Data Privacy & Transfer in Investigations

Last verified on Monday 2nd November 2020

Data Privacy & Transfer in Investigations: Japan

Akira Matsuda, Koji Horita and Makoto Adachi

Iwata Godo

1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data?

Japan

The laws and regulations in Japan regulating the collection and processing of Personal Data (defined in question 3) are as follows: 

Laws and local regulations

    • Act on the Protection of Personal Information (the APPI);
    • Act on the Protection of Personal Information Held by Administrative Organs;
    • Act on the Protection of Personal Information Held by Independent Administrative Agencies; and
    • Local regulations (jourei) adopted by local governments.

Guidelines (the Guidelines)

    • Guidelines on the principles of the APPI issued by the Personal Information Protection Committee (the PPC) (the Principle Guidelines);
    • Guidelines on the protection of Personal Information in the financial sector issued by the PPC and the Financial Service Agency;
    • Guidance on the protection of Personal Information in the medical sector issued by the PPC and the Ministry of Health, Labour and Welfare (the MHLW);
    • Guidelines on the protection of personal information in the labour management sector issued by the MHLW; and
    • Other guidelines issued by other ministries.

Tort law (which is incorporated in Chapter 5, Part 1 of the Civil Code)

Tort law in Japan provides that a person who has infringed any right of others or the legally protected interest of others shall be liable to compensate for any resulting damage (subject to an adequate causal relationship). In this connection, the Japanese Supreme Court has recognised, pursuant to article 13 of the Constitution of Japan, the right to privacy (the privacy rights) as the right of persons not to have their private life disclosed, exposed or invaded without a legitimate reason. Therefore, business operators are advised not to infringe the privacy rights of data subjects when collecting and handling information containing private information in the course of their investigations, in addition to complying with data protection requirements, laid down by, inter alia, the APPI and the relevant regulations and guidelines cited above. A business operator is any entity handling a personal data database regardless of the size of the business or volume of personal data. See question 3 for a definition.

Amendments to the APPI

On 5 June 2020, the House of Councillors of Japan passed a bill to amend the APPI. The amendments (the amendments) are part of the triennial statutory review process provided for under the APPI to give the legislator the opportunity to keep up with the rapid pace of innovation and technical change, and deal with the effects of the continuous expansion of the digital world and the ever-increasing volume of data handled by business operators. The amendments will come into force on a date yet to be determined but due to fall not later than 12 June 2022. This time frame – summarised in the table below – is intended to give enough time to business operators to get ready.

    • Summer 2020: announcement of policies for administrative orders, rules, guidelines and FAQs;
    • Winter 2020: public comments for administrative rules and orders;
    • Spring 2021: announcement of administrative rules and orders;
    • Summer 2021: announcement of guidelines and FAQs; and
    • Spring 2022: entry into force of the amendments (part of the amendments will come into force earlier).

This chapter includes a brief summary of the amendments in each relevant subsection.

Answer contributed by Akira Matsuda, Koji Horita and Makoto Adachi

2. What other laws and regulations may prevent data sharing in the context of an investigation?

The APIPO Privacy Policy

An authorised or accredited personal information protection organisation (the APIPO) is an entity authorised by the PPC to handle complaints from individuals against business operators' handling of personal information. The APIPOs have published their privacy policy (the APIPO Privacy Policy) and relevant business operators including members of the relevant APIPO must comply with such policy. The All Banks Personal Data Protection Council is the most well-known APIPO.

The APIPO Privacy Policy provides for more detailed and comprehensive requirements than the laws and regulations referred to in question 1, and imposes obligations stricter than the “best efforts” obligations contained in the laws and regulations.

Financial regulations

Financial regulations such as the Banking Act or the Insurance Business Act provide for specific obligations to be complied with by financial business operators relating to the collection and handling of personal data. In addition, such specific obligations applicable to the financial sector are also contained in the Comprehensive Guidelines for Supervision of Major Banks and the Comprehensive Guidelines for Supervision of Small to Medium or Local Banks (collectively, the Banking Guidelines).

Professional duties and duty of confidentiality

The Attorney Act, the Medical Practitioners' Act and certain other laws that include provisions on professional duties may impose secrecy obligations and prohibit the transfer of certain data that may otherwise be regarded as lawful under the APPI. Furthermore, business operators in certain sectors such as the financial sector owe a duty of confidentiality to their clients.

Tort law (employee's privacy rights)

It is generally permissible for employers to investigate data saved in devices and equipment that employers provide to their employees for business use because employers are deemed to own and control such data (and device and equipment). However, if such investigation went beyond what is fair and reasonable (in the light of current socially acceptable behaviour and standards, considering various factors such as the purpose of the investigation or the manner in which it is conducted), employers may infringe on the employee's privacy rights and may be liable for damages under tort law or labour laws. Employers will not commit a tort or break labour laws as long as (i) they have a legitimate reason to investigate and (ii) they limit the scope and the manner of the investigation to an extent that is fair and reasonable. For example, employers should consider specifying a scope of investigation of their employees’ emails as narrow as possible to mitigate risks of infringement of the employee’s privacy rights (eg, by limiting the period of exchange of emails on which the investigation is focusing).

Unfair Competition Prevention Act

See question 15.

Other laws

In addition to the above, there are sector-specific regulations, in sectors such as telecommunications or medical care, which prohibit data sharing in the context of an investigation. For example, the Telecommunications Business Act prohibits telecommunications business operators from disclosing communications between the parties that should be kept secret, save in certain circumstances.

3. What can constitute personal data for the purposes of data protection laws?

Personal information and personal data

The APPI defines two different concepts: “personal information” and “personal data”. To better understand the concept of personal data, it is necessary to distinguish the two.

For a brief overview of these concepts, see below.

Personal information

    • (i) Information relating to a living individual by which a specific individual is identified (including information that can be readily combined with other information and make the identification of a specific individual possible); and
    • (ii) Information relating to a living individual containing an individual identification code (ie, passport number, driver’s licence number).

Personal data

    • personal information that constitutes a “personal information database” (a collective body of information comprising personal information systematically organised to be able to retrieve personal information).

When you are handling personal information only (ie, without using personal information in a systematically organised way), generally, you do not fall under the definition of "business operator". In this case, obligations on business operators such as the obligation to disclose the purpose of use of personal information (the purpose of use) prior to or upon its collection, and to limit the use of such information within the scope necessary to achieve the purpose of use (the scope of purpose) will not be applicable.

However, if you are using a personal information database for your business, your business entity will be classified as a business operator and various obligations will apply under the APPI.

Examples of personal data are internal or external emails, email addresses, customer information and data extracted from business cards.

4. Does personal data protection relate only to natural persons or also legal persons?

Personal information and personal data only relate to a living individual. However, please note that the Banking Guidelines also cover the customer information of legal entities, unincorporated partnerships, etc, as well as that of individuals.

5. To whom do data protection laws apply?

Business operators

The APPI does not use the "controller" or "processor" concepts. The obligation under the APPI generally applies to any business operator which is using personal data for its business, regardless of whether such business operator is performing its business in an equivalent “controller” or “processor” position. 

If foreign entities have offices in Japan, they will also fall under the business operator definition and will have obligations under the APPI if they are using personal data for business.

Extraterritorial application

Activities conducted by foreign entities located in foreign countries without offices in Japan but trading in, or with, Japan are generally not covered by the APPI. However, certain provisions of the APPI have extraterritorial applications and are relevant if the foreign entity is collecting personal information on individuals in Japan in connection with a supply of goods or services. Accordingly, such foreign entities must take measures to comply with certain provisions of the APPI.

6. What acts or operations on personal data are regulated by data protection laws?

The APPI very broadly regulates acts and operations. Below is a list of key acts and operations covered by the APPI:

  • handling (a very wide concept covering most acts regarding personal data and fairly similar to processing under the EU GDPR);
  • collection;
  • update and deletion;
  • transfer to third parties (domestic or overseas);
  • receipt from third parties; and
  • disclosure to data subjects, rectification, deletion and discontinuity of use upon request of data subjects.

7. What are the principal obligations on data controllers to ensure the proper processing of personal data?

We describe obligations imposed on business operators below, since the APPI does not use the "controller" concept (see question 5).

Collection

The APPI requires business operators to either publicly announce (including on their website) or notify the data subjects of the purpose of use before or upon collection of the personal information, subject to exceptions (eg, when such notification or public announcement is likely to impede the rights or legitimate interests of the business operator (the collection requirement exception)). Consent of the data subjects is not required generally, but consent is required in the case of sensitive personal data, the categories of which are listed in the APPI and its sub-legislation.

Handling

The APPI requires business operators to clarify the purpose of use, to make it as specific as possible, and not to use personal information beyond the scope of the purpose without obtaining the prior consent of the data subjects (we refer to such consent as the consent to use), subject to exceptions such as the following (these three exceptions are referred to as the common exceptions):

  • when the handling of personal information is based on laws and regulations;
  • when the handling of personal information is necessary for the protection of the life, body, or property of an individual or the property of a legal entity and it is difficult to obtain the consent of the data subjects; and
  • when (i) the handling of personal information is necessary to cooperate with a Japanese state organisation, a Japanese local government, or an individual or an entity entrusted by them with the execution of affairs prescribed by laws and regulations; and (ii) obtaining the consent of the person is likely to impede the execution of the affairs concerned.

Transfer to third parties

The APPI prohibits business operators from transferring personal data to a third party (the transfer to third parties) without obtaining the prior consent of the data subjects (the consent to transfer), subject to certain exceptions such as:

  • the common exceptions (see above);
  • when a business operator entrusts the handling of personal data in whole or in part within the scope of purpose (entrustment/subcontracting); and
  • when personal data is used jointly between a business operator and a third party, and the business operator meets prior notification requirements: the business operator must inform data subjects in advance of five statutory elements, or ensure that the data subjects can easily become aware of these statutory elements (joint use).

Obligations regarding entrustments

When a business operator provides personal data to an entrusted party as part of an entrustment, it must exercise necessary and appropriate supervision over the entrusted party to ensure the security control of the entrusted personal data.

Cross-border transfer

When a business operator transfers personal data to third parties in another country (the cross-border transfer), consent to such transfer including consent to the cross-border third-party transfer (the consent to cross-border transfer) must be obtained in addition to the consent to transfer, subject to certain exceptions such as:

  • the common exceptions;
  • when the third party is located in the EU (currently a white-listed area for cross-border transfers); and
  • when appropriate measures have been taken between the business operator in Japan and the third party abroad to ensure appropriate protection of the personal data in such third party’s organisation (ie, data transfer agreement or binding corporate rules).

In this regard, the amendments will introduce new obligations regarding cross-border transfers such as:

  • cross-border transfers based on the consent of data subjects will require business operators (transferors) to provide data subjects with certain information (such as an overview of the personal information protection rules of the country in which the receiving party is located) before obtaining their consent; and
  • business operators which rely on method (iii) above (appropriate measures taken with the third party abroad) for their cross-border transfers will be required to provide data subjects on request with certain information regarding the manner in which the receiving party is handling personal information.

Note

From an investigation perspective, the collection requirement exception and the common exceptions are likely to apply in many cases. Accordingly, business operators are advised to check whether these exceptions apply when it is difficult to take the necessary steps regarding the collection, handling and transfer of personal data described above, bearing in mind that the availability of the common exceptions for one data processing operation (eg, handling) does not necessarily mean they will be available for another data processing operation (eg, transfer).

DATA EXTRACTION BY THIRD PARTIES FOR DATA COLLECTION PURPOSES

8. Before data extraction by third parties commences, should steps be taken to ascertain whether non-locally generated data was lawfully transferred to, or within, your jurisdiction in the first instance?

Unlawful data

If a business operator commences an investigation by having third parties extract data from digital devices such business operator owns and controls (we refer to such business operator as the investigating operator), the investigating operator needs to ascertain to the extent reasonable whether the data was lawfully obtained or transferred in the first instance. This is because inappropriately obtaining personal data from a data subject or a third party is prohibited under article 17 of the APPI (we refer to personal data so acquired as the unlawful data), and the use or transfer of unlawful data may lead to certain sanctions under the Civil Code of Japan and the APPI. Any personal data may be deemed unlawful data in the following cases (without limitation): (i) where the personal data is saved in a company’s mobile device together with the email that shows that such data were obtained in contravention of local data protection regulations, including the cross-border transfer restriction (where applicable), or (ii) where the investigating operator did not confirm certain designated statutory items (eg, how the transferor had obtained the personal data) pertaining to a receipt of such personal data from a third party (the relevant transferor) in violation of article 26 of the APPI, which imposes certain verification obligations on a business operator who receives personal data from a transferor. In particular, if this transferor has obtained the personal data from another third party (the previous transferor) located in the EU based on the European Commission’s determination (and adequacy decision) that Japan offers an "adequate level of protection", the investigating operator needs to trace and check whether the previous transferor located in the EU had obtained the personal data lawfully. Accordingly, the investigating operator should be more careful with personal data generated in a foreign jurisdiction.

However, the clearance procedure to distinguish unlawful data from personal data should be conducted "to the extent reasonable", and if there is no particular indication showing the personal data was unlawfully obtained, the personal data is unlikely to be deemed to be unlawful data for this purpose.

When the investigating operator finds that the personal data contains unlawful data, it shall obtain the data subject’s consent to use, consent to transfer and consent to cross-border transfer for the investigation, prior to the use and transfer of the unlawful data to a third party.

9. Are there additional requirements where third parties process the data on behalf of the entity to which data protection laws primarily apply?

No. There are no material and additional requirements where the third party processes the data on behalf of the entity to which the data protection laws primarily apply. However, the entity which entrusts processing of the personal data is subject to certain additional obligations (see question 7).

10. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation? And how can consent be given by a data subject?

Consent is not always mandatory for the handling of personal data as part of an investigation (see question 7). However, to mitigate the risk of complaint by data subjects based on tort due to the infringement of their privacy rights, it is safer to obtain the consent of the data subjects whenever this is possible and realistic. The Japanese practice follows this approach, especially for personal data obtained from the employees of the investigating operator.

Any means used for obtaining the consent to use, consent to transfer, consent to cross-border transfer and consent to the handling of personal data relating to privacy rights (the consent regarding privacy right) including oral communication, emails, checking the corresponding boxes or items and clicking a button on a website will be permissible. It is desirable to use means allowing you to keep evidence of the consents. For example, if the consent is obtained orally, recording this consent in writing is strongly recommended.

11. If not mandatory, should consent still be considered when planning and carrying out an investigation?

See question 10.

12. Is it possible for data subjects to give their consent to such processing in advance?

Handling

It is possible for data subjects to give their consent to use in advance and through standard business terms and conditions provided that the purpose of use is sufficiently clear and specified. Insufficiently detailed purposes of use such as "investigation when necessary" cannot be regarded as sufficiently specific. From a data protection regulation perspective, a consent to use is generally not required in Japan, as long as the purpose of use is sufficiently disclosed beforehand. See question 7.

Transfer to third parties

It is possible for data subjects to give their consent to transfer in advance and through standard business terms and conditions. Data subjects may give a legally sufficiently comprehensive consent to a transfer to third parties if the third parties (or categories of third parties when further identification is not possible) are reasonably specified when consent is given.

Cross-border transfers

It is possible for business operators to obtain a data subject’s consent to a cross-border transfer in advance and through standard business terms and conditions. In this regard, the consent to a cross-border transfer shall include consent to the cross-border third-party transfer.

Privacy rights

The data subjects may give their consent regarding privacy rights in advance and through standard business terms and conditions. However, if the scope of consent is too wide and vague, such consent could be deemed to be void. Although this has not been tested before the courts, if such prior consent is obtained, compared to a situation where no consent is given prior to or at the time of the investigation, this would reduce the risk of infringement of privacy rights.

13. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?

If a business operator has the authority to disclose or correct (or add, delete, etc) personal data to be retained by such business operator for more than six months (the personal data in this case is referred to as the retained personal data), such business operator must, as a holder of retained personal data, respond to the various requests made by the data subjects, such as requests for disclosure, correction or ceasing to use. Personal data transferred from the EU based on the European Commission's determination falls under retained personal data regardless of the retention period. In addition, after the amendments become effective, personal data will fall under retained personal data regardless of the retention period.

In connection with the data subject's right to object to the processing of retained personal data, the data subject may request a business operator to discontinue the handling or transfer to third parties of retained personal data, or to delete the retained personal data, if such handling or transfer of retained personal data is made in violation of the APPI (or, after the amendments become effective, if their rights or legitimate interests are likely to be infringed, for instance when the business operator no longer needs the personal data in light of the purpose of use or when substantial data breaches have occurred). The business operator must discontinue the handling or transfer of retained personal data upon the request of the data subjects if the request has reasonable grounds.

TRANSFER FOR LEGAL REVIEW AND ANALYSIS

14. How are law firms, and legal process outsourcing firms, generally characterised in your jurisdiction?

Professionals

It is generally accepted that the transfer of personal data to attorneys, certified public accountants, legal process outsourcing firms or other similar professions (the professionals) is permissible without the data subject's consent to transfer because the transfer of personal data to these professionals is deemed to be an entrustment (see question 7) (the consent to use and consent to cross-border transfer still need to be obtained unless statutory exceptions are available). 

These professionals will be business operators and therefore subject to legal obligations under the APPI.

Furthermore, please note that when a business operator provides personal data to professionals as part of an entrustment, it will be subject to additional obligations (see question 7).

Attorney's inquiry

Attorneys have a statutory right, exercised through the bar association under article 23-2 of the Attorney Act, to request public offices or public or private organisations for information necessary in a case for which they have been retained (the attorney's inquiry). Attorneys may request information that could include personal data from business operators. From the point of view of business operators that are requested by attorneys to submit such information, giving it could conflict with the rules governing purpose of use and transfers to third parties. One should carefully review whether giving such information containing personal data falls under the “based on laws and regulations” exception (see question 7). Lower court decisions in Japan suggest that a supply of information containing personal data as per the request would qualify as "based on laws and regulations" only when such provision is necessary and reasonable.

From the standpoint of business operators collecting personal data from third parties for investigation purposes, the attorney’s inquiry could be utilised as a means of collecting information for investigation. However, for the above reasons, the request may be rejected by the third parties who receive such a request.

15. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?

Unfair Competition Prevention Act

If information to be investigated includes (i) a production method, sales method, or any other technical or operational information useful for business activities that is controlled as a secret and is not publicly known (the trade secret) or (ii) technical or business data (excluding data which is treated as confidential) which is handled as part of a business as data to be provided to specific persons and is accumulated in substantial quantities by electric, magnetic or other methods that cannot be recognised by human perception (the data for limited provision, and together with trade secret, the trade secrets, etc), which were provided by the holder of the trade secrets, etc, it can be unlawful to disclose such information for the purpose of making an illicit gain or harming the interest of the information holder (the illegal purpose disclosure).

The Guidelines on Data for Limited Provision issued by the Ministry of Economy, Trade and Industry make it clear that the disclosure of the trade secrets, etc, for investigations conducted under laws and regulations will not be an illegal purpose disclosure. Hence, a disclosure of trade secrets, etc (limited to what is strictly necessary) to professionals, forensic accountants or consultants for the purpose of conducting investigations might not be treated as an illegal purpose disclosure because such disclosure would be made for a legitimate reason.

16. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?

If the personal data is transferred from a Japanese investigating operator to third parties in another country, a consent to use, a consent to transfer and a consent to cross-border transfer must be obtained unless a statutory exception applies (see question 7).

Data sharing

However, even if the above consent to transfer or consent to cross-border transfer is not obtained, data sharing with third parties (commonly used for intra-group data sharing) could be permitted if (i) personal data is provided to the third party through the joint use method, and (ii) the third party is located in the EU, or appropriate measures have been taken between the business operator in Japan and the third party abroad (see question 7). Accordingly, the investigating operator may share data with its group companies for the purpose of investigation by complying with these requirements.

TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES

17. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?

The regulations regarding the purpose of use and transfers to third parties are also applicable to the transfer of personal data to Japanese regulators or enforcement authorities. However, in most cases, the transfer of personal information will fall under exceptions where the consent to use and consent to transfer do not need to be obtained, for instance, when such transfer of personal data is based on Japanese laws and regulations or when such transfer of personal data is necessary to cooperate with a state organisation (see question 7).

18. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?

The regulations regarding purpose of use, transfers to third parties and cross-border transfers are also applicable to the transfer of personal data to regulators or enforcement authorities in another country (section 2-2 of the Principle Guidelines regarding the provisions to a third party located in a foreign country) and it is necessary for the transferor to obtain the consent to use, consent to transfer and consent to cross-border transfer unless a statutory exception applies (see question 7).


19. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?

Japan

Upon receipt of a request from regulators (both Japanese and foreign), you should confirm which legal grounds (ie, obtaining consents from data subjects or satisfaction of certain exceptions such as the common exceptions) would authorise you to use and disclose personal data to the regulator.


20. What are the sanctions and penalties for non-compliance with data protection laws?

Japan

If a business operator has not taken the required steps under the APPI, the PPC may recommend that the business operator stop or rectify the APPI violation and take other necessary measures to cure the violation, and may then formally order the business operator to take such measures if the recommendation is ignored. Failure to comply with a cease and desist order may be punished with imprisonment for up to six months (where the business operator is an individual) or a fine of up to ¥300,000 (where the business operator is an individual or a legal entity). After the amendments become effective, failure to comply with a cease and desist order may give rise to (i) punishment consisting of (x) imprisonment for up to a year or a fine of up to ¥1 million (where the business operator is an individual) or (y) a fine of up to ¥100 million (where the business operator is a legal entity) and/or (ii) a sanction consisting of a public announcement by the PPC of the business operator's contravention of the cease and desist order (name and shame).

Extraterritorial application

If a business operator located in a foreign country (see question 5) has not taken the required steps under the APPI, the PPC may recommend that the business operator stop or rectify the violation of the APPI and take other necessary measures to cure the violation, but cannot order the business operator to take the necessary measures. Failure to comply with such a recommendation does not give rise to criminal sanctions. However, after the amendments become effective, a business operator located in a foreign country will also be subject to all penalties or sanctions described in the preceding paragraph.


CONTINUING OBLIGATIONS ON ORIGINAL AND INTERVENING DATA CONTROLLERS

21. What are the continuing obligations on the original data controller that apply in an investigation?

Japan

We describe obligations imposed on business operators below, since the APPI does not use the "controller" concept (see question 5).

Continuing obligations on the business operators are as follows:

  • the principal obligations of business operators (see question 7);
  • the obligation to keep a record of certain designated statutory items in the case of a transfer to third parties (Article 25 of the APPI);
  • the obligation to confirm and keep a record of certain designated statutory items in the case of a receipt from third parties (Article 26 of the APPI); and
  • the obligation to supervise the entrusted party (see question 7).

However, these requirements could be exempted in many cases in an investigation context – please refer to question 7, "Note".


22. What are the continuing obligations on any intervening data controller that apply in an investigation?

Japan

We describe obligations imposed on business operators below, since the APPI does not use the "controller" concept (see question 5).

Assuming that the third party who receives personal data from the investigating operator is a business operator, such third party is subject to the same continuing obligations as described in question 21, excluding the obligation to supervise the entrusted party (the fourth item in that list).


RELEVANT MATERIALS

23. Provide a list of relevant materials, including any decisions or guidance of the data protection authority in your jurisdiction regarding internal and external investigations, and transfers to regulators or enforcement authorities within and outside your jurisdiction.

Japan

PPC's webpage https://www.ppc.go.jp/en/

APPI https://www.ppc.go.jp/files/pdf/Act_on_the_Protection_of_Personal_Information.pdf

Overview of the Amendments to the APPI (Tentative English Translation) https://www.ppc.go.jp/files/pdf/overview_amended_act.pdf

Amendments to the APPI (Comparative table of the current and amended provisions of the APPI (Tentative translation)) https://www.ppc.go.jp/files/pdf/20200612_comparative_table_amended_APPI.pdf

Amendment to the Cabinet Order to Enforce the APPI https://www.ppc.go.jp/files/pdf/Cabinet_Order.pdf

Enforcement Rules for the APPI https://www.ppc.go.jp/files/pdf/PPC_rules.pdf

Overview of the APPI issued by PPC https://www.ppc.go.jp/files/pdf/280222_outline_v2.pdf

Current Legal Framework for the Protection of Personal Information https://www.ppc.go.jp/files/pdf/280222_Current_Legal_Framework_v2.pdf

Other relevant materials are available on the PPC's website (only in Japanese) https://www.ppc.go.jp/personalinfo/legal/.

