1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?

The following laws and regulations govern data privacy in Japan:

  • the Act on Protection of Personal Information (APPI);
  • the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedures (the 'My Number Act').

The APPI is the principal data protection law, and the obligations of private business operators that handle personal information ('handling operators') are stipulated in APPI.

The Personal Information Protection Commission (PPC) – the regulator primarily responsible for the APPI and the My Number Act – has published guidelines on the handling of personal information.

The amended APPI was enacted in 2020, and it became effective from April 1, 2022.

In the past, the public sector was regulated not by the APPI but by separate regulation. Each local government also has its own regulations regarding data protection in the public sector. Amendments necessary to integrate these public data protection laws into the APPI became law in 2021. Those provisions of the amended law applicable to the national government became effective from April 1, 2022. Provisions applicable to local governments will become effective from April 1, 2023.

1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?

Specific laws and guidelines apply in certain sectors or to specific types of data, as follows:

  • Finance:
    • the data protection guidelines for the financial sector jointly published by the PPC and the Financial Services Agency (FSA).
  • Healthcare:
    • the Act on Anonymous Medical Information for the Purpose of Contributing to Research and Development in the Medical Field; and
    • the data protection guidelines for the medical and nursing care sector jointly published by the PPC and the Ministry of Health, Labour and Welfare.
  • Telecommunications:
    • the Telecommunications Business Act; and
    • the data protection guidelines for telecommunications business jointly published by the Ministry of Internal Affairs and Communications.
  • Advertising:
    • the Act on the Regulation of Transmission of Specified Electronic Mail; and
    • the Act on Specified Commercial Transactions.
  • Genetic information:
    • the Data Protection Guidelines for Businesses Using Personal Genetic Information.

1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?

  • Asia-Pacific Economic Cooperation (APEC): Japan joined the APEC Cross-Border Privacy Rules system in April 2014.
  • European Union: The Japan-EU mutual adequacy decision was adopted in January 2019, to facilitate cross-border personal data transfers between Japan and the European Union.

1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?

The PPC is the regulator that is primarily responsible for enforcing the APPI and has the following powers:

  • The PPC may require a handling operator to report or submit materials regarding its handling of personal information, and may enter a handling operator's offices or other places to investigate, make inquiries and check records or other documents (Article 143 of the APPI);
  • The PPC may provide guidance or advice to a handling operator (Article 144 of the APPI);
  • The PPC may recommend that a handling operator cease any violation of the APPI and take other necessary measures to correct the violation (Article 145 of the APPI); and
  • The PPC may order a handling operator to take necessary measures to implement the PPC's recommendation mentioned above and to rectify certain violations of the APPI (Article 145 of the APPI).

The PPC may delegate certain powers to other governmental agencies – for example, it has delegated to the FSA the power provided for in Article 143 with respect to the financial sector (Article 147 of the APPI).

1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?

Accredited personal information protection organisations (APIPOs) – organisations accredited by the PPC – work to ensure that personal information is processed appropriately in each sector, such as healthcare or insurance (Article 47 of the APPI). APIPOs are mainly responsible for:

  • establishing guidelines for each sector (Article 54.1 of the APPI);
  • providing guidance or recommendations to their members in accordance with the guidelines (Article 54.2 of the APPI); and
  • handling complaints from data subjects made to members of the organisation (Article 53 of the APPI).

Further, the Japan Institute for Promotion of Digital Economy and Community (JIPDEC) – a non-profit organisation – operates the Privacy Mark system. JIPDEC undertakes the following activities:

  • It assesses business operators' frameworks and operations for the processing of personal information in a secure and appropriate manner;
  • It sets the Privacy Mark assessment criteria based on the Japan Industrial Standards (Personal Information Protection Management System ‒ Requirements (JIS Q 15001)), which provide for higher standards for the processing of personal information than the APPI; and
  • It permits business operators that meet these criteria to use the registered Privacy Mark logo in their business activities. By using the Privacy Mark, business operators can demonstrate to users and customers that they are processing personal information in a secure and appropriate manner.

2 Scope of application

2.1 Which entities are captured by the data privacy regime in your jurisdiction?

A handling operator is subject to the regulations set forth in the Act on Protection of Personal Information (APPI). Any business operator that uses a personal information database is deemed a handling operator.

2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?

The obligations set forth in the APPI do not apply to news media, writers, religious groups and political parties, to the extent that the processing of personal information is for the purposes of journalism, writing, academic research or religious or political activities (Article 57 of the APPI). Before the amendments to the APPI, universities and other academic institutions were also included in the scope of the exemptions above. Now, academic institutions are exempted from some provisions of the APPI, but not from others.

2.3 Does the data privacy regime have extra-territorial application?

Most of the provisions set forth in the APPI apply to entities outside Japan if they collect personal information directly from data subjects in connection with the provision of goods or services to individuals located in Japan (Article 166 of the APPI).

Under the amended APPI, all provisions of the APPI will apply to entities outside Japan if they collect personal information in connection with the provision of goods or services to individuals located in Japan (Article 166 of the APPI).

3 Definitions

3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.

(a) Data processing

The Act on Protection of Personal Information (APPI) includes no definition of 'data processing'. The APPI is broadly applicable to the collection, use, provision and other general processing of personal information.

(b) Data processor

The APPI includes no definition of 'data processor'. Any business operator that uses a personal information database is considered a handling operator and is therefore subject to the regulations set forth in the APPI.

(c) Data controller

The APPI includes no definition of 'data controller'. Any business operator that uses a personal information database is considered a handling operator and is therefore subject to the regulations set forth in the APPI.

(d) Data subject

The APPI defines a 'data subject' as a specific individual identified by personal information (Article 2.4 of the APPI).

(e) Personal data

The APPI includes three definitions relevant to the concept of personal data:

  • 'Personal information' is information about a living individual which:
    • can identify a specific individual, including information which can be readily collated with other information to identify a specific individual; or
    • contains an individual identification code (Article 2.1 of the APPI) – that is, any character, number, symbol or other code into which a bodily feature of a specific individual (i.e., biometric features such as DNA, fingerprints, facial or vocal features) has been converted by computer for use and which can identify the specific individual; or which is assigned to services or goods provided to an individual or is stated or electromagnetically recorded on a card or other document issued to an individual, to identify him or her as a specific user, purchaser or recipient of the issued document (Article 2.2 of the APPI). The various types of individual identification codes are listed in the cabinet order to enforce the APPI and include driver's licence numbers, passport numbers and health insurance numbers.
  • 'Personal data' is personal information contained in a personal information database (Article 16.3).
  • A 'personal information database' is a collection of information (including personal information) that is systematically organised to enable a search for particular personal information using a computer or other methods. However, this term excludes a collection of information whose use by a handling operator is indicated by a cabinet order as having little possibility of harming an individual's rights and interests. Examples of collections of information that are excluded from this definition include a commercially available telephone directory or a car navigation system (Article 16.1 of the APPI).
  • 'Retained personal data' is personal data whose content a handling operator has the authority to disclose, correct, add to or delete, discontinue the use of, erase or discontinue provision to a third party (Article 16.4).

(f) Sensitive personal data

The APPI defines 'sensitive personal data' as personal information relating to the data subject's race, creed, social status, medical history, criminal record, status as a victim of crime or other information whose handling, as prescribed by cabinet order, requires special care so as not to cause unfair discrimination, prejudice or other disadvantage to the data subject (Article 2.3 of the APPI).

The descriptions prescribed by cabinet order are as follows:

  • information on a data subject's physical disabilities, intellectual disabilities, mental disabilities (including developmental disabilities), or other physical and mental functional disabilities prescribed by the rules of the Personal Information Protection Commission (PPC);
  • the results of a medical check-up or other examination for the prevention and early detection of a disease conducted on a data subject by a medical doctor or other person engaged in duties relating to medicine;
  • guidance on how to improve mental or physical conditions, or medical care or prescriptions given to a data subject by a doctor based on the results of a medical check-up or due to disease, injury or other mental or physical changes;
  • the fact that an arrest, search, seizure, detention, institution of prosecution or other procedure relating to a criminal case has been carried out against a data subject as a suspect or defendant; or
  • the fact that an investigation, measure for observation and protection, hearing and decision, protective measure or other procedure relating to a juvenile protection case has been carried out against a data subject as a juvenile delinquent or a person suspected thereof under the Juvenile Act.

(g) Consent

The PPC Guidelines define 'consent' as the indication of the data subject's intention to consent to the processing of his or her personal information in the manner indicated by the handling operator.

3.2 What other key terms are relevant in the data privacy context in your jurisdiction?

The APPI defines 'anonymously processed information' as information obtained through processing personal information such that an ordinary person could not:

  • identify a specific data subject using the processed information; or
  • restore any personal information from the processed information (Article 2.6).

Unlike personal information, anonymously processed information is not subject to certain regulations under the APPI, such as the obligation to notify or publicly announce the purposes for which it is used. However, certain special regulations – such as the obligation to anonymise personal information in accordance with the PPC Ordinance and the prohibition against restoring personal information – do apply.

The PPC Guidelines define 'statistical information' as information obtained by extracting data concerning a common element from the personal information of multiple persons and aggregating it into a common category. Statistical information is not personal information or anonymously processed information as long as it cannot be used to identify specific individuals; thus, it is not subject to regulation under the APPI.

The amended APPI introduced the concept of 'pseudonymised information' – that is, information that is processed so that it cannot be used to identify a specific individual without collation with other information (Article 2.5). Unlike personal information, pseudonymised information is not subject to certain regulations under the APPI, such as restrictions on changing the purpose of use and the obligation to comply with a data subject's request to disclose or cease use (Articles 41-42).

4 Registration

4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?

The Act on Protection of Personal Information (APPI) does not require handling operators to register the processing of the personal information with the Personal Information Protection Commission (PPC).

A handling operator that provides personal data under the 'opt-out' system must submit a notification to the PPC. Under the APPI, in principle, a handling operator may not provide personal data to a third party without obtaining the prior consent of the data subject. However, the handling operator may provide personal data (excluding sensitive personal information) to a third party without obtaining the prior consent of the data subject if the following requirements are satisfied (Article 27.2 of the APPI):

  • It notifies the data subject of certain information or makes this information easily accessible to the data subject;
  • It submits a notification of certain information to the PPC; and
  • It agrees to stop providing personal data to the third party upon the data subject's opt-out request.

The amended APPI strengthened the existing regulations on the opt-out system for data provision to third parties, requiring more information to be made accessible to data subjects and prohibiting the use of the opt-out system in certain cases.

4.2 What is the process for registration?

Under the opt-out system, the handling operator must submit a notification of the following information to the PPC (Article 27.2 of the APPI):

  • the name and address of the handling operator that provides the personal data to a third party and, in the case of a juridical person, the name of its representative officer;
  • the purpose of use of the information to be provided to a third party;
  • the categories of personal data to be provided to third parties;
  • the method of acquisition of the personal data provided to third parties;
  • the method of provision to third parties;
  • the fact that provision to a third party of personal data identifying a data subject will cease at the request of that data subject;
  • the method of accepting the data subject's request; and
  • other matters prescribed by the rules of the PPC as necessary to protect the rights and interests of data subjects.

According to the PPC Ordinance and the PPC's website, a handling operator must fill out the prescribed notification form and mail the completed notification together with a CD-ROM containing the notification in electronic form.

4.3 Is registered information publicly accessible?

The PPC will publish the submitted notification on its website.

5 Data processing

5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?

In general, a handling operator is not required to establish a legal basis for processing personal information. However, where sensitive personal information is to be collected or processed, or where personal data is to be provided to a third party, the handling operator is, in principle, required to obtain the data subject's prior consent.

5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?

A handling operator is subject to the following regulations when processing personal information, which apply regardless of the type of personal information and whether the processing of the personal information is outsourced:

  • The handling operator must specify the purpose of use of the collected personal information to the extent possible (Article 17 of the Act on Protection of Personal Information (APPI)).
  • The handling operator must not use the personal information of a data subject beyond the scope necessary to achieve the specified purpose of use without the prior consent of the data subject, except in certain limited cases (Article 18).
  • The handling operator must not collect personal information by deceit or other improper means (Article 20).
  • The handling operator must publicly announce the purpose of use or, if the purpose of use is not publicly announced in advance, must notify the data subjects of the purpose of use promptly after collecting the personal information (Article 21.1). In addition, if the handling operator collects personal information in writing directly from the data subject (including through electronic means), it must expressly disclose the purpose of use, unless the personal information is urgently required to protect the life, body or property of an individual (Article 21.2).
  • The handling operator shall not use personal information in a manner that may encourage or induce illegal or unjust acts (Article 19).

5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?

The guidelines in specific sectors (e.g., finance or healthcare) set by the Personal Information Protection Commission, the Financial Services Agency or the Ministry of Health, Labour and Welfare provide for higher standards for the processing of personal information than the APPI. A handling operator that processes personal information in such sectors must comply with the guidelines promulgated by the respective agency.

The Privacy Mark criteria set by the Japan Institute for Promotion of Digital Economy and Community also provide for higher standards for the processing of personal information than the APPI. Although the Privacy Mark criteria are not legally binding, a handling operator that uses the Privacy Mark must comply with such standards.

6 Data transfers

6.1 What requirements and restrictions apply to the transfer of data to third parties?

A handling operator cannot transfer personal data to a third party without the prior consent of the data subject, unless it meets the requirements of any of the exceptions provided by the Act on Protection of Personal Information (APPI) (Article 27), as outlined below.

Exceptions under Article 27.1: The provision of the personal data is required by law or regulation, or is necessary to protect the life, body or property of a person, and it is difficult to obtain the data subject's consent.

Opt-out: See question 4.

Outsourcing of data processing: If a handling operator outsources all or part of the processing of personal data to an individual or another entity, that individual or entity will not be considered a 'third party' within the context of Article 27 (Article 27.5(i)). For example, if the handling operator uses third-party vendors for its services, and shares personal data with those vendors for their use on its behalf and not for their own use, the transfer will be regarded as outsourcing and the restrictions on provision to a third party thus will not apply.

Where a handling operator outsources the processing of personal data, it must exercise the necessary and appropriate supervision of the outsourcing provider to ensure security control over the outsourced personal data (Article 25).

Business succession: A handling operator may provide personal data to a third party without the prior consent of the data subject if the provision of the personal data results from a business succession due to a merger or other legal reason (Article 27.5(ii)).

Joint use: A handling operator may share and jointly use personal data with specific individuals or entities if it notifies the data subject of the following information or makes this information easily accessible for the data subject (Article 27.5(iii)):

  • the fact that personal data will be used jointly with specific individuals or entities;
  • the personal data to be used jointly;
  • the identity of the joint users;
  • the purpose of the joint use; and
  • the name of the individual or entity responsible for managing the personal data, its address, and in the case of a juridical person, name of its representative officer.

Once these requirements have been complied with, the identified joint users will not be deemed 'third parties' within the context of Article 27, and the handling operator and the identified joint users may thus share and jointly use specific items of personal data as if they were a single entity.

In addition, the amended APPI introduced the concept of provision of personally referable information. For details, please refer to 11.1 below.

6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?

In principle, a handling operator must obtain the prior consent of the data subject in order to transfer its personal data to a third party located in a country other than Japan. This restriction also applies in the case of outsourcing, business succession and joint use, which are exceptions to the domestic third-party data transfer restrictions.

The data subject's consent to an overseas data transfer is not necessary if:

  • the foreign country is designated by the Personal Information Protection Commission (PPC) as a country with a data protection regime with a level of protection equivalent to that of Japan (only member countries of the European Economic Area and the United Kingdom have been designated to date); and
  • the third-party recipient has a system of data protection that meets the standards prescribed by the PPC Ordinance – that is, either:
    • it provides assurance, through appropriate and reasonable methods, that it will treat the disclosed personal data in accordance with the spirit of the requirements for processing personal data under the APPI. Under the PPC Guidelines, 'appropriate and reasonable methods' include agreements between the data importer and the data exporter, or inter-group privacy rules, which ensure that the data importer will treat the disclosed personal data in accordance with the spirit of the APPI; or
    • it has been certified under an international arrangement, recognised by the PPC, regarding its personal data processing system. The PPC Guidelines have identified the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules as a recognised international framework on the handling of personal information.

The amended APPI strengthened the existing regulations on data transfers to third parties outside Japan. In short, certain information, such as the personal information protection system of the data-importing country and the security measures taken by the data importer, must be provided to data subjects. If handling operators rely on the consent of data subjects as the legal ground for the cross-border transfer of personal data, such information must be provided to data subjects before obtaining their consent. If handling operators instead rely on the assurance of appropriate and reasonable methods to protect personal information, such information may be provided to data subjects upon their request. In addition, for cross-border transfers based on the assurance of appropriate and reasonable methods to protect personal information, the amended APPI requires handling operators to 'regularly monitor the establishment' of those methods by the data importer. The guidelines clarify that this means once a year or more.

6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?

The guidelines in specific sectors (e.g., finance and healthcare) set out by the PPC, the Financial Services Agency and the Ministry of Health, Labour and Welfare provide for higher standards for the transfer of personal data to third parties than the APPI. A handling operator that processes personal information in such sectors must comply with those guidelines.

In addition, the Privacy Mark criteria set out by the Japan Institute for Promotion of Digital Economy and Community also provide for higher standards for the transfer of personal data to third parties than the APPI. Although the Privacy Mark criteria are not legally binding, a handling operator that uses the Privacy Mark must comply with them.

7 Rights of data subjects

7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?

Disclosure: Data subjects may request a handling operator to disclose retained personal data which can identify them. The handling operator must comply with this request, unless:

  • it is possible that disclosure could harm the life, body, property or other rights and interests of the data subject or a third party;
  • it is possible that the disclosure could seriously interfere with the handling operator's business; or
  • the disclosure would violate other laws or regulations (Article 33).

The amended APPI introduced new provisions on the disclosure of retained personal data. In the past, the APPI did not expressly allow data subjects to demand the disclosure of retained personal data by electronic means. The amended APPI, however, allows data subjects to require that their retained personal data be disclosed to them electronically.

Correction: Data subjects may also request a handling operator to correct, add to or delete retained personal data which can identify them where such data is incorrect. The handling operator must investigate without delay and, based on the results of the investigation, must comply with the request to the extent necessary to achieve the purposes of use of the retained personal data (Article 34).

Cessation of use: Further, data subjects may request a handling operator to cease the use of or delete retained personal data, and stop providing retained personal data to third parties, if such data is processed or obtained in violation of the Act on Protection of Personal Information (APPI). The handling operator must comply with any such request if there are reasonable grounds for such request. However, this obligation will not apply if:

  • it would be too costly or difficult to cease the use of or delete the retained personal data; and
  • the handling operator takes the necessary alternative measures to protect the rights and interests of the data subject (Article 35).

The amended APPI expanded the scope of data subjects' rights for cessation of use by allowing data subjects to exercise this right where their legitimate interests are likely to be infringed because of the data processing of business operators (e.g., where business operators no longer need to use the personal data).

7.2 How can data subjects seek to exercise their rights in your jurisdiction?

Data subjects may exercise their rights by submitting a request directly to the handling operator.

The handling operator may establish the procedure for the exercise of data subjects' rights in accordance with the cabinet order. In such case, the data subjects must exercise their rights in accordance with the procedure established by the handling operator.

7.3 What remedies are available to data subjects in case of breach of their rights?

A data subject may file a lawsuit against the handling operator in order to enforce its compliance with a request if:

  • two weeks have elapsed without response since the data subject submitted the request to the handling operator; or
  • the handling operator rejects the data subject's request.

8 Compliance

8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?

Under the Act on Protection of Personal Information (APPI), there is no legal obligation to appoint a data protection officer.

However, the APPI requires that a handling operator take necessary and appropriate measures to ensure the security of the personal data it processes, including preventing it from being leaked, lost or damaged (Article 23). Further, the Personal Information Protection Commission (PPC) Guidelines state that the appointment of a person who is responsible for supervising the processing of personal data is an appropriate example of a 'necessary and appropriate measure', and it is common in practice to appoint a data protection officer.

Therefore, failure to appoint a data protection officer will not immediately result in a violation of the APPI. However, in determining whether the obligation under Article 23 has been fulfilled, the appointment of such person could be considered a factor in favour of the handling operator.

8.2 What qualifications or other criteria must the data protection officer meet?

Neither the APPI nor the PPC Guidelines require that a data protection officer have specific qualifications or meet any other requirements.

8.3 What are the key responsibilities of the data protection officer?

Neither the APPI nor the PPC Guidelines specify any responsibilities applicable to a data protection officer. In general, the data protection officer must verify that personal data is processed in accordance with the company's internal rules.

8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?

The PPC has not issued any opinion regarding this issue. However, in practice, the data protection officer is typically an employee or director of the company. In practice, the outsourcing of this role is very rare in Japan.

8.5 What record-keeping and documentation requirements apply in the data privacy context?

The APPI requires a handling operator to create and maintain records on the provision of personal data to third parties and any receipt of personal data from third parties. The handling operator must create and keep a record of:

  • the categories of personal data that it has provided or received;
  • the date of provision or receipt;
  • the third party's name; and
  • certain other matters specified by the PPC Ordinance.

Unlike the General Data Protection Regulation, which requires a general record of processing activities, this record-keeping obligation is triggered only by the provision of personal data to, or the receipt of personal data from, a third party.

8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?

The Privacy Mark criteria set by the Japan Institute for Promotion of Digital Economy and Community provide for higher standards for the processing of personal data than the APPI. A handling operator that uses the Privacy Mark must comply with such standards.

9 Data security and data breaches

9.1 What obligations apply to data controllers and processors to preserve the security of personal data?

A handling operator must take all necessary and appropriate measures to ensure the security of the personal data it processes, including ensuring that such data is not leaked, lost or damaged (Article 23). The Personal Information Protection Commission (PPC) Guidelines provide examples of such measures, which include:

  • organisational security measures, including the implementation of an organisational system (e.g., establishing internal rules for the processing of personal data, and appointing someone with responsibility for supervising the processing of personal data);
  • HR security measures, including education of employees;
  • physical security measures, including controlling access to the areas where personal data is processed, such as server rooms and offices; and
  • technical security measures, including controlling access to personal data.

A handling operator must also exercise necessary and appropriate supervision over those employees who process personal data, to further ensure its security (Article 24).

Further, if the handling operator outsources all or part of the processing of personal data, it must exercise necessary and appropriate supervision of the outsourcing provider, to further ensure the security of the outsourced personal data (Article 25). The PPC Guidelines outline the relevant measures in this regard, which include:

  • selecting an appropriate outsourcing provider;
  • entering into an agreement with the outsourcing provider regarding the outsourcing of personal data; and
  • having visibility on and supervising the processing of personal data by the outsourcing provider.

It is notable that the amended PPC Guidelines introduced a new security management measure: "understanding of the external environment". If a handling operator processes personal data in a foreign country, it must understand that country's legal system for the protection of personal information and, taking that system into account, take necessary and appropriate measures to ensure the security of the personal data.

The PPC's Q&As explain that "processing personal data in a foreign country" includes cases in which a foreign branch or business establishment, employees who telework outside Japan, a server located abroad, a processor or sub-processor, or a cloud service provider processes personal data outside Japan. The Guidelines require handling operators to make available to data subjects the names of the foreign countries in which personal data is processed, and it is also recommended to explain the personal information protection systems of those countries to data subjects.

9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

In the past, the submission of a data breach report to the PPC was merely a "duty to make an effort", and notifying data subjects was only a recommendation. Under the amended APPI, in the event of a data breach (leakage, loss or damage), or where a possible breach has been recognised, a handling operator is required to report the breach to the PPC (Article 26). The reporting obligation applies to breaches or potential breaches that:

  • involve sensitive personal information;
  • are likely to cause property damage;
  • are likely to have been committed for an improper purpose (e.g., a cyberattack); or
  • involve more than 1,000 data subjects.

There are two stages of reporting: a preliminary report and a final report.

The amended APPI requires a handling operator to submit a preliminary report promptly after recognising the occurrence of a potential data breach. The Guidelines clarify that, for a corporation, the preliminary report must in general be filed within approximately three to five days of the time at which the breach is recognised.

The final report must be submitted within 30 days of recognition of the data breach, or within 60 days for breaches likely to have been committed for an improper purpose, such as a cyberattack. According to the PPC's enforcement rules, the final report must contain nine items. The Guidelines clarify, however, that if certain items have not yet been identified by the deadline despite reasonable efforts, the handling operator may submit a final report containing only the items identified at that time and subsequently supplement the report as soon as the outstanding items are identified.

9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

Under the amended APPI, where the obligation to report to the PPC applies, the handling operator is in principle also obliged to notify the affected data subjects of the breach (Article 26(2)). Where notification of data subjects is required but difficult, the handling operator may instead take alternative measures necessary to protect the rights and interests of the individuals concerned (e.g., publishing the matter and setting up an enquiry desk).

Notification must be made promptly after the handling operator becomes aware of the breach, taking into account the circumstances of the individual case.

The matters to be notified, to the extent necessary to protect the rights and interests of the individuals concerned, are:

  • an outline of the incident;
  • the items of personal data affected;
  • the cause;
  • whether secondary damage has occurred or is threatened, and its details; and
  • other matters of reference.

9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?

In the event of a data breach, the Guidelines require a handling operator to:

  • report the data breach internally to an appropriate person in charge of the business and take measures to prevent the damage from spreading;
  • investigate the relevant facts and determine the causes;
  • identify the scope of the impact; and
  • examine and implement measures to prevent recurrence.

10 Employment issues

10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?

Employers must process the personal information of their employees in accordance with the Act on Protection of Personal Information (APPI).

In addition, employers must comply not only with the APPI, but also with the Industrial Safety and Health Act and the guidelines issued by the Personal Information Protection Commission (PPC) and the Ministry of Health, Labour and Welfare with regard to personal information relating to the physical and mental condition of employees. For example, the following regulations apply to an employer's processing of personal information about employees' physical and mental conditions:

  • The employer must collect and process an employee's health information only to the extent necessary to ensure the employee's health;
  • The employer must prepare internal rules for processing employees' health information in accordance with the guidelines; and
  • The employer may not treat its employees adversely (e.g., by dismissing them) if they do not consent to the processing of their health information or because of the content of their health information.

10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?

An employer may conduct surveillance or monitoring of its employees (e.g., through cameras or email reviews). However, the employer must comply with the regulations prescribed by the APPI and take care not to infringe employees' privacy when carrying out surveillance or monitoring activities.

The PPC Guidelines recommend that employers do the following in connection with the monitoring of employees:

  • Specify the purpose of the monitoring;
  • Designate a person who is responsible for monitoring and establish his or her authority; and
  • Establish internal rules covering monitoring, ensure that they are disseminated to employees and periodically review to ensure that monitoring is conducted properly in accordance with the rules.

10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?

The Privacy Mark criteria set out by the Japan Institute for Promotion of Digital Economy and Community provide for higher standards for personal data processing than the APPI. A handling operator that uses the Privacy Mark must comply with such standards.

11 Online issues

11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?

The use of cookies is not directly regulated under the Act on Protection of Personal Information (APPI). Cookies by themselves do not fall under the definition of 'personal information' and therefore are not subject to regulation under the APPI. However, if cookies can be readily collated with other personal information, they will constitute personal information and will be subject to the regulation of the APPI.

Under the current APPI, whether data constitutes personal data, and therefore whether the rules on transfers to third parties apply, is assessed from the standpoint of the transferor, not the transferee. In brief, if the data is not personal data in the hands of the transferor, the regulations on the transfer of personal data to third parties do not apply.

In recent years, schemes have emerged whereby data management platforms provide non-personal information, such as user data collected by cookies (e.g., browsing histories and user interests and preferences), to third parties in the knowledge that the data will become personal data in the hands of the recipient. The Personal Information Protection Commission (PPC) is concerned about this kind of data sharing taking place without the involvement of data subjects. The amended APPI therefore introduced the concept of 'personally referable information', defined as information relating to a living individual which does not fall under the definitions of 'personal information', 'pseudonymously processed information' or 'anonymously processed information'. The relevant rules apply to a business operator that handles a 'personally referable information database', i.e., a collective set of personally referable information that is systematically organised so that specific items can be searched using a computer, or that is otherwise prescribed by cabinet order as systematically organised to facilitate such searches.

The amended APPI regulates the provision of personally referable information where the provider anticipates that the recipient will acquire it as personal data. In that case, the transferor must confirm that the transferee has obtained the consent of the data subjects before providing the data.

It should also be noted that the revised Telecommunications Business Law enacted in 2022 (to be enforced from June 16, 2023) introduces restrictions on the use of certain cookies for those operating telecommunications businesses.

11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?

The PPC Guidelines state that the use of cloud computing services to store personal data does not constitute the provision of personal data or the outsourcing of the processing of personal data to third parties, as long as it is ensured – by contract or otherwise – that the service provider is properly restricted from accessing personal data stored on the servers. In this case, the handling operator is not required to exercise necessary and appropriate supervision over the service provider, as set out in Article 25 of the APPI; however, it is required to take necessary and appropriate measures to ensure the security of personal data stored on servers in accordance with Article 23 of the APPI.

In the absence of access restrictions, the use of cloud computing services to store personal data could constitute the provision of personal data or the outsourcing of the processing of personal data to third parties, and could thus be subject to the applicable regulations.

11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?

The Japan Interactive Advertising Association has published guidelines on behavioural advertising. The guidelines require a business operator to notify data subjects or make it easy for them to learn of the fact that it collects cookies or other tracking technology, the purposes thereof and other information. Although the guidelines are not legally binding, a handling operator that collects or uses cookies or other tracking technology should comply with them.

12 Disputes

12.1 In which forums are data privacy disputes typically heard in your jurisdiction?

A data subject may file a lawsuit against a business operator claiming compensation for damages or distress caused by the processing of his or her data. Any such case is heard by the district court.

Further, a handling operator may file a lawsuit against the Personal Information Protection Commission (PPC) seeking the revocation of an administrative order issued by the PPC. Any such case is also heard by the district court.

12.2 What issues do such disputes typically involve? How are they typically resolved?

In general, a data subject can seek damages from a handling operator on the basis that his or her right of privacy has been infringed. In such case, the typical issues at stake are:

  • whether the data in question is subject to legal protection on the basis that it is private;
  • whether the business operator has infringed a right of privacy; and
  • whether the data subject has incurred damages.

A breach of the Act on Protection of Personal Information does not necessarily constitute an infringement of privacy.

Damages that may be awarded to a data subject are usually based on compensation for 'mental damages' (i.e., consolation money), because concrete economic damage is not typically incurred by the data subject. In past judicial precedents, damages awards have generally ranged from several thousand to several tens of thousands of Japanese yen per individual.

12.3 Have there been any recent cases of note?

In 2014, the unauthorised removal of personal information affecting 48,580,000 individuals occurred at one of the largest private distance-learning companies for children in Japan. Multiple lawsuits were filed by affected data subjects seeking damages, and some of these lawsuits were commenced by groups consisting of numerous plaintiffs. In a decision issued in October 2017, the Supreme Court found that the breach of a right to privacy may give rise to a claim for compensation for distress caused by the leakage of personal information (eg, names, birth dates, addresses, and telephone numbers). The case was remanded to the Osaka Appeal Court, which awarded JPY1,000 to the claimant on 20 November 2019. In addition, the Tokyo Appeal Court awarded JPY3,300 to other plaintiffs on 25 March 2020 for the same data breach. The Supreme Court denied appeals of these cases in December 2020; thus, these Appeal Court decisions are deemed final.

13 Trends and predictions

13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

In the past, the public sector was regulated not by the APPI but by separate regulation. Each local government also has its own regulations regarding data protection in the public sector. Amendments necessary to integrate these public data protection laws into the APPI became law in 2021. Those provisions of the amended law applicable to the national government became effective from April 1, 2022, and provisions applicable to local governments will become effective from April 1, 2023.

As stated in 11.1 above, the revised Telecommunications Business Law enacted in 2022 (to be enforced on June 16, 2023) introduces restrictions on the use of certain cookies for those operating telecommunications businesses.

14 Tips and traps

14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?

As a result of the General Data Protection Regulation, Japanese citizens and businesses are increasingly concerned about the protection and proper use of personal information. The amended Act on Protection of Personal Information (APPI) took effect in 2022, and business operators should pay attention to developments regarding the APPI and data protection legislation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.