1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data?
The laws and regulations in Japan regulating the collection and processing of Personal Data (defined in question 3) are as follows:
Laws and local regulations
- Act on the Protection of Personal Information (the APPI);
- Act on the Protection of Personal Information Held by Administrative Organs;
- Act on the Protection of Personal Information Held by Independent Administrative Agencies; and
- Local regulations (jourei) adopted by local governments.
Guidelines (the Guidelines)
- Guidelines on the principles of the APPI issued by the Personal Information Protection Committee (the PPC) (the Principle Guidelines);
- Guidelines on the protection of Personal Information in the financial sector issued by the PPC and the Financial Service Agency;
- Guidance on the protection of Personal Information in the medical sector issued by the PPC and the Ministry of Health, Labour and Welfare (the MHLW);
- Guidelines on the protection of personal information in the labour management sector issued by the MHLW; and
- Other guidelines issued by other ministries.
Tort law (which is incorporated in Chapter 5, Part 1 of the Civil Code)
Tort law in Japan provides that a person who has infringed any right of others or the legally protected interest of others shall be liable to compensate for any resulting damage (subject to an adequate causal relationship). In this connection, the Japanese Supreme Court has recognised, pursuant to article 13 of the Constitution of Japan, the right to privacy (the privacy rights) as the right of persons not to have their private life disclosed, exposed or invaded without a legitimate reason. Therefore, business operators are advised not to infringe the privacy rights of data subjects when collecting and handling information containing private information in the course of their investigations, in addition to complying with data protection requirements, laid down by, inter alia, the APPI and the relevant regulations and guidelines cited above. A business operator is any entity handling a personal data database regardless of the size of the business or volume of personal data. See question 3 for a definition.
Amendments to the APPI
On 5 June 2020, the House of Councillors of Japan passed a bill to amend the APPI. The amendments (the amendments) are part of the triennial statutory review process provided for under the APPI, which gives the legislator the opportunity to keep up with the rapid pace of innovation and technical change, and to deal with the effects of the continuous expansion of the digital world and the ever-increasing volume of data handled by business operators. The amendments will come into force on a date yet to be determined but due to fall not later than 12 June 2022. This time frame – summarised below – is intended to give business operators enough time to prepare.
- Announcement of policies for administrative orders, rules, guidelines and FAQs;
- Public comments on administrative rules and orders;
- Announcement of administrative rules and orders;
- Announcement of guidelines and FAQs; and
- Entry into force of the amendments (part of the amendments will come into force earlier).
This chapter includes a brief summary of the amendments in each relevant subsection.
2. What other laws and regulations may prevent data sharing in the context of an investigation?
Financial regulations such as the Banking Act or the Insurance Business Act provide for specific obligations to be complied with by financial business operators relating to the collection and handling of personal data. In addition, such specific obligations applicable to the financial sector are also contained in the Comprehensive Guidelines for Supervision of Major Banks and the Comprehensive Guidelines for Supervision of Small to Medium or Local Banks (collectively, the Banking Guidelines).
Professional duties and duty of confidentiality
The Attorney Act, Medical Practitioners' Act or certain other laws including provisions on professional duties may provide secrecy obligations and prohibit the transfer of certain data that may otherwise be regarded as lawful under the APPI. Furthermore, business operators in certain sectors such as the financial sector owe a duty of confidentiality to their clients.
Tort law (employee's privacy rights)
It is generally permissible for employers to investigate data saved on devices and equipment that employers provide to their employees for business use, because employers are deemed to own and control such data (and the devices and equipment). However, if such an investigation goes beyond what is fair and reasonable (in the light of current socially acceptable behaviour and standards, considering various factors such as the purpose of the investigation or the manner in which it is conducted), employers may infringe the employee's privacy rights and may be liable for damages under tort law or labour laws. Employers will not commit a tort or break labour laws as long as (i) they have a legitimate reason to investigate and (ii) they limit the scope and the manner of the investigation to an extent that is fair and reasonable. For example, employers should consider specifying the scope of an investigation of their employees' emails as narrowly as possible to mitigate the risk of infringing the employee's privacy rights (eg, by limiting the period of email exchanges on which the investigation focuses).
Unfair Competition Prevention Act
See question 15.
In addition to the above, there are sector-specific regulations which provide for a prohibition of data sharing in the context of an investigation, such as the telecommunications sector or the medical care sector. For example, the Telecommunications Business Act prohibits telecommunications business operators from disclosing communications between the parties that should be kept secret, save in certain circumstances.
3. What can constitute personal data for the purposes of data protection laws?
Personal information and personal data
The APPI defines two different concepts: “personal information” and “personal data”. To better understand the concept of personal data, it is necessary to distinguish the two.
For a brief overview of these concepts, see below.
Personal information
- (i) Information relating to a living individual by which a specific individual is identified (including information that can be readily combined with other information to make the identification of a specific individual possible); and
- (ii) Information relating to a living individual containing an individual identification code (ie, passport number, driver's licence number).
Personal data
- Personal information that constitutes a "personal information database" (a collective body of information comprising personal information systematically organised so that particular personal information can be retrieved).
When you are handling personal information only (ie, without using personal information in a systematically organised way), generally, you do not fall under the definition of "business operator". In this case, obligations on business operators such as the obligation to disclose the purpose of use of personal information (the purpose of use) prior to or upon its collection, and to limit the use of such information within the scope necessary to achieve the purpose of use (the scope of purpose) will not be applicable.
However, if you are using a personal information database for your business, the business entity will be classified as a business operator and various obligations will apply under the APPI.
Examples of personal data are internal or external emails, email addresses, customer information and data extracted from business cards.
4. Does personal data protection relate only to natural persons or also legal persons?
Personal information and personal data only relate to a living individual. However, please note that the Banking Guidelines also cover the customer information of legal entities, unincorporated partnerships, etc, as well as that of individuals.
5. To whom do data protection laws apply?
The APPI does not use the "controller" or "processor" concepts. The obligations under the APPI generally apply to any business operator which is using personal data for its business, regardless of whether such business operator is performing its business in a position equivalent to that of a "controller" or a "processor".
If foreign entities have offices in Japan, they will also fall under the business operator definition and will have obligations under the APPI if they are using personal data for business.
Activities conducted by foreign entities located in foreign countries without offices in Japan but trading in, or with, Japan are generally not covered by the APPI. However, certain provisions of the APPI have extraterritorial application and are relevant if the foreign entity is collecting personal information on individuals in Japan in connection with a supply of goods or services. Accordingly, such foreign entities must take measures to comply with those provisions of the APPI.
6. What acts or operations on personal data are regulated by data protection laws?
The APPI very broadly regulates acts and operations. Below is a list of key acts and operations covered by the APPI:
- handling (a very wide concept covering most acts regarding personal data and fairly similar to processing under the EU GDPR);
- update and deletion;
- transfer to third parties (domestic or overseas);
- receipt from third parties; and
- disclosure to data subjects, and rectification, deletion and discontinuation of use upon request of data subjects.
7. What are the principal obligations on data controllers to ensure the proper processing of personal data?
We describe the obligations imposed on business operators below, since the APPI does not use the "controller" concept (see question 5).
The APPI requires business operators to either publicly announce (including on their website) or notify the data subjects of the purpose of use before or upon collection of the personal information, subject to exceptions (eg, when such notification or public announcement is likely to impede the rights or legitimate interests of the business operator (the collection requirement exception)). Consent of the data subjects is not required generally, but consent is required in the case of sensitive personal data, the categories of which are listed in the APPI and its sub-legislation.
The APPI requires business operators to clarify the purpose of use, to make it as specific as possible, and not to use personal information beyond the scope of the purpose without obtaining the prior consent of the data subjects (we refer to such consent as the consent to use), subject to exceptions such as the following (these three exceptions are referred to as the common exceptions):
- when the handling of personal information is based on laws and regulations;
- when the handling of personal information is necessary for the protection of the life, body, or property of an individual or the property of a legal entity and it is difficult to obtain the consent of the data subjects; and
- when (i) the handling of personal information is necessary to cooperate with a Japanese state organisation, a Japanese local government, or an individual or an entity entrusted by them with the execution of affairs prescribed by laws and regulations; and (ii) obtaining the consent of the person is likely to impede the execution of the affairs concerned.
Transfer to third parties
The APPI prohibits business operators from transferring personal data to a third party (the transfer to third parties) without obtaining the prior consent of the data subjects (the consent to transfer), subject to certain exceptions such as:
- the common exceptions (see above);
- when a business operator entrusts the handling of personal data in whole or in part within the scope of purpose (entrustment/subcontracting); and
- when personal data is used jointly between a business operator and a third party, and the business operator meets prior notification requirements: the business operator must inform data subjects in advance of five statutory elements, or ensure that the data subjects can easily become aware of these statutory elements (joint use).
Obligations regarding entrustments
When a business operator provides personal data to an entrusted party as part of an entrustment, it must exercise necessary and appropriate supervision over the entrusted party to ensure the security control of the entrusted personal data.
When a business operator transfers personal data to a third party in another country (the cross-border transfer), the data subjects' consent to the cross-border third-party transfer (the consent to cross-border transfer) must be obtained in addition to the consent to transfer, subject to certain exceptions such as:
- the common exceptions;
- when the third party is located in the EU (currently a white-listed area for cross-border transfers); and
- when appropriate measures have been taken between the business operator in Japan and the third party abroad to ensure appropriate protection of the personal data in such third party’s organisation (ie, data transfer agreement or binding corporate rules).
In this regard, the amendments will introduce new obligations regarding cross-border transfers such as:
- cross-border transfers based on the consent of data subjects will require business operators (transferors) to provide data subjects with certain information (such as an overview of the personal information protection rules of the country in which the receiving party is located) before obtaining their consent; and
- business operators which rely on the third exception above (appropriate measures agreed between the business operator in Japan and the third party abroad) for their cross-border transfers will be required to provide data subjects, on request, with certain information regarding the manner in which the receiving party is handling personal information.
From an investigation perspective, the collection requirement exception and the common exceptions are likely to apply in many cases. Accordingly, business operators are advised to check whether these exceptions apply when it is difficult to take the necessary steps regarding the collection, handling and transfer of personal data described above, bearing in mind that the availability of a common exception for one data processing operation (eg, handling) does not necessarily mean it will be available for another data processing operation (eg, transfer).