SCOPE OF DATA PROTECTION LAWS RELEVANT TO CROSS-BORDER INVESTIGATIONS
1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?
The laws and regulations that regulate the collection and processing of personal data in Japan are:
- Act on the Protection of Personal Information (the APPI);
- Act on the Protection of Personal Information Held by Administrative Organs;
- Act on the Protection of Personal Information Held by Independent Administrative Agencies; and
- Local regulations (jourei) adopted by local governments.
The following guidelines are also relevant:
- Guidelines on the principles of the APPI issued by the Personal Information Protection Committee (the PPC), guidelines on the provision of personal data to third parties located in foreign countries and guidelines on the confirmation/record-keeping obligation upon provision of personal data to third parties (the guidelines);
- Guidelines on the protection of personal information in the financial sector issued by the PPC and the Financial Service Agency;
- Guidance on the protection of personal information in the medical sector issued by the PPC and the Ministry of Health, Labour and Welfare (the MHLW);
- Guidelines on the protection of personal information in the labour management sector issued by the MHLW; and
- Other guidelines issued by the PPC or other ministries.
Tort law (which is incorporated in Chapter 5, Part 1 of the Civil Code)
Tort law in Japan provides that a person who has infringed any right of others or the legally protected interest of others shall be liable to compensate for any resulting damage (subject to an adequate causal relationship). In this connection, the Japanese Supreme Court has recognised, pursuant to article 13 of the Constitution of Japan, the right to privacy (the privacy rights) as the right of persons not to have their private life disclosed, exposed or invaded without a legitimate reason. Therefore, a business operator (that is, any individual or legal entity handling a personal information database, regardless of the size of the business or the volume of personal data) is advised not to infringe the privacy rights of data subjects when collecting and handling private information in the course of its investigations, in addition to complying with the data protection requirements laid down by, inter alia, the APPI and the relevant regulations and guidelines cited above.
Amendments to the APPI
A law was passed in June 2020 to amend the APPI. The amendments will come into force on 1 April 2022. This chapter is entirely based on the amended APPI to enable readers to get ready for the new data protection regime which will apply from that date.
Aspects of those laws that have specific relevance to cross-border investigations
If a business operator (that is, any individual or legal entity handling a personal information database, regardless of the size of the business or the volume of personal data) located in Japan seeks to transfer (or receive) personal data to (or from) third parties in another country, it should heed the new obligations applicable to cross-border transfers (ie, the recipient's obligations regarding the collection of personal information, confirmation of certain statutorily designated items and record-keeping). Should the business operator be located outside Japan and seek to collect or handle personal information regarding individuals in Japan in connection with the provision of goods or services to such individuals, the APPI may also apply to the business operator on an extraterritorial basis.
2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?
Financial regulations
Financial regulations such as the Banking Act or the Insurance Business Act provide for specific obligations to be complied with by financial business operators relating to the collection and handling of personal data. In addition, such specific obligations applicable to the financial sector are also contained in the Comprehensive Guidelines for Supervision of Major Banks and the Comprehensive Guidelines for Supervision of Small to Medium or Local Banks (collectively, the Banking Guidelines).
Professional duties and duty of confidentiality
The Attorney Act, the Medical Practitioners' Act and certain other laws containing provisions on professional duties may impose secrecy obligations and prohibit the transfer of certain data that may otherwise be regarded as lawful under the APPI. Furthermore, business operators in certain sectors, such as the financial sector, owe a duty of confidentiality to their clients.
Tort law/labour laws (employee's privacy rights)
It is generally permissible for employers to investigate data saved in devices and equipment that employers provide to their employees for business use, because employers are deemed to own and control such data (and the devices and equipment). However, if such an investigation goes beyond what is fair and reasonable (in the light of current socially acceptable behaviour and standards, considering various factors such as the purpose of the investigation or the manner in which it is conducted), employers may infringe the employee's privacy rights and may be liable for damages under tort law or labour laws. Employers will not commit a tort or breach labour laws as long as (i) they have a legitimate reason to investigate and (ii) they limit the scope and the manner of the investigation to an extent that is fair and reasonable. For example, employers should consider defining the scope of any investigation of their employees' emails as narrowly as possible to mitigate the risk of infringing the employees' privacy rights (eg, by limiting the period during which the emails under investigation were exchanged).
Unfair Competition Prevention Act
Information to be investigated may include (i) a production method, sales method or any other technical or operational information useful for business activities that is controlled as a secret and is not publicly known (the trade secret), or (ii) technical or business data (excluding data that is treated as confidential) that is handled as part of a business as data to be provided to specific persons and is accumulated in substantial quantities by electronic, magnetic or other means that cannot be recognised by human perception (the data for limited provision and, together with the trade secret, the trade secrets, etc). Where such information was provided by the holder of the trade secrets, etc, it can be unlawful to disclose it for the purpose of making an illicit gain or harming the interests of the information holder (the illegal purpose disclosure).
The Guidelines on Data for Limited Provision issued by the Ministry of Economy, Trade and Industry make it clear that the disclosure of trade secrets, etc, for investigations conducted under laws and regulations will not be an illegal purpose disclosure. Hence, a disclosure of trade secrets, etc (limited to what is strictly necessary) to professionals, forensic accountants or consultants for the purpose of conducting an investigation may not be treated as an illegal purpose disclosure, because such disclosure would be made for a legitimate reason.
In addition to the above, there are sector-specific regulations, such as those governing the telecommunications sector or the medical care sector, that prohibit data sharing in the context of an investigation. For example, the Telecommunications Business Act prohibits telecommunications business operators from disclosing communications between the parties that should be kept secret, save in certain circumstances.
3. What constitutes personal data for the purposes of data protection laws?
Personal information and personal data
The APPI defines and uses two different concepts of information on individuals: “personal information” and “personal data”. To better understand the concept of personal data, it is necessary to distinguish the two.
For a brief overview of these concepts, see below.
Personal information:
- information relating to a living individual by which a specific individual is identified (including information that can be readily combined with other information so as to make the identification of a specific individual possible); and
- information relating to a living individual containing an individual identification code (ie, a passport number or driver's licence number).
Personal data:
- personal information that constitutes a "personal information database" (a collective body of information comprising personal information, systematically organised so that particular personal information can be retrieved).
The legal effects of handling "personal information" may differ from the legal effects of handling "personal data" under the APPI, as the definitions above illustrate. When you are handling personal information only (ie, without using personal information in a systematically organised way), you generally do not fall under the definition of "business operator" and you will not be subject to certain onerous obligations imposed on business operators by the APPI.
Examples of personal data are internal or external emails, email addresses, customer information and data extracted from business cards.
Personal information and personal data only relate to a living individual. However, please note that the Banking Guidelines also cover the customer information of legal entities, unincorporated partnerships, etc, as well as that of individuals.
4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?
The APPI does not use the "controller" or "processor" concepts. The obligations under the APPI generally apply to any business operator (that is, any individual or legal entity handling a personal information database, regardless of the size of the business or the volume of personal data), regardless of whether such business operator performs its business in a position equivalent to that of a "controller" or a "processor". When you are handling personal information only (ie, without using personal information in a systematically organised way), you generally do not fall under the definition of "business operator". However, if you are using a personal information database for your business, you will be classified as a business operator.
The main actions which trigger the application of obligations to business operators are listed below. Such obligations include the obligation to disclose the purpose of use of personal information (the purpose of use) prior to or upon its collection, and to limit the handling of such information to what is necessary to achieve the purpose of use (the scope of the purpose).
- handling (including any actions that do not fall under the definition of collection or transfer);
- transfer to third parties;
- entrustments; and
- cross-border transfer.
If foreign entities have offices in Japan, they will also fall under the business operator definition and will have obligations under the APPI if they are using personal data for business.
Extraterritorial application of the APPI
Activities conducted by foreign entities located in foreign countries without offices in Japan but trading in, or with, Japan are generally not covered by the APPI. However, all provisions of the APPI have extraterritorial application and are relevant if the foreign entity is collecting or handling personal information on individuals in Japan (regardless of the provenance of the personal information, ie, whether collected from data subjects or third parties) in connection with a supply of goods or services by the foreign entity. Accordingly, if the activities of the foreign entity conducted in the course of a cross-border investigation involve personal information collected in connection with a supply of goods or services by the foreign entity, the foreign entity must take measures to comply with the APPI.
5. What are the principal requirements under data protection laws that are relevant in the context of investigations?
Disclosure/notification of the purpose of use
The APPI requires business operators to either publicly announce (including on their website) or notify the data subjects of the purpose of use before or upon collection of the personal information, subject to exceptions (eg, when such notification or public announcement is likely to impede the rights or legitimate interests of the business operator (the collection requirement exceptions)).
Consent – generally not required
Consent of the data subjects is generally not required for the collection of personal information, but consent is required in the case of sensitive personal information (the categories of which are listed in the APPI and its sub-legislation), subject to certain exceptions including the common exceptions defined below.
Prohibition of inappropriate collection
Inappropriately obtaining personal information from a data subject or a third party is prohibited under the APPI (we refer to personal information so acquired as unlawful information). Personal data obtained in breach of the confirmation obligation of the recipient in the case of the receipt of personal data (see below) will be deemed unlawful information.
The handling of unlawful information may fall under the definition of inappropriate use of personal data (see below).
Keeping use of personal information within scope of purpose
The APPI requires business operators (i) to clarify the purpose of use and to make it as specific as possible, in a manner allowing data subjects to reasonably predict how their personal information will be handled; and (ii) not to use personal information beyond the scope of the purpose without obtaining the prior consent of the data subjects (we refer to such consent as the consent to use), subject to exceptions such as the following (these three exceptions are referred to as the common exceptions):
- when the handling of personal information is based on Japanese laws and regulations;
- when the handling of personal information is necessary for the protection of the life, body, or property of an individual or the property of a legal entity and it is difficult to obtain the consent of the data subjects; and
- when (i) the handling of personal information is necessary to cooperate with a Japanese state organisation, a Japanese local government, or an individual or an entity entrusted by them with the execution of affairs prescribed by laws and regulations; and (ii) obtaining the consent of the person is likely to impede the execution of the affairs concerned.
Prohibition of inappropriate use of personal data
A business operator must not use personal information through methods that can potentially facilitate or prompt any unlawful or unfair conduct under the APPI. This may include cases of handling unlawful information.
Transfer to third parties
The APPI prohibits business operators from transferring personal data to a third party (the transfer to third parties) without obtaining the prior consent of the data subjects (the consent to transfer), subject to certain exceptions such as:
- the common exceptions;
- when a business operator entrusts the handling of personal data in whole or in part within the scope of the purpose (entrustment or subcontracting); and
- when personal data is used jointly between a business operator and a third party, and the business operator meets prior notification requirements: the business operator must inform data subjects in advance of five statutory elements, or ensure that the data subjects can easily become aware of these statutory elements (joint use).
Obligations regarding entrustments
When a business operator provides personal data to an entrusted party as part of an entrustment, it must exercise necessary and appropriate supervision over the entrusted party to ensure the security control of the entrusted personal data.
Obligations regarding cross-border transfers
When a business operator transfers personal data to third parties in another country (the cross-border transfer), the business operator must (subject to certain exceptions – see below):
- obtain the data subject's consent to such transfer, including consent to the cross-border third-party transfer (the consent to cross-border transfer), in addition to the consent to transfer; and
- before obtaining consent to a cross-border transfer, provide the data subject with either (i) or (ii) below:
  - (i) the following information:
    - the name of the foreign country;
    - information on the personal information protection regime of the foreign country (such as whether the foreign country has implemented any data protection regulations, and other relevant information listed in the guidelines), obtained through reasonable and appropriate measures (eg, by reference to information publicly announced by Japanese or foreign authorities); and
    - information on whether the recipient takes sufficient measures in light of the eight basic principles described in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Part Two (Basic Principles of National Application) and, if the recipient does not take sufficient measures, details of how they are insufficient; or
  - (ii) the reasons why it is not able to provide the said information, and other relevant information listed in the guidelines.
The exceptions referred to above include:
- the common exceptions;
- when the third party is located in the EU (currently included as a white-listed area for cross-border transfers); and
- when appropriate measures (the appropriate measures for cross-border transfers) have been taken between the business operator in Japan and the third party abroad to ensure appropriate protection of the personal data within the third party's organisation (ie, by way of a data transfer agreement or binding corporate rules). When this exception applies, the business operator must:
  - confirm, through necessary and appropriate means, more than once a year (i) the status of the implementation of the said appropriate measures for cross-border transfers by the recipient and (ii) the details of the personal information protection regime of the foreign country which is likely to affect such implementation;
  - take necessary and appropriate actions if the implementation of the appropriate measures for cross-border transfers by the recipient becomes hindered and, if such implementation becomes difficult, suspend the cross-border transfer; and
  - upon a data subject's request, provide information on the appropriate measures for cross-border transfers (ie, the seven statutory items listed in the guidelines, subject to certain exceptions).
Record keeping obligation of transferor
In the case of transfer of personal data to third parties, the transferor must keep records of certain statutorily designated items (the transferor’s records) subject to certain exceptions including the common exceptions.
Confirmation and record keeping obligation of recipient
In the case of receipt of personal data from third parties, the recipient must confirm and keep records of certain statutorily designated items (eg, how the transferor obtained the personal data) (the recipient's records), subject to certain exceptions including the common exceptions. In particular, if the transferor obtained the personal data from another third party (the previous transferor) located in the EU on the basis of the European Commission's determination (the adequacy decision) that Japan offers an "adequate level of protection", the recipient needs to trace and check whether the previous transferor located in the EU obtained the personal data lawfully.
From an investigation perspective, the collection requirement exceptions and the common exceptions are likely to apply in many cases. Accordingly, business operators are advised to check whether these exceptions apply when it is difficult to take the necessary steps regarding the collection, handling and transfer of personal data described above, bearing in mind that the availability of a common exception for one data processing operation (eg, handling) does not necessarily mean it will be available for another (eg, transfer).
6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.
Data protection requirements relevant to a company carrying out an internal investigation
Relevant requirements include:
- obligations regarding collection;
- obligations regarding handling;
- obligations regarding transfer to third parties;
- obligations regarding entrustment;
- obligations regarding cross-border transfers;
- record keeping obligation of transferor; and
- confirmation and record-keeping obligation of recipient.
Data protection requirements relevant to a party assisting with an investigation
It is generally accepted that the transfer of personal data from a business operator carrying out an internal investigation to attorneys, certified public accountants, legal process outsourcing firms or other similar professions (the professionals) is permissible without the data subject's consent to transfer because the transfer of personal data to these professionals is deemed to be an entrustment. However, the consent to use and consent to cross-border transfer still need to be obtained unless statutory exceptions are available.
These professionals will themselves be business operators and therefore subject to the legal obligations under the APPI, ie, the obligations listed under 'Data protection requirements relevant to a company carrying out an internal investigation' above.
Furthermore, please note that when a business operator provides personal data to professionals as part of an entrustment, the business operator will be subject to additional obligations to exercise necessary and appropriate supervision over the professionals.
Attorneys have a statutory right, exercised through the bar association under article 23-2 of the Attorney Act, to request public offices or public or private organisations to provide information necessary in a case in which they have been retained (the attorney's inquiry). Attorneys may request information that could include personal data from business operators. From the point of view of a business operator that receives such a request from an attorney, providing the information could conflict with the rules governing the purpose of use and transfers to third parties. It should carefully review whether providing information containing personal data falls under the "based on Japanese laws and regulations" exception. Lower court decisions in Japan suggest that the supply of information containing personal data in response to such a request qualifies as "based on Japanese laws and regulations" only when the provision is necessary and reasonable.
From the standpoint of business operators collecting personal data from third parties for investigation purposes, the attorney's inquiry may be used as a means of collecting information for an investigation. However, for the above reasons, the request may be rejected by the third parties who receive it.