This is an Insight article, written by a selected partner as part of GDR's co-published content.
Key statutes, regulations and adopted international standards
In Japan, data protection regulation of the private sector and of the public sector differs significantly. This chapter mainly focuses on the private sector.
Rules for business operators in the private sector
The Act on the Protection of Personal Information
The Act on the Protection of Personal Information (the APPI) (Act No. 57 of 2003) is the principal legislation in Japan dealing with data protection. The APPI came into force in 2005 and was drastically overhauled in 2017 and 2020 to take into account rapid technological developments (artificial intelligence, big data, etc) and globalisation, which have brought about new challenges and the increasing need to protect personal data. The 2020 revision came into effect as of 1 April 2022.
The APPI imposes obligations on ‘business operators’. As an exemption applicable to small and medium-sized enterprises was abolished as part of the 2017 amendments, almost all Japan-based business operators will be covered by the APPI, regardless of the amount of personal data they handle or the size of their business (see ‘The effect of local laws on foreign businesses’).
To clarify and ensure the enforcement of these obligations, the APPI:
- sets forth a basic regulatory framework (see ‘Regulatory bodies’ and ‘The effect of local laws on foreign businesses’);
- established the Personal Information Protection Commission (PPC) and defined its roles as the national data protection authority (see ‘Regulatory bodies’); and
- provides for a set of enforcement measures, such as imprisonment and fines.
The PPC has adopted guidelines to ensure the proper and effective implementation of the APPI by business operators. The PPC’s general guidelines supplement the APPI. Specific guidelines apply to certain sectors such as the finance, medical and telecommunications sectors.
Discipline for local public bodies
Currently, all prefectures and municipal governments in Japan have local regulations on the protection of personal information. The prefectures and municipal governments, public schools and public hospitals are covered by those local regulations. However, by the amendment of the APPI, which will come into force as of 1 April 2023, local regulations on the protection of personal information will be made uniform within the APPI.
The PPC is the sole national data protection authority in Japan and independent from other government bodies. The main roles of the PPC are as follows:
- The PPC formulates basic policies on the protection of personal information in accordance with the APPI and promotes the protection of personal information in the public and private sectors. These basic policies include guidelines that are updated from time to time.
- The PPC has the power to issue guidance and advice, request reports, conduct on-site inspections, make recommendations and issue orders to government institutions and business operators. The range of enforcement measures available is prescribed under the APPI.
- The PPC promotes cooperation with data protection authorities in foreign countries through formal and informal exchanges of views with foreign data protection authorities.
- For the purpose of ensuring the proper handling of personal information, the PPC accredits private organisations (ie, accredited personal information protection organisations) that provide certain data protection-related services, such as receiving complaints about the handling of personal information, the provision of advice to those making a complaint and the investigation of the circumstances surrounding a complaint. In addition, the PPC supervises these accredited organisations, requiring them to report on the conduct of their services, and may order them to improve their services or take any other necessary action.
The effect of local laws on foreign businesses
Foreign groups with an office located in Japan
The APPI imposes obligations on business operators handling personal information (ie, business operators). A business operator is defined as ‘an entity using a personal information database for use in its business’. Public entities are expressly excluded from this definition. However, there is no similar carve-out for the benefit of companies incorporated in a foreign country or entities having their head office located in a foreign country (ie, a foreign company). This definition reflects the official position of the PPC that the APPI obligations and provisions equally apply to foreign companies if those foreign companies fall under the definition of business operator in Japan.
The PPC takes the view that a foreign company is a business operator if it uses a personal information database for its business conducted in Japan, regardless of the place of incorporation or location of the head office.
Therefore, if a foreign company has a branch office or a business office in Japan, or if a foreign company conducts its business in Japan, and uses a personal information database for its business in Japan, this foreign company will fall under the definition of ‘business operator’. Furthermore, if a foreign company has a subsidiary in Japan using a personal information database for its business in Japan, this subsidiary falls within the definition of a business operator (although the foreign company itself might not necessarily be covered by the APPI). Accordingly, if a foreign company has an office in Japan that falls under the definition of ‘business operator’, regardless of whether that office is a branch, business office or subsidiary, APPI-compliant compliance systems must be put in place.
Foreign groups without an office in Japan
Even if a foreign company has no office in Japan, if this foreign company is collecting personal information from individuals in Japan in connection with a supply of goods or services to these individuals, certain obligations under the APPI would apply to them on an extraterritorial basis. Accordingly, these entities must take measures to comply with these provisions of the APPI.
Core principles on personal data
The APPI distinguishes between:
- personal information: information by which a specific living individual is identifiable, or information containing an individual identification code (eg, a passport number or driver’s licence number). Personal information includes information that can be readily combined with other information and thereby make it possible to identify a specific individual; and
- personal data: in summary, personal information that forms part of a collective body of personal information systematically organised so that particular personal information can be easily searched for.
The APPI applies additional protection to certain sensitive personal information as categorised and defined under the APPI. That includes but is not limited to the individual’s race, creed, social status, medical history, criminal record, and status as the victim of a crime.
Overview of the main obligations under the APPI
The following table provides a brief outline of the obligations imposed on business operators for each phase during which personal information is handled.
|Phase|Type of information|Summary of duties|
|---|---|---|
|I Collection|Personal information|Disclosure of the purpose of use prior to collection of personal information. No need to obtain the individual’s consent (except for sensitive personal information).|
|II Utilisation|Personal information and personal data|No need to obtain the individual’s consent when utilising within the scope of a previously disclosed purpose. Duty to take reasonable security measures, including preventing the leakage, loss of, or damage to, personal data when handling personal data.|
|III Third-party disclosure|Personal data|Consent requirement: in principle, individual consent is required for disclosure of personal data to a third party. No need to obtain the individual’s consent in the case of entrustment of personal data, disclosure upon business succession (ie, M&A) or joint use. Regarding joint use, if a business operator informs the individual in advance of, or ensures that the individual can easily become aware of, five statutory elements, the business operator can jointly utilise personal data with a third party, such as a subsidiary, without obtaining any prior individual consent to the disclosure. If the business operator meets certain requirements, there is no need to obtain the individual’s consent upon each disclosure of personal data. An entity disclosing personal data to a third party must keep records of the disclosure. Cross-border transfer restrictions: in principle, individual consent is required for disclosure to a third party in a foreign country. No need to obtain the individual’s consent in the circumstances explained below.|
Cross-border transfer restrictions
Unless certain exemptions apply, a business operator disclosing personal data to a third party in a foreign country must obtain the individual’s prior consent. However, consent is not required in the following cases:
- transfer to a country that is designated by the PPC as having established a personal information protection system equivalent to that of Japan with regard to the protection of an individual’s rights and interests (as of July 2022, only the EU and the UK are designated as such);
- the disclosing business operator ensures, through appropriate and reasonable measures, that the recipient develops and implements arrangements for handling personal data consistently with the obligations under the APPI. These measures may include:
  - contracts between the disclosing business operator and the recipient; or
  - internal rules that are commonly applied to the disclosing business operator and the recipient; and
- the recipient receives certification based on the APEC cross-border privacy rules framework (CBPR).
Furthermore, a business operator disclosing personal data to a third party in a foreign country must follow restrictions as follows:
- the disclosing business operator must provide data subjects with certain information, including information on the data protection regime of the foreign country of destination, when seeking their consent; and
- the disclosing business operator must take necessary steps to ensure that recipients of personal data continuously implement appropriate processing and security measures, and must provide data subjects on request with relevant information on such necessary steps.
Overview of the main enforcement measures in the APPI
The main enforcement measures are:
- imprisonment or criminal fine;
- an order against the business operator to cease and desist and to take other necessary action to rectify a violation of the APPI; or
- any other action deemed necessary by the PPC within its authority.
A business operator is obliged to report certain leakage or loss of, or damage to, personal data (a data breach) to the PPC and to the affected data subjects.
Reporting to the PPC is mandatory in the following cases:
- the personal data includes or is likely to include sensitive personal information;
- damage to property is likely to arise in light of the nature of the personal data (eg, credit card numbers);
- persons with malicious intentions are likely to be involved in the data breach; or
- it has a significant scale (ie, 1,000 or more individuals).
A business operator is required to provide a preliminary report to the PPC within approximately three to five days of becoming aware of any of the events mentioned above. A business operator is also required to submit a final report to the PPC within 30 days (or 60 days in the case of a breach in which ‘malicious persons are likely to be involved’) of becoming aware of the breach.
Automated processing, profiling and data analytics
There is currently no Japanese legislation specifically restricting automated processing, profiling and data analytics. Under the current interpretation of the APPI, even if information that is equivalent to sensitive personal information is generated or presumed as a result of profiling, this information does not qualify as sensitive personal information under the APPI.
Under the APPI, a business operator handling anonymously processed information is not allowed to collate this information with other information to identify an individual to whom the anonymously processed information relates. However, if a business operator identifies a certain individual as a result of profiling using anonymously processed information, the business operator is not considered to be subject to that restriction.
As part of the last review of the APPI, there were discussions on whether rules specifically restricting automated processing, profiling and data analytics should be added to the APPI. As an alternative to addressing these issues in the APPI, data subjects’ rights to obtain the deletion of their data or suspension of its use or transfer were strengthened. In particular, by the 2020 amendment of the APPI, data subjects are now able to make these requests if their rights or legitimate interests are likely to be infringed. Further, APPI guidelines clarify that if the processing of personal data exceeds what the data subject would have expected, such as in the case of profiling, the purpose of use must be disclosed in detail at the time of acquisition or prior to processing of such personal information.
Communications and marketing
Telecommunications businesses in Japan generally handle large amounts of personal information. Accordingly, the Ministry of Internal Affairs and Communications (MIC), acting as supervisory authority for the telecommunications sector, has issued the following guidelines.
Guidelines regarding the protection of personal information for the telecommunications sector
These guidelines contain rules that telecommunication business operators should comply with when they collect, use and transfer information such as communications history or information on callers (such as caller ID and location information for phone calls).
Guidelines regarding personal information of the caller in caller information notification service
Certain telecommunication business operators provide a service of notifying the caller’s information to the receiver of the call (the caller information notification service). Because caller information is treated as personal information, the MIC has adopted the ‘Guidelines regarding personal information of the caller in the context of caller information notification services’.
These guidelines contain rules that caller information notification service providers should comply with when they record, use and transfer caller information.
The MIC has established a working group regarding the handling of information stored in smartphones, such as location information and communications history (smartphone user information), and this working group has published a Smartphone Privacy Initiative paper that reports its conclusions on how smartphone user information should be protected.
The MIC has also established a committee to review the handling of location information in emergencies. This committee has reviewed how location information should be utilised for accident prevention and has issued a non-binding report on how such information should be protected.
The Act on Specified Commercial Transactions
Under this Act, sellers or service providers can only advertise to consumers via email when recipients opt in to receive emails. However, the following are exceptions:
- when sellers or service providers send email advertisements with notice of matters regarding contracts (ie, finalisation of an agreement and shipment of goods); or
- when sellers or service providers send email advertisements with email newsletters that are sent with consent from a recipient.
The Act on Regulation of Transmission of Specified Electronic Mail
Under this Act, senders can only advertise via email when recipients opt in to receive such emails. However, the following are exceptions:
- when recipients provide their email addresses to the sender in writing (for instance, by providing a business card);
- when recipients have a business relationship with the sender; or
- when recipients make their email addresses available on the internet for business purposes.
Right to request disclosure
A data subject may request disclosure of retained personal data from a business operator that holds such retained personal data. Upon receiving such a request, a business operator must disclose the retained personal data in writing without delay.
However, the business operator is exempt from disclosing the retained personal data, in whole or in part, if:
- there is a possibility of harming the life, body, assets or other rights and interests of the data subject or a third party;
- there is a possibility of seriously interfering with the proper running of the business operator’s business; or
- the disclosure violates other laws and regulations.
Right to request correction, addition or deletion
A data subject may request that a business operator make a correction, addition or deletion (collectively, a correction) in relation to the content of retained personal data when that personal data is incorrect. Upon receiving such a request made pursuant to the APPI, the business operator must, without delay, conduct the investigation necessary to achieve the purpose of use and, based on the results, correct the content of the retained personal data.
However, the business operator is exempt from that correction obligation under the APPI where a special procedure concerning a correction of the content is prescribed by other laws or regulations.
Right to request suspension of use, deletion or suspension of third-party transfers
A data subject may request that a business operator suspend use of, delete or suspend third-party transfers of retained personal data (collectively, ‘suspension and deletion measures’) if that data is handled in violation of the APPI, has been acquired in violation of the APPI, or has been disclosed to a third party in violation of the APPI. Subject to certain exemptions (see below), a business operator must take suspension and deletion measures to the extent necessary to remedy the violation without delay, following receipt of a request made pursuant to the APPI and once it has become clear that there is a reason for the request.
However, the business operator is not obligated to take suspension and deletion measures when doing so would require a large amount of expense or otherwise be difficult to carry out, and when necessary alternative action is taken to protect the rights and interests of the data subject.
In addition, recent amendments to the APPI have relaxed the requirements for data subjects requesting suspension and deletion measures when there is a possibility of their rights or legitimate interests being violated.
The role of the data protection officer
The APPI has no provision mandating the appointment of a data protection officer. However, a business operator is required to take necessary and appropriate action to secure personal data including preventing the leakage, loss or damage of its handled personal data.
In connection with this provision, the PPC guidelines require a business operator to take security control measures, including the following:
- Organisational security control measures: appointing a person responsible for handling personal data, establishing a system to respond to leakage, loss or damage of personal data, and conducting safety audits on systems that manage personal data.
- Human security control measures: employee training on the handling of personal data.
- Physical security control measures: access control to areas where important personal data is handled, and storage of documents containing personal data in a cabinet that can be locked.
- Technical security control measures: for example, installing a firewall on computers connected to external networks, and restricting access to systems that handle personal data.
Since the appointment of a person responsible for handling personal data is listed as one example of organisational security control measures in the PPC guidelines, it is the prevailing practice in Japan for a business operator to appoint a responsible person whose tasks or roles are similar to that of a data protection officer in many other jurisdictions.
Procedure for dealing with data protection breaches and the consequences
The PPC has the power to require a business operator to submit necessary information or materials relating to the handling of personal information, or to have its officials enter a business office or other necessary premises of a business operator, enquire about the handling of personal information, and inspect books, documents and other property.
As to corrective measures, the PPC has the power to:
- issue guidance or advice to a business operator with regard to handling personal information;
- recommend a business operator suspend non-compliant activities or take other necessary action to rectify the violation when there is a need to protect an individual’s rights and interests in cases where the business operator has violated the various provisions of the APPI; and
- order a business operator to take action in line with the recommendation when a serious infringement of an individual’s rights and interests is imminent, in cases where a business operator that has received a recommendation pursuant to the APPI has not, without a legitimate excuse, taken action in line with that recommendation.
A business operator who has violated an order pursuant to the APPI may be punished by imprisonment with labour for not more than one year or a criminal fine of not more than ¥1 million. If a representative, agent or employee of a business operator has violated an order pursuant to the APPI, that individual may be punished as above, and the business operator itself may also be punished with a criminal fine of up to ¥100 million.
Images of individuals captured by a surveillance camera and facial recognition data obtained from these images fall under the definition of personal information if the images or data can be used to identify a specific individual.
In addition, when such images or facial recognition data are stored in a systematically organised manner, they fall under ‘personal information database’ and are treated as personal data.
Therefore, the regulations under the APPI would apply to the collection, use or transfer of images of individuals captured by a surveillance camera and facial recognition data obtained from those images.
Article 21, paragraph 2 of the Constitution of Japan guarantees the secrecy of any means of communications as a basic human right. In accordance with the Constitution of Japan, the Telecommunications Business Act, the Wire Telecommunications Act and the Radio Act contain provisions protecting the secrecy of telecommunications.
For example, the Telecommunications Business Act provides that ‘the secrecy of communications being handled by a telecommunications carrier shall not be violated’, which prohibits a third party other than originators and recipients from intentionally viewing communications managed by the telecommunications carrier. Any person who violates provisions of the Telecommunications Business Act is subject to criminal punishment. For example, any person who has violated the secrecy of communications handled by a telecommunications carrier may be punished by imprisonment with labour for up to two years or subject to a criminal fine of up to ¥1 million.
Accordingly, private organisations may not, in principle, conduct email monitoring. If a company examines employees’ emails stored on an internal server in order to investigate misconduct within the company, this investigation may not necessarily violate the secrecy of communications or the right of privacy. However, when conducting such an investigation, a cautious approach would be to obtain the consent of the data subject and, if that is not possible, to obtain qualified legal advice.
In addition, the revised Telecommunications Business Act was enacted on 13 June 2022, and will go into effect within one year of its promulgation date of 17 June 2022.
Benesse Corporation (Benesse) contracted Synform Co Ltd (Synform) for the development and operation of a system to analyse the personal information of Benesse’s customers. In 2014, it became known that an employee of a subcontractor of Synform had leaked personal information of multiple customers of Benesse (including details such as name, gender, date of birth, address, telephone number and email address). That incident attracted significant attention.
Regarding this case, several civil (Japanese-style) class action lawsuits have been filed against Benesse and Synform by customers based on tort, claiming damages for mental suffering. In one of these lawsuits, the Tokyo High Court entered a judgment on 27 June 2019, admitting the liability of Benesse and Synform and ordering them to pay ¥2,000 to each individual plaintiff. Additionally, in another separate lawsuit, the Tokyo High Court entered a judgment on 25 March 2020, confirming the liability of Benesse and Synform and ordering them to pay ¥3,300 to each individual plaintiff.
Furthermore, the Tokyo High Court referred to the fact that Benesse had paid voluntary compensation to each victim (¥500 per person to approximately 35 million people). As a result of the incident, Benesse recorded a ¥26 billion special loss during one fiscal year, including ¥6 billion to strengthen security controls and ¥20 billion to fund voluntary compensation.
This case demonstrates the importance of complying with Japanese data protection regulations in order to mitigate the risk of disputes.
 Guidelines for the Act on the Protection of Personal Information (General Rules); Guidelines for the Act on the Protection of Personal Information (Obligations of Confirmation and Recording at the Time of Provision of Personal Data to Third Parties); Guidelines for the Act on the Protection of Personal Information (Provision to a Third Party in a Foreign Country); Guidelines for the Act on the Protection of Personal Information (Pseudonymously Processed Information and Anonymously Processed Information); Guidelines for the Act on the Protection of Personal Information (Accredited Personal Information Protection Organisations); Guidelines on Personal Information Protection in the Credit Industry; Guidelines on Personal Information Protection in the Claim Management and Collection Business Industry; and Guidelines on Personal Information Protection in the Financial Industry, etc.
Retained personal data is defined as personal data held by a business operator. Following amendment of the APPI, personal data now falls within the definition of retained personal data regardless of the length of the period for which it is held by a business operator. As there is practical overlap with the Act on Specified Commercial Transactions, both regulations apply.
Following amendment of the APPI, the requestor can choose the method of disclosure, including provision through electronic means such as email.
 During fiscal year 2021, there were no cases where the PPC investigated business premises, but there were 328 cases where the PPC required business operators to submit information or materials.
 During fiscal year 2021, there were 217 cases where the PPC issued guidance or advice to business operators.
 The exact timing of the revised law coming into effect has not been determined as of July 2022.