Information in accordance with the APPI and promotes the protection of Personal Information in the public and private sectors. These basic policies include the Guidelines.
The PPC has the power to issue guidance and advice, request reports, conduct on-site inspections, make recommendations and issue orders to governmental institutions and Business Operators. The range of enforcement measures available is described in Articles 40 to 42 of the APPI (collection of reports and on-site inspection; guidance and advice; recommendations and orders).
The PPC promotes cooperation with data protection authorities in foreign countries, through formal and informal exchanges of views with foreign data protection authorities.
Accredited Personal Information Protection Organization
For the purpose of ensuring the proper handling of Personal Information, the PPC accredits private organizations (“Accredited Personal Information Protection Organizations”), which provide services such as receiving complaints on the handling of Personal Information, advising those making a complaint and investigating the circumstances surrounding a complaint based on the APPI.
In addition, the PPC supervises Accredited Personal Information Protection Organizations. Concretely, the PPC requires Accredited Personal Information Protection Organizations to report on the conduct of their services and may order them to improve their services or to take any other necessary action.
When are you required to consult with Data Privacy Regulator?
In case a Business Operator has failed to comply with certain requirements under the APPI, the PPC may require the Business Operator to cease its violation of the APPI and take other necessary measures to remediate the violation, and may order further measures if the recommendation is ignored.
Specifically, the PPC has the power to require a Business Operator to submit information or materials relating to such Business Operator’s handling of Personal Information or have its officials enter a business office or other relevant facilities of a Business Operator in order to enquire about the handling of Personal Information or inspect books, documents and other properties.
As to corrective measures, the PPC has the power to:
issue guidance or advice against a Business Operator with regard to its handling of Personal Information;
recommend that a Business Operator cease the violation act or take other necessary action to rectify the violation when recognizing there is a need to protect an individual’s rights and interests in cases where the Business Operator has violated certain provisions of the APPI; and
order a Business Operator to take action in line with the recommendation when recognizing that a serious infringement of an individual’s rights and interests is imminent in cases where the Business Operator has received a recommendation but failed to take action in line with the recommendation without legitimate grounds.
Under the Guidelines on Personal Information Protection in the Financial Industry, a Business Operator in the financial sector must immediately report any leakage of Personal Information to the Financial Services Agency.
When is it recommended that you consult with PPC?
Under PPC Notification No.1 (2017), a Business Operator must make efforts to report a Personal Data breach incident to the PPC, an Accredited Personal Information Protection Organization, or any other supervising authority or organization unless exemption requirements (e.g., the incident has merely been minor misdirected transmissions of email or fax or dispatch of a package to the wrong person or wrong place) are met.
Although reporting to the PPC, etc. upon the occurrence of a Personal Data breach incident is not mandatory, the reporting of an incident to the PPC, etc. by a Business Operator is a socially acceptable practice and expected unless the exemption requirements are met.
The draft bill amending the APPI to be enacted within 2020 makes the reporting of Personal Data breach incidents which are likely to violate a data subject’s rights and interests mandatory.
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
Japanese law does not lay down detailed rules dealing with risk assessments and the Guidelines (General Rules) 8-3(5) merely provide that Business Operators must make efforts to closely monitor their handling of Personal Data and to audit, review, and improve their security control measures. However, it is recommended that Business Operators voluntarily conduct risk assessments and establish appropriate systems according to the quantity, sensitivity, Purpose of Use, etc. of processed Personal Data.
Do the laws in your jurisdiction require appointment of a data protection officer (or other person to be in charge of privacy or data protection at the organization) and what are their legal responsibilities?
The APPI has no provision mandating the appointment of a data protection officer. However, a Business Operator is required to take necessary and appropriate action for the security and control of Personal Data including preventing the leakage, loss or damage of its handled Personal Data (Article 20 of the APPI). In connection with this provision, the Guidelines require a Business Operator to take security control measures which may include the following:
Organizational security control measures
For example, appointing a person responsible for handling Personal Data, establishing a system to respond to leakage, loss or damage, and conducting safety audits on systems that manage Personal Data.
Human security control measures
For example, employee training on the handling of Personal Data.
Physical security control measures
For example, access control to areas where important Personal Data is handled, and storage of documents containing Personal Data in a locked cabinet.
Technical security control measures
For example, installing a firewall on computers connected externally through networks, and putting restrictions on access to systems that handle Personal Data.
Do the laws in your jurisdiction require businesses to providing notice to individuals of their processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).
Article 18 of the APPI requires a Business Operator that has acquired Personal Information to promptly notify the data subject of the Purpose of Use, or to publicly announce it, unless the Purpose of Use has already been publicly announced in advance. In principle, companies can use their websites for this public announcement, and in practice they often list the Purpose of Use in their privacy policies.
In addition, when acquiring Personal Information from a data subject via documents such as an application form or a questionnaire, companies need to clearly explain to the data subject the purpose behind the collection of Personal Information.
Do the laws in your jurisdiction draw any distinction between the owners/controllers and the processors of personal data and, if so, what are they? (E.g. are obligations placed on processors by operation of law, or do they typically only apply through flow-down contractual requirements from the owners/controller?)
Japanese law does not draw any distinction between owners/controllers and processors, but draws a distinction between the entrusting party and the entrusted party, as would be relevant in the context of processing activities. The APPI imposes on an entrusted party the same obligations as those imposed on a Business Operator (entrusting party), and the entrusting party must exercise necessary and appropriate supervision over an entrusted party (Article 22 of the APPI).
Do the laws in your jurisdiction require minimum contract terms with processors of personal data or PII or are there any other restrictions relating to the appointment of processors (e.g. due diligence or privacy and security assessments)?
When a Business Operator “entrusts” Personal Information, it must exercise necessary and appropriate supervision over the entrusted party to ensure security control over the entrusted Personal Data. The Business Operator must ensure that the entrusted party has taken the same appropriate measures that the Business Operator is required to take.
The Guidelines provide that the “necessary and appropriate supervision” includes:
the appropriate selection of the entrusted party;
the conclusion of contracts to ensure that security control measures based on Article 20 of the APPI are duly implemented and complied with by the entrusted party; and
the regular monitoring of the conditions under which the entrusted party is handling the entrusted Personal Data.
Minimum contract terms with processors of Personal Data
The Guidelines provide that it is preferable for the contractual terms and conditions agreed with the entrusted party to include provisions allowing the Business Operator (entrusting party) to reasonably monitor and audit the entrusted party’s handling of the entrusted Personal Data.
Any other restrictions relating to the appointment of processors (e.g. due diligence or privacy and security assessments)
When selecting an entrusted party, a Business Operator must confirm in advance that the measures itemized in the Guidelines (General Rules) 8 are implemented.
A Business Operator should advisably conduct inspections over an entrusted party including regular audits, and then appropriately assess the conditions under which Personal Data is handled by such entrusted party.
Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies. How are these terms defined and what restrictions are imposed, if any?
Under the APPI, online identifiers (IP address, cookies, etc.) and location information alone do not constitute Personal Information in general (Article 2, Paragraph 1, Item 1), unless such information becomes identifiable Personal Information by itself or in conjunction with other information.
If Business Operators acquire/collect Personal Information in monitoring or profiling, they are required to specify the Purpose of Use of the Personal Information to the extent possible and disclose it in advance. They are also required not to use the Personal Information of any person beyond the scope necessary to achieve the specified Purpose of Use of Personal Information without obtaining the prior consent of that person.
Please describe any laws in your jurisdiction addressing email communication or direct marketing. How are these terms defined and what restrictions are imposed, if any?
The Act on Specified Commercial Transactions
Under this act, sellers or service providers can only advertise to consumers via email when recipients opt in to receive emails; when sellers or service providers send email advertisements with notice of matters regarding contracts (i.e., finalization of an agreement and shipment of goods); or when sellers or service providers send an email advertisement with an email newsletter that is sent with the recipient’s consent.
The Act Regulating the Transmission of Specified Electronic Mail
Under this act, senders can only advertise via email when recipients opt in to receive such email; when recipients notify their email address to the sender in writing (for instance, by providing a business card); when recipients have a business relationship with the sender; or when recipients make their email address available on the internet for business purposes.
Please describe any laws in your jurisdiction addressing biometrics, such as facial recognition. How are these terms defined and what restrictions are imposed, if any?
Biometric data, such as the facial feature data used in facial recognition, is regulated under the APPI as an Individual Identification Code (See Q3).
Is the transfer of personal data or PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does cross-border transfer of personal data or PII require notification to or authorization from a regulator?)
See Q5 for the consent requirement applicable to disclosures of Personal Data to a third party in a foreign country and the exceptions to it (designated countries, contractual or intra-group safeguards and APEC CBPR certification). No notification to, or authorization from, the PPC is required for a cross-border transfer.
What security obligations are imposed on personal data or PII owners/controllers and on processors, if any, in your jurisdiction?
Pursuant to the Guidelines, a Business Operator must implement the following measures as technical security control measures when Personal Data is processed through an information system (including devices such as personal computers), including if Personal Data is transmitted to external users through the Internet or other networks. A Business Operator must:
implement appropriate access controls to restrict the number of authorized users and the scope of the Personal Information Database, etc. to be processed by each user (e.g., limiting the scope of an information system that can process a Personal Information Database.).
use identification methods (e.g., User ID, password, magnetic and IC cards) to authenticate users of an information system that processes Personal Data as duly authorized.
introduce a mechanism designed to protect information systems processing Personal Data from unauthorized external access, including through unauthorized software, and manage such mechanism in an appropriate manner (e.g., setting up firewalls at access points between an information system and external networks to block any unauthorized access.).
take preventive measures against the occurrence of Personal Data breach incidents in connection with the use of an information system, and manage such measures in an appropriate manner (e.g., ensuring security in designing information systems and review security functions on a regular basis).
Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
Article 20 of the APPI requires a Business Operator to take necessary and appropriate action for the security control of Personal Data, including the prevention of leakage, loss, damage or corruption of Personal Data and similar incidents, which are what is usually meant by a “security breach”. However, the APPI itself does not define the term “security breach”, nor does it attach specific legal consequences to that term.
PPC Notification No.1 (2017)
On the other hand, PPC Notification No.1 (2017) defines a "Leakage Incident" as the event to which the notification applies. A Leakage Incident includes (i) leakage, loss or damage of Personal Data, or the risk thereof, and (ii) leakage of information relating to the anonymous processing method, or the risk thereof (see Q8 regarding Anonymously Processed Information).
In case a Personal Data breach is a Leakage Incident, a Business Operator must comply with certain rules described in Q11 and Q24.
Does your jurisdiction impose specific security requirements on certain sectors or industries (e.g. telecoms, infrastructure)?
In certain sectors, the government has established sector-specific guidelines that embody the content of security control measures listed in the general guidelines or impose tighter requirements in addition to ones already contained in the general guidelines.
In addition to Personal Data, which is covered by the general guidelines, the guidelines on the protection of Personal Information in the telecommunications sector also cover Personal Information that falls under the confidentiality of communications, and require Business Operators in that sector to implement security control measures when handling such information.
In the guidelines on the protection of Personal Information in the financial sector, the security control measures listed in the general guidelines are generally described in more detail and strengthened.
Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?
Report to regulators
Notification to other persons or entities
PPC Notification No.1 (2017) provides that it is preferable for a Business Operator to notify the data subjects who may be affected by a Personal Data breach incident, in order to prevent further damage, and to publicly announce the occurrence of the incident and the measures taken to prevent its recurrence, in order to prevent further damage and incidents of the same kind.
Once the draft bill amending the APPI is approved (expected within 2020), such notification to data subjects will become mandatory for Personal Data breach incidents that are likely to infringe the rights and interests of data subjects.
Does your jurisdiction have any specific legal requirement or guidance regarding dealing with cyber-crime, such as the payment of ransoms in ransomware attacks?
Japan has a dedicated cybersecurity law called the Basic Cybersecurity Act. The primary task of the Basic Cybersecurity Act is to ensure cybersecurity while also ensuring the free distribution of information. The Basic Cybersecurity Act establishes basic principles including a national responsibility to move cybersecurity-related policies forward in a comprehensive and effective manner.
Japan has other substantive laws that cover cybercrime, such as the Unauthorized Computer Access Prohibition Act, the Unfair Competition Prevention Act and the Copyright Act.
Does your jurisdiction have a separate cybersecurity regulator? If so, please provide details.
There is no separate cybersecurity regulator.
Do the laws in your jurisdiction provide individual data privacy rights, such as the right to access and the right to deletion? If so, please provide a general description of the rights, how they are exercised, what exceptions exist and any other relevant details.
Retained Personal Data
A Business Operator may be required to respond to a data subject's request regarding Retained Personal Data (defined below).
Retained Personal Data is defined as Personal Data held by a Business Operator for more than six months; Personal Data that is deleted within six months does not fall under Retained Personal Data (Article 2, Paragraph 5 of the APPI).
Right to request disclosure
A data subject may request a Business Operator which holds Retained Personal Data to disclose such Retained Personal Data (Article 28, Paragraph 1 of the APPI). In principle, a Business Operator must disclose the Retained Personal Data without delay in writing following such a request (Article 28, Paragraph 2 of the APPI).
However, the Business Operator is exempt from disclosing the Retained Personal Data requested pursuant to Article 28, Paragraph 1 of the APPI, in whole or in part, if:
There is a possibility of harming a data subject or a third party’s life, body, assets or other rights and interests;
There is a possibility of seriously interfering with the Business Operator’s right to run its business properly; or
The disclosure violates other laws and regulations.
Right to request a correction, addition or deletion
A data subject may request a Business Operator to correct, add to or delete (a "Correction") the content of Retained Personal Data when that content is inaccurate (Article 29, Paragraph 1 of the APPI). Following such a request, the Business Operator must conduct the necessary investigation without delay, to the extent necessary to achieve the Purpose of Use, and make the Correction to the content of the Retained Personal Data based on the results (Article 29, Paragraph 2 of the APPI).
However, the Business Operator is exempt from making the Correction where a special procedure concerning the Correction of the content is prescribed by other laws or regulations (Article 29, Paragraph 2 of the APPI).
Right to request suspension of use or deletion
A data subject may request the suspension of use or deletion (“Suspension of Use”) of the Retained Personal Data if such data is handled in violation of Article 16 (Restriction due to a Purpose of Use) of the APPI or if it has been acquired in violation of Article 17 (Proper Acquisition) of the APPI (Article 30, Paragraph 1 of the APPI). A Business Operator must give effect to the Suspension of Use of the Retained Personal Data to the extent necessary to remedy the violation without delay, following receipt of a request made pursuant to Article 30, Paragraph 1 of the APPI and when it has become clear that there is a valid reason for the request (Article 30, Paragraph 2 of the APPI).
However, the Business Operator is exempt from the Suspension of Use where the Suspension of Use of the Retained Personal Data would require significant cost or is otherwise difficult to implement, provided that the Business Operator takes the necessary alternative action to protect the rights and interests of the data subject (Article 30, Paragraph 2 of the APPI).
Are individual data privacy rights exercisable through the judicial system or enforced by a regulator or both?
The rights of data subject regarding Retained Personal Data (See Q27) may be exercised through the judicial system pursuant to the Code of Civil Procedure of Japan and could also be enforced by the PPC (Article 42 of the APPI).
Does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances?
Are individuals entitled to monetary damages or compensation if they are affected by breaches of data privacy laws? Is actual damage required or is injury of feelings sufficient?
Are individuals entitled to monetary damages or compensation if they are affected by breaches of data privacy laws?
Where a Business Operator has leaked customers' Personal Information and the leakage constitutes a tort under the Civil Code of Japan, the customers may claim damages from the Business Operator.
In such cases the number of individuals affected by the leakage can be large. The Code of Civil Procedure of Japan provides a collective action system, but it differs from the US-style class action in that claimants must, in general, opt in to join the litigation (the "Japanese-style class action").
Is actual damage required or is injury of feelings sufficient?
According to lower court precedents, injury of feelings would suffice.
Benesse Corporation (“Benesse”) contracted with Synform Co Ltd (“Synform”) for the development and operation of a system to analyze the Personal Information of Benesse’s customers. In 2014, it became known that an employee of a subcontractor of Synform had leaked Personal Information of a large number of Benesse customers (such as name, gender, date of birth, address, telephone number and email address), and this incident attracted a lot of attention.
Regarding this case, several lawsuits (including a Japanese-style class action) were filed against Benesse and Synform by customers, based on tort and claiming damages for mental suffering.
In one of these lawsuits, the Tokyo High Court entered a judgement on June 27, 2019 and held that “Because the plaintiffs suffered from much discomfort and anxiety due to the leakage in question and the defendant failed to live up to the plaintiffs’ expectation that the defendant would process their Personal Information appropriately, the fact that the plaintiffs have suffered non-economic damage cannot be denied”, consequently ordering Benesse and Synform to pay ¥2,000 to each individual plaintiff.
In addition, the Osaka High Court entered a judgement on November 20, 2019 and held that "the fact that the plaintiffs cannot control the scope of persons who process the plaintiffs' Personal Information would constitute damage in itself", ordering Benesse to pay ¥1,000 to each individual plaintiff.
The case demonstrates that compliance with data protection regulations is important to mitigate litigation risk. Furthermore, Benesse paid voluntary compensation to each victim (¥500 per person to approximately 35 million people). As a result, Benesse recorded a ¥26 billion special loss in the corresponding fiscal year, comprising ¥6 billion to strengthen security controls and ¥20 billion to fund the voluntary compensation.
How are the laws governing privacy and data protection enforced?
What is the range of fines and penalties for violation of these laws?
If a Business Operator has used Personal Data beyond the scope of the Purpose of Use or disclosed Personal Data without taking the steps required under the APPI as described above, the PPC may recommend that the Business Operator cease the violation and take other measures necessary to cure it, and may then order the Business Operator to take those measures if the recommendation is ignored. Failure to comply with such a cease and desist order is punishable by imprisonment for up to six months or a fine of up to ¥1 million. After the 2020 amendments to the APPI, the fine for a corporate body will be up to ¥100 million.
Can personal data or PII owners/controller appeal to the courts against orders of the regulators?
Generally, a Business Operator cannot appeal to the courts against a recommendation issued by the PPC. Failure to comply with the recommendation triggers the issuance of an order, and a Business Operator may indirectly challenge the recommendation by appealing that order.
In general, a Business Operator can appeal a PPC order before the courts within six months after notification of the order, pursuant to the Administrative Case Litigation Act of Japan.