ARTICLE
10 April 2013

Data Protection Laws of the World Handbook: Second Edition - Japan

APPI Guidelines are not laws, but are very persuasive in Japan and are generally followed by certain business operators.

LAW

The Act on the Protection of Personal Information ("APPI") imposes obligations on business operators that use, for their business in Japan, a personal information database covering more than 5,000 individuals in total on any day in the preceding six months. In addition, various ministries, including the Ministry of Health, Labor and Welfare, the Japan Financial Services Agency and the Ministry of Economy, Trade and Industry, have issued guidelines on the APPI. These Guidelines are not laws, but they are very persuasive in Japan and are generally followed by the business operators to which they apply.

DEFINITION OF PERSONAL DATA

Personal information is information about a living individual from which the specific individual can be identified by name, date of birth or other description contained in that information. Personal information also includes information that can be readily combined with other information to identify a specific individual.

Personal data is personal information that forms part of a Personal Information Database, i.e. a collection of personal information arranged systematically so that specific personal information can easily be retrieved by computer or similar means.

DEFINITION OF SENSITIVE PERSONAL DATA

The APPI itself does not define sensitive information. However, the Japan Financial Services Agency's "Guidelines for Personal Information Protection in the Financial Field" ("JFSA Guidelines") define information relating to political opinion, religious belief (religion, thought, creed), labor union membership, race, ethnicity, family origin, legal domicile (honsekichi), medical care, sexual life and criminal record as sensitive information. The JFSA Guidelines prohibit collecting, using or providing to a third party such sensitive information unless an exception provided for in the JFSA Guidelines applies.

NATIONAL DATA PROTECTION AUTHORITY

There is no single central data protection authority in Japan. The Consumer Affairs Agency is responsible for the APPI in general.

For employment-related personal information, the competent ministers are the Minister of Health, Labor and Welfare together with the minister with jurisdiction over the business operator's line of business. For all other personal information, the competent minister is the minister with jurisdiction over the business operator's line of business.

REGISTRATION

Japan does not have a central registration system.

DATA PROTECTION OFFICERS

There is no specific legal requirement to appoint a data protection officer. However, some guidelines provide that specific employees should be assigned responsibility for controlling personal data (e.g. a Chief Privacy Officer).

COLLECTION AND PROCESSING

  • Specifying the Purpose of Use

    When handling personal information, a business operator must specify, as precisely as possible, the purpose for which the personal information will be used ("Purpose of Use"). Once a business operator has specified the Purpose of Use, it must not change that purpose in a way that could reasonably be considered to go beyond the scope duly related to the original Purpose of Use. In addition, a business operator must not handle personal information beyond the scope necessary to achieve the Purpose of Use without the prior consent of the individual. In other words, the use of the information must be consistent with the stated Purpose of Use.

  • Public Announcement of the Purpose of Use

    The Purpose of Use must be made known to the individual when personal information is collected, or promptly thereafter, and this can be done by public announcement (such as posting the purpose on the business operator's website). When personal information is obtained by way of a written contract or other document (including a record made in an electronic or magnetic format, or by any other method not recognisable to human senses), the business operator must expressly state the Purpose of Use before collection.

    A business operator must "publicly announce" or "expressly show" the Purpose of Use in a reasonable and appropriate way. According to the "Guidelines for the APPI Concerning Fields of Economy and Industry" issued by the Ministry of Economy, Trade and Industry ("METI Guidelines"), the most appropriate way for a website to publicly announce the Purpose of Use of the information it collects is a notice reachable with one click from the home page.

TRANSFER

  • Disclosing/Sharing Personal Data

Personal data may not be disclosed to a third party without the prior consent of the individual, unless one of the exceptions under the APPI applies. Even disclosure within a corporate group is treated as disclosure to a third party, and consent must be obtained.

The APPI does not give examples of how best to obtain consent from individuals before sharing information. Generally, written consent should be obtained whenever possible. When obtaining consent, it is prudent to disclose clearly to the individual the identity of the third party to whom the personal data will be disclosed, the contents of the personal data and how the third party will use it.

If personal data is to be used jointly with specified persons, the business operator collecting the information must, before the joint use begins, notify the individuals providing the personal information of the following (or make it readily accessible to them): the fact that the personal data will be used jointly, the items of personal data to be used jointly, the scope of the joint users, the purpose for which they will use the personal data, and the name of the individual or business operator responsible for managing the personal data.

  • Consents

    The METI Guidelines give the following examples of appropriate methods of obtaining an individual's consent to disclosure of personal data:

    • receipt of confirmation of the oral or written consent (including a record created by electronic or magnetic means or any other method not recognizable to human senses) from such person;
    • receipt of a consent email from such person;
    • the person's check of the confirmation box concerning the consents;
    • the person's click of a button on the website concerning the consents; and
    • the person's audio input, or touch of a touch panel concerning the consents.
  • Supervision of Trustees

When a business operator entrusts an individual or another business operator with handling personal data, in whole or in part, it must exercise all necessary and appropriate supervision over the trustee to ensure that the entrusted personal data is securely controlled.

Providing a trustee with personal data under these circumstances is not considered to be disclosing personal data to a third party under the APPI.

Even where this exception applies, a business operator that entrusts a third party with the handling of personal data remains under a statutory obligation to supervise the trustee.

SECURITY

The APPI requires business operators to prevent the leakage of personal data, but it does not set out the specific steps that must be taken. The ministry guidelines do set out specific steps that business operators should take to keep personal data secure. These necessary and appropriate measures are generally grouped into "Systematic Security Control Measures", "Human Security Control Measures", "Physical Security Measures" and "Technical Security Control Measures".

The Guidelines often list several specific steps or examples that entities subject to them must take for each category of security control measure, such as developing internal rules on security measures, executing non-disclosure agreements with employees who have access to personal data, protecting machines and devices, and establishing a framework for responding to leakage incidents.

BREACH NOTIFICATION

The APPI does not explicitly require notification to a ministry or other governmental authority in the event of a leak, or of a security breach that may lead to a leak, of personal data, although a ministry may request that a report be submitted.

However, the JFSA Guidelines provide that a business operator regulated by the JFSA must immediately report any leakage of personal information. In addition, the business operator must promptly publicise the facts of the leakage and the steps taken to prevent a recurrence of similar events. Finally, the JFSA Guidelines require the business operator to notify the individuals whose information has been leaked.

The METI Guidelines suggest measures that business operators subject to them should take if there is a leak of, or a security breach affecting, personal data.

The METI Guidelines' measures include the following: (i) a business operator should notify the individuals whose personal data may have been compromised, although depending on the specific facts there may be circumstances in which notifying individuals is not necessary; the relevant factors include the harm (including potential harm) to the individuals concerned; (ii) a business operator should voluntarily file a report of the incident with METI, which may make such reports public; and (iii) a business operator should make public the nature of the incident and the steps taken to ensure that it does not happen again.

ENFORCEMENT

Enforcement of the APPI is handled by the minister with jurisdiction over the business operator's line of business and, with respect to employment-related personal information, by the Minister of Health, Labor and Welfare.

The minister may:

  • require a business operator to submit reports regarding its handling of personal information;
  • provide necessary advice to a business operator with respect to its handling of personal information;
  • recommend that a business operator cease or correct violations of specific provisions of the APPI; and
  • order a business operator to take the recommended or necessary measures.

If a business operator fails to provide a report required by a minister, or makes a false report, it is subject to a fine of up to JPY 300,000. If a business operator fails to follow a corrective order issued by a minister, it is subject to a fine of up to JPY 300,000 or imprisonment with work for up to six months. In addition, where an officer or employee of an entity commits any of the above violations in connection with the entity's business, the entity itself is also subject to the fine.

ELECTRONIC MARKETING

The Act on Specified Commercial Transactions ("ASCT") and the Act on the Regulation of Transmission of Specified Electronic Mail ("Anti-Spam Act") regulate the sending of unsolicited electronic commercial communications.

Under the ASCT, which focuses on internet-order and mail-order services, a seller is prohibited from sending email advertisements to consumers unless the consumer has requested or consented to receive them in advance (i.e. an opt-in requirement). The seller is also required to retain records showing consumers' requests or consents to receive email advertisements for three years after the date of the last email advertisement sent to the consumer.

A seller that breaches any of these obligations is potentially subject to a fine of up to JPY 1,000,000.

Under the Anti-Spam Act, which broadly covers commercial emails (e.g. an invitation email from a social network service), the sending of email advertisements is regulated as follows:

  • The sender must retain records evidencing that the recipient requested or consented to receive emails for at least one month after the last date on which the sender sent an email to the recipient.
  • For-profit entities, and individuals engaged in business, that send any email advertising their own or another's business must obtain a request or consent to receive emails from the intended recipients, unless the recipient falls within one of the exceptions in the Anti-Spam Act (e.g. there is a continuing transactional relationship between the sender and the recipient).
  • An email is required to include a sender's email address or a URL so that recipients can send opt-out notices to the sender.
  • Senders must not send emails to randomly generated email addresses (in the hope of hitting real addresses) for the purpose of reaching a large number of recipients.

The relevant ministry may order a sender that violates the requirements noted above to improve the manner in which it distributes email. A sender that violates a ministerial order (other than one relating to the record retention obligation) is subject to imprisonment for up to one year or a fine of up to JPY 1,000,000. Where an officer or employee of an entity commits any of the violations mentioned above, the entity itself is subject to a fine of up to JPY 30,000,000. A sender that violates a ministerial order relating to the record retention obligation is potentially subject to a fine of up to JPY 1,000,000.

ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)

There is no law in Japan that specifically addresses cookies or location data. However, if information obtained through cookies can identify a particular individual when combined with other readily available information (e.g. member registration data) and that information is used (e.g. for marketing purposes), the Purpose of Use of the information obtained through cookies must be disclosed under the APPI. METI takes the same position in its guidelines.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.


DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com
