Data Privacy & Transfer in Investigations

Last verified on Thursday 30th September 2021

Data Privacy & Transfer in Investigations: Japan

Akira Matsuda, Adachi Makoto and Kaori Fujinuma

Iwata Godo

SCOPE OF DATA PROTECTION LAWS RELEVANT TO CROSS-BORDER INVESTIGATIONS

1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?

Japan

The laws and regulations that regulate the collection and processing of personal data in Japan are:

  • Act on the Protection of Personal Information (the APPI);
  • Act on the Protection of Personal Information Held by Administrative Organs;
  • Act on the Protection of Personal Information Held by Independent Administrative Agencies; and
  • Local regulations (jourei) adopted by local governments.
Guidelines
  • Guidelines on the principles of the APPI issued by the Personal Information Protection Committee (the PPC), guidelines on the provision of personal data to third parties located in foreign countries and guidelines on confirmation/recordkeeping obligation upon provision of personal data to third parties (the guidelines);
  • Guidelines on the protection of personal information in the financial sector issued by the PPC and the Financial Service Agency;
  • Guidance on the protection of personal information in the medical sector issued by the PPC and the Ministry of Health, Labour and Welfare (the MHLW);
  • Guidelines on the protection of personal information in the labour management sector issued by the MHLW; and
  • Other guidelines issued by the PPC or other ministries.
Tort law (which is incorporated in Chapter 5, Part 1 of the Civil Code)

Tort law in Japan provides that a person who has infringed any right of others or the legally protected interest of others shall be liable to compensate for any resulting damage (subject to an adequate causal relationship). In this connection, the Japanese Supreme Court has recognised, pursuant to article 13 of the Constitution of Japan, the right to privacy (the privacy rights) as the right of persons not to have their private life disclosed, exposed or invaded without a legitimate reason. Therefore, a business operator, that is any individual or legal entity handling a personal information database regardless of the size of the business or volume of personal data, is advised not to infringe the privacy rights of data subjects when collecting and handling information containing private information in the course of its investigations, in addition to complying with the data protection requirements laid down by, inter alia, the APPI and the relevant regulations and guidelines cited above.

Amendments to the APPI

A law was passed in June 2020 to amend the APPI. The amendments will come into force on 1 April 2022. This chapter is entirely based on the amended APPI to enable readers to get ready for the new data protection regime which will apply from that date.

Aspects of those laws that have specific relevance to cross-border investigations

If a business operator, that is any individual or legal entity handling a personal information database regardless of the size of the business or volume of personal data, is located in Japan and seeks to transfer (or receive) personal data to (or from) third parties in another country, the business operator should heed the new obligations applicable to cross-border transfers (ie, the recipient’s obligations regarding collection of personal information, confirmation of certain statutorily designated items and record-keeping). Should the business operator be located outside Japan and seek to collect or handle personal information regarding individuals in Japan in connection with the provision of goods or services to such individuals, the APPI may also apply to the business operator on an extraterritorial basis.

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?

Japan

Financial regulations

Financial regulations such as the Banking Act or the Insurance Business Act provide for specific obligations to be complied with by financial business operators relating to the collection and handling of personal data. In addition, such specific obligations applicable to the financial sector are also contained in the Comprehensive Guidelines for Supervision of Major Banks and the Comprehensive Guidelines for Supervision of Small to Medium or Local Banks (collectively, the Banking Guidelines).

Professional duties and duty of confidentiality

The Attorney Act, the Medical Practitioners' Act and certain other laws containing provisions on professional duties may impose secrecy obligations and prohibit the transfer of certain data that may otherwise be regarded as lawful under the APPI. Furthermore, business operators in certain sectors, such as the financial sector, owe a duty of confidentiality to their clients.

Tort law/labour laws (employee's privacy rights)

It is generally permissible for employers to investigate data saved in devices and equipment that employers provide to their employees for business use, because employers are deemed to own and control such data (and such devices and equipment). However, if such an investigation goes beyond what is fair and reasonable (in the light of current socially acceptable behaviour and standards, considering various factors such as the purpose of the investigation or the manner in which it is conducted), employers may infringe on the employee's privacy rights and may be liable for damages under tort law or labour laws. Employers will not commit a tort or breach labour laws as long as (i) they have a legitimate reason to investigate and (ii) they limit the scope and the manner of the investigation to an extent that is fair and reasonable. For example, employers should consider specifying as narrow a scope as possible for the investigation of their employees’ emails to mitigate the risk of infringing the employees’ privacy rights (eg, by limiting the period of email exchanges on which the investigation focuses).

Unfair Competition Prevention Act

If information to be investigated includes (i) a production method, sales method, or any other technical or operational information useful for business activities that is controlled as a secret and is not publicly known (the trade secret) or (ii) technical or business data (excluding data that is treated as confidential) that is handled as part of a business as data to be provided to specific persons and is accumulated in substantial quantities by electric, magnetic or other methods that cannot be recognised by human perception (the data for limited provision, and together with trade secret, the trade secrets, etc), which were provided by the holder of the trade secrets, etc, it can be unlawful to disclose such information for the purpose of making an illicit gain or harming the interest of the information holder (the illegal purpose disclosure).

The Guidelines on Data for Limited Provision issued by the Ministry of Economy, Trade and Industry make it clear that the disclosure of trade secrets, etc, for investigations conducted under laws and regulations will not be an illegal purpose disclosure. Hence, a disclosure of trade secrets, etc (limited to what is strictly necessary) to professionals, forensic accountants or consultants for the purpose of conducting investigations might not be treated as an illegal purpose disclosure, because such disclosure would be made for a legitimate reason.

Other laws

In addition to the above, there are sector-specific regulations, for example in the telecommunications sector or the medical care sector, that prohibit data sharing in the context of an investigation. For example, the Telecommunications Business Act prohibits telecommunications business operators from disclosing communications between the parties that should be kept secret, save in certain circumstances.

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

3. What constitutes personal data for the purposes of data protection laws?

Japan

Personal information and personal data

The APPI defines and uses two different concepts of information on individuals: “personal information” and “personal data”. To better understand the concept of personal data, it is necessary to distinguish the two.

For a brief overview of these concepts, see below.

Personal information
  • Information relating to a living individual by which a specific individual is identified (including information that can be readily combined with other information to make the identification of a specific individual possible); and
  • information relating to a living individual containing an individual identification code (eg, passport number, driver’s licence number).
Personal data
  • Personal information that constitutes a “personal information database” (a collective body of information comprising personal information systematically organised to be able to retrieve personal information).

The legal effects of handling “personal information” may differ from the legal effects of handling “personal data” under the APPI. The difference between personal information and personal data is illustrated below. When you are handling personal information only (ie, without using personal information in a systematically organised way), you generally do not fall under the definition of "business operator" and you will not be subject to certain onerous obligations imposed on business operators by the APPI.

Examples of personal data are internal or external emails, email addresses, customer information and data extracted from business cards.

Personal information and personal data only relate to a living individual. However, please note that the Banking Guidelines also cover the customer information of legal entities, unincorporated partnerships, etc, as well as that of individuals.

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?

Japan

Business operators

The APPI does not use the "controller" or "processor" concepts. The obligation under the APPI generally applies to any business operator, that is any individual or legal entity handling a personal information database regardless of the size of the business or volume of personal data, regardless of whether such business operator is performing its business in an equivalent “controller” or “processor” position. When you are handling personal information only (ie, without using personal information in a systematically organised way), generally, you do not fall under the definition of "business operator". However, if you are using a personal information database for your business, you will be classified as a business operator.

The main actions which trigger the application of obligations to business operators are listed below. Such obligations include the obligation to disclose the purpose of use of personal information (the purpose of use) prior to or upon its collection, and to limit the handling of such information to what is necessary to achieve the purpose of use (the scope of the purpose).

  • Collection;
  • handling (including any actions that do not fall under the definition of collection or transfer);
  • transfer to third parties;
  • entrustments; and
  • cross-border transfer.

If foreign entities have offices in Japan, they will also fall under the business operator definition and will have obligations under the APPI if they are using personal data for business.

Extraterritorial application of the APPI

Activities conducted by foreign entities located in foreign countries without offices in Japan but trading in, or with, Japan are generally not covered by the APPI. However, all provisions of the APPI apply extraterritorially and are relevant if the foreign entity is collecting or handling personal information on individuals in Japan (regardless of the provenance of the personal information, ie, whether collected from data subjects or third parties) in connection with a supply of goods or services by the foreign entity. Accordingly, if the said activities of the foreign entity conducted in the course of cross-border investigations involve personal information collected in connection with a supply of goods or services by the foreign entity, such foreign entities must take measures to comply with the APPI.

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

5. What are the principal requirements under data protection laws that are relevant in the context of investigations?

Japan

Collection

Disclosure/notification of the purpose of use

The APPI requires business operators to either publicly announce (including on their website) or notify the data subjects of the purpose of use before or upon collection of the personal information, subject to exceptions (eg, when such notification or public announcement is likely to impede the rights or legitimate interests of the business operator (the collection requirement exceptions)).

Consent – generally not required

Consent of the data subjects is generally not required in relation to the collection of personal information, but consent is required in the case of sensitive personal information (the categories of which are listed in the APPI and its sub-legislation), subject to certain exceptions including the common exceptions defined below.

Prohibition of inappropriate collection

Inappropriately obtaining personal information from a data subject or a third party is prohibited under the APPI (we refer to personal information so acquired as unlawful information). Personal data obtained in breach of the confirmation obligation of the recipient in the case of the receipt of personal data (see below) will be deemed unlawful information.

The handling of unlawful information may fall under the definition of inappropriate use of personal data (see below).

Handling

Keeping use of personal information within scope of purpose

The APPI requires business operators (i) to clarify the purpose of use and to make it specific in a manner allowing data subjects to reasonably predict how their personal information will be handled and to do so as much as possible; and (ii) not to use personal information without obtaining the prior consent of the data subjects beyond the scope of the purpose (we refer to such consent as the consent to use), subject to exceptions such as (these three exceptions are referred to as the common exceptions):

  • when the handling of personal information is based on Japanese laws and regulations;
  • when the handling of personal information is necessary for the protection of the life, body, or property of an individual or the property of a legal entity and it is difficult to obtain the consent of the data subjects; and
  • when (i) the handling of personal information is necessary to cooperate with a Japanese state organisation, a Japanese local government, or an individual or an entity entrusted by them with the execution of affairs prescribed by laws and regulations; and (ii) obtaining the consent of the person is likely to impede the execution of the affairs concerned.

Prohibition of inappropriate use of personal data

A business operator must not use personal information through methods that can potentially facilitate or prompt any unlawful or unfair conduct under the APPI. This may include cases of handling unlawful information.

Transfer to third parties

The APPI prohibits business operators from transferring personal data to a third party (the transfer to third parties) without obtaining the prior consent of the data subjects (the consent to transfer), subject to certain exceptions such as:

  • the common exceptions;
  • when a business operator entrusts the handling of personal data in whole or in part within the scope of the purpose (entrustment or subcontracting); and
  • when personal data is used jointly between a business operator and a third party, and the business operator meets prior notification requirements: the business operator must inform data subjects in advance of five statutory elements, or ensure that the data subjects can easily become aware of these statutory elements (joint use).

Obligations regarding entrustments

When a business operator provides personal data to an entrusted party as part of an entrustment, it must exercise necessary and appropriate supervision over the entrusted party to ensure the security control of the entrusted personal data.

Cross-border transfer

When a business operator transfers personal data to third parties in another country (the cross-border transfer), the business operator must (subject to certain exceptions – see below):

  • obtain the data subject's consent to such transfer including consent to the cross-border third-party transfer (the consent to cross-border transfer) in addition to the consent to transfer; and
  • before obtaining consent to a cross-border transfer, provide the data subject with either (i) or (ii) below:
    • (i) certain information listed below:
      • Name of the foreign country;
      • Information on the personal information protection regime of the foreign country (such as whether the foreign country has implemented any data protection regulations, and other relevant information listed in the guidelines) that is obtained through reasonable and appropriate measures (eg, by way of reference to information publicly announced by Japanese or foreign authorities); and
      • Information on whether the recipient takes sufficient measures in light of the eight basic principles described in the "OECD guidelines on the protection of privacy and transborder flows of personal data, part two. basic principles of national application" and if the recipient does not take sufficient measures, details on how they are insufficient.
    • (ii) reasons why they are not able to provide the said information, and other relevant information listed in the guidelines.

The said certain exceptions include:

  • the common exceptions;
  • when the third party is located in the EU (currently included as a white-listed area for cross-border transfers); and
  • when appropriate measures (the appropriate measures for cross-border transfers) have been taken between the business operator in Japan and the third party abroad to ensure appropriate protection of the personal data in such third party’s organisation (ie, a data transfer agreement or binding corporate rules). When this exception applies, the business operator must:
      • confirm through necessary and appropriate means more than once a year (i) the status of the implementation of the said appropriate measures for cross-border transfers by the recipient and (ii) the details of the personal information protection regime of the foreign country which is likely to affect such implementation;
      • take necessary and appropriate actions if the implementation of the appropriate measures for cross-border transfers by the recipient became hindered, and if such implementation becomes difficult, suspend the cross-border transfer; and
      • upon a data subject's request, provide information on the appropriate measures for cross-border transfers (ie, seven statutory items listed in the guidelines (subject to certain exceptions)).

Record keeping obligation of transferor

In the case of transfer of personal data to third parties, the transferor must keep records of certain statutorily designated items (the transferor’s records) subject to certain exceptions including the common exceptions.

Confirmation and record keeping obligation of recipient

In the case of receipt of personal data from third parties, the recipient must confirm and keep records of certain statutorily designated items (eg, how the transferor obtained the personal data) (the recipient’s records), subject to certain exceptions including the common exceptions. In particular, if the transferor obtained the personal data from another third party (the previous transferor) located in the EU on the basis of the European Commission’s determination (an adequacy decision) that Japan offers an "adequate level of protection", the recipient needs to trace and check whether the previous transferor located in the EU obtained the personal data lawfully.

Note

From an investigation perspective, the collection requirement exceptions and the common exceptions are likely to apply in many cases. Accordingly, business operators are advised to check whether these exceptions apply when it is difficult to take the necessary steps regarding the collection, handling and transfer of personal data described above, bearing in mind that the availability of the common exceptions for one data processing operation (eg, handling) does not necessarily mean they will be available for another data processing operation (eg, transfer).

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.

Japan

Data protection requirements relevant to a company carrying out an internal investigation

Relevant requirements include:

  • obligations regarding collection;
  • obligations regarding handling;
  • obligations regarding transfer to third parties;
  • obligations regarding entrustment;
  • obligations regarding cross-border transfers;
  • record keeping obligation of transferor; and
  • confirmation and record-keeping obligation of recipient.

Data protection requirements relevant to a party assisting with an investigation

Professionals

It is generally accepted that the transfer of personal data from a business operator carrying out an internal investigation to attorneys, certified public accountants, legal process outsourcing firms or other similar professions (the professionals) is permissible without the data subject's consent to transfer because the transfer of personal data to these professionals is deemed to be an entrustment. However, the consent to use and consent to cross-border transfer still need to be obtained unless statutory exceptions are available.

These professionals will be business operators and therefore subject to legal obligations under the APPI, ie, the obligations listed in 'Data protection requirements relevant to a company carrying out an internal investigation' above.

Furthermore, please note that when a business operator provides personal data to professionals as part of an entrustment, the business operator will be subject to additional obligations to exercise necessary and appropriate supervision over the professionals.

Attorney's inquiry

Attorneys have a statutory right, exercised through the bar association, to request public offices or public or private organisations for information necessary in a case in which they have been retained, under article 23-2 of the Attorney Act (the attorney's inquiry). Attorneys may request information that could include personal data from business operators. From the point of view of business operators that are requested by attorneys to submit such information, giving such information could conflict with the rules governing purpose of use and transfers to third parties. One should carefully review whether giving such information containing personal data falls under the “based on Japanese laws and regulations” exception. Lower court decisions in Japan suggest that a supply of information containing personal data as per the request would qualify as "based on Japanese laws and regulations" only when such provision is necessary and reasonable.

From the standpoint of business operators collecting personal data from third parties for investigation purposes, the attorney’s inquiry could be utilised as a means of collecting information for investigation. However, for the above reasons, the request may be rejected by the third parties who receive such a request.

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

RIGHTS OF INDIVIDUALS

7. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation?

Japan

In handling personal data as part of an investigation, the collection requirement exceptions and the common exceptions are likely to apply, and therefore the data subject's consent is unlikely to be mandatory for the handling of personal data. If such exceptions do not apply, the obligations listed below may require a business operator to obtain the data subject's consent or to disclose/notify the purpose of use.

  • obligations regarding collection;
  • obligations regarding handling;
  • obligations regarding transfers to third parties; and
  • obligations regarding cross-border transfers.

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

8. If not mandatory, should consent still be considered when planning and carrying out an investigation?

Japan

Consent is not always mandatory for the handling of personal data as part of an investigation. However, to mitigate the risk of complaint by data subjects based on tort due to the infringement of their privacy rights, it is safer to obtain the consent of the data subjects whenever this is possible and realistic. The Japanese practice follows this approach, especially for personal data obtained from the employees of the investigating business operator.

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

9. Is consent given by employees likely to be valid in an investigation carried out by their employer?

Japan

Consent under the APPI

Under the APPI, the consent of employees to the handling of their personal information given in either of the manners listed below will be deemed valid, provided that the consent is obtained through reasonable and appropriate means and in a manner appropriately allowing data subjects to decide whether to give their consent.

  • Employee's consent obtained during the course of the investigation.
  • Employee's consent given in advance in a way that can be deemed to be sufficiently comprehensive from a legal standpoint to allow the future handling of his or her personal information by the investigating business operator for the purposes of the investigation.

Consent under tort law (which is incorporated in Chapter 5, Part 1 of the Civil Code)

Under tort law, data subjects may generally give their consent regarding privacy rights in either of the two methods listed in 'Consent under the APPI' above. However, if the scope of consent is too wide and vague, such consent could be deemed void.

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

10. How can consent be given by a data subject? Is it possible for data subjects to give their consent to processing in advance?

Japan

Consent under the APPI

General

A business operator must obtain the data subject's consent in relation to certain personal information handling activities. Such consent under the APPI is valid when the consent is obtained through reasonable and appropriate means and in a manner appropriately allowing data subjects to decide whether to give their consent.

Any means of obtaining consent under the APPI, including oral communication, email, or ticking a box or other item and clicking a button on a website, is permissible. It is desirable to use means that allow the business operator to keep evidence of the consents. For example, if consent is obtained orally, recording this consent in writing is strongly recommended.

Collection of sensitive personal information

It is possible for data subjects to give their consent to the collection of sensitive personal information in advance and through standard business terms and conditions provided that the consent is obtained through reasonable and appropriate means.

Handling

Unless the purpose of use (eg, investigation) is sufficiently disclosed or notified before the collection of personal information, consent to use is required. In this regard, it is possible for data subjects to give their advance consent to the handling of their personal information (but after collection) and through standard business terms and conditions provided that consent is obtained through reasonable and appropriate means (ie, the purpose of use is sufficiently clear and specified when consent is given). Insufficiently detailed purposes of use such as "investigation when necessary" cannot be regarded as sufficiently specific.

Third-party transfers

It is possible for data subjects to give their consent to transfer in advance and through standard business terms and conditions provided that consent is obtained through reasonable and appropriate means. Data subjects may give a legally sufficiently comprehensive prior consent to a transfer to third parties if the third parties (or categories of third parties when further identification is not possible) are reasonably specified when consent is given.

Cross-border transfers

It is possible for business operators to obtain a data subject’s consent to a cross-border transfer in advance and through standard business terms and conditions provided that consent is obtained through reasonable and appropriate means. In this regard, the business operator must in general provide the data subjects with certain information prior to collection including the information on the personal information protection regime of the foreign country (or reasons they are not able to provide such information and other relevant information) to allow the data subjects to determine whether to give their consent.

Consent under tort law - Privacy rights

Even when data subjects' consent is not necessary under the APPI, the handling of personal information without such consent may infringe on employees' privacy rights. In this regard, courts are likely to consider whether the business operator has obtained the employees' valid consent to the handling of their personal information when they examine whether employees' privacy rights have been infringed in a given case.

The validity of such consents will be determined on a case-by-case basis, considering if the means through which the consents were given were fair and reasonable in light of the socially accepted norms. In general, the data subjects may give their consent regarding privacy rights in advance and through standard business terms and conditions. However, if the scope of consent is too wide and vague, such consent could be deemed void.

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

11. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?

Japan

Retained personal data

If a business operator has the authority to disclose, correct, delete, cease to use, etc personal data (the personal data in this case is referred to as the retained personal data), such business operator must:

  • publicly disclose (or notify data subjects upon their request of) the security control measures implemented for the retained personal data (excluding those that the business operator is unable to disclose for security management reasons), to the extent necessary and appropriate, the procedures for addressing the various requests described below, and other relevant matters; and
  • respond to the various requests made by the data subjects to it as a holder of retained personal data, such as requests for disclosure, correction, deletion and cessation of use.

In connection with the data subject's right to object to the handling of retained personal data, the data subject may request a business operator to discontinue the handling or transfer to third parties of retained personal data, or to delete the retained personal data, if:

  • such handling or transfer of retained personal data is made in violation of the APPI;
  • the business operator no longer needs the personal data in light of the purpose of use;
  • a notifiable data breach has occurred; or
  • their rights or legitimate interests are likely to be infringed.

The business operator must delete, or discontinue the handling or transfer of, the retained personal data upon the data subject's request if the request has reasonable grounds; however, the request may be rejected where addressing it would be difficult (eg, because of high cost) and the business operator proposes reasonable alternative measures.


Disclosure of third-party transfer records

A business operator must disclose the transferor's or recipient's records created upon the provision or receipt of personal data (collectively, the third-party transfer records) upon the request of the data subjects, subject to certain exceptions (eg, where disclosure of the third-party transfer records is likely to infringe the rights or legitimate interests of the data subjects or others, such as life, body and property).

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

EXTRACTION, LEGAL REVIEW AND ANALYSIS BY THIRD PARTIES, INTERNATIONAL TRANSFER

12. Are there specific requirements to consider where third parties are appointed to process personal data in connection with an investigation?

Japan

It is generally accepted that the transfer of personal data from a business operator carrying out an internal investigation to professionals is permissible without the data subject's consent to transfer because the transfer of personal data to these professionals is deemed to be an entrustment. However, the consent to use and consent to cross-border transfer still needs to be obtained unless statutory exceptions are available.

These professionals will be business operators and therefore subject to legal obligations under the APPI, ie, the obligations listed below:

  • obligations regarding collection;
  • obligations regarding handling;
  • obligations regarding transfer to third parties;
  • obligations regarding entrustments;
  • obligations regarding cross-border transfers;
  • record-keeping obligation of transferors; and
  • confirmation and record-keeping obligation of recipients.

Furthermore, please note that when a business operator provides personal data to professionals as part of an entrustment, the business operator will be subject to additional obligations to exercise necessary and appropriate supervision over the professionals.

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

13. Is it permitted to share personal data with law firms for the purpose of providing legal advice?

Japan

It is generally accepted that the transfer of personal data from a business operator carrying out an internal investigation to professionals is permissible without the data subject's consent to transfer because the transfer of personal data to these professionals is deemed to be an entrustment. However, the consent to use and consent to cross-border transfer still needs to be obtained unless statutory exceptions are available.

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

14. What is the position and status of law firms under data protection laws? Are law firms directly accountable for data processing under data protection laws, or is responsibility for processing by law firms shared between the law firm and the client?

Japan

It is generally accepted that the transfer of personal data from a business operator carrying out an internal investigation to the professionals belonging to law firms is permissible without the data subject's consent to transfer because the transfer of personal data to professionals is deemed to be an entrustment. However, the consent to use and consent to cross-border transfer still needs to be obtained unless statutory exceptions are available.

These professionals will be business operators and therefore subject to legal obligations under the APPI (ie, the obligations listed below), in addition to secrecy obligations under the Attorney Act.

  • obligations regarding collection;
  • obligations regarding handling;
  • obligations regarding transfer to third parties;
  • obligations regarding entrustments;
  • obligations regarding cross-border transfers;
  • record-keeping obligation of transferors; and
  • confirmation and record-keeping obligation of recipients.

Furthermore, when a business operator provides personal data to professionals as part of an entrustment, the business operator will be subject to additional obligations to exercise necessary and appropriate supervision over the professionals.

Responsibilities of the professionals

As such, violation of the APPI in relation to the handling by the professionals may simultaneously mean (i) the violation by the professionals of the obligations as individual business operators and (ii) the violation by the entrusting business operator of the obligations to exercise necessary and appropriate supervision over the professionals.

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

15. What is the position and status of legal process outsourcing firms under data protection laws?

Japan

It is generally accepted that the transfer of personal data from a business operator carrying out an internal investigation to the professionals belonging to legal process outsourcing firms is permissible without the data subject's consent to transfer because the transfer of personal data to professionals is deemed to be an entrustment. However, the consent to use and consent to cross-border transfer still needs to be obtained unless statutory exceptions are available.

These professionals will be business operators and therefore subject to legal obligations under the APPI (ie, the obligations listed below):

  • obligations regarding collection;
  • obligations regarding handling;
  • obligations regarding transfer to third parties;
  • obligations regarding entrustments;
  • obligations regarding cross-border transfers;
  • record-keeping obligation of transferors; and
  • confirmation and record-keeping obligation of recipients.

Furthermore, when a business operator provides personal data to professionals as part of an entrustment, the business operator will be subject to additional obligations to exercise necessary and appropriate supervision over the professionals.

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

16. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?

Japan

The business operator should also consider requirements regarding trade secrets, etc under the Unfair Competition Prevention Act or other relevant laws and regulations when it seeks to disclose personal data to third parties; these requirements may apply to business operators separately from the APPI.

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

17. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?

Japan

If the personal data is transferred from a Japanese investigating business operator to third parties in another country, consent to use, consent to transfer and consent to cross-border transfer must be obtained unless a statutory exception applies.

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

18. Are there specific exemptions, derogations or mechanisms to enable international transfers of personal data in connection with investigations?

Japan

Data sharing

Even if the consent to transfer or consent to cross-border transfer is not obtained, data sharing with third parties (commonly used for intra-group data sharing) could be permitted if (i) personal data is provided to the third party through the joint use method, and (ii) the third party is located in the EU, or appropriate measures have been taken between the business operator in Japan and the third party abroad. Accordingly, the investigating business operator may share data with its group companies for the purpose of the investigation by complying with these requirements.

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES

19. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?

Japan

The regulations regarding the purpose of use and transfers to third parties are also applicable to the transfer of personal data to Japanese regulators or enforcement authorities. However, in most cases, the transfer of personal data will fall under exceptions where the consent to use and consent to transfer do not need to be obtained, for instance, when such transfer of personal data is based on Japanese laws and regulations or when such transfer of personal data is necessary to cooperate with a state organisation.

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

20. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?

Japan

The regulations regarding purpose of use, transfers to third parties and cross-border transfers are also applicable to the transfer of personal data to regulators or enforcement authorities in another country, and it is necessary for the transferor to obtain the consent to use, consent to transfer and consent to cross-border transfer unless a statutory exception applies. However, notification to the Japanese authorities, including the PPC, is not required to proceed with cross-border transfers to such regulators or enforcement authorities.

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

21. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?

Japan

Upon receipt of a request from regulators (both Japanese and foreign), a business operator should confirm which legal grounds (ie, obtaining consents from data subjects or satisfaction of certain exceptions such as the common exceptions) would authorise the business operator to use and disclose personal data to the regulator.

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

ENFORCEMENT AND SANCTIONS

22. What are the sanctions and penalties for non-compliance with data protection laws?

Japan

Notification obligations in case of data breach

General

When a leakage or loss of, or damage to, personal data (a data breach) has occurred, a business operator may be obliged under the APPI to notify the PPC and the affected data subjects of the breach and to provide them, in Japanese, with a summary of the data breach and the other relevant matters described in the guidelines (the data breach information).

Report to the PPC

(a) Notifiable data breach

The data breach is notifiable when:

  • the personal data includes or is likely to include sensitive personal information;
  • proprietary damage is likely to arise in light of the nature of the personal data (eg, credit card numbers);
  • persons with malicious intentions are likely to be involved in the data breach; and
  • it has a significant scale (ie, 1,000 or more individuals).

(b) Who notifies the data breach

In cases of entrustment, an entrusted business operator is exempted from the obligation to report to the PPC if it has reported data breach information to an entrusting business operator.

(c) Procedure of notification

(i) Preliminary report

Upon recognition of the data breach, the business operator must immediately (ie, within three to five days) report to the PPC the data breach information, based on the facts reasonably discovered at the time of the report.

(ii) Full report

The business operator must submit to the PPC a full report of data breach information within 30 (or 60 if certain requirements are met) days from the date of the recognition of the data breach.

Report to the affected data subjects

(a) Notifiable data breach

The business operator must also notify the affected data subjects of part of the data breach information if the data breach is notifiable (see 'Report to the PPC', (a) above), subject to certain exceptions.

(b) Procedure

Upon recognition of the data breach, the business operator must "immediately in light of the circumstances" notify the affected data subjects of that part of the data breach information described in the guidelines. The said requirement "immediately in light of the circumstances" means that the business operator may consider various factors such as the risk of public confusion when it determines the timing of the notification.

(c) Exceptions

The obligation to notify the affected data subjects does not apply when such notification is difficult and the business operator takes the necessary alternative measures to protect the data subjects' rights and legitimate interests.

Sanctions and penalties for non-compliance

General

If a business operator has not taken the required steps under the APPI, the PPC may recommend that the business operator stop or rectify the APPI violation and take other necessary measures to cure the violation, and may then formally order the business operator to take such measures if the recommendation is ignored. Failure to comply with such a cease and desist order may give rise to (i) punishment consisting of (x) imprisonment for up to a year or a fine of up to ¥1 million against the accused (if the accused is an individual business operator, a director or an employee) and (y) a fine of up to ¥100 million against the legal entity business operator and/or (ii) a sanction consisting of a public announcement by the PPC of the business operator's contravention of the cease and desist order (name and shame).

Extraterritorial application

A business operator located in a foreign country may also be subject to the sanctions and penalties for non-compliance described in 'General' above, since all provisions of the APPI may apply on an extraterritorial basis.

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma

RELEVANT MATERIALS

23. Provide a list of relevant materials, including any decisions or guidance of the data protection authority in your jurisdiction regarding internal and external investigations, and transfers to regulators or enforcement authorities within and outside your jurisdiction.

Japan

PPC's webpage

https://www.ppc.go.jp/en/


APPI (The amended Act fully put into effect on April 1, 2022)

https://www.ppc.go.jp/files/pdf/APPI_english.pdf


Overview of the Amendments to the APPI (Tentative English Translation)

https://www.ppc.go.jp/files/pdf/overview_amended_act.pdf


Other relevant materials are available on the PPC's website (only in Japanese)

https://www.ppc.go.jp/personalinfo/legal/

Answer contributed by Akira Matsuda, Adachi Makoto and Kaori Fujinuma
