In Japan, in cases of privacy violation or defamation, personal information and privacy were once protected mainly by injunctions or claims for damages based on tort law. The situation changed dramatically, however, with the enactment of the Act on the Protection of Personal Information (the APPI) in 2005. When large-scale leakage of personal information occurs, a number of victims still bring collective lawsuits under tort law; however, the most routine and significant law for private business operators handling personal information is the APPI.
Outline of the APPI
The APPI was enacted in 2005 with the primary objective of protecting personal information. Subsequently, the APPI was significantly amended in 2015, and the amendments to the APPI took effect on 30 May 2017. In the past, the supervision of private business operators was carried out by the ministries and agencies that have jurisdiction over private business operators. However, as a result of the amendment, the supervision of private business operators was consolidated to the Personal Information Protection Commission (PPC) in principle. As a result, the PPC has published a number of new guidelines. In addition, the guidelines for certain fields of business, such as healthcare, finance, credit, and telecommunications, have been established by the PPC and/or the relevant governmental ministries. It is important to confirm the existence and content of such guidelines with respect to each field when conducting business in Japan.
Information and data subject to protection
The APPI defines ‘personal information’, ‘personal data’, and ‘retained personal data’, and the duties owed differ for each category of information/data. The broadest of these concepts is ‘personal information’. Under the APPI, ‘personal information’ refers to information relating to a living individual that (i) contains a name, date of birth, or other description, etc., whereby a specific individual can be identified (including information which can be readily collated with other information and thereby identify a specific individual), or (ii) contains an individual identification code. Individual identification codes include passport numbers, driver’s licence numbers and fingerprint authentication data. However, terminal ID codes, mobile phone numbers, mailing addresses, and credit card numbers are not included.
Purpose of use
Having obtained personal information, a business operator must inform the relevant individual of (or make public) the purpose of use, unless the purpose of use has been publicly announced in advance. Furthermore, a business operator must make all of the purposes of use of retained personal data apparent/accessible to all relevant individuals. In order to comply with these regulations, many business operators publish ‘privacy policies’ on their websites.
Provision to a third party
Under the APPI, in principle, a business operator is required to obtain the prior consent of the individual when providing their personal data to a third party. However, there are a number of exceptions, such as (i) cases based on laws and regulations, (ii) cases in which there is a need to protect a human life, body, or the property of the person, and it is difficult to obtain the consent of the person, (iii) cases in which the person has been given the opportunity to opt out, and (iv) cases in which personal data is provided because a business operator entrusts the handling of the personal data to the recipient. In practice, therefore, when it is difficult to obtain the prior consent of the relevant individual, personal data is often provided to a third party using these exceptions.
Provision of personal data to third parties in foreign countries is subject to additional regulations. Where a business operator provides personal data to a third party located in a foreign country, it shall, in principle, obtain the prior consent of the individual. This regulation does not apply when a foreign parent company receives personal data from a Japanese branch that does not have an independent legal personality.
Exceptions to these additional regulations include: (a) provision to a foreign country recognised by the PPC as having the same level of protection as Japan; (b) provision of personal data to a third party who has developed a system that conforms to the standards set forth by the APPI as necessary for the continuous implementation of measures equivalent to those required to be taken by each business operator with regard to the handling of personal data; and (c) the cases described in (i) and (ii) above. With respect to (a), in January 2019, the PPC recognised EEA member countries as having the same level of protection as Japan.
Unlike the GDPR, the validity requirements for consent are not strictly construed and implied consent is permissible. Consequently, in Japanese practice, it is common to obtain consent from individuals in a variety of situations, including obtaining consent from employees.
Security control, etc.
Each business operator shall implement security control measures and assume the duty of supervising its employees and contractors. For this reason, in general, business operators often establish internal regulations for the handling of personal information and ask officers and employees to comply with these regulations.
The APPI stipulates the right of individuals to request disclosure of their retained personal data. Specifically, notification of the purpose of use, disclosure, correction, addition or deletion, suspension of use or deletion, and prohibition of provision to a third party are stipulated as rights the individual may claim. Generally, however, these claims are not frequently exercised.
Breach of data protection
Under the APPI, there is no provision which stipulates a duty to report and notify the PPC, etc., or the impacted persons at the time of a data breach. However, the PPC recommends that, when leakage, loss, or damage to personal data, or the likelihood of such leakage, is detected, the business operator should report to the PPC and communicate the issue to the relevant person unless certain exceptional circumstances described in its guidelines exist. While such reporting is not a legal obligation, the PPC may provide ‘guidance/advice’ to the business operator if it fails to comply with this recommendation and, therefore, as a matter of practice, business operators are required to comply with the guidelines.
For so-called ‘sensitive data’, the following two special rules have been established: (i) in principle, business operators shall not obtain sensitive data without obtaining the prior consent of the person; and (ii) business operators shall not provide sensitive data to a third party based on the opt-out rule.
Provisions governing the extra-territorial application of the APPI to a business operator located abroad have been established. Specifically, certain provisions will apply in those cases where a business operator, in relation to supplying goods or services to a person in Japan, has acquired personal information relating to that person.
Data protection authority
Unlike the GDPR, the APPI does not have severe sanctions. The powers of the PPC with respect to business operators are (i) calling for reports and conducting onsite inspections, (ii) providing guidance/advice, and (iii) issuing recommendations, orders and urgent orders. In addition, criminal penalties are stipulated in extremely limited cases. Before the establishment of the PPC, the relevant authorities were very modest in exercising these powers. However, after the establishment of the PPC, the number of onsite inspections and instances of guidance/advice has increased significantly (for example, in 2017, the PPC called for 305 reports, conducted 33 onsite inspections and provided 270 pieces of guidance/advice).