DLA Piper Intelligence

Data Protection Laws of the World

Law

Japan

The Act on the Protection of Personal Information ("APPI") requires business operators that use, for their business in Japan, a personal information database containing more than 5,000 individuals in total identified by personal information on any day in the past six months to protect that personal information. Amendments to the APPI, which were passed in 2015 and go into effect no later than September 2017[1] (the "Amendments"), apply the APPI to all businesses in Japan, regardless of whether the business operator maintains a database of more than 5,000 individuals.

Further, the Amendments clarify the definition of personal information, add two new classes of information, and introduce new requirements for the "opt out" option under which business operators may disclose personal information to third parties. Finally, as of January 1, 2016, the Amendments created a Privacy Protection Commission (the "Commission"), a central agency which will act as a supervisory governmental organization on issues of privacy protection.

[1] It was announced on 20 December 2016 that the Amendments will take effect in May 2017.

Last modified 26 Jan 2017
Definitions

Definition of personal data

Personal information is information about a living individual which can identify the specific individual by name, date of birth or other description contained in such information. Personal information also includes information that enables one to identify a specific individual by easy reference to other information.

The Amendments clarify that personal information includes any "personal identifier code", which refers to any biometric data that identifies a specific individual, or any code uniquely assigned to an individual with respect to the receipt of goods or services, or instruments with which to purchase such goods or services.

Definition of sensitive personal data

The Amendments will add a new concept to the APPI: sensitive information. Sensitive information includes information about a person's race, creed, social status, medical history, criminal record, any crimes of which a person has been a victim, and any other information that might cause the person to be discriminated against. Obtaining sensitive information generally requires consent from the data subject. Additionally, the "opt out" option (discussed below) is not available for sensitive information; prior consent is required from the party whose sensitive information would be given to a third party.

Definition of anonymized information

In addition to sensitive information, the Amendments will add to the APPI the concept of anonymized information. "Anonymized information" refers to any information about individuals from which all personal information (i.e., the information that can identify a specific individual, including any sensitive information) has been removed in such a way that the removed personal information cannot be restored. As noted above, personal information includes personal identifier codes, so these must also be removed before information is considered anonymized. Business operators must ensure that the personal information cannot be restored.

If a business operator has sufficiently anonymized the information, it can be disclosed to third parties without requiring the consent of the individuals whose personal information has been removed from the documents. However, care must be taken in anonymizing the information before disclosure; a failure to completely sanitize the information could result in the disclosure of personal information. Additionally, before disclosing the anonymized information to a third party, a business operator must publicly state (likely in its privacy policy) the nature of the information included in the anonymized information and the means by which it is sharing the anonymized information. Finally, the Commission published rules for disclosure, including the standards of anonymization, on 5 October 2016, and they will be enacted together with the Amendments.

Authority

The Amendments created the Privacy Protection Commission (the "Commission"), which will act as a supervisory governmental organization on issues of privacy protection. The Commission, as noted elsewhere, has also been tasked with providing many of the details necessary to bring the Amendments into effect.

Currently, privacy protection is managed by each of the ministries that supervise the various industries of the private sector. Each of these ministries has adopted its own guidelines for privacy protection, which has led to overlapping and conflicting rules. The Commission is expected to bring these guidelines into alignment. The new guidelines for general rules, offshore transfer, confirmation and record requirements upon provision of personal data to third parties and anonymized information were published on 30 November 2016 and will be enacted with the Amendments.

The Commission will be neutral and independent, and it will have the power to enforce the APPI. It is expected to adopt a more transparent and consistent approach to enforcement than what is currently in place with the various ministries. However, it will only have the right to perform audits and issue cease and desist orders; it will not have the power to impose administrative fines.

Registration

Japan does not have a central registration system.

Data Protection Officers

There is no specific legal requirement to appoint a data protection officer. However, some guidelines provide that specific employees should be assigned to control personal data (eg Chief Privacy Officer).

Collection & Processing

Specifying the Purpose of Use

When handling personal information, a business operator must specify to the fullest extent possible the purpose of use of the personal information ('Purpose of Use'). Once a business operator has specified the Purpose of Use, it must not then make any changes to that purpose which could reasonably be considered to be beyond the scope of what is duly related to the original Purpose of Use. In addition, when handling personal information, a business operator shall not handle the information beyond the scope that is necessary for the achievement of the Purpose of Use without the prior consent of the individual. In other words, the use of the information must be consistent with the stated Purpose of Use.

Public Announcement of the Purpose of Use

The Purpose of Use must be made known to the individual when personal information is collected or promptly thereafter and this can be made by a public announcement (such as posting the purpose on the business operator’s website). When personal information is obtained by way of a written contract or other document (including a record made in an electronic or magnetic format, or any other method not recognisable to human senses), the business operator must expressly state the Purpose of Use prior to the collection.

A business operator must 'publicly announce' or 'expressly show' the Purpose of Use in a reasonable and appropriate way. According to the 'Guidelines for the APPI Concerning Fields of Economy and Industry' issued by the Ministry of Economy, Trade and Industry ('METI Guidelines'), the most appropriate method for a website to publicly announce the Purpose of Use of the information collected is one-click access from the homepage. The new guidelines published by the Commission follow this.

Transfer

Disclosing/Sharing Personal Data

Currently, personal data may not be disclosed to a third party without the prior consent of the individual, unless permitted by the exceptions under the APPI. Even disclosing the data within group companies is considered disclosing the data to a third party, and consent must be obtained unless the disclosure meets the requirements of joint use. The APPI has also permitted the "opt out" method, whereby a business operator can by default disclose personal information to third parties unless individuals opt out of allowing the business operator to do so; however, the Amendments newly require a business operator to notify the Commission of certain items concerning the opt out. The Commission will accept "opt-out" notifications from 1 March 2017.

The APPI does not provide any examples of how best to obtain consent from individuals before sharing information. Generally, written consent should be obtained whenever possible. When obtaining consent it would be prudent to clearly disclose to the individual the identity of the third party to whom the personal data will be disclosed, the contents of the personal data and how the third party will use the provided personal data.

If personal data is to be used jointly, the business operator collecting the information could, prior to the joint use, notify the individuals providing the personal information of the following:

  • the fact that the personal data will be used jointly

  • the items of the personal data to be disclosed

  • the scope of the joint users

  • the purpose for which the personal data will be used by them, and

  • the name of the individual or business operator responsible for the management of the personal data.

The current METI Guidelines and new guidelines published by the Commission provide the following examples as appropriate methods of obtaining the consent for disclosing personal data from the individual:

  • receipt of confirmation of the oral or written consent (including a record created by electronic or magnetic methods or any other method not recognizable to human senses) from such person

  • receipt of a consent email from such person

  • the person's check of the confirmation box concerning the consents

  • the person's click of a button on the website concerning the consents, and

  • the person's audio input, or touch of a touch panel concerning the consents

With the Amendments, a business operator will be able to disclose personal data to a third party without the individual's consent, so long as the following are publicly disclosed:

  • the purpose of use includes the provision of such information to third parties and the method of such provision;

  • the nature of the personal data being provided to third parties;

  • the method by which personal data is provided to third parties;

  • the fact that provision of such information to third parties will be stopped upon the request of the data subject; and

  • the method for an individual to submit an opt out request to the company.

If the individual does ask to opt out, the business operator must comply with this request. In addition to the public disclosure requirements, a business operator must provide advance notification to the Commission that it is using the opt out method. Additionally, if the business operator changes the nature of the personal data being provided to a third party or the means by which it is providing the personal data, it must notify the Commission of the changes. The Commission will publicly disclose the notification.

Cross-border Transfer

Under the amended APPI, in addition to the general requirements for disclosure or joint use, prior consent of individuals specifying the receiving country is required for transfers to third parties in foreign countries, except if the transfer is to (i) a receiver having a data protection system which is equivalent to the system required under the APPI, or (ii) a receiver located in a country that is designated by the Commission as providing an adequate level of protection. The details of the requirements for (i) have been specified by the relevant ordinance of the Amendments, but (ii) has not yet been specified by the Commission.

Security

The APPI requires that business operators prevent the leakage of personal data. The APPI does not set forth specific steps that must be taken. Ministry guidelines impose specific steps that business operators should take to ensure that personal data is secure. These necessary and appropriate measures generally include 'Systematic Security Control Measures', 'Human Security Control Measures', 'Physical Security Measures' and 'Technical Security Control Measures'. The guidelines on this point are under preparation.

Guidelines often contain several specific steps or examples that entities subject to the Guidelines must take with respect to each of the security control measures, such as developing internal guidelines pertaining to security measures, executing non-disclosure contracts with employees who have access to personal data, protecting machines and devices, and developing a framework to respond to instances of leakage.

Breach Notification

The APPI does not explicitly require notification to a ministry or governmental authority in the event of a leak or security breach that may lead to a leak of personal data, although a ministry may request that a report be submitted on a voluntary basis. The guidelines on this point are under preparation.

However, the JFSA Guidelines provide that a business operator regulated by the JFSA must immediately produce a report when a leakage of personal information occurs. In addition, the business operator must promptly publicise the facts related to the leakage and the steps taken to prevent the recurrence of similar events. Finally, the JFSA Guidelines require that the business operator notify the individuals whose information has been leaked of the leakage.

The current METI Guidelines provide suggested measures that business operators, subject to the Guidelines, should take if there is a leak or breach of security with respect to personal data.

The current METI Guidelines' measures include the following:

  • a business operator should notify the individuals whose personal data may have been compromised, although there may be circumstances where notifying individuals may not be necessary depending on the specific facts; relevant factors to consider are the harm (including potential harm) to the individuals concerned

  • a business operator should voluntarily file a report of the incident with METI; and

  • a business operator should make public the nature of the incident and the steps taken to ensure that it does not happen again.

Enforcement

Enforcement of the APPI is currently handled by the minister with jurisdiction over the business of the business operator, and by the Minister of Health, Labor and Welfare with respect to employment.

The minister may:

  • require a business operator to submit reports regarding the handling of personal information

  • provide necessary advice to the business operator with respect to the entity's handling of personal information

  • recommend that a business operator cease or correct violations of the specific provisions of the APPI, and

  • order a business operator to take the recommended or necessary measures.

If the business operator does not provide a report as required by a minister or has made a false report, the business operator is subject to a fine of up to JPY300,000. If the business operator fails to follow a corrective order by a minister, the business operator is subject to a fine of up to JPY300,000 or imprisonment with work of up to six months. In addition, the entity is also subject to the fine if an officer or an employee of the entity commits any of the above violations in connection with the business of the entity.

The Commission will take over the power to enforce the APPI after the Amendments come into force. Although it will have the right to perform audits and inspections of business operators and to issue cease and desist orders, it will not have the power to impose administrative fines.

Finally, the Amendments will add a criminal penalty provision to the APPI. An unauthorized disclosure of personal information, for the benefit of the disclosing party or any third party, will be subject to a penalty of imprisonment for up to one year or a fine of up to JPY500,000. If the party making the disclosure is a legal entity, the parties subject to this penalty will be the relevant officers, representatives, or managers responsible for the disclosure.

Electronic Marketing

The Act on Specified Commercial Transactions ('ASCT') and the Act on the Regulation of Transmission of Specified Electronic Mail (‘Anti-Spam Act’) regulate the sending of unsolicited electronic commercial communications.

Under the ASCT, which focuses on internet-order services and mail-order services, a seller is prohibited from sending email advertisements to consumers unless they provide a prior request or consent (ie an opt-in requirement). The seller is also required to retain the records that show consumers’ requests or consents to receive email advertisements for 3 years after the last transmission date of an email advertisement to the consumer.

If a seller has breached any of these obligations, the seller will potentially be subject to a fine of up to JPY 1,000,000.

Under the Anti-Spam Act, which broadly covers commercial emails (eg an invitation email from a social network service), there are several regulations on sending email advertisements as follows:

  • the sender must retain records evidencing that there was a request or consent to receive emails for at least 1 month after the last date the seller sent an email to the recipient

  • for-profit entities or individuals engaged in business who send any email to advertise their own or another's business must obtain a request or consent to receive emails from the intended recipients, unless the recipient falls under certain exceptions (eg there is a continuous transaction relationship between the sender and the recipient) in the Anti-Spam Act

  • an email is required to include the sender's email address or a URL so that recipients can send opt-out notices to the sender, and

  • senders must not send emails to randomly generated email addresses (in the hope of hitting an actual email address) for the purpose of sending emails to a large number of recipients.

The relevant ministry may order a sender to improve the manner of email distribution if the sender violates the requirements noted above. If the sender violates an order issued by the ministry (other than one related to the retention obligation), the sender is subject to imprisonment for up to 1 year or a fine of up to JPY 1,000,000. The entity will be subject to a fine of up to JPY 30,000,000 if an officer or an employee of the entity commits any violation mentioned above. If the sender violates an order issued by the minister with respect to the retention obligation, the sender will potentially be subject to a fine of up to JPY 1,000,000.

Online Privacy

There is no law in Japan that specifically addresses cookies and location data. However, if the information obtained through cookies may identify a certain individual in conjunction with other easily-referenced information (eg member registration) and it is utilised (eg for marketing purposes), such Purpose of Use of information obtained through the use of cookies must be disclosed under the APPI. METI takes the same position in its guidelines.

Contacts

Lawrence G. Carter
Partner
T +81 3 4550 2800

Keitaro Uzawa
Associate
T +81 3 4550 2800

Brian Caster
Associate
T +81 3 4550 2800