Data Protected - Japan
Last updated February 2024
General | Data Protection Laws
National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement
ePrivacy | Marketing and cookies
National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone
_____________________________________________________________________
General | Data Protection Laws
____________________________________________________________
National Legislation
General data protection laws
Japan is not an EU Member State and therefore has not implemented the GDPR. However, the Act on the Protection of Personal Information (Act No. 57 of 2003) (the “APPI”) contains similar provisions.
In October 2015, the Act on Use, etc. of Numbers to Identify Specific Individuals in Administrative Procedures (Act No. 27 of 2013) (the so-called “My Number Act”) came into force, under which an ID number is allocated to every individual so that the government can administer the social security and tax systems effectively. Please note that this memo does not cover the My Number Act, which is a special law supplementing the APPI.
Entry into force
The APPI came fully into force on 1 April 2005 and has since been amended several times.
_____________________________________________________________________
National Supervisory Authority
Details of the competent national supervisory authority
The Personal Information Protection Commission (the “PPC”) has overall responsibility for the legal framework of the APPI.
Personal Information Protection Commission
Kasumigaseki Common Gate West Tower 32nd Floor
3-2-1, Kasumigaseki
Chiyoda-ku
Tokyo, 100-0013
Japan
TEL: +81-(0)3-6457-9680
Although the PPC has centralised authority to supervise businesses, it may delegate its authority to other regulatory authorities. For example, the PPC has delegated to the Financial Services Agency its authority to receive incident reports from financial institutions in the event of a data leakage.
Notification or registration scheme and timing
A notification to the PPC is required to rely on the opt-out exemption regarding the transfer of data to a third party.
Exemptions to notification
None.
_____________________________________________________________________
Scope of Application
What is the territorial scope of application?
The APPI applies to overseas information handlers who have acquired personal information of data subjects in Japan in connection with the offering of their goods or services, even if they deal with such personal information outside Japan.
The PPC can also exercise its authority over such overseas information handlers, e.g. by issuing an order to take certain actions or by requesting a report. If an overseas information handler fails to follow an order issued by the PPC, the PPC may publish its name and it may be subject to criminal sanctions.
Is there a concept of a controller and a processor?
Japanese law does not recognise the concept of data controller or data processor. However, Japanese law does have the concept of “retained personal data”, which is personal information with respect to which an information handler has the responsibility to disclose, correct, add or delete, cease utilisation of, erase, and cease the provision to third parties.
Some of the provisions in the APPI apply only to information handlers who have “retained personal data”. For example, the obligation to disclose retained personal data to the relevant data subject only applies to an information handler with respect to its “retained personal data”. It is therefore fair to say that Japanese law has a distinction that is similar to the distinction of data controller and data processor under EU law.
Are both manual and electronic records subject to data protection legislation?
The APPI applies to both manual and electronic records.
Are there any national derogations?
The APPI applies to government entities but subjects them to rules that differ from those applicable to private entities; e.g., a government entity may hold personal information only to the extent necessary for the performance of the affairs or duties under its jurisdiction.
Further, some of the provisions under the APPI do not apply to press organisations, writers, academic organisations, religious organisations or political organisations when they deal with personal information solely for those purposes. For example, if a newspaper discloses the name of a person in an article describing a crime committed by such person, that will fall outside the scope of the APPI.
_____________________________________________________________________
Personal Data
What is personal data?
The APPI defines personal information as information about a living individual that can identify a specific individual (for example, by name or date of birth), or that contains an individual identification code such as fingerprint data or a passport number. It also includes information that can easily be collated with other information to identify a specific individual, even though the information by itself does not enable identification of that individual.
The APPI also defines several categories of information derived from, or related to, personal information to which different restrictions apply, namely: (i) “Anonymously Processed Information” is information obtained from personal information from which it is impossible to identify a specific individual even by referring to other information; (ii) “Pseudonymously Processed Information” is information obtained from personal information from which it is impossible to identify a specific individual without referring to other information; and (iii) “Person-related Information” is information relating to an individual which is neither personal information, Anonymously Processed Information, nor Pseudonymously Processed Information (please see the section “Cookies” below).
Is information about legal entities personal data?
No.
What are the rules for processing personal data?
As a general rule, information handlers must: (i) specify so far as possible the purpose for which the personal information will be processed (“purpose of use”); (ii) not change the purpose of use such that it no longer has a reasonable relationship to the original purpose of use; and (iii) not process personal information except to the extent required to achieve the purpose of use without the prior consent of the data subject.
An information handler may not transfer personal information to a third party without prior consent of a data subject. However, there are some exceptions to this requirement, for example where: (i) the disclosure is allowed or required under Japanese law; (ii) the disclosure is necessary for cooperating with a Japanese government entity in executing its legal duties, and obtaining the consent of a data subject is likely to impede the execution of such duties; (iii) the disclosure is for health or public hygiene purposes and it is difficult to obtain consent; (iv) the disclosure is part of a merger or other business succession, subject to it being used for the same purposes of use; (v) the disclosure is to a third-party processor; (vi) the disclosure is to a joint user and the data subjects are informed; or (vii) the information handler informs the data subjects of the transfer of the information intended to be provided to a third party and those data subjects do not object (this last condition being the “opt-out exemption”).
Are there any formalities to obtain consent to process personal data?
Consent is not generally required to process personal information. However, prior consent (oral or written) is needed for processing outside the scope of the original purpose of use.
Financial institutions handling personal information are required by the guidelines of the Financial Services Agency (the “FSA Guidelines”) to obtain consent in writing (including an electronic record).
Are there any special rules when processing personal data about children?
No. However, if a data subject is a minor, consent must be obtained from the minor’s legal representative.
Are there any special rules when processing personal data about employees?
No. However, the PPC has issued a notice which regulates the processing of employees’ health information. For example, the notice requires an information handler (employer) to obtain prior consent from employees when it obtains employees’ health information.
_____________________________________________________________________
Sensitive Personal Data
What is sensitive personal data?
Sensitive personal information is any information that contains the data subject’s race, beliefs, social status, medical history, criminal record, the fact that the data subject has been a victim of a crime, and any other descriptions concerning the data subject designated by cabinet order (for example, mental or physical disability, and records of medical examinations, treatment and prescribed drugs).
Are there additional rules for processing sensitive personal data?
Information handlers must in principle obtain the prior consent of the data subject to acquire sensitive personal information. The opt-out exemption for transfers of data to a third party is not available for the provision of sensitive personal information.
Further, the FSA Guidelines provide that the relevant information handlers may not acquire, use or transfer sensitive personal information defined under the FSA Guidelines except where strictly necessary.
Are there additional rules for processing information about criminal offences?
The rules are the same as for sensitive personal information.
Are there any formalities to obtain consent to process sensitive personal data?
No.
_____________________________________________________________________
Data Protection Officers
When must a data protection officer be appointed?
The APPI does not specifically require the appointment of data protection officers. However, the Guidelines on the APPI (General Rules) published by the PPC (the “APPI Guidelines”) state that the appointment of a person responsible for dealing with personal data is one example of the security measures that information handlers must take under the APPI.
What are the duties of a data protection officer?
Not applicable.
_____________________________________________________________________
Accountability and Privacy Impact Assessments
Is there a general accountability obligation?
Under the APPI, information handlers are required to take necessary and appropriate measures to ensure the security of personal data. What measures will be appropriate in each case will depend on the nature, scope, context and purpose of the use or processing of the relevant personal data as well as the risks for the rights and freedoms of individuals.
The APPI Guidelines provide some guidance on such measures, but that guidance is not decisive. In summary, each information handler is expected to: (i) have a basic privacy policy in place; (ii) have internal rules and other internal documentary arrangements that are designed to protect personal data; (iii) have organisational structures that are designed to protect personal data (e.g. appointing data protection officers); (iv) fully educate its officers and employees on data protection requirements; (v) have appropriate physical security systems; and (vi) take appropriate measures in relation to information technology systems.
Are privacy impact assessments mandatory?
As mentioned above, under the APPI, information handlers are required to take necessary and appropriate measures for the security of personal data. As part of such requirements, information handlers are expected to carry out routine investigations of their security measures.
_____________________________________________________________________
Rights of Data Subjects
Privacy notices
Information handlers are required to make available to data subjects the following information (or must reply to a data subject’s request for such information without delay): (i) the information handler’s name, address and representative’s name; (ii) the purpose of use of the data subject’s retained personal data; (iii) procedures for a request by a data subject to access their retained personal data held by the information handler and/or other pertinent requests (including the amount of any fees payable); (iv) details of whom to contact in order to lodge complaints concerning the handling of their retained personal data; (v) security measures implemented by the information handler to protect the retained personal data; and (vi) the name of the personal information protection organisation (nintei kojin jouhou hogo dantai) recognised by the PPC and the address for lodging complaints (if the information handler consents to being supervised by such organisation).
An information handler who has acquired personal information is required to promptly notify the data subjects of the purpose of use of their personal information, except in cases where the purpose of use has already been publicly disclosed. When an information handler has changed the purpose of use, it must notify the data subject of the changed purpose of use or publicly announce such changed purpose of use.
It is common practice for an information handler to publish the privacy policy on its website or post or display copies of the privacy policy in its reception or other prominent position at its offices to satisfy the above requirements and also to provide other additional information to their clients or employees.
Rights to access information
An information handler is required to notify the data subjects of the purpose of use of their retained personal data upon their request.
An information handler is required, upon a data subject’s request, to disclose such retained personal data of the data subject without delay.
An information handler may collect reasonable charges for the notification or disclosure mentioned above.
Rights to data portability
There is no concept of “data portability” under the APPI.
Right to be forgotten
Data subjects may require an information handler to cease using or erase their retained personal data: (i) if such retained personal data is being used beyond the purpose of use without their consent; (ii) if there is no longer a need to use the data; (iii) if such retained personal data was obtained by unfair means, or is sensitive personal information that was acquired without the data subject’s consent; (iv) if a material personal data leakage incident occurs; and (v) in any other situation where the rights or justifiable interests of the data subject are being threatened.
The information handler may refuse such request if compliance with such request would cause the information handler to incur excessive costs, or where it would otherwise be difficult for the information handler to discontinue using or to erase the retained personal data, provided that the information handler takes the necessary alternative measures to protect the rights and interests of the data subject.
Objection to direct marketing and profiling
The APPI does not provide any specific rights to reject direct marketing. However, information handlers must not process personal information except to the extent required to achieve the purpose of use, without the prior consent of the data subject.
Please see the section “Marketing by E-mail” below for direct marketing by e-mail.
Other rights
Data subjects may require an information handler to correct, add to or delete their retained personal data if such data is not factually correct.
_____________________________________________________________________
Security
Security requirements in order to protect personal data
Information handlers are required to implement appropriate control measures in respect of the personal data in their possession to prevent unauthorised disclosure, loss or damage of such personal data.
Specific requirements for appropriate control measures are provided in the APPI Guidelines and the guidelines issued by the regulatory authorities (when applicable).
Specific rules governing processing by third-party agents (processors)
When an information handler outsources the handling of personal data in whole or in part to a third party, the information handler must exercise necessary and appropriate supervision over the third party to ensure the security of the outsourced personal data.
Notice of breach laws
If there is a personal data leakage which may have a large impact on an individual’s rights and interests (under the PPC’s rules this covers leakages involving sensitive personal information, leakages likely to cause economic loss through unauthorised use, leakages likely caused by an act with an improper purpose such as a cyberattack, and leakages affecting more than 1,000 individuals), such leakage must be promptly notified to the PPC or the relevant authority (when delegated by the PPC). This normally means a preliminary report within three to five days of the leakage being discovered, and a final report within 30 days (or within 60 days for leakages likely caused by an act with an improper purpose).
The leakage must be also notified to the relevant data subjects unless it is difficult for an information handler to notify the relevant data subjects of the data leakage (e.g. no contact details are available). Where these difficulties exist, instead of notifying the relevant data subjects of the incident, the information handler must take alternative measures such as making a public announcement.
_____________________________________________________________________
Transfer of Personal Data to Third Countries
Restrictions on transfers to third countries
An information handler must obtain prior consent from the data subject for any transfer of personal data to a recipient in a foreign country (for the purposes of this section, “country” includes any other jurisdiction) unless that country’s data protection system is recognised by the PPC as providing protection equivalent to the Japanese regime, or the recipient third party has established a sufficient data protection system.
At present, only the EU member states and the UK have been recognised by the PPC as having a level of data protection equivalent to or stricter than the Japanese regime.
A consent must specifically relate to the transfer to that particular recipient in the foreign country, rather than being general in nature. When the information handler obtains consent from the data subject, it is required to provide the data subject with information that the data subject can utilise to assess whether they should give consent to the proposed transfer, which includes: (i) the name of the country to which the personal data is to be transferred; (ii) information on the data protection regime of such country; and (iii) information on the data protection measures taken by the data recipients.
Notification and approval of national regulator (including notification of use of Model Contracts)
There is no requirement to make any notifications to, or obtain any approvals from, the relevant regulatory authority except as explained in other sections.
Use of binding corporate rules
No concept of binding corporate rules is used in the APPI.
_____________________________________________________________________
Enforcement
Fines
Breaches of the APPI and/or related regulatory guidelines may result in civil liability or criminal sanctions. Failure to comply with a PPC order is punishable by up to one year’s imprisonment or a fine; the fine is up to JPY 1 million for an individual and up to JPY 100 million for a corporation.
Further, the APPI contains a direct criminal sanction prohibiting an information handler or its officers or employees from providing or misappropriating a personal information database for the purpose of illicit gain, punishable by up to one year’s imprisonment or a fine (up to JPY 500,000 for an individual and up to JPY 100 million for a corporation).
Imprisonment
Failure to comply with a PPC order, and providing or misappropriating personal information for a dishonest purpose, can each lead to imprisonment for up to one year.
Compensation
Data subjects may claim compensation for damages, including for mental distress, under the general principles of the Civil Code.
Other powers
A breach of the APPI and/or related regulatory guidelines may result in the PPC issuing an enforcement notice ordering the information handler to cease or improve data handling. A failure by the information handler to comply with such enforcement notice would be a criminal offence.
In addition, the relevant authority can order an information handler to submit a report to the relevant authority on the treatment of personal information.
Practice
Fines: It is not common for fines to be imposed on information handlers under the APPI.
Other enforcement action: The PPC normally first asks for further information, gives advice on proper data handling or recommends that an information handler cease the violation and take other necessary measures to correct the violation. If the information handler does not take the recommended measures without justifiable reasons, the PPC may then order the information handler to take the recommended measures.
The regulatory authorities issued 176 requests for reports, offered advice on 115 occasions, made one recommendation, issued one order, and conducted 26 onsite inspections during the period from 1 April 2022 to 31 March 2023.
_____________________________________________________________________
ePrivacy | Marketing and cookies
_____________________________________________________________
National Legislation
ePrivacy laws
Japan is not an EU Member State; accordingly, it has not implemented the Privacy and Electronic Communications Directive. However, the Act on Specified Commercial Transactions (Act No. 57 of 4 June 1976) (the “ASCT”) and the Act on Regulation of Transmission of Specified Electronic Mail (Act No. 26 of 17 April 2002) (the “ARTSEM”) provide restrictions on direct marketing.
_____________________________________________________________________
Cookies
Conditions for use of cookies
There are no special rules for cookies under the APPI. Cookies processed separately from personal information are treated as Person-related Information and are subject to the rules applicable to that category; cookies processed in conjunction with personal information are subject to the rules applicable to personal information. In practice this means that when such cookies are provided to a third party which is expected to use them as personal data, the provider is required to confirm that the third party has obtained the consent of the data subjects.
Further, the amendments to the Telecommunications Business Act promulgated on 17 June 2022 introduced new rules on the use of cookies by certain telecommunications business operators, requiring them to notify users of, publish, or obtain consent for, the transmission of user information to external parties. These rules took effect on 16 June 2023.
The Japan Fair Trade Commission has published the “Guidelines Concerning Abuse of a Superior Bargaining Position in Transactions between Digital Platform Operators and Consumers that Provide Personal Information, etc.” (the “JFTC Guidelines”), which were amended in April 2022. Under the JFTC Guidelines, if a digital platform operator collects and uses browsing history or location information without notifying consumers that it uses such information in a way that identifies a specific person, it may be deemed to be abusing its superior bargaining position.
Regulatory guidance on the use of cookies
See the JFTC Guidelines mentioned above.
_____________________________________________________________________
Marketing by E-mail
Conditions for direct marketing by e-mail to individual subscribers
It is only possible to send direct marketing e-mails to individual subscribers if they consent.
Conditions for direct marketing by e-mail to corporate subscribers
It is only possible to send direct marketing e-mails to corporate subscribers if they consent.
Exemptions and other issues
Under the ARTSEM, it is permitted to send e-mails for the purpose of direct marketing without consent if: (i) the recipient notifies the sender of its e-mail address in writing; (ii) the recipient has a business relationship with a person engaged in sales activities relating to the marketing; or (iii) the recipient is an organisation or an individual engaged in business who discloses its e-mail address on the Internet.
Under the ASCT, it is permitted to send e-mails for the purpose of direct marketing without consent in connection with certain types of sales transactions if: (i) the marketing content is sent in association with notifications of important matters relating to a contract; or (ii) the advertisement is appended to e-mails sent through a free e-mail service, such as those offered by Yahoo! or Google.
The sender of the e-mail must identify itself by providing its name and address. The sender must also inform the recipient of the right to opt out of further marketing e-mails, and provide an e-mail address or URL through which the recipient can opt out.
Additional regulations might apply depending on the exact nature of the products or services to which the marketing relates.
_____________________________________________________________________
Marketing by Telephone
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
It is not permitted to solicit a sales contract or a service contract from an individual subscriber who has expressed his/her intention not to enter into a sales contract or a service contract.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
It is not permitted to solicit a sales contract or a service contract from a corporate subscriber which has expressed its intention not to enter into the sales contract or a service contract.
Exemptions and other issues
When a product seller or a service provider solicits customers for its products or services by telephone, it is required to inform the recipient of the following prior to the solicitation: (i) the name of the seller or provider; (ii) the name of the person in charge of the solicitation; (iii) the type of product or service being offered; and (iv) the purpose of the telephone call (i.e., to solicit the custom of the recipient). Additional regulations might apply depending on the exact nature of the products or services to which the marketing relates.
_____________________________________________________________________