- the address of a PIC is not available;
- delivery of its communications to an offshore PIC pursuant to the rules of the Code of Civil Procedure (i.e. the procedure for delivery via the foreign country's relevant authority or agency, or the Japanese embassy or council in the foreign country) is not available; or
- the PPC does not receive a certificate of delivery within six months after requesting the foreign country's authority agency to serve the notice;
4. Key Definitions
Data controller: Data controller is not defined by the APPI. A personal information controller ('PIC') is a business operator using a personal information database for its business. (The verbatim English translation is 'business operator handling personal information').
Data processor: Data processor is not defined by the APPI but for the purpose of this note and for ease of reference for readers who are familiar with the concept in other jurisdictions, it is an entity to which a PIC 'entrusts the handling of personal data in whole or in part within the scope necessary for the achievement of the purpose of utilization' (e.g. entrusting personal data to a service provider such as a cloud computing service provider or a mailing service provider for the purpose of having them provide the PIC with the services). The PPC has recently clarified in its Q&As that a data processor is a PIC but clarifies that where a cloud service provider has no access to the entrusted personal data stored on its computer server, it is not a data processor and is thus not a PIC.
Personal data: Personal information contained in a database (whether electronic or not) that enables easy retrieval of the personal information contained in a personal information database.
Sensitive data: Sensitive information includes personal information relating to matters such as race, creed, religion, physical or mental disabilities, medical records, medical and pharmacological treatment, arrest, detention, or criminal proceedings (whether as an adult or a juvenile), or criminal victimization. (The verbatim English translation is personal information requiring consideration). Industry-sector guidelines may apply additional categories of sensitive information.
Health data: There is no definition of health data, but it would likely into fall within the scope of sensitive Information.
Biometric data: There is no definition of biometric data, but it would likely into fall within the scope of personal information as 'personal identifier codes' and be sensitive information.
Pseudonymization: Information that has been processed from personal information in a manner that the data subject can no longer be identified solely from the data. Whilst the PPC has not published draft guidelines or commentaries that clarify how pseudonymously processed information and anonymized information are different, the current understanding in practice is that pseudonymously processed information is information that would still enable identification of the principal if other information was also referenced to, or combined together, and as such still constitutes personal information, whilst anonymized information is not.
Personal information: Information about a living individual in Japan from which the identity of the individual can be ascertained (including information which enables identification by easy reference to, or in combination with other information); 'personal information' includes 'personal identifier codes' which include items such as characters, numbers, symbols and/or other codes for computer use which represent certain specified personal physical characteristics (such as DNA sequences, facial appearance, finger, and palm prints), and which are sufficient to identify a specific individual, as well as certain identifier numbers, such as those on passports, driver's licenses, and residents cards, and the 'My Number' individual social security ID numbers.
Principal (i.e. data subject): The individual that is the subject of the personal information.
Anonymized information: In summary, information regarding an individual has been processed by deleting information (or replacing it with information that does not enable reversion to the original information) so that it cannot be used to identify the individual.
Anonymized information handling business operator: The verbatim English translation is a business operator handling anonymized information. This was added to the APPI in the 2017 revisions and means a PIC using for its business a database (whether electronic or not) that allows easy retrieval of specific anonymized information contained in it.
Opt-out: A system whereby a principal is notified of the proposed transfer of its personal information to a third party and given the opportunity to object to that transfer.
Person-related information: Information that is not personal information for the transferor as it cannot identify the principal from the information (even by easy reference to, or combination with, other information) but maybe for a transferee as it may be able to identify the data subject by reference to other information held by the transferee.
Personal number: A number processed from an individual's resident registry code number and a code corresponding to and used in lieu of such number ('My Number').
Pseudonymously processed information handling business operator: A business operator using a pseudonymously processed information database for its business.
Purpose of utilization: The purpose of use of personal information as specified by a PIC to the principal whose personal data is to be used by the PIC.
Specific personal information: Personal information that contains a personal number in it.
5. Legal Bases
The basic principles of the APPI require a PIC to notify the data subject of the purposes of utilization prior to the collection of personal data unless it has published the purposes of utilization in advance in a manner readily accessible by the data subject and does not use personal data for any other purpose without the consent of the data subject.
5.1. Consent
A PIC must obtain the principal's consent before acquiring the sensitive information of the principal unless one of the exceptions listed below under the section on transfers permitted by law applies to the acquisition.
5.2. Contract with the data subject
The principles specified in the section on legal bases above can be dealt with by a contract between the PIC and the data subject.
5.3. Legal obligations
There are very few and limited circumstances where a data controller can handle personal information other than in accordance with the principles outlined in the section on legal bases above. The prior consent of the data subject to a transfer of its personal data (including sensitive information) is not required if the transfer is specifically required or authorized by any laws or regulations of Japan.
5.4. Interests of the data subject
There is no such 'interests of the data subject' exception to the basic requirements for the use of personal information referred to in the section on legal bases above.
5.5. Public interest
The prior consent of the data subject to a transfer of its personal data (including sensitive information) is not required if the transfer:
- it is necessary for protecting the life, health, or property of an individual and consent of the data subject is difficult to obtain;
- is necessary for improving public health and sanitation, or promoting the sound upbringing of children, and the consent of the data subject is difficult to obtain; or
- is required by public authorities or persons commissioned by public authorities to perform their duties and obtaining the prior consent of the data subject carries the risk of hindering the performance of those duties (e.g. the disclosure is required by police investigating an unlawful act).
Otherwise, there is no 'public interest' exception to the basic requirements for the use of personal information referred to in the section on legal bases above.
5.6. Legitimate interests of the data controller
There is no such 'legitimate interest' exception to the basic requirements for the use of personal information referred to in the section on legal bases above.
5.7. Legal bases in other instances
6. Principles
The APPI was enacted as an implementation by Japan of the eight basic principles on the protection of privacy adopted in the Organisation for Economic Co-operation and Development ('OCED') Council recommendation on 23 September 1980 ('OECD's 8 Principles'):
- the Collection Limitation Principle;
- the Data Quality Principle;
- the Purpose Specification Principle;
- the Use Limitation Principle;
- the Security Safeguards Principle;
- the Openness Principle;
- the Individual Participation Principle; and
- the Accountability Principle.
Japan has strong core values for the protection of the rights of the individual and the fundamental principle of Japan's data protection laws is the protection of the right to privacy, but also recognizing the increased scope, nature, and volume of personal data and the ever-expanding use of personal information in various forms by businesses. Key elements of the legislation are to restrict the use of personal information to the purposes it was obtained for as made known to the data subject, to protect sensitive information, and to limit the dissemination of personal information without the data subject's consent.
Data controller
The following obligations under the APPI apply to PICs:
- to use personal information only to the extent necessary to achieve the purposes of utilization specified to the principal;
- to make efforts to delete the personal data when it is no longer needed for the purposes of utilization;
- to take reasonable steps to keep personal data as accurate and up-to-date as is necessary to achieve its purpose of utilization;
- to take all necessary security measures to avoid loss of or unauthorized access to personal data; and
- not to use personal information in a manner that may facilitate or prompt illegal or inappropriate acts.
7. Controller and Processor Obligations
Personal data management and security
A PIC must exercise necessary and appropriate supervision over its employees handling the personal data, or any persons or entities delegated to handle personal data (e.g. a personal information/data processor), so as to ensure they implement and comply with such security measures.
The PPC's General Guidelines illustrate high-level examples of security measures, which are categorized into:
- establishing basic principles;
- setting out internal rules;
- organizational security measures (e.g. appointment of a responsible person, the definition of each person's responsibility, the definition of the scope of data handled by each staff member, data processing operation, and incident reporting line, the definition of responsibilities between divisions, periodical internal and/or external audit, etc.);
- staffing security measures (e.g. staff education and training, confidentiality provisions in work rules, etc.);
- physical security measures (e.g. area access control (IC card, number keys), prevention of device theft, prevention of leakage from portable devices, and non-recoverable deletion of data); and
- technological security measures (e.g. system access control, access authorization (user ID, password, IC card, etc.) control, prevention of unauthorized access (security software installment and upgrading, encryption, access log monitoring, continuous review of system vulnerability, etc.).
The General Guidelines relax the standards for security measures for a 'small or medium-sized business operator', which is defined as a PIC with 100 or fewer employees but excluding:
- a person who has handled the personal data of more than 5,000 principals on a day in the past six months; and
- a person who processes personal data on behalf of another PIC under a contract.
The relaxed standards include the following measures:
- establishing basic principles;
- setting out the basic process for collecting, using, and storing personal data;
- for organizational security measures:
- clarifying who is responsible for handling personal data and who is not if, more than one staff member handles personal data;
- the person responsible for checking personal data is handled in accordance with the prescribed basic process; and
- checking the data breach reporting process in advance;
- clarifying which staff members are allowed to access devices;
- controlling access by user account control;
- keeping the devices' operating software up-to-date and introducing security software; and
- setting passwords for opening files when sending them by email.
Guidelines provided by the METI and the FSA set out further detailed requirements for security measures and provide specific examples for certain specified industry areas.
Pseudonymously processed information
When a PIC processes personal information into 'pseudonymously processed information', the processing must be in a manner that ensures the following information is deleted or irrecoverably replaced with other information:
- person-identifiable description;
- personal identifier codes; and
- data that would cause a financial risk in the case of unauthorized use (which the PPC has suggested includes credit card numbers, internet banking IDs, etc.).
As pseudonymously processed information is still personal information (as it would still enable identification of the principal if other information was also referenced to or combined together), a pseudonymously processed information controller is generally subject to the same obligations as a PIC regarding the management and security of personal information above (and transfers to third parties) in connection with pseudonymously processed information.
A PIC who processes pseudonymous information must:
- not disclose its methods for pseudonymization of the principal's personal information, the data removed during the pseudonymization process, or any process used to verify the pseudonymization ('removed data');
- implement security measures to prevent leakage of pseudonymously processed information and removed data;
- supervise and control a person contracted to process such information; or
- not refer to other information to re-identify the principal relevant to the pseudonymously processed information.
Anonymized Information
A PIC who creates anonymized information may not disclose its methods for anonymization of the principal's personal information, the data removed in the anonymization process, or any process used to verify the anonymization. A recipient of anonymized information may not seek to acquire any such information, whether from the transferor or otherwise.
When a PIC processes personal information into anonymized information, it must make public in an appropriate manner (such as via the internet) what categories of personal information (e.g. ages, shopping behavior, and travel habits, etc.) are included in the anonymized information so that principals are able to make inquiries with the PIC.
7.1. Data processing notification
There is no general requirement that a PIC be registered under the APPI or related regulations, or for any registration under the My Number Act. A PIC that wishes to use an opt-out for disclosure of personal data to a third party has to file the opt-out provision prescribed in the order described below in the section on data transfers under 'transfers pursuant to an opt-out' (but not the rest of its privacy policies) with the PPC. The PPC will then review the provision to ensure it is in accordance with the requirements of the APPI and make it available to the public. If the opt-out is not sufficient in terms of clarity, easy-readability, and formality the PPC may require it to be improved and re-filed.
7.2. Data transfers
Generally transferring personal data to third parties, including affiliated entities of the PIC, without the prior consent of the principal is prohibited unless an exception applies. The primary exceptions are listed below.
Transfers permitted by law
The prior consent of the principal to a transfer of their personal data (including sensitive information) is not required if the transfer:
- is specifically required or authorized by any laws or regulations of Japan;
- is necessary for protecting the life, health, or property of an individual, and consent of the principal is difficult to obtain;
- is necessary for improving public health and sanitation, or promoting the sound upbringing of children, and the consent of the principal is difficult to obtain; or
- is required by public authorities or persons commissioned by public authorities to perform their duties and obtaining the prior consent of the principal carries the risk of hindering the performance of those duties (e.g. the disclosure is required by police investigating an unlawful act).
Transfer pursuant to an opt-out
Personal data (other than sensitive information) can be transferred after the period necessary for the principal to exercise their opt-out right has expired and the PIC has notified the principal or made readily available to the principal, and opt-out filed with the PPC, including all of the following information:
- that the transfer is within the scope of the originally stated purpose of utilization;
- the specific personal data to be transferred;
- the means with which the personal data will be transferred;
- the fact that the transfer of the personal data is subject to an opt-out;
- where to provide such opt-out exercise notice;
- the name of the person who is the representative of the transferor PIC if the PIC is a corporate body, in addition to the name of the transferor PIC itself;
- how the transferor PIC has obtained the personal data that it will transfer pursuant to the opt-out rule; and
- other matters which the PPC will set out in regulations.
The PPC guidelines only state that the length of the 'expiration period' will vary depending on factors such as the nature of the business, how close the relationship between the principal and the PIC is, the nature of the personal data to be transferred, and how quickly the PIC can handle the principal's exercising of its opt-out rights.
Transfers pursuant to the opt-out rule will not be available for personal information which has been obtained:
- by fraudulent or other unlawful means; or
- from a preceding transferor pursuant to the opt-out rule.
This requirement is based on the PPC's finding that personal data has often been traded or shared between name-list brokers or peer business operators under the opt-out rules.
Transfer of sensitive information
A transfer of sensitive information to a third party requires the consent of the principal unless an exception as listed under 'Transfers permitted by law' above applies; such consent cannot be given through the use of an opt-out.
Transfer of anonymized information
Anonymized information may be transferred to a third party without the consent of the original principal, as it no longer constitutes personal information, provided that the transferor makes public both the fact of the transfer and what types of personal information are included in it and notifies the recipient that the information is anonymized information.
Transfer of pseudonymously processed information
As pseudonymously processed information is still personal information, for a transfer of such information the general requirement for prior consent from the principal, transfers permitted by law (e.g. a transfer required or authorized by laws or regulations of Japan), or transfers pursuant to an opt-out, the consent requirement for the transfer of sensitive information, the scope of third parties, the additional requirement for a transfer to a third party in a foreign country, and transfer due diligence and records, as described above, equally apply.
Transfer of person-related information
Although person-related information is not personal information for a transferor, it is for a transferee as the relevant principal identifiable by reference to other information held by the transferee. Therefore, the prior consent of the principal for a transfer of person-related information to a third-party transferee (where the consent must be based on the principal's understanding that the information) is generally required; in principle the transferee (rather than the transferor) should obtain written consent to the transfer directly from the data subject as it is the transferee who has contact with the data subject and uses the transferred data as personal data, though the transferor can instead obtain the consent on behalf of the transferee if it is practically feasible (provided the data subject needs to be informed of the name of the transferee when providing the consent). If the consent is obtained by the transferee, the transferor must have been provided with a written confirmation of the consent prior to the transfer being made.
- the exceptions for transfers permitted by law (e.g. a transfer required or authorized by Japanese laws or regulations) also apply;
- transfers under an opt-out are not permitted;
- it is currently understood that transfers to entities listed in the 'scope of third parties' section below will still generally require the principal's consent, subject to a future clarification by the PPC in guidelines, etc.; and
- the general rules on transfer due diligence and records will also apply but in addition, the transferor must create a record of the transfer which should contain:
- confirmation (from the transferee) that the above consent has been obtained;
- transfer date;
- transferee's name and address, and the transferee's representative name; and
- transferred data items.
To this end, the additional records must generally be kept for three years.
Cookies
APPI Regulations on Cookies
Cookies (which includes website browsing/web form entry history data associated with the cookies) are not personal information unless the relevant principal can be identified by easy reference to, or combination with, other information. However, even if a cookie is not personal information for a transferor in this sense, but if the cookie is transferred to a third-party transferee and would be, as a result of this the transfer, personal information for the transferee as it holds other information and the individual related to the cookie can be identified by reference to such other information (e.g. the cookie is a history of website browsing that suggests the individual's activity behavior, preference of goods or services, or information otherwise usable for profiling, and the transferee would use the cookie for targeted advertising, or assessment for a job position or financial services, etc.), this will now be a transfer of person-related information and will thus be subject to the general requirement for the prior consent of the principal and the transfer mechanisms outlined under 'transfer of person-related information' above.
Telecommunication Business Act’s Regulations on Cookies
Separately from the APPI, amendments to the Telecommunications Business Act (Act No. 86 of December 25, 1984, as amended) (only available in Japanese here) ('TBA') which were implemented on June 16, 2023, have introduced the following regulations on cookies:
The following persons are subject to the regulations:
- a telecommunication carrier licensed under the act (by having registered with, or filed a notification with MIC as such); or
- a provider of any of the following telecommunication services on software, browser,s or apps run on users' devices:
- intermediary of communications between other parties (e.g., email service, direct messaging service, closed chat service, web meeting service);
- dissemination of information provided by users to unspecified users (e.g., SNS, photo/video sharing platform);
- website search (e.g., Google's search engine service); or
- any other services of provision of information upon requests from/search by unspecified users (e.g., showing search results on online shopping platforms, online map/weather information service, sending news of categories selected by users, etc.).
If a person who provides any of the services listed above sends to users' devices any electronic communications that prompt the users' devices to send out any information related the user (whether or not personal information and whether or not person-related information as defined in the APPI) recorded on the devices to any third parties (except if the information will be sent only to that person, referred to as the First-Party Cookies Exemption, the person must implement one of the following measures in advance:
In addition, applicable person/organizations must:
- notify users of the following information, or make the information readily available to the users:
- what information related to users is prompted to be sent out by the cookie function;
- name of the business operator who will use the information above on the telecommunication facilities to which the information is sent; and
- the purpose of use of the information collected by the business operator above.
In the case of a cookie statement/policy available to the public (as opposed to individual notices to users), the policy must be available by 'one click' or less from the search page on the user's PC browser or smartphone app screen which uses cookies. In addition, at the link on the search page, a reference only to a 'link to privacy policy' is not sufficient even if the cookie policy is included in the privacy policy; it must also mention a 'link to privacy policy, including cookie statement' or an equivalent reference that enables users to recognize immediately on the search page that a cookie statement is available from there.
Furthermore, the regulations set out the following standards:
- the statement must be in the Japanese language;
- the statement must be in a plain style, avoid technical or specialized terms, and must be with a normal (or larger) font size; and
- MIC's guidelines advise that it is desirable to have a heading and/or table of contents if the cookie statement is contained in the privacy policy.
More generally, persons/organizations must only send cookies to users' devices upon users' informed consent or any opt-out arrangement, where the service provider will cease, upon a user's request, either (i) the send out information related to the user or (ii) use of information collected by cookies.
Scope of third parties
Under the APPI, the following entities are deemed not to be third parties (meaning that the transfer of personal data (including sensitive information) to such parties does not require the principal's consent):
- a personal information/data processor;
- a company that enters into a merger, a company split, or a business transfer with the PIC. (Disclosure in the process of negotiations for mergers and acquisitions is permissible if made upon execution of a non-disclosure agreement which requires the company to which the data is disclosed to implement appropriate safety measures); or
- a company designated to jointly use the personal data with the PIC. In this case, the PIC must notify, or make readily accessible to the principal:
- the fact of such joint use of the personal data;
- the scope of the personal data to be jointly used;
- the scope of the parties who will jointly use the personal data;
- the purpose of the joint use; and
- the name of a party among the joint users responsible for the management of the joint use of the personal data.
Such joint use is available by group companies business partners or affiliates that provide integrated services to common customers.
Though not a specified exception to the general consent requirement, a transfer of personal data between a Japanese company and its Japanese branch, or between a foreign company and its Japanese branch is not a transfer of personal data to a third party as in each case the branch and the company are the same legal entity. Whether a Japanese company and its foreign branch are a single legal entity would be determined in accordance with the laws of the jurisdiction under which the branch was formed.
Where a transfer of personal data is to a person or entity that is not a third party, a further transfer of the personal data by that person or entity would be subject to the consent rules and exceptions applicable to such transfers, as described in this note.
Transfer of personal data to a third party in a foreign country
The transfer by a PIC of personal data to a third party in a foreign country (other than in reliance on one of the exceptions listed above under 'transfers permitted by law') is subject to the following requirements in addition to those generally applicable to transfers of personal data:
- where consent to the transfer is given by the principal, it must be clear and cover the transfer to a third party in a foreign country, and the principal must be provided, when giving consent, with information necessary for judging whether to provide consent (e.g. the foreign country is identified, identifiable, or the circumstances where such a data transfer will be made are identified); or
- in the absence of such consent, if the transferor wishes to rely on an opt-out or the fact that the transfer is not to a third party, as an exception to the requirement to obtain the principal's consent to the transfer, it is also necessary that the transferee:
- is in a country on a list of countries issued by the PPC as having a data protection regime equivalent to that under the APPI; or
- is in a country that implements data protection standards equivalent to those that PICs subject to the APPI must follow.
As of the date of this note, only the UK and countries in the European Union (including the European Economic Area ('EEA')) are on the list of countries issued by the PPC as having equivalent data protection. If the transferee is not in any such country, a transferor PIC would have to rely on the transferee implementing equivalent standards to the APPI in order to affect a transfer of personal information offshore without the principal's consent or in reliance on an exception listed above in transfers permitted by law. The requirement for equivalent standards to the APPI can be satisfied by the transferor and the transferee:
- entering into a contract;
- if they are in the same corporate group, both being subject to binding standards of the group for the handling of personal data, in either case, pursuant to which the transferee is subject to all the obligations imposed by the APPI on PICs who are subject to it, and which must include certain specified matters, such as the purpose of use, record-keeping, and details of security measures;
- if the transferee is accredited under APEC's CBPR system; or
- if the transferor is accredited under the APEC's CBPR system (based on the fact that under the system the accreditation is issued only when the PIC has established measures to ensure a data transferee will implement data protection standards required under the system).
A transfer to the foreign branch of a Japanese third party is a transfer to an entity offshore.
Consent to transferring personal data to a third-party offshore
For transfers based on the principal's consent, the transferor must in general provide the principal with the following information when obtaining their consent:
- the name of the country the transferee is in irrespective of which country the data is to be stored in (but if the data is stored in another country, it is desirable to say which country);
- information about the foreign country's data protection laws which is obtained 'by appropriate and reasonable means'. The PPC has indicated that: 'information about the foreign country's data protection laws' means descriptions of the 'essential difference' between the data protection laws of Japan and the data protection system of the foreign country which shall be reasonably recognizable by data subjects. The following indicate the level of protection within the system:
- whether the foreign country has any system of personal information protection;
- the foreign country has obtained a General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') Article 45 adequacy decision;
- the foreign country is a member state of APEC's CBPR system;
- whether business operators' obligations or data subject's rights are in line with the OECD's 8 Principles (as described above) under the foreign country's system (e.g., existence or lack of 'limitation by specified purposes of utilization' rule, existence or lack of data subjects' rights, etc.); and/or;
- any rules in the foreign country which may materially affect data subjects' rights and interests, such as:
- a rule that business operators are subject to obligations to cooperate with the foreign country's government's data collection activities so that a broad range of personal information held by business operators are subject to collection by the foreign country's government;
- in this connection a draft revision to the PPC's General Guidelines (which will be implemented between later November and mid-December 2023) will be a reference to the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities as a reference material in determining access by the foreign government exists; or
- a rule requiring the retention of personal information so that data subjects cannot effectively exercise their rights to deletion;
The PPC has published its own investigation reports of such information about a limited number of jurisdictions (note below) (only available in Japanese here) so that data transferors are relieved from the burden of obtaining such information by themselves by providing the PPC's webpage link to the data subjects. As of October 2023, the jurisdictions covered by the PPC's own investigation reports are US Federal and US States namely New York, California, Illinois, Canada, Mexico, Panama, Costa Rica, Brazil, Peru, People's Republic of China, Hong Kong, Singapore, Malaysia, Indonesia, Thailand, Vietnam, Myanmar, Cambodia, Laos, Philippines, South Korea, Taiwan, Mongolia, Australian Federal, New Zealand, India, Turkey, Israel, the UAE Federal and on the regional level Abu Dhabi Global Market, Dubai Healthcare City, and Dubai International Financial Centre, Qatar, Morocco, Tunisia, South Africa, Switzerland, Russia, and Ukraine.
If, at the time of obtaining a consent:
- the transferee's country is not identified, then, instead of the above information, the reason why it is not, and any other information that may be helpful to the data subject; or
- where the above is not available, then the reason why it is not.
If the transfer is allowed without the principal's consent because the transferee has established a level of personal data protection equivalent to that under the APPI, the transferor must:
- ensure the transferee's continuous maintenance of the protection level and:
- 'periodically' (which means annually or more frequently) check, by 'appropriate and reasonable means':
- the status of the transferee's implementation of the protection measures;
- the foreign country's law which may affect the transferee's implementation of the protection measures; and
- if it becomes difficult for the transferee to implement those measures:
- the transferee's protection measures;
- how frequently the transferor 'periodically' conducts the check above;
- the transferee's country name;
- any laws of the foreign country that may affect the transferee's implementation of the protection measures; and
- any problem with the transferee's continuous implementation of the measures.
Transfer due diligence and records
A transfer of personal data requires that the transferor PIC and the transferee (if a PIC, or if it becomes a PIC as a result of the transfer) keep specified records and the transferee is also required to make inquiries on the source of the personal data transferred unless the transfer was made in reliance on an exception listed above as a transfer permitted by law or the transferee is not a third party.
The transferor must keep a record of:
- (if the transfer was made in reliance on an opt-out) the transfer date;
- the name or other identifiers of the transferee and the principal, and the type(s) of data transferred (e.g. name, age, gender); and
- the principal's consent to the transfer, or, if consent has not been obtained and the transfer was made in reliance on an opt-out, of that fact.
The transferee must keep a record of:
- (if the transfer was made in reliance on an opt-out) the date the personal data was received;
- the name or other identifiers of the transferor and its address (and the name of its representative if the transferor is a legal entity), and the name of the principal;
- the type(s) of data transferred;
- the principal's consent to the transfer, or, if consent has not been obtained and if the transfer was made in reliance on an opt-out, of that fact;
- if an opt-out has been relied on, the fact that the opt-out has been filed with, and published by the PPC; and
- how the transferor acquired the personal information transferred.
See 'transfer of person-related information' above for additional record-keeping requirements.
7.3. Data processing records
There are no specific requirements to keep data processing records, though general record-keeping requirements may apply.
7.4. Data protection impact assessment
Under the APPI there are no requirements to conduct Data Protection Impact Assessments ('DPIA').
Under the My Number Act a business operator (as well as Japanese government agencies, municipal governments, and incorporated administrative agencies) who connects with the My Number managing network operated by the Japanese government (for example health insurance societies) in handling My Number must implement DPIAs pursuant to the DPIA Rules and DPIA Policy (including check sheets and report forms) published by the PPC (available only on Japanese here),
7.5. Data protection officer appointment
The APPI does not specifically require a PIC to appoint a data protection or similar officer. However, the General Guidelines which apply to all PICs provide that a PIC must take security measures for the handling of personal information, an example of such a security measure being 'the appointment of a person in charge of the handling of personal information and the definition of the responsibilities of the person'. The guidelines state that whether measures are mandatory depends on the materiality of the damage that may be suffered by principals in the event of a data breach, the size and nature of the business, and the general nature of the data handling (including the nature and volume of data handled).
Some sector-specific guidelines also provide data protection or similar officer requirements. Certain private organizations or associations have created qualifications such as 'data protection officer' ('DPO') or equivalent, and issue them to persons who have passed examinations set by them (e.g. Japan Consumer Credit Association issues a Personal Information Handling Officer qualification, and the Information-Technology Promotion Agency issues an Information Systems Security Administrator qualification). These qualifications are not acknowledged, supported, or required by law, but are industry-driven efforts to enhance data privacy.
7.6. Data breach notification
The amendments to the APPI which were implemented on April 1, 2022, have created statutory data breach notification provisions in law and regulations. (Before the amendments, data breach notification requirements were provided only in the General Guidelines.) Interpretation of the provisions in the APPI amended and regulations are provided in the General Guidelines.
Data breach that must be notified
A PIC must notify the PPC and affected data subjects of a data breach where the breach is a leakage:
- of personal data that contains sensitive information;
- of personal data that may cause financial damage by unauthorized use (e.g., if only the last four digits of payment card numbers were affected it usually does not trigger this category);
- caused or possibly caused by an intentional act (e.g., a malicious attack on a data server, or data theft) by a third party (or the PIC's internal staff) (i.e., as opposed to by error of the PIC), of personal data; or
- of personal data of more than 1,000 data subjects.
'Leakage,' means the occurrence or possible occurrence of:
- leakage (both by an intentional act or by error) (not only the transfer of data outside of the data controller or data processor, but also the availability of access and/or viewing of the content of the data from outside) (if the leaked personal data is retrieved before being seen by any third parties, or is highly encrypted, it will not constitute 'leakage');
- loss (e.g., personal data is lost or discarded by error within a PIC) (provided that back-up data is still available within the PIC, such event will not constitute 'loss');
- damage (e.g., a PIC lost a decryption key of personal data which it has encrypted or personal data was encrypted by ransomware so that the personal data becomes unavailable to be recovered by the PIC); or
- alteration of personal data by an unauthorized party.
As described above, a data breach that is generally subject to the notification requirement is leakage of personal data, which is slightly narrower than 'personal information', as described in the section on key definitions above. However, a draft revision to the APPI Enforcement Rules (which will be implemented on April 1, 2024) will provide, in connection with a category three data breach above (i.e., breach by an intentional act), that the leakage of personal data or personal information which a PIC has collected or is collecting to handle it as personal data is subject to the notification requirements. Given the change, the draft revision to the General Guidelines adds a comment that, where, for example, an online data entry (web entry form) page maintained by a PIC has been maliciously tampered with by a third party so that personal information entered by users on the page (which is yet to become 'personal data', by going onto the PIC's database would be immediately and automatically transferred to a third party's server would also fall under category three.
Action following a data breach
In the event of the leakage of personal data which must be notified, the affected PIC shall take the following steps:
- report the incident within the PIC;
- take measures to prevent the expansion/aggravation of any damage (to principals or third parties affected by the incident) due to the incident;
- conduct an investigation of relevant facts and the cause of the incident;
- identify the affected areas within the servers/systems of the PIC and of the principals whose data was affected;
- promptly planning and implementing measures to prevent the recurrence of the incident or further incidents that may otherwise occur due to the incident in question;
- 'promptly' notify the principals potentially affected or make the facts of the leakage easily available to those principals (depending on the facts of each case) for the purpose of preventing the principals or third parties incurring further damage (e.g. to give the principals opportunities to take actions to avoid or mitigate harms by third parties' use of the leaked information); and
- publicly announce the relevant facts and measures to be taken to prevent a recurrence of the incident (depending on the facts of each case).
A data breach notification to the PPC is done by completing an online form (only available in Japanese here).
Where a PIC has entrusted personal data to a personal information/data processor and the personal information/data processor was subject to the data breach, the obligations above also fall on the PIC. The general obligations to notify the PPC and the principals of a data breach are not applicable to pseudonymously processed information.
Notification and outsourcing
Where a PIC has entrusted personal information to a data processor and the data processor is subject to a data breach both the PIC and the data processor are now liable to report the breach, as both will be considered PICs.
Notification to the PPC
If the PIC thinks the data breach is not such as to require a formal report, it can seek informal guidance from the PPC on what action to take. If the data breach may be serious and the PIC is not certain what action to take the PIC should contact the PPC (and local counsel) at the earliest opportunity, without waiting to complete the formal report to the PPC. Should a data breach not be reported, and the PPC subsequently becomes aware of it, it may require a report to be submitted.
The first notification to the PPC must be made 'sumiyaka-ni' (promptly) upon becoming aware of the incident, which the PPC has advised as being three to five days (including holidays and weekends) depending on the facts, with an updated notification (including items such as the scope of the breach, the cause of the breach (e.g. a security vulnerability), the status of notifications to affected individuals and measures against recurrence) being made within 30 days (or, in the case of leakage, etc. caused by an intentional theft or similar act, 60 days) from the time of becoming aware of the incident. A PIC is deemed to become aware of a data breach when any person at the PIC other than the person responsible for the breach becomes aware of it.
Notifying affected principals
When considering whether to notify affected principals of a data breach directly, or by a more general notice, the two major factors for a PIC to consider are the seriousness of the loss and the harm it may cause, and the effectiveness of the means of notification. If a loss may cause serious harm, the prudent course would be to make it public promptly, and then notify affected parties individually (always subject to any directions from the PPC). Where a PIC has decided to give a general notification, it will need to evaluate how effective the means of notification is likely to be; for example, if notification is given on a website, how likely is it that the affected parties will visit the website and how long it should be kept active in order to notify an appropriate proportion of affected principals. A notification, individual or general, should include a description of the loss and the actions taken by the PIC to mitigate its effects, and it would be advisable to include a phone number or email address that the affected principals can use to obtain further information on the loss.
As noted, depending on the facts of each case, it might be appropriate for the PIC to publicly announce the relevant facts of the data breach, and the measures to be taken to prevent its recurrence; there is no guidance on what form this notice should take, and although it may also be sufficient as a notice to the affected principals, its effectiveness as such would need to be considered carefully.
Notifications, individual or general, should be given in Japanese, and if any affected principals may not understand Japanese, any other appropriate foreign language. Notifications should not be given only in a foreign language unless it is certain that all affected principals will understand that language.
Timing of the notification
Notification must be given 'sumiyaka-ni' (promptly) upon becoming aware of the incident; what constitutes as 'promptly' depends on situations of each case as the PPC suggests that there may be cases where an immediate notification would not be appropriate (e.g., the details of the incident are not identified at all, or where notifications to the data subjects would only cause confusion and would not help the protection of the data subject's rights).
Reporting of losses
Any loss of any specific personal information must be reported to the PPC in the same manner as described in the section on data processing notification 'Timing of the notification to the PPC' above though the form of the report is slightly different from that for other data breaches. The system for escalation of remedial orders by the PPC is the same as that for losses of other personal information, though failure to comply with an order for improvement could lead to more serious criminal sanctions against both the PIC and any of its officers responsible for the loss. Notification to the affected principals is still only 'desirable'.
Investigations
If a data breach has occurred and been reported to the PPC, voluntarily or at the request of the PPC, it may investigate the background to the loss, the PIC's data management procedures, and the actions taken (or not taken) by the PIC to notify the affected parties (and the PPC). Where the PPC finds defects in the PIC's data management or post-loss actions, it may give guidance to the PIC on what actions to take to improve its data management, or what further steps should be taken to notify affected principals of the loss. If the defects are material, the PPC may issue advice for improvement to the PIC and publish the advice on its website. If the PIC fails to follow advice for improvement, the PPC may then escalate the matter and issue an order for improvement. An order for improvement may be issued immediately without preceding advice for improvement in limited cases of a serious data breach.
If a PIC has not notified the PPC or the affected principals of the data breach (or has not publicized the loss if material in either scale or subject matter) and the PPC comes to know of the loss, it might be more likely to find the PIC's attitude to compliance unsatisfactory, and thus issue and publish advice for improvement.
Compensation
To date, PICs that have suffered a data breach have often voluntarily offered compensation to affected parties both to forestall any proceedings and to maintain good public relations. Compensation payments to principals (per person) have ranged from JPY 500 (approx. $3) of e-money or gift vouchers (see the Benesse incident discussed in the section on case law above), through gift vouchers of JPY 10,000 (approx. $67), to cash payments of JPY 35,000 (approx. $235). If an affected party brings an action before a court against a PIC for a data breach, any judgment by the court would likely be an order against the PIC to pay damages on the grounds of a breach of contract or tort theory. Save for cases such as the unauthorized use of affected payment card data or the disclosure of sensitive information affecting the personal lives of individuals, the amount of damages an affected party might be entitled to is frequently not large enough to warrant the commencement of proceedings once the costs of the proceedings are taken into consideration.
It should also be noted that in Japan it is often important to treat all affected parties equally. Even if a PIC does not publicize a data breach and communicates privately with each affected party individually, the widespread use of social media makes the risk of unequal treatment between affected parties being kept private increasingly unlikely and may have an associated negative impact on the PIC's reputation.
Sectoral
The Guidelines on Protection of Personal Information in the Financial Field, which have been issued jointly by the PPC and the FSA, provide that any 'leakage of Personal data (not limited to circumstances (i) to (iv) listed in the subsection on 'data breach that must be notified' above must be reported to the FSA in the financial service sector. Similarly, the Commentary issued by MIC, which gives guidance on the Telecommunications Business Act (Act No. 86 of December 25, 1984), provides that a breach of secrecy of communications must be reported to the authority.
7.7. Data retention
Storage and security
The My Number Act and related guidelines require an employer to establish appropriate systems for the secure storage and handling of specific personal information.
In practical terms, the employer should:
- draft and/or amend internal rules on data protection to ensure the handling of specific personal information in accordance with the My Number Act;
- ensure employees handling specific personal information are aware of the restrictions on their use and the scope of the related data protection regime, in particular, the areas where obligations are stricter than those currently generally implemented by the employer for data protection; and
- ensure its data protection systems are adequate to comply with the obligations under the My Number Act as they are likely to be stricter than under the employer's other data protection obligations (whether under the APPI or otherwise).
7.8. Children's data
Whilst there are no specific provisions in the APPI that regulate the processing of children's data, the General Guidelines indicate that, if a minor, adult ward, or person under curatorship has no capacity to understand the results of their own consent under the APPI, such consent should be obtained from their statutory guardians. The PPC further indicates in its Q&As that, whilst the ages of children who can understand the results of their own consents should be considered on an individual case base, it can generally be said that consents should be obtained from a statutory guardian (e.g., a parent) for a child in the age of 15 or lower.
7.9. Special categories of personal data
Yes, please see the items above relating to specific personal information and sensitive information.
7.10. Controller and processor contracts
Necessary and appropriate supervision must be exercised by a PIC over any third parties delegated to handle personal data. Such supervisory measures include the execution of agreements between a PIC and a service provider providing appropriate security measures that should be taken by the service provider, and the power of the PIC to instruct and investigate the service provider in connection with its handling of personal data entrusted to it.
In addition, the PPC has recently clarified in Q&As that a data processor is a PIC, provided that if a cloud service provider has no access to the entrusted personal data stored on its computer server, it is not a data processor and is thus not a PIC. If a data processor is a PIC, it is subject to the related obligations under the APPI.
8. Data Subject Rights
If requested by a principal, a PIC must disclose in writing and without delay to the principal, the principal's personal data held by it, unless the principal has agreed to receive it by other means (e.g. as electronic data). Access can be refused if it would result in:
- injury to life or bodily safety, property, or other rights and interests of the principal or any third party;
- a material interference with the PIC's business operations; or
- a violation of other Japanese laws prohibiting disclosure.
Principals also have the right to:
- revise, correct, amend, or delete their personal data;
- request the cessation of use of their personal data if it is used for a purpose other than the one originally stated, or if it was acquired by fraudulent or other unlawful means;
- access a PIC's record of data transfers to third parties; and
- require the PIC to cease using personal data or to cease transferring personal data to third parties if the PIC no longer needs to use the data, a data breach has occurred, there is a likelihood of infringement of the principal's rights, or lawful interests due to the PIC's handling of the personal data.
Notably, pseudonymously processed information is not subject to the principal's right to access or cessation of use.
If a principal requests a PIC to cease using their personal data, the PIC must do so unless the request is unreasonable, or the cessation would be costly or would otherwise be difficult (e.g. the recall of books already distributed). In this case, the PIC must take alternative measures to protect the rights and interests of the principal. The PIC must notify the principal without delay of whether the requested action has been taken, and, if not taken, must endeavor to explain the reasons why. A principal can enforce its rights to require revision, etc. of its personal data by civil action if such a request is not complied with within two weeks of being made.
Principals do not have any of the rights above if the principal or other person comes to know that there is such personal data held by the PIC which might result in:
- injury to the life or bodily safety, property, or other rights and interests of the principal or any third party;
- encouraging illegal or unjust acts;
- endangering national security, or damaging a trusted relationship with a foreign country or international organization;
- disadvantage the country's negotiation with a foreign country or international organization; or
- present an obstacle to the prevention, suppression, or investigation of crimes or otherwise impairing public safety and order.
8.1. Right to be informed
A PIC must make the following items readily accessible to each principal:
- name of the PIC;
- purpose of utilization of personal information retained;
- the procedure for the principal to require access, correction, etc. of their personal data;
- where to complain about the PIC's handling of personal data;
- whether the purpose of utilization of the personal information it handles includes 'profiling';
- the address of the PIC;
- the name of the representative person of the PIC; and
- the security measures taken by the PIC to protect personal information retained (including that a person has been appointed to be responsible for controlling how personal information is handled and that the scope of personal information to be handled by staff has been clarified).
The following descriptions are indicated by the PPC as examples of data security measures that satisfy the requirement (the PPC also indicates that the level of security measures can be relaxed for 'small or medium-sized business operators,' as described below):
- establishment of basic principles concerning compliance with applicable laws, handling inquiries and complaints, etc.;
- establishment of rules on the manner of data processing, staff in charge, their responsibilities, etc. on each step of collection, use, storage, transfer, and deletion of personal data;
- organizational security measures: appointment of staff in charge, their responsibilities, reporting line, external audit system, etc.;
- staffing security measures: staff training, confidentiality obligations of staff, etc.;
- physical security measures: room access control, access authorization control, restriction of bringing out devices or personal data, etc.; and
- technological security measures: access control, firewall from unauthorized access, etc.
8.2. Right to access
There is no specific right for a data subject to access its personal information; see the opening paragraph re disclosure of personal information held.
8.3. Right to rectification
Please see section on data subject rights above.
8.4. Right to erasure
Please see section on data subject rights above.
8.5. Right to object/opt-out
Please see the right to request cessation of use outlined in section on data subject rights above and the right to opt out in section on data transfers.
8.6. Right to data portability
8.7. Right not to be subject to automated decision-making
8.8. Other rights
9. Penalties
Please see the provision on penalties outlined section on breach notification and retention above.
In addition, many sector-specific regulations authorize the relevant regulators to enforce the regulations by rendering business improvement orders, or business suspension orders in the most serious cases, against providers of services that require licenses from the regulator, 'where necessary for ensuring the appropriate operation of the business'. 'Appropriate operation of the business' may include the management of the security of customer data. For example, the FSA may issue a business improvement order against a bank pursuant to the Banking Act (Act No. 59 of 1981), or against an investment manager pursuant to the Financial Instruments and Exchange Act (Act No. 25 of 13 April 1948), if the service provider failed to manage the security of customer data in the course of operation of the licensed businesses.
If a PIC (and where the PIC is an entity, its officer, representative person, or administrator) or any of its employees, or a person who was in such a position, provides to a third party or misappropriates a personal information database handled in the course of the business for the purpose of wrongful gain for themselves or a third party, the PIC (if a person) and any such person is liable to imprisonment for not more than one year or a fine of not more than JPY 100 million (approx. $674,090).
9.1 Enforcement decisions
Rikunabi scandal
Recruit Career Co., Ltd., a subsidiary of Recruit Co., Ltd. (the two companies together 'Recruit Companies'), operated an online platform service 'Rikunabi' for university students who were looking for information on job positions after graduation and companies who wanted to advertise their graduate recruiting information, as customers.
On August 26, 2019, the PPC issued 'advice' and 'instruction' against Recruit Career for improvement arising out of the company's breach of the APPI. On December 4, 2019, based on further facts found since the August advice, the authority issued further 'advice' for improvement against the Recruit Companies for their 'extremely inappropriate service to circumvent the APPI' and rendered 'instructions' for 35 companies (mostly leading listed companies) which were customers of the platform service for improvement of their inappropriate handling of personal data.
In summary, the PPC found in its August advice and instruction that on 'Rikunabi 2020' (i.e., the service in connection with students who would graduate from universities in 2020) personal data of 7,983 registered students was provided to customer companies (at which the students might apply for jobs) without the student's consent.
In its December advice and instruction, the PPC found that on 'Rikunabi 2019' and 'Rikunabi 2020' cookies that recorded registered students' business sector-based browsing histories were used for profiling and scoring such students to calculate their 'possibility [by percentage] of declining job offer'. The data on the 'possibility of declining job offer' was hashed and then provided to customer companies, though the recipient companies could re-identify the students from the data. The recipient companies used the data in selecting applicant students to hire. The Recruit Companies provided the data of 26,060 students to customer companies without the student's consent. The Recruit Companies conducted such data handling based on their understanding that the data would no longer be 'personal data' once hashed, which the PPC concluded was a 'wrong understanding' because the companies 'could still identify students from the hashed data by reference to other data held by them'.
The facts and issues found in particular in the December advice and instruction led to the PPC's drafting new rules on the transfer of 'person-related information' in the 2020 Amendments (see on the section on data transfers above).
- 'periodically' (which means annually or more frequently) check, by 'appropriate and reasonable means':