1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?

The following laws and regulations govern data privacy in Japan:

  • the Act on Protection of Personal Information (APPI);
  • the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedures (the 'My Number Act');
  • the Act on the Protection of Personal Information Held by Administrative Organs;
  • the Act on the Protection of Personal Information Held by Independent Administrative Agencies; and
  • local regulations on the protection of personal information issued by local governments.

The APPI is the principal data protection law, and sets out the basic principles for the government's regulatory policies and authority, as well as the obligations of private business operators that handle personal information ('handling operators').

The laws and regulations outlined in the third to fifth bullets above set out the obligations of the public sector in handling personal information.

The Personal Information Protection Commission (PPC) – the regulator primarily responsible for the APPI and the My Number Act – has published guidelines on the handling of personal information.

The amended APPI was enacted on 5 June 2020 and promulgated on 12 June 2020. It will become effective on 1 April 2022. However, the stricter statutory penalties have already become effective, and the transitional measures for providing personal data to third parties through opt-out will become effective on 1 October 2021.

Currently, the public sector is regulated not by the APPI but by separate regulation. Each local government also has its own regulations regarding data protection in the public sector. A bill implementing the amendments necessary to integrate these public data protection laws into the APPI is expected to become law in 2021. Those provisions of the bill applicable to the national government are expected to become effective at the same time as the amended APPI. Provisions applicable to local governments are expected to become effective in 2023.



1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?

Specific laws and guidelines apply in certain sectors or to specific types of data, as follows:

  • Finance:
    • the data protection guidelines for the financial sector jointly published by the PPC and the Financial Services Agency (FSA).
  • Healthcare:
    • the Act on Anonymous Medical Information for the Purpose of Contributing to Research and Development in the Medical Field; and
    • the data protection guidelines for the medical and nursing care sector jointly published by the PPC and the Ministry of Health, Labour and Welfare.
  • Telecommunications:
    • the Telecommunications Business Act; and
    • the data protection guidelines for the telecommunications business jointly published by the PPC and the Ministry of Internal Affairs and Communications.
  • Advertising:
    • the Act on the Regulation of Transmission of Specified Electronic Mail; and
    • the Act on Specified Commercial Transactions.
  • Genetic information:
    • the Data Protection Guidelines for Businesses Using Personal Genetic Information.


1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?

  • Asia-Pacific Economic Cooperation (APEC): Japan joined the APEC Cross-Border Privacy Rules system in April 2014.
  • European Union: The Japan-EU mutual adequacy decision was adopted in January 2019, to facilitate cross-border personal data transfers between Japan and the European Union.


1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?

The PPC is the regulator that is primarily responsible for enforcing the APPI and has the following powers:

  • The PPC may require a handling operator to report or submit materials regarding its handling of personal information, and may enter a handling operator's offices or other places to investigate, make inquiries and check records or other documents (Article 40 of the APPI);
  • The PPC may provide guidance or advice to a handling operator (Article 41 of the APPI);
  • The PPC may recommend that a handling operator cease any violation of the APPI and take other necessary measures to correct the violation (Article 42.1 of the APPI); and
  • The PPC may order a handling operator to take necessary measures to implement the PPC's recommendation mentioned above and to rectify certain violations of the APPI (Articles 42.2 and 42.3 of the APPI).

The PPC may delegate certain powers to other governmental agencies – for example, it has delegated to the FSA the power provided for in Article 40 with respect to the financial sector (Article 44 of the APPI).



1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?

Accredited personal information protection organisations (APIPOs) – organisations accredited by the PPC – work to ensure that personal information is processed appropriately in each sector, such as healthcare or insurance (Article 47 of the APPI). APIPOs are mainly responsible for:

  • establishing guidelines for each sector (Article 53.1 of the APPI);
  • providing guidance or recommendations to their members in accordance with the guidelines (Article 53.2 of the APPI); and
  • handling complaints from data subjects made to members of the organisation (Article 52 of the APPI).

As of 1 August 2020, the PPC had certified 39 organisations as APIPOs.

Further, the Japan Institute for Promotion of Digital Economy and Community (JIPDEC) – a non-profit organisation – operates the Privacy Mark system. JIPDEC undertakes the following activities:

  • It assesses business operators' frameworks and operations for the processing of personal information in a secure and appropriate manner;
  • It sets the Privacy Mark assessment criteria based on the Japan Industrial Standards (Personal Information Protection Management System ‒ Requirements (JIS Q 15001)), which provide for higher standards for the processing of personal information than the APPI; and
  • It permits business operators that meet these criteria to use the registered Privacy Mark logo in their business activities. By using the Privacy Mark, business operators can demonstrate to users and customers that they are processing personal information in a secure and appropriate manner.


2 Scope of application

2.1 Which entities are captured by the data privacy regime in your jurisdiction?

A handling operator is subject to the regulations set forth in the Act on Protection of Personal Information (APPI). Any business operator that uses a personal information database is deemed a handling operator.



2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?

The obligations set forth in the APPI do not apply to news media, writers, universities and other academic institutions, religious groups and political parties, to the extent that the processing of personal information is for the purposes of journalism, writing, academic research or religious or political activities (Article 76 of the APPI).



2.3 Does the data privacy regime have extra-territorial application?

Most of the provisions set forth in the APPI apply to entities outside Japan if they collect personal information directly from data subjects in connection with the provision of goods or services to individuals located in Japan (Article 75 of the APPI).

Under the amended APPI, all provisions of the APPI will apply to entities outside Japan if they collect personal information in connection with the provision of goods or services to individuals located in Japan (Article 75 of the APPI).



3 Definitions

3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.

(a) Data processing

The Act on Protection of Personal Information (APPI) includes no definition of 'data processing'. The APPI is broadly applicable to the collection, use, provision and other general processing of personal information.

(b) Data processor

The APPI includes no definition of 'data processor'. Any business operator that uses a personal information database is considered a handling operator and is therefore subject to the regulations set forth in the APPI.

(c) Data controller

The APPI includes no definition of 'data controller'. Any business operator that uses a personal information database is considered a handling operator and is therefore subject to the regulations set forth in the APPI.

(d) Data subject

The APPI defines a 'data subject' as a specific individual identified by personal information (Article 2.8 of the APPI).

(e) Personal data

The APPI includes three definitions relevant to the concept of personal data:

  • 'Personal information' is information about a living individual which:
    • can identify a specific individual, including information which can be readily collated with other information to identify a specific individual; or
    • contains an individual identification code (Article 2.1 of the APPI). An individual identification code is either a character, number, symbol or other code into which a bodily feature of a specific individual (ie, a biometric feature such as DNA, fingerprints, or facial or vocal features) has been converted by computer for use, and which can identify that individual; or a code which is assigned to services or goods provided to an individual, or is stated or electromagnetically recorded on a card or other document issued to an individual, so as to identify him or her as a specific user, purchaser or recipient of the issued document (Article 2.2 of the APPI). The types of individual identification code are listed in the cabinet order implementing the APPI and include driver's licence numbers, passport numbers and health insurance numbers.
  • 'Personal data' is personal information contained in a personal information database (Article 2.6).
  • A 'personal information database' is a collection of information (including personal information) that is systematically organised to enable a search for particular personal information using a computer or other methods. However, this term excludes a collection of information whose use by a handling operator is indicated by a cabinet order as having little possibility of harming an individual's rights and interests. Examples of collections of information that are excluded from this definition include a commercially available telephone directory or a car navigation system (Article 2.4 of the APPI).
  • 'Retained personal data' is personal data whose content a handling operator has the authority to disclose, correct, add to or delete, discontinue the use of, erase or discontinue provision to a third party, excluding personal data which must be deleted within six months and certain other limited types of personal data (Article 2.7). Once the amended APPI takes effect, this definition will be extended to include personal data which is scheduled to be deleted within six months.

(f) Sensitive personal data

The APPI defines 'sensitive personal data' as personal information relating to the data subject's race, creed, social status, medical history, criminal record, status as a victim of crime or other information whose handling, as prescribed by cabinet order, requires special care so as not to cause unfair discrimination, prejudice or other disadvantage to the data subject (Article 2.3 of the APPI).

The descriptions prescribed by cabinet order are as follows:

  • information on a data subject's physical disabilities, intellectual disabilities, mental disabilities (including developmental disabilities), or other physical and mental functional disabilities prescribed by the rules of the Personal Information Protection Commission (PPC);
  • the results of a medical check-up or other examination for the prevention and early detection of a disease conducted on a data subject by a medical doctor or other person engaged in duties relating to medicine;
  • guidance on how to improve mental or physical conditions, or medical care or prescriptions given to a data subject by a doctor based on the results of a medical check-up or due to disease, injury or other mental or physical changes;
  • the fact that an arrest, search, seizure, detention, institution of prosecution or other procedure relating to a criminal case has been carried out against a data subject as a suspect or defendant; or
  • the fact that an investigation, measure for observation and protection, hearing and decision, protective measure or other procedure relating to a juvenile protection case has been carried out against a data subject as a juvenile delinquent or a person suspected thereof under the Juvenile Act.

(g) Consent

The PPC Guidelines define 'consent' as the indication of the data subject's intention to consent to the processing of his or her personal information in the manner indicated by the handling operator.



3.2 What other key terms are relevant in the data privacy context in your jurisdiction?

The APPI defines 'anonymously processed information' as information obtained through processing personal information such that an ordinary person could not:

  • identify a specific data subject using the processed information; or
  • restore any personal information from the processed information (Article 2.9).

Unlike personal information, anonymously processed information is not subject to certain regulations under the APPI, such as the obligation to notify or publicly announce the purposes for which it is used. However, certain special regulations – such as the obligation to anonymise personal information in accordance with the PPC Ordinance and the prohibition against restoring personal information – do apply.

The PPC Guidelines define 'statistical information' as information obtained by extracting data concerning a common element from the personal information of multiple persons and aggregating it into a common category. Statistical information is not personal information or anonymously processed information as long as it cannot be used to identify specific individuals; thus, it is not subject to regulation under the APPI.

The amended APPI will introduce the concept of 'pseudonymised information' – that is, information that is processed so that it cannot be used to identify a specific individual without collation with other information. Unlike personal information, pseudonymised information is not subject to certain regulations under the APPI, such as restrictions on changing the purpose of use and the obligation to comply with a data subject's request to disclose or cease use.



4 Registration

4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?

The Act on Protection of Personal Information (APPI) does not require handling operators to register the processing of the personal information with the Personal Information Protection Commission (PPC).

A handling operator that provides personal data under the 'opt-out' system must submit a notification to the PPC. Under the APPI, in principle, a handling operator may not provide personal data to a third party without obtaining the prior consent of the data subject. However, the handling operator may provide personal data (excluding sensitive personal information) to a third party without obtaining the prior consent of the data subject if the following requirements are satisfied (Article 23.2 of the APPI):

  • It notifies the data subject of certain information or makes this information easily accessible to the data subject;
  • It submits a notification of certain information to the PPC; and
  • It agrees to stop providing personal data to the third party upon the data subject's opt-out request.

The amended APPI will strengthen the existing regulations on the opt-out system for data provision to third parties, require more information to be accessible to data subjects and prohibit the use of the opt-out system in certain cases.



4.2 What is the process for registration?

Under the opt-out system, the handling operator must submit a notification of the following information to the PPC (Article 23.2 of the APPI):

  • the fact that the provision of personal data to a third party is specified as one of the purposes of use;
  • the categories of personal data provided;
  • the means or methods of provision;
  • the fact that it will cease to provide personal data to any third party in response to the data subject's request; and
  • the means or method of receiving the data subject's request.

According to the PPC Ordinance and the PPC's website, a handling operator must fill out the prescribed notification form and mail the completed notification together with a CD-ROM containing the notification in electronic form.



4.3 Is registered information publicly accessible?

The PPC will publish the submitted notification on its website.



5 Data processing

5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?

In general, a handling operator is not required to establish a legal basis for processing personal information. However, where sensitive personal information is to be collected or processed, or where personal data is to be provided to a third party, the handling operator is, in principle, required to obtain the data subject's prior consent.



5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?

A handling operator is subject to the following regulations when processing personal information, which apply regardless of the type of personal information and whether the processing of the personal information is outsourced:

  • The handling operator must specify the purpose of use of the collected personal information to the extent possible (Article 15 of the Act on Protection of Personal Information (APPI)).
  • The handling operator must not use the personal information of a data subject beyond the scope necessary to achieve the specified purpose of use without the prior consent of the data subject, except in certain limited cases (Article 16).
  • The handling operator must not collect personal information by deceit or other improper means (Article 17).
  • The handling operator must publicly announce the purpose of use or, if the purpose of use is not publicly announced in advance, must notify the data subjects of the purpose of use promptly after collecting the personal information (Article 18.1). In addition, if the handling operator collects personal information in writing directly from the data subject (including through electronic means), it must expressly disclose the purpose of use, unless the personal information is urgently required to protect the life, body or property of an individual (Article 18.2).


5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?

The guidelines in specific sectors (eg, finance or healthcare) set by the Personal Information Protection Commission, the Financial Services Agency or the Ministry of Health, Labour and Welfare provide for higher standards for the processing of personal information than the APPI. A handling operator that processes personal information in such sectors must comply with the guidelines promulgated by the respective agency.

The Privacy Mark criteria set by the Japan Institute for Promotion of Digital Economy and Community also provide for higher standards for the processing of personal information than the APPI. Although the Privacy Mark criteria are not legally binding, a handling operator that uses the Privacy Mark must comply with such standards.



6 Data transfers

6.1 What requirements and restrictions apply to the transfer of data to third parties?

A handling operator cannot transfer personal data to a third party without the prior consent of the data subject, unless it meets the requirements of any of the exceptions provided by the Act on Protection of Personal Information (APPI) (Article 23), as outlined below.

Exceptions under Article 23.1: The provision of the personal data is required by law or regulation, or is necessary to protect the life, body or property of a person, and it is difficult to obtain the data subject's consent.

Opt-out: See question 4.

Outsourcing of data processing: If a handling operator outsources all or part of the processing of personal data to an individual or another entity, that individual or entity will not be considered a 'third party' within the context of Article 23 (Article 23.5(i)). For example, if the handling operator uses third-party vendors for its services, and shares personal data with those vendors for their use on its behalf and not for their own use, the transfer will be regarded as outsourcing and the restrictions on provision to a third party thus will not apply.

Where a handling operator outsources the processing of personal data, it must exercise the necessary and appropriate supervision of the outsourcing provider to ensure security control over the outsourced personal data (Article 22).

Business succession: A handling operator may provide personal data to a third party without the prior consent of the data subject if the provision of the personal data results from a business succession due to a merger or other legal reason (Article 23.5(ii)).

Joint use: A handling operator may share and jointly use personal data with specific individuals or entities if it notifies the data subject of the following information or makes this information easily accessible for the data subject (Article 23.5(iii)):

  • the fact that personal data will be used jointly with specific individuals or entities;
  • the personal data to be used jointly;
  • the identity of the joint users;
  • the purpose of the joint use; and
  • the name of the individual or entity responsible for managing the personal data.

Once these requirements have been complied with, the identified joint users will not be deemed 'third parties' within the context of Article 23, and the handling operator and the identified joint users may thus share and jointly use the specified items of personal data as if they were a single entity.



6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?

In principle, a handling operator must obtain the prior consent of the data subject in order to transfer that data subject's personal data to a third party located in a country other than Japan. This restriction also applies in the case of outsourcing, business succession and joint use, even though these are exceptions to the domestic third-party transfer restrictions.

The data subject's consent to an overseas data transfer is not necessary if:

  • the foreign country is designated by the Personal Information Protection Commission (PPC) as a country with a data protection regime with a level of protection equivalent to that of Japan (only member countries of the European Economic Area and the United Kingdom have been designated to date); and
  • the third-party recipient has a system of data protection that meets the standards prescribed by the PPC Ordinance – that is, either:
    • it provides assurance, through appropriate and reasonable methods, that it will treat the disclosed personal data in accordance with the spirit of the requirements for processing personal data under the APPI. Under the PPC Guidelines, 'appropriate and reasonable methods' include agreements between the data importer and the data exporter, or inter-group privacy rules, which ensure that the data importer will treat the disclosed personal data in accordance with the spirit of the APPI; or
    • it has been certified under an international arrangement, recognised by the PPC, regarding its personal data processing system. The PPC Guidelines have identified the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules as a recognised international framework on the handling of personal information.

The amended APPI will strengthen the existing regulations on data transfers to third parties outside Japan, including through a requirement to provide certain information to data subjects. For instance, in the case of a transfer of personal data based on the data subject's consent, the data transferor must provide the data subject with relevant information, such as details of the data protection system in the foreign country to which the personal data is to be transferred and the data protection measures of the overseas recipient.



6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?

The guidelines in specific sectors (eg, finance and healthcare) set out by the PPC, the Financial Services Agency and the Ministry of Health, Labour and Welfare provide for higher standards for the transfer of personal data to third parties than the APPI. A handling operator that processes personal information in such sectors must comply with those guidelines.

In addition, the Privacy Mark criteria set out by the Japan Institute for Promotion of Digital Economy and Community also provide for higher standards for the transfer of personal data to third parties than the APPI. Although the Privacy Mark criteria are not legally binding, a handling operator that uses the Privacy Mark must comply with them.



7 Rights of data subjects

7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?

Disclosure: Data subjects may request a handling operator to disclose retained personal data which can identify them. The handling operator must comply with this request, unless:

  • it is possible that disclosure could harm the life, body, property or other rights and interests of the data subject or a third party;
  • it is possible that the disclosure could seriously interfere with the handling operator's business; or
  • the disclosure would violate other laws or regulations (Article 28).

The amended APPI will introduce new provisions on the disclosure of retained personal data. The current APPI does not expressly allow data subjects to demand the disclosure of retained personal data by electronic means. The amended APPI, however, will allow data subjects to require that their retained personal data be disclosed to them electronically.

Correction: Data subjects may also request a handling operator to correct, add to or delete retained personal data which can identify them where such data is incorrect. The handling operator must investigate without delay and, based on the results of the investigation, must comply with the request to the extent necessary to achieve the purposes of use of the retained personal data (Article 29).

Cessation of use: Further, data subjects may request a handling operator to cease the use of or delete retained personal data, and stop providing retained personal data to third parties, if such data is processed or obtained in violation of the Act on Protection of Personal Information (APPI). The handling operator must comply with any such request if there are reasonable grounds for such request. However, this obligation will not apply if:

  • it would be too costly or difficult to cease the use of or delete the retained personal data; and
  • the handling operator takes the necessary alternative measures to protect the rights and interests of the data subject (Article 30).

The amended APPI will expand the scope of data subjects' rights for cessation of use by allowing data subjects to exercise this right where their legitimate interests are likely to be infringed because of the data processing of business operators (eg, where business operators no longer need to use the personal data).



7.2 How can data subjects seek to exercise their rights in your jurisdiction?

Data subjects may exercise their rights by submitting a request directly to the handling operator.

The handling operator may establish the procedure for the exercise of data subjects' rights in accordance with the cabinet order. In such case, the data subjects must exercise their rights in accordance with the procedure established by the handling operator.



7.3 What remedies are available to data subjects in case of breach of their rights?

A data subject may file a lawsuit against the handling operator in order to enforce its compliance with a request if:

  • two weeks have elapsed without response since the data subject submitted the request to the handling operator; or
  • the handling operator rejects the data subject's request.


8 Compliance

8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?

Under the Act on Protection of Personal Information (APPI), there is no legal obligation to appoint a data protection officer.

However, the APPI requires that a handling operator take necessary and appropriate measures to ensure the security of the personal data it processes, including preventing it from being leaked, lost or damaged (Article 20). Further, the Personal Information Protection Commission (PPC) Guidelines state that the appointment of a person who is responsible for supervising the processing of personal data is an appropriate example of a 'necessary and appropriate measure', and it is common in practice to appoint a data protection officer.

Therefore, failure to appoint a data protection officer will not in itself result in a violation of the APPI. However, in determining whether the obligation under Article 20 has been fulfilled, the appointment of such a person could be considered a factor in favour of the handling operator.



8.2 What qualifications or other criteria must the data protection officer meet?

Neither the APPI nor the PPC Guidelines require that a data protection officer have specific qualifications or meet any other requirements.



8.3 What are the key responsibilities of the data protection officer?

Neither the APPI nor the PPC Guidelines specify any responsibilities applicable to a data protection officer. In general, the data protection officer must verify that personal data is processed in accordance with the company's internal rules.



8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?

The PPC has not issued any opinion regarding this issue. However, in practice, the data protection officer is typically an employee or director of the company. In practice, the outsourcing of this role is very rare in Japan.



8.5 What record-keeping and documentation requirements apply in the data privacy context?

The APPI requires a handling operator to create and maintain records on the provision of personal data to third parties and any receipt of personal data from third parties. The handling operator must create and keep a record of:

  • the categories of personal data that it has provided or received;
  • the date of provision or receipt;
  • the third party's name; and
  • certain other matters specified by the PPC Ordinance.

Unlike the General Data Protection Regulation, this record-keeping obligation applies only at the time of provision or receipt of the personal data.



8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?

The Privacy Mark criteria set by the Japan Institute for Promotion of Digital Economy and Community provide for higher standards for the processing of personal data than the APPI. A handling operator that uses the Privacy Mark must comply with those standards.



9 Data security and data breaches

9.1 What obligations apply to data controllers and processors to preserve the security of personal data?

A handling operator must take all necessary and appropriate measures to ensure the security of the personal data it processes, including ensuring that such data is not leaked, lost or damaged (Article 20). The Personal Information Protection Commission (PPC) Guidelines provide examples of such measures, which include:

  • organisational security measures, including the implementation of an organisational system (eg, establishing internal rules for the processing of personal data, and appointing someone with responsibility for supervising the processing of personal data);
  • HR security measures, including education of employees;
  • physical security measures, including controlling the areas where personal data is processed, such as servers and offices; and
  • technical security measures, including controlling access to personal data.

A handling operator must also exercise necessary and appropriate supervision over those employees who process personal data, to further ensure its security (Article 21).

Further, if the handling operator outsources all or part of the processing of personal data, it must exercise necessary and appropriate supervision of the outsourcing provider, to further ensure the security of the outsourced personal data (Article 22). The PPC Guidelines outline the relevant measures in this regard, which include:

  • selecting an appropriate outsourcing provider;
  • entering into an agreement with the outsourcing provider regarding the outsourcing of personal data; and
  • having visibility on and supervising the processing of personal data by the outsourcing provider.


9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

The Act on Protection of Personal Information (APPI) does not include specific and explicit mandatory obligations regarding reporting to the PPC in case of a data breach.

However, the PPC Guidelines state that, as a general rule, the handling operator must make an effort to promptly report to the PPC in the following cases:

  • where personal data retained by the handling operator is leaked, lost or damaged;
  • where the handling operator's method of processing anonymously processed information that it retains is leaked; or
  • where either of the above may have occurred.

With respect to the content and procedure of the report, the handling operator must report to the PPC information such as the following through a reporting form available on the PPC's website:

  • an overview of the data breach;
  • the number of affected data subjects; and
  • details of the handling operator's recurrence prevention measures.

With respect to the reporting timeline, the PPC Guidelines merely stipulate that "an effort must be made to promptly report to the PPC" and do not specify an exact timeframe.



9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

The APPI does not provide specific and explicit mandatory obligations regarding the notification of affected data subjects in case of a data breach.

However, the PPC Guidelines state that, as a general rule, the handling operator must make efforts to promptly notify affected data subjects or make information on the breach easily accessible to affected data subjects (eg, by posting notification on a website accessible by the data subjects) in any of the following cases:

  • where personal data retained by the handling operator is leaked, lost or damaged;
  • where the handling operator's method of processing anonymously processed information that it retains is leaked; or
  • where either of the above may have occurred.

The PPC Guidelines do not specify the content and procedure for such notification.

With respect to the notification timeline, the PPC Guidelines merely stipulate that it should be made "promptly" and do not specify an exact timeframe.



9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?

Although the APPI does not impose specific and explicit mandatory obligations regarding reporting to the PPC or notification of affected data subjects in case of a data breach, in practice, handling operators typically report to the PPC and notify the affected data subjects if a significant data breach occurs.

The amended APPI will introduce mandatory obligations to report data breach incidents to the PPC and to notify the affected data subjects if their rights and interests are likely to be infringed.



10 Employment issues

10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?

Employers must process the personal information of their employees in accordance with the Act on Protection of Personal Information (APPI).

In addition, employers must comply not only with the APPI, but also with the Industrial Safety and Health Act and the guidelines issued by the Personal Information Protection Commission (PPC) and the Ministry of Health, Labour and Welfare with regard to personal information relating to the physical and mental condition of employees. For example, the following regulations apply to an employer's processing of personal information about employees' physical and mental conditions:

  • The employer must collect and process an employee's health information only to the extent necessary to ensure the employee's health;
  • The employer must prepare internal rules for processing employees' health information in accordance with the guidelines; and
  • The employer may not treat its employees adversely (eg, by dismissing them) if they do not consent to the processing of their health information or because of the content of their health information.


10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?

An employer may conduct surveillance or monitoring of its employees (eg, through cameras or email reviews). However, the employer must comply with the regulations prescribed by the APPI and take care not to infringe employees' privacy when carrying out surveillance or monitoring activities.

The PPC Guidelines recommend that employers do the following in connection with the monitoring of employees:

  • Specify the purpose of the monitoring;
  • Designate a person who is responsible for monitoring and establish his or her authority; and
  • Establish internal rules covering monitoring, ensure that they are disseminated to employees and periodically review them to ensure that monitoring is conducted properly in accordance with the rules.


10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?

The Privacy Mark criteria set out by the Japan Institute for Promotion of Digital Economy and Community provide for higher standards for personal data processing than the APPI. A handling operator that uses the Privacy Mark must comply with such standards.



11 Online issues

11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?

The use of cookies is not directly regulated under the Act on Protection of Personal Information (APPI). Cookies by themselves do not fall under the definition of 'personal information' and therefore are not subject to regulation under the APPI. However, if cookies can be readily collated with other personal information, they will constitute personal information and will be subject to the regulation of the APPI.

Under the current APPI, whether data is personal data, and whether the regulations on the transfer of personal data to third parties apply, is assessed on the basis of the circumstances of the transferor, not the transferee. In brief, if the data is not personal data in the hands of the transferor, the regulations regarding the provision of personal data to third parties do not apply.

In recent years, some schemes have emerged whereby data management platforms provide non-personal information such as user data collected by cookies (eg, browsing histories; user interests and preferences) to third parties, knowing that the data will become personal data in the hands of the recipient. The Personal Information Protection Commission (PPC) is concerned that this kind of data sharing takes place without the involvement of data subjects.

The amended APPI therefore introduces the concept of 'individual-related information', defined as information relating to a living individual which does not fall under the definition of 'personal information', 'pseudonymously processed information' or 'anonymously processed information'. A collective set of individual-related information which has been systematically organised so that specific individual-related information can be searched using a computer, or which is otherwise prescribed by cabinet order as systematically organised to facilitate such searches, constitutes an 'individual-related information database'. The amended APPI will regulate the provision of individual-related information by a business operator that handles such a database where the provider anticipates that the recipient will acquire the individual-related information as personal data. In this case, the transferor must confirm that the transferee has obtained the consent of the data subjects to the receipt of their data as personal data.



11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?

The PPC Guidelines state that the use of cloud computing services to store personal data does not constitute the provision of personal data or the outsourcing of the processing of personal data to third parties, as long as it is ensured – by contract or otherwise – that the service provider is properly restricted from accessing personal data stored on the servers. In this case, the handling operator is not required to exercise necessary and appropriate supervision over the service provider, as set out in Article 22 of the APPI; however, it is required to take necessary and appropriate measures to ensure the security of personal data stored on servers in accordance with Article 20 of the APPI.

In the absence of access restrictions, the use of cloud computing services to store personal data could constitute the provision of personal data or the outsourcing of the processing of personal data to third parties, and could thus be subject to the applicable regulations.



11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?

The Japan Interactive Advertising Association has published guidelines on behavioural advertising. The guidelines require a business operator to notify data subjects or make it easy for them to learn of the fact that it collects cookies or other tracking technology, the purposes thereof and other information. Although the guidelines are not legally binding, a handling operator that collects or uses cookies or other tracking technology should comply with them.



12 Disputes

12.1 In which forums are data privacy disputes typically heard in your jurisdiction?

A data subject may file a lawsuit against a business operator claiming compensation for damages or distress caused by the processing of his or her data. Any such case is heard by the district court.

Further, a handling operator may file a lawsuit against the Personal Information Protection Commission (PPC) seeking the revocation of an administrative order issued by the PPC. Any such case is also heard by the district court.



12.2 What issues do such disputes typically involve? How are they typically resolved?

In general, a data subject can seek damages from a handling operator on the basis that his or her right of privacy has been infringed. In such case, the typical issues at stake are:

  • whether the data in question is subject to legal protection on the basis that it is private;
  • whether the business operator has infringed a right of privacy; and
  • whether the data subject has incurred damages.

A breach of the Act on Protection of Personal Information does not necessarily constitute an infringement of privacy.

Damages that may be awarded to a data subject are usually based on compensation for 'mental damages' (ie, consolation money), because data subjects do not typically incur concrete economic damages. In past judicial precedents, damages awards have generally ranged from several thousand to several tens of thousands of Japanese yen per individual.



12.3 Have there been any recent cases of note?

In 2014, the unauthorised removal of personal information affecting 48,580,000 individuals occurred at Benesse Corporation, one of the largest private distance-learning companies for children in Japan. Multiple lawsuits were filed by affected data subjects seeking damages on the grounds that Benesse had deficiencies in its information security management. Some of these lawsuits were commenced by groups consisting of numerous plaintiffs. The cases are still pending. In addition, a shareholder representative lawsuit was filed to hold the officers of Benesse liable, but this case was dismissed.



13 Trends and predictions

13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The Act on Protection of Personal Information (APPI) was partially amended on June 5, 2020, and the amended APPI will take effect on April 1, 2022. The amended APPI provides for the following, among other things:

  • the introduction of the concept of 'pseudonymised information';
  • expanded rights of data subjects;
  • the introduction of mandatory obligations to report data breach incidents to the Personal Information Protection Commission and to notify affected data subjects; and
  • stronger regulations on the provision of data to third parties by using the opt-out system and data transfers to third parties outside Japan.

A bill implementing the amendments necessary to integrate the public-sector data protection laws (those applicable to administrative organs, independent administrative agencies and local governments) into the APPI is expected to become law in 2021. Those provisions of the bill applicable to the national government are expected to become effective at the same time as the amended APPI. Provisions applicable to local governments are expected to become effective in 2023.



14 Tips and traps

14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?

As a result of the General Data Protection Regulation, Japanese citizens and businesses are increasingly concerned about the protection and proper use of personal information. The amended Act on Protection of Personal Information (APPI) will take effect in 2022, and business operators should pay attention to developments regarding the APPI and data protection legislation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.