Japan - Data Protection Overview
1. THE LAW
1.1. Key Acts, Regulations, Directives, Bills
- The Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2016) ('APPI'). The APPI was subject to substantial revisions which came into full effect on 30 May 2017. Unless stated otherwise, the discussion below relates to the APPI.
- The Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure ('the My Number Act').
Key guidelines provided by the Personal Information Protection Commission ('PPC'), the regulatory body established pursuant to the APPI and responsible for overseeing compliance with the APPI, and by the relevant ministers are listed below; some of these guidelines are supplemented by 'Q&As' or 'Commentaries' which provide practical guidance. The APPI delegates the power to require reports from Personal Information Controllers ('PICs') (as defined in section 4 below) to the minister regulating each business sector or a designated minister, etc. As such, each ministry provides, jointly with the PPC or individually, guideline(s) and Q&As and Commentaries for the relevant business sector.
Guidelines issued by the PPC (only available in Japanese here) provide detailed guidance on the scope and meaning of the provisions of, and certain terms used in the APPI, and examples of their application, though the examples do not expand or limit the scope of the APPI. The guidelines also make it clear that a breach of a guideline which is expressed as an obligation, rather than a recommendation, would be deemed a breach of the APPI. The general guidelines provided by the PPC on the APPI (only available in Japanese here) ('the General Guidelines') are not comprehensive and limited additional guidelines have been issued for businesses and industries where there is a need for more stringent protection of personal information.
For credit card businesses and businesses which use genetic information, the Ministry of Economy, Trade and Industry ('METI') has issued the following guidance:
- guidelines for personal information protection in the credit industry (only available in Japanese here); and
- guidelines for the protection of personal information in the industry using genetic information of individuals in the economic and industrial sectors (only available in Japanese here).
For the financial sector (except the credit card industry, which is regulated by METI), the Financial Services Agency ('FSA') has issued the following guidance:
- guidelines for personal information protection in the financial industries (only available in Japanese here); and
- practical guidelines for security policies regarding personal information protection in the financial industry (only available in Japanese here).
For the medical sector, the Ministry of Health, Labour and Welfare ('MHLW') has issued the following guidance:
- guidance for the appropriate handling of personal information by medical or care-related service providers (only available in Japanese here);
- guidance concerning safety management of medical information systems (only available in Japanese here);
- ethical guidelines concerning medical research targeting humans (only available in Japanese here);
- ethical guidelines concerning analysis and research of the human genome and genes (only available in Japanese here);
- guidelines concerning gene therapy clinical research (only available in Japanese here); and
- ethical guidelines concerning research of assisted reproduction technologies that produce fertilised embryos (only available in Japanese here).
For employment and welfare areas, the MHLW has issued the following guidance:
- notice regarding the handling of health information in employment management (only available in Japanese here);
- guidance for the appropriate handling of personal information at health insurance societies, etc. (only available in Japanese here);
- guidance for the appropriate handling of personal information at national health insurance societies (only available in Japanese here);
- technical security measures regarding personal information in the private pension area (only available in Japanese here);
- guidelines for appropriate dealing by employment placement service providers, worker recruiters, worker recruitment agents or worker suppliers with equal treatment, statement of working terms, handling of personal information of job seekers, duties of employment placement service providers, correct statement of terms of recruitment (only available in Japanese here);
- guidelines concerning measures which staffing service providers are required to take (only available in Japanese here); and
- guidelines for appropriate dealing by supervising organisations with a statement of working terms, handling of personal information of implementers of intern training supervised by organisations or technical intern trainees at training supervised by organisations, etc. (only available in Japanese here).
For the telecommunication sector, the Ministry of Internal Affairs and Communications ('MIC') has issued the following guidance:
- guidelines concerning the protection of personal information in telecommunication businesses (only available in Japanese here);
- commentary on the guidelines concerning the protection of personal Information in telecommunication businesses (only available in Japanese here) ('the Commentary');
- guidelines concerning the protection of personal information of broadcast receivers (only available in Japanese here); and
- guidelines concerning the protection of personal information in the area of correspondence delivery business (only available in Japanese here).
The Ministry of Justice has issued the following guidance:
- guidelines concerning the protection of personal information in the debt collection service industry (only available in Japanese here).
The PPC has issued the following guidance:
- general guidelines for data leakages ('the Data Breach Guidelines') (only available in Japanese here);
- guidelines concerning appropriate handling of specific personal information (main body and separate volume: security measures concerning specific personal information) (only available in Japanese here); and
- guidelines concerning appropriate handling of specific personal information in financial businesses (only available in Japanese here).
1.3. Case Law
Benesse Leakage Incident
Benesse Holdings, Inc., a correspondence education service provider, disclosed that it suffered leakages of personal data of customers' children and their parents, including names, addresses, phone numbers, the children's genders and dates of birth, and expected delivery dates of a limited number of expectant mothers (though not including payment card or bank account information or children's achievement information), affecting approximately 49 million individuals. In 2013 and 2014 an employee of a company subcontracted by Benesse's subsidiary ('the Subsidiary'), which Benesse had engaged to process its customers' data, who was engaged in the data processing work and authorised to use the Subsidiary's client PC to access the data, unlawfully downloaded the data onto his personal smartphone. He sold the data to name-list brokers, and it was ultimately obtained by other correspondence service providers, who sent direct marketing mail to the affected parents and children. The Subsidiary had implemented security measures, but its systems for alerting senior managers to unusual data transfer activity and for controlling the export of data from the client PC onto external devices were not effective. As a gesture of apology, Benesse sent a JPY 500 (approx. €4) shopping voucher to each customer it identified as affected by the incident.
The following cases of individual or collective damages claim actions against Benesse on this incident are publicly available:
Supreme Court Judgment of 23 October 2017
The Supreme Court judgment of 23 October 2017 (only available in Japanese here) overturned the lower court's (Osaka High Court) judgment that the plaintiff should have established damages beyond a mere feeling of discomfort or anxiety. It instead found the plaintiff's privacy was infringed and remanded the case to the lower court to further review what the moral damage due to the privacy infringement was.
Tokyo District Court Judgment of 20 June 2018
The Tokyo District Court ('the TDC') judgment of 20 June 2018 found that:
- the Subsidiary breached its duty of care by failing to appropriately upgrade its controls against data being exported to new models of smartphones using Media Transfer Protocol ('MTP'); and
- Benesse breached its duty of care by failing to appropriately monitor what security software was used by the Subsidiary, and accordingly failing to recognise that it should require the Subsidiary to upgrade its controls against data exports to new types of smartphone.
However, the TDC also found, taking into account the type of leaked data, such data only being available to certain parties and not in the public domain (e.g. the Internet) in general, and Benesse's provision of JPY 500 in shopping vouchers, that the emotional distress sustained by the plaintiffs was still not enough to establish a 'pain and suffering' award, and accordingly dismissed the collective damages claims against both Benesse and the Subsidiary. The judgment was appealed and is currently being reviewed by the Tokyo High Court.
TDC Judgment of 27 December 2018
The TDC judgment of 27 December 2018 (only available in Japanese here) found that the Subsidiary could not reasonably have expected that its controls against data exports would fail against exports to new Android smartphones using MTP, and therefore was not in breach of its duty of care in not upgrading those controls to block data exports to such new models of smartphone. However, the TDC found that the Subsidiary was subject to the statutory 'Employer's Tort Liability,' which does not require a breach of duty of care but is based on the individual's tortious act and the defendant's supervision and control over the individual. The TDC awarded damages against the Subsidiary of JPY 3,000 (approx. €25) for pain and suffering plus JPY 300 (approx. €2) as lawyers' costs, per plaintiff. The TDC found that Benesse likewise could not reasonably have expected that the export controls would fail against exports to new Android smartphones using MTP, and therefore was not in breach of its duty of care in not requiring the Subsidiary to upgrade the export controls. Since 'Employer's Tort Liability' also did not apply, because Benesse was not in a position to supervise and control the tortfeasor individual, the TDC dismissed the damages claims against Benesse. The plaintiffs were reported to have appealed to the Tokyo High Court.
2. SCOPE OF APPLICATION
2.1. Who do the laws/regs apply to?
The APPI applies to every PIC in Japan, whether a person or entity; the exemption for a person or entity which has not handled personal information of more than 5,000 individuals in certain cases was abolished when the APPI was revised in 2017, though the APPI does enable exemptions to be provided by a cabinet order where the risk of infringement of individuals' rights and interests is limited.
The APPI only applies to persons or entities that handle personal information in the course of their business. For this purpose, a 'business' means activities which can be conducted repeatedly for a particular purpose and are regarded as a business under social conventions; a business can be for profit or not. A broadcasting institution, newspaper publisher or other press organisation, professional writer, university or other academic organisation, religious body, or political party are exempted from the obligations under the APPI in connection with such press, professional writing, academic, and political activities respectively.
An offshore PIC which is not otherwise subject to the APPI regime which acquires personal information of data subjects in Japan for the purpose of it supplying goods or services to those persons is now subject to the APPI even if it does not handle any personal information in Japan. Although the PPC cannot enforce its orders for compliance with the APPI, etc. against such an offshore PIC, it may provide information to foreign regulatory authorities for their own regulatory enforcement purposes.
2.2. What types of processing are covered/exempted?
The APPI applies to 'handling' of personal information by a PIC. 'Handling' is not defined in the APPI or the PPC's guidelines thereunder. However, it was explained in published discussions made at the government's committee regarding the outline of the original APPI in 2000 to mean collection (acquisition), retention, use, transfer and any other acts of handling personal information. 'Processing' was also explained at the discussions to include any such acts. The terms are understood in practice to be given such meanings.
For further information regarding the scope of the application of the law, see section 2.1 above.
3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY
3.1. Main regulator for data protection
The PPC is the primary regulator under the APPI and the My Number Act.
3.2. Main powers, duties and responsibilities
- has the task of ensuring the appropriate handling of personal information and specific personal information so as to protect individuals' rights and interests;
- has the primary investigatory, advisory and enforcement powers under the APPI and the My Number Act, including the power to investigate the activities of a PIC, an Anonymised Information Controller (see section 4 below) and a person handling specific personal information, and in certain instances to render advice to and make orders against them, if the infringement of an individual's material rights or interests is imminent;
- (in connection with the protection of personal information under the APPI) may delegate its investigatory powers to the relevant minister, etc. in limited circumstances, but not its advisory or enforcement powers. The supervisory practices of the PPC and relevant ministers, etc. are to be clarified by a cabinet order in due course; and
- can provide information to foreign data protection regulators and in limited circumstances may allow information to be used for criminal investigations overseas.
4. KEY DEFINITIONS | BASIC CONCEPTS
Personal Data: Personal information contained in a database (whether electronic or not) that enables easy retrieval of the personal information contained in it (a personal information database). Personal Information is information about a living individual from which the identity of the individual can be ascertained (including information which enables identification by easy reference to, or combination with, other information). Since the 2017 revision to the APPI, 'personal information' includes 'Personal Identifier Codes', which include items such as characters, numbers, symbols and/or other codes for computer use which represent certain specified personal physical characteristics (such as DNA sequences, facial appearance, finger and palm prints) and which are sufficient to identify a specific individual, as well as certain identifier numbers, such as those on passports, driver's licences and resident's cards, and the 'My Number' individual social security ID numbers.
Sensitive Data: Sensitive Information was added to the APPI in the 2017 revisions and includes personal information relating to matters such as race, creed, religion, physical or mental disabilities, medical records, medical and pharmacological treatment, and arrest, detention or criminal proceedings (whether as an adult or a juvenile) or criminal victimisation. (The verbatim English translation is personal information requiring consideration). Industry-sector guidelines may apply additional categories of sensitive information.
Data Controller: Data Controller is not defined by the APPI. A Personal Information Controller ('PIC') is a business operator using a personal information database for its business and is a similar concept to a data controller. (The verbatim English translation is 'business operator handling personal information').
Data Processor: Data Processor is not defined by the APPI but for the purpose of this note and for ease of reference for readers who are familiar with the concept in other jurisdictions, is an entity which a PIC 'entrusts the handling of personal data in whole or in part within the scope necessary for the achievement of the purpose of utilisation' (e.g. entrusting personal data to a service provider such as a cloud computing service provider or a mailing service provider for the purpose of having them provide the PIC with the services).
Anonymised Information: In summary, information regarding an individual which has been processed by deleting any information (or replacing it with information which does not enable reversion to the original information) so that it cannot be used to identify the individual.
Anonymised Information Controller: (The verbatim English translation is a business operator handling anonymised information) was added to the APPI in the 2017 revisions, and means a PIC using for its business a database (whether electronic or not) that allows easy retrieval of specific anonymised information contained in it.
Data Subject: The individual that is the subject of personal information.
Opt-Out: A system whereby a data subject is notified of the proposed transfer of its personal information to a third party and given the opportunity to object to that transfer.
Personal Number: A number processed from an individual's resident registry code number, and a code corresponding to and used in lieu of such number ('My Number').
Purpose of Utilisation: The purpose of use of personal information as specified by a PIC to the data subject whose personal data is to be used by the PIC.
Specific Personal Information: Personal information which contains a Personal Number in it.
5. NOTIFICATION | REGISTRATION
5.1. Requirements and brief description
There is no general requirement that a PIC be registered under the APPI or related regulations, or for any registration under the My Number Act. A PIC which wishes to use an opt-out for disclosure of personal data to a third party has to file the opt-out provision prescribed in the order described below in section 6 under 'transfers pursuant to an opt-out' (but not the rest of its privacy policies) with the PPC. The PPC will then review the provision to ensure it is appropriate in accordance with the requirements of the APPI and make it available to the public. If the opt-out is not sufficient in terms of clarity, easy-readability and formality the PPC may require it to be improved and re-filed.
6. DATA CONTROLLER RIGHTS AND RESPONSIBILITIES
Collection & Use of Personal Information
A PIC must:
- not collect personal information by fraudulent or other unlawful means;
- notify the data subject of the purpose of utilisation prior to the collection of the personal information unless it has published the purpose of utilisation in advance in a manner readily accessible by the data subject; and
- obtain the data subject's consent before acquiring sensitive information of the data subject unless one of the exceptions listed below under transfers permitted by law applies to the acquisition.
A PIC must make the following items readily accessible to each data subject:
- name of the PIC;
- purpose of utilisation of personal information retained;
- the procedure for the data subject to require correction, etc. of their personal data; and
- where to complain about the PIC's handling of personal data.
Use of Personal Information
A PIC must use personal information only to the extent necessary to achieve the purposes of utilisation specified to the data subject and must make efforts to delete the personal data when it is no longer needed for the purposes of utilisation.
Personal Data Management & Security
A PIC must:
- take reasonable steps to keep personal data as accurate and up-to-date as is necessary to achieve its purpose of utilisation;
- take all necessary security measures to avoid loss of, or unauthorised access to personal data; and
- exercise necessary and appropriate supervision over its employees handling the personal data, or any persons or entities delegated to handle personal data (e.g. a personal information/data processor), so as to ensure they implement and comply with such security measures.
The PPC's General Guidelines illustrate high-level examples of security measures, which are categorised into:
- establishing basic principles;
- setting out internal rules;
- organisational security measures (e.g. appointment of a responsible person, the definition of each person's responsibility, the definition of the scope of data handled by each staff member, data processing operation and incident reporting line, the definition of responsibilities between divisions, periodical internal and/or external audit, etc.);
- staffing security measures (e.g. staff education and training, confidentiality provisions in work rules, etc.);
- physical security measures (e.g. area access control (IC card, number keys), prevention of device theft, prevention of leakage from portable devices, non-recoverable deletion of data); and
- technological security measures (e.g. system access control, access authorisation (user ID, password, IC card, etc.) control, prevention of unauthorised access (security software installation and upgrading, encryption, access log monitoring), continuous review of system vulnerabilities, etc.).
Guidelines provided by the METI, FSA, etc. set out further detailed requirements for security measures and provide specific examples for certain specified industry areas.
A PIC which creates anonymised information may not disclose its methods for anonymisation of the subject's personal information, the data removed in the anonymisation process or any process used to verify the anonymisation. A recipient of anonymised information may not seek to acquire any such information, whether from the transferor or otherwise.
When a PIC processes personal information to anonymised information, it must make public in an appropriate manner (such as via the Internet) what categories of personal information (e.g. ages, shopping behaviour, travel habits, etc.) are included in the anonymised information so that data subjects are able to make enquiries with the PIC.
Please see section 13.1 for controller rights and responsibilities pertaining to data transfers.
7. DATA PROCESSOR RIGHTS AND RESPONSIBILITIES
Neither the APPI nor any related regulations impose any direct obligations on data processors. However, as explained above, necessary and appropriate supervision must be exercised by a PIC over any third parties delegated to handle personal data. Such supervisory measures include the execution of agreements between a PIC and a service provider providing appropriate security measures that should be taken by the service provider, and the power of the PIC to instruct and investigate the service provider in connection with its handling of personal data entrusted to it.
8. DATA CONTROLLER AND PROCESSOR AGREEMENTS
See section 7 above with regard to the requirement for a PIC to implement supervisory measures over any third parties delegated to handle personal data, which include the execution of agreements between a PIC and the service provider providing appropriate security measures.
9. DATA SUBJECT RIGHTS
If requested by a data subject, a PIC must disclose in writing and without delay to the data subject, the data subject's personal data held by it, unless the data subject has agreed to receive it by other means (e.g. as electronic data). Access can be refused if it would result in:
- injury to the life or bodily safety, property or other rights and interest of the data subject or any third party;
- a material interference with the PIC's business operations; or
- a violation of other Japanese laws prohibiting disclosure.
Data subjects also have the right to revise, correct, amend or delete their personal data, and to request the cessation of use of their personal data if this is used for a purpose other than the one originally stated, or if it was acquired by fraudulent or other unlawful means. If a data subject requests a PIC to cease using their personal data, the PIC must do so unless the request is unreasonable, or the cessation would be costly or would otherwise be difficult (e.g. the recall of books already distributed). In this case, the PIC must take alternative measures to protect the rights and interests of the data subject. The PIC must notify the data subject without delay of whether the requested action has been taken, and, if not taken, must endeavour to explain the reasons why. A data subject can enforce its rights to require revision, etc. of its personal data by civil action if such a request is not complied with within two weeks of being made.
Data subjects do not have any of the rights above if:
- the personal data will be deleted within six months of collection; or
- the data subject or another person coming to know that such personal data is held by the PIC might result in:
- injury to the life or bodily safety, property or other rights and interest of the data subject or any third party;
- encouraging illegal or unjust acts;
- endangering national security, damage to a trusted relationship with a foreign country or international organisation, or the country's disadvantage on negotiation with a foreign country or international organisation; or
- obstacles to prevention, suppression or investigation of crimes or otherwise impairing public safety and order.
10. DATA PROTECTION OFFICER
10.1. DPO – compulsory appointment
The APPI does not specifically require a PIC to appoint a data protection or similar officer. However, guidelines issued by the PPC and which apply to all PICs provide that a PIC must take security measures for the handling of personal information, an example of such a security measure being 'appointment of a person in charge of the handling of personal information and the definition of the responsibilities of the person' (see section 6 above). The guidelines state that whether measures are mandatory depends on the materiality of the damage which may be suffered by data subjects in the event of a data leakage, the size and nature of the business, and the general nature of the data handling (including the nature and volume of data handled). Some industry-sector guidelines also provide such requirements.
Certain private organisations or associations have created qualifications as 'data protection officer' or equivalent, and issue them to persons who have passed examinations set by them (e.g. Japan Consumer Credit Association issues a Personal Information Handling Officer qualification, and the Information-Technology Promotion Agency issues an Information Systems Security Administrator qualification). These qualifications are not acknowledged, supported or required by law, but are industry-driven efforts to enhance data privacy.
See section 10.1 above.
11. DATA BREACH NOTIFICATION
11.1. General obligation
The Data Breach Guidelines are limited to setting out certain principles for handling leakages, leaving PICs to decide what specific action should be taken with regard to the facts of each case.
Action Following a Data Breach
The Data Breach Guidelines state that in the event of the leakage, destruction or damage of personal information or the likelihood of any of them:
- it is 'desirable' that the affected PIC take the following steps:
  - reporting of the incident within the PIC;
  - taking measures to prevent expansion/aggravation of any damage (to data subjects or third parties affected by the incident) due to the incident;
  - investigation of the relevant facts and the cause of the incident;
  - identification of the affected areas within the servers/systems of the PIC and of the data subjects whose data was affected;
  - promptly planning and implementing measures to prevent the recurrence of the incident or further incidents that may otherwise occur due to the incident in question;
  - unless the leaked data is encrypted at a high level, 'promptly' notifying the data subjects potentially affected or making the facts of the leakage easily available to those data subjects (depending on the facts of each case) for the purpose of preventing the data subjects or third parties incurring further damage (e.g. to give the data subjects the opportunity to take action to avoid or mitigate harm from third parties' use of the leaked information); and
  - publicly announcing the relevant facts and the measures to be taken to prevent a recurrence of the incident (depending on the facts of each case).
- the PIC must make efforts to promptly notify the PPC of a breach unless:
  - the leaked data is encrypted at a high level;
  - all the leaked data has been recovered by the PIC prior to being seen by third parties;
  - there is no risk of any specific individual being identified from, or the affected data subjects being harmed by use of, the leaked data;
  - the data breach was obviously only internal and not an external leakage; or
  - the leakage is obviously insignificant (e.g. a mis-delivered parcel where the personal information is only on the delivery address label).
The PPC published a reporting form on its website, only available in Japanese, here.
Where a PIC has entrusted personal data to a personal information/data processor and the processor was subject to the data breach, the obligations above fall on the PIC.
Leaked data is encrypted at a high level when:
- the encryption system is on the list of ISO/IEC 18033 or the Japanese government has confirmed the encryption system as being sufficiently secure; and
- the decryption key is remotely controlled or not usable by a third party, or the leaked data or decryption key can be remotely deleted.
'Desirable', 'promptly' and 'make efforts' are not defined or explained in the Data Breach Guidelines and their meaning will need to be determined by reference to their common definition, regulatory and best practice, and the facts of each case, in particular the risk of an innocent party suffering any loss.
It is not uncommon for obligations under Japanese laws and regulations to be expressed as being desirable or similar, and in the absence of factors which would dictate otherwise, best practice would be to comply with the obligation unless there is a good reason not to. In addition, the greater the harm non-compliance may cause, the more advisable compliance becomes.
Although 'promptly' is not defined, the nuance of the original Japanese term 'sumiyakani' would suggest four or five days in many cases, though this is subject to the facts of each case, and in particular how seriously the affected data subjects may be affected and accordingly how urgently they should be notified.
Examples of what might constitute 'making the fact of the leakage easily available to the affected data subjects' include:
- placing a sign in an office habitually attended by the data subjects; or
- adding a notice on an accessible webpage directly linked from the home page of the PIC's website.
Although what constitutes 'make efforts' is not defined, it would be given its normal meaning; as with 'promptly' and 'desirable', the greater the actual or potential harm of the data breach, the more advisable compliance with the obligation becomes.
Reporting to the PPC
Whilst the obligation to report a data leakage to the PPC is only to make efforts, best practice would be to submit a report unless any of the exemptions above apply (in which case a report is not required). If the PIC thinks the data breach is not serious enough to warrant a formal report but it is not exempted from reporting, it can seek informal guidance from the PPC on what action to take. If the data breach is very serious, e.g. the loss of bank account details and passwords, or the PIC is not certain what action to take, the PIC should contact the PPC (and local counsel) at the earliest opportunity, without waiting to complete the formal report to the PPC. Should a data breach not be reported, and the PPC subsequently become aware of it, it may require a report to be submitted.
Notifying Affected Data Subjects
When considering whether to notify affected data subjects of a data breach directly, or by a more general notice, the two major factors for a PIC to consider are the seriousness of the loss and the harm it may cause, and the effectiveness of the means of notification. If a loss may cause serious harm, the prudent course would be to make it public promptly, and then notify affected parties individually (always subject to any directions from the PPC). Where a PIC has decided to give a general notification, it will need to evaluate how effective the means of notification is likely to be; for example, if notification is given on a website, how likely is it that the affected parties will visit the website and how long it should be kept active in order to notify an appropriate proportion of affected data subjects. A notification, individual or general, should include a description of the loss and the actions taken by the PIC to mitigate its effects, and it would be advisable to include a phone number or email address which the affected data subjects can use to obtain further information on the loss.
As noted, depending on the facts of each case, it might be appropriate for the PIC to publicly announce the relevant facts of the data breach, and the measures to be taken to prevent its recurrence; there is no guidance on what form this notice should take, and although it may also be sufficient as notice to the affected data subjects, its effectiveness as such would need to be considered carefully.
Notifications (individual or general) should be given in Japanese, and if any affected data subjects may not understand Japanese, any other appropriate foreign language. Notifications should not be given only in a foreign language unless it is certain that all affected data subjects will understand that language.
If a data breach has occurred and been reported to the PPC, voluntarily or at the request of the PPC, it may investigate the background to the loss, the PIC's data management procedures and the actions the PIC has taken (or not taken) to notify the affected parties (and the PPC). Where the PPC finds defects in the PIC's data management or post-loss actions, it may give guidance to the PIC on what actions to take to improve its data management, or what further steps should be taken to notify affected data subjects of the loss. If the defects are material, the PPC may issue advice for improvement to the PIC and publish the advice on its website. If the PIC fails to follow advice for improvement, the PPC may then escalate the matter and issue an order for improvement. An order for improvement may be issued immediately without preceding advice for improvement in limited cases of a serious data breach.
If a PIC has not notified the PPC or the affected data subjects of the data breach (or has not publicised the loss if material in either scale or subject matter) and the PPC comes to know of the loss, it might be more likely to find the PIC's attitude to compliance unsatisfactory and thus issue and publish advice for improvement.
Neither the APPI nor the Data Breach Guidelines impose any sanctions for failure to make a report or notification of a data breach, and the Data Breach Guidelines only require a PIC to 'make efforts' to report a data breach. However, it should be noted that a PIC has presumably breached its duties for data security when it failed to prevent the data breach, and it would probably further be in breach of its obligation if it did nothing following the data breach where action was obviously required. These breaches will allow the PPC to issue advice for improvement. That said, and as noted here, it is advisable for PICs to report a data breach unless a report is clearly not required, and failure to report might be a factor the PPC would take into consideration when deciding whether to issue advice for improvement. The PPC will publish such advice once issued.
Failure to comply with an order for improvement would be grounds for criminal imprisonment for up to 6 months or a criminal fine of up to JPY 300,000 (approx. €2,460) for an individual who is the PIC or the director or employee of the PIC entity in charge of the breach, and the same criminal fine for the PIC as an entity.
To date, PICs which have suffered a data breach have often voluntarily offered compensation to affected parties both to forestall any proceedings, and to maintain good public relations. Compensation payments to data subjects (per person) have ranged from JPY 500 of e-money or gift vouchers (see Benesse incident discussed in section 1.3 above), through gift vouchers of JPY 10,000 (approx. €80), to cash payments of JPY 35,000 (approx. €290). If an affected party brings an action before a court against a PIC for a data breach, any judgment by the court would be likely to be an order against the PIC to pay damages on the grounds of a breach of contract or tort theory. Save for cases such as the unauthorised use of affected payment card data or the disclosure of sensitive information affecting the personal lives of individuals, the amount of damages an affected party might be entitled to is frequently not large enough to warrant the commencement of proceedings once the costs of the proceedings are taken into consideration.
It should also be noted that in Japan it is often important to treat all affected parties equally. Even if a PIC does not publicise a data breach and communicates privately with each affected party individually, the widespread use of social media makes it increasingly unlikely that any unequal treatment between affected parties will be kept private, with the attendant negative impact on the PIC's reputation.
11.2. Sectoral obligations
Whilst the Data Breach Guidelines only provide that it is 'desirable' for an affected PIC to take actions, including giving notice to affected parties and publicising the incident, and that it should make 'efforts' to notify the PPC, the Guidelines on Protection of Personal Information in the Financial Field, which have been issued jointly by the PPC and the FSA, provide that such actions are mandatory in the financial service sector. Similarly, the Commentary issued by MIC, which gives guidance on the Telecommunications Business Act (Act No. 86 of December 25, 1984), provides that a breach of secrecy of communications must be reported to the authority.
See sections 1.3, 11.1, and 13.3.
In addition, many sector-specific regulations authorise the relevant regulators to enforce the regulations by rendering business improvement orders, or business suspension orders in the most serious cases, against providers of services which require licences from the regulator, 'where necessary for ensuring the appropriate operation of the business'. 'Appropriate operation of the business' may include the management of the security of customers' data. For example, the FSA may issue a business improvement order against a bank pursuant to the Banking Act (Act No. 59 of 1981), or against an investment manager pursuant to the Financial Instruments and Exchange Act (Act No. 25 of 13 April 1948), if the service provider failed to manage the security of customers' data in the course of operation of the licensed businesses.
13. ADDITIONAL RELEVANT TOPICS
13.1. Data transfers and outsourcing
Generally, transferring personal data to third parties, including affiliated entities of the PIC, without the prior consent of the data subject is prohibited unless an exception applies. The primary exceptions are listed below:
Transfers Permitted by Law
The prior consent of the data subject to a transfer of its personal data (including sensitive information) is not required if the transfer:
- is specifically required or authorised by any laws or regulations of Japan;
- is necessary for protecting the life, health or property of an individual and consent of the data subject is difficult to obtain;
- is necessary for improving public health and sanitation, or promoting the sound upbringing of children, and the consent of the data subject is difficult to obtain; or
- is required by public authorities or persons commissioned by public authorities to perform their duties, and obtaining the prior consent of the data subject carries the risk of hindering the performance of those duties (e.g. the disclosure is required by police investigating an unlawful act).
Transfer Pursuant to an Opt-out
Personal data (other than sensitive information) can be transferred after a period necessary for the data subject to exercise its opt-out right has expired and the PIC has notified the data subject or made readily available to the data subject, and filed with the PPC, all of the following information:
- that the transfer is within the scope of the originally stated purpose of utilisation;
- the specific personal data to be transferred;
- the means with which the personal data will be transferred;
- the fact that the transfer of the personal data is subject to an opt-out; and
- where to provide such opt-out exercise notice.
The PPC guidelines say only that the length of the 'expiration period' varies depending on factors such as the nature of the business, how close the relationship between the data subject and the PIC is, the nature of the personal data to be transferred, and how quickly the PIC can handle the data subject's exercise of its opt-out rights.
Transfer of Sensitive Information
A transfer of sensitive information to a third party requires the consent of the data subject unless an exception as listed above applies; such consent cannot be given through the use of an opt-out.
Transfer of Anonymised Information
Anonymised information may be transferred to a third party without the consent of the original data subject (it no longer constitutes 'personal information'), provided that the transferor makes public both the fact of the transfer and what types of personal information are included in it and notifies the recipient that the information is anonymised information.
Scope of Third Parties
Under the APPI, the following entities are deemed not to be third parties (meaning that the transfer of personal data (including sensitive information) to such parties does not require the data subject's consent):
- a personal information/data processor;
- a company that enters into a merger, a company split or a business transfer with the PIC. (Disclosure in the process of negotiations for mergers and acquisitions is permissible if made upon execution of a non-disclosure agreement which requires the company to which the data is disclosed to implement appropriate safety measures); or
- a company designated to jointly use the personal data with the PIC. In this case, the PIC must notify, or make readily accessible to the data subject:
  - the fact of such joint use of the personal data;
  - the scope of the personal data to be jointly used;
  - the scope of the parties who will jointly use the personal data;
  - the purpose of the joint use; and
  - the name of a party among the joint users responsible for the management of the joint use of the personal data.
Such joint use is available to group companies, business partners or affiliates which provide integrated services to common customers.
Though not a specified exception to the general consent requirement, a transfer of personal data between a Japanese company and its Japanese branch, or between a foreign company and its Japanese branch is not a transfer of personal data to a third party as in each case the branch and the company are the same legal entity. Whether a Japanese company and its foreign branch are a single legal entity would be determined in accordance with the laws of the jurisdiction under which the branch was formed.
Where a transfer of personal data is to a person or entity which is not a third party, further transfer of the personal data by that person or entity would be subject to the consent rules and exceptions applicable to such transfers, as described in this note.
Transfer of Personal Data to a Third Party in a Foreign Country
The transfer by a PIC of personal data to a third party in a foreign country (other than in reliance on one of the exceptions listed above under 'transfers permitted by law') is subject to the following requirements in addition to those generally applicable to transfers of personal data:
- where consent to the transfer is given by the data subject, it must be clear it covers the transfer to a third party in a foreign country and the data subject must be provided, when giving the consent, with information necessary for judging whether to provide the consent (e.g. the foreign country is identified or identifiable or the circumstances where such data transfer will be made have been clarified); or
- in the absence of such consent, if the transferor wishes to rely on an opt-out or on the fact that the transferee is not a third party, as an exception to the requirement to obtain the data subject's consent to the transfer, it is also necessary that the transferee:
  - is in a country on the list of countries issued by the PPC as having a data protection regime equivalent to that under the APPI; or
  - implements data protection standards equivalent to those which PICs subject to the APPI must follow.
As of the date of this note, only the European Union (including the EEA) is on the list of countries issued by the PPC as having equivalent data protection. If the country of the transferee is not in the EU, a transferor PIC would have to rely on the transferee implementing equivalent standards to the APPI in order to effect a transfer of personal information offshore without the data subject's consent or in reliance on an exception listed above under 'Transfers Permitted by Law'. The requirement for equivalent standards to the APPI can be satisfied:
- by the transferor and the transferee:
  - entering into a contract; or
  - if they are in the same corporate group, both being subject to binding standards of the group for the handling of personal data;
  in either case on terms pursuant to which the transferee is subject to all the obligations imposed by the APPI on PICs who are subject to it, and which must include certain specified matters, such as the purpose of use, record-keeping and details of security measures; or
- if the transferee is accredited under APEC's CBPR system.
Transfer Due Diligence and Records
A transfer of personal data now requires that the transferor PIC and the transferee (if a PIC, or if it becomes a PIC as a result of the transfer) keep specified records and the transferee is also required to make enquiries on the source of the personal data transferred, unless the transfer was made in reliance on an exception listed above as a transfer permitted by law or the transferee is not a third party.
The transferor must keep a record of:
- (if the transfer was made in reliance on an opt-out) the transfer date;
- the name or other identifier of the transferee and the data subject, and the type(s) of data transferred (e.g. name, age, gender); and
- the data subject's consent to the transfer, or, if the consent has not been obtained and the transfer was made in reliance on an opt-out, that fact.
The transferee must keep a record of:
- (if the transfer was made in reliance on an opt-out) the date the personal data was received;
- the name or other identifier of the transferor and its address (and the name of its representative if the transferor is a legal entity), and the name of the data subject;
- the type(s) of data transferred;
- the data subject's consent to the transfer, or, if the consent has not been obtained and if the transfer was made in reliance on an opt-out, that fact;
- if an opt-out has been relied on, the fact that the opt-out has been filed with, and published by, the PPC; and
- how the transferor acquired the personal information transferred, which the transferee must first ascertain.
An employer is required by the Industrial Safety and Health Act (Act No. 57 of 1972) to engage a medical professional to conduct certain medical check-ups of their employees. In connection with diagnosis information obtained from the medical check-ups, it is generally understood that the medical professional is a PIC. In most cases, the medical professional should share with the employer the legally mandatory medical check-up information of the employees, and this sharing is generally permitted without the employees' consent as an exception to the general rule that the data subject's consent is required for the transfer and acquisition of sensitive information.
The MHLW's guidelines require an employer not to handle such diagnosis information beyond the scope necessary for the purpose of ensuring the employees' health.
My Number Act
Nature of My Numbers
The My Number Act introduced a national social security ID number system for all individuals resident in Japan (whether Japanese or foreign) under which they are allocated a unique individual number ('Personal Number' also known as 'My Number'). An individual's specific personal information, which is personal information containing My Number in it, is regarded as their confidential private information and its handling is subject to stringent regulation under the My Number Act. The My Number Act regime is entirely separate from the APPI.
My Numbers will be used, amongst other things, to track income, social security, taxes, welfare and benefits, and will be required by public bodies when dealing with annual tasks, such as tax filings, as specified by the My Number Act and related guidelines (together 'Specified Purposes').
All employers will need to collect their employees' specific personal information (which may, in relation to filing of certain social security documents, need to include those of employees' dependents), as they will be used in documentation when the employer files certain tax/social security documents for their employees with administrative offices, such as tax and pension offices.
Transfers and Outsourcing
The rules and exceptions that permit disclosure and transfer of an individual's personal data under the APPI do not apply to the disclosure of specific personal information.
The My Number Act and related guidelines require an employer to:
- not share an employee's specific personal information with any other person or entity, including any affiliate of the employer, even with the employee's consent (with certain limited exceptions), except a third party engaged by the employer to provide services for Specified Purposes (e.g. tax accountants, data managing service providers) ('Contracted Third Party'); and
- establish appropriate supervision over any Contracted Third Party.
In practical terms an employer should:
- if it provides employee information to a third party other than a Contracted Third Party, ensure that the information transferred does not include My Numbers; and
- if specific personal information is transferred to a Contracted Third Party, ensure that the transferee has appropriate systems in place for the protection of the confidentiality of the specific personal information and that the specific personal information is only used for a Specified Purpose.
According to the My Number Act and related guidelines an employer must:
- not obtain, store or use an employee's specific personal information for any purpose other than a Specified Purpose; and
- conduct identity verification of each employee (e.g. checking the employee's My Number card) as required by the My Number Act when obtaining the employee's specific personal information.
In practical terms the employer should:
- establish specific rules for the collection of specific personal information, including an identification process.
Banks, securities firms and insurance companies may also request their customers to provide specific personal information. The regulations under the My Number Act described above apply equally to such financial institutions' handling of specific personal information.
13.3. Data Retention
Storage & Security
The My Number Act and related guidelines require an employer to establish appropriate systems for the secure storage and handling of specific personal information.
In practical terms the employer should:
- draft/amend internal rules on data protection to ensure the handling of specific personal information in accordance with the My Number Act;
- ensure employees handling specific personal information are aware of the restrictions on their use and the scope of the related data protection regime, in particular, the areas where the obligations are stricter than those currently generally implemented by the employer for data protection; and
- ensure its data protection systems are adequate to comply with the obligations under the My Number Act as they are likely to be stricter than under the employer's other data protection obligations (whether under the APPI or otherwise).
Reporting of Losses
Any loss of any specific personal information must be reported to the PPC, though there is no specified deadline for giving the notification; the form of the report is slightly different from that for other data breaches. The system for escalation of remedial orders by the PPC is the same as that for losses of other personal information, though failure to comply with an order for improvement could lead to more serious criminal sanctions against both the data controller and any of its officers responsible for the loss. Notification to the affected data subjects is still only desirable.
14. OTHER SPECIFIC JURISDICTIONAL ISSUES
The APPI applies extraterritorially to an overseas PIC which has obtained personal information of a data subject in Japan in relation to its provision of goods or services to that data subject in Japan and handles that personal information, or any anonymised information created from it, in a foreign country. The obligations which apply extraterritorially include:
- to specify and notify or publicise the purpose of utilisation of the personal information, and to use it within that purpose;
- to keep personal data accurate and up-to-date, and to delete it when no longer required;
- to take measures to protect the data against leakage, etc.;
- to supervise employees handling personal information and any service provider entrusted with the handling of personal data;
- the rules governing disclosure to a third party;
- to publicise privacy policies;
- the rights of a data subject to access, correct, and stop the illegal use of personal data; and
- certain rules regarding anonymised information.
Whilst the PPC can only render 'advice' to a PIC based overseas, it may provide information to foreign regulatory authorities for their own regulatory enforcement purposes.