
Japan
Data Protection
Introduction
In Japan, the Act on the Protection of Personal Information is the major data protection law. It is subject to review for potential revision every three years, and the last major revision in 2021 came into effect in 2022 and 2023. Currently, discussions are underway for the law’s next revision. Some topics being discussed in this round of revisions include the introduction of a system for administrative fines and regulations regarding children’s personal information.
1 . What national laws regulate the collection, use and disclosure of personal data?
The following laws and regulations govern the collection, use and disclosure of personal data.
- The Act on the Protection of Personal Information (APPI);
- The Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedures (“My Number Act”).
The APPI is the principal data protection law and establishes a framework for protecting individuals’ personal information held by both private and public entities. It covers principles such as purpose limitation, requiring organizations to specify how they will use the data, and security safeguards, mandating organizations to implement measures to protect data from unauthorized access or disclosure. The APPI also grants individuals rights to access, correct, and delete their personal data.
Separately, the My Number Act stipulates rules about “My Number”, a system in which a unique 12-digit number is assigned to every resident of Japan.
Both these acts are administered by the Personal Information Protection Commission (PPC), and the PPC has published guidelines on the handling of personal information.
There are also specific laws and guidelines that apply in certain sectors such as finance, healthcare, and telecommunications, among others.
In Japan, the Act on Access to Information Held by Administrative Organs, Japan’s freedom of information law, balances the public’s right to access government information with the need to protect certain types of information, including personal data and matters of national security.
2 . To whom do the laws apply?
A “personal information handling business operator” (handling operator), meaning any person or entity that uses a personal information database in the course of its business, is subject to the obligations set out in the APPI.
However, broadcasting institutions, newspaper publishers, and other press organizations, as well as professional writers, religious organizations, and political parties are exempt from obligations under the APPI when engaged in press, professional writing, religious, and political activities respectively.
Unlike the General Data Protection Regulation (GDPR), the APPI does not include the concepts of “controller” and “processor”.
3 . What is the territorial scope of the law?
Under the APPI, all provisions of the APPI apply to entities outside Japan if they collect personal information in connection with the provision of goods or services to data subjects located in Japan (Article 171).
The PPC can render an order against a handling operator based overseas. The PPC has established certain administrative procedural details for the international delivery of written notices of any such advice or order (or effecting a deemed delivery if the location of an offshore handling operator is not known to the authority). The PPC may also provide information to foreign authorities for their own enforcement purposes (Article 172.1).
4 . What acts and operations relating to personal data are regulated?
A handling operator (see Question 2, above) is subject to the obligations set out in Questions 7 and 8, below, at each stage of the data life cycle: collection, use, retention, disposal and transfer of personal data. The APPI does not define these acts and, unlike the GDPR, has no general definition of “processing”. Instead, each article imposes obligations on the specific act it addresses, and those obligations must be followed article by article.
5 . What personal data does the law regulate?
There are various types of personal data that the APPI regulates.
- Under the APPI, “personal information” is information relating to living individuals that can identify specific individuals or contains an individual identification code. An individual identification code is any character, number, symbol or other code (i) into which certain physical features (such as DNA, appearance and fingerprints) of a specific individual have been converted for use by computers and which can identify such specific individual, or (ii) which is assigned to individuals (such as a driver’s license number, number assigned under the My Number Act, or a passport number) (Article 2.1, 2.2).
- “Personal data” (Article 16.3) is personal information contained in a personal information database (Article 16.1) that allows for easy retrieval of the personal information contained within.
- “Retained personal data” is personal data whose content a handling operator has the authority to disclose, correct, add to or delete, discontinue the use of, erase or discontinue provision to a third party (Article 16.4).
- “Pseudonymized information” (Article 2.5) is information that has been processed by removing or replacing certain parts of personal information with random descriptions, making it impossible to identify any specific individual unless collated with other information.
- “Anonymized information” (Article 2.6) is information that has been processed by removing or replacing certain parts of personal information with random descriptions, making it impossible to link said information to any specific individual by any means and to restore the original personal information.
- “Individual related information” (Article 2.7) is information about a living individual that does not fall under personal information, pseudonymized information, and anonymized information.
6 . Are any types of personal data subject to a higher level of protection under the law?
There are several types of personal data that are subject to a higher level of protection under the APPI.
These are known as “Sensitive personal information” and “Specific personal information.”
“Sensitive personal information” is defined in Article 2.3 as personal information relating to an individual’s race, creed, social status, medical history, criminal record, status as a crime victim, or other information that requires careful handling to prevent unfair discrimination, prejudice, or disadvantage.
The Cabinet Order for the APPI provides further detail on what constitutes Sensitive personal information:
- Physical or mental disabilities. This includes information about a person’s disabilities, as well as the results of medical examinations conducted to determine the presence of disabilities.
- Medical history and treatment. This encompasses information about a person’s medical records, treatments, and consultations with medical professionals.
- Criminal records. Information about a person’s arrests, investigations into them, detention, indictments, or other involvement in criminal proceedings falls under this category.
Stricter requirements apply to Sensitive personal information:
- Explicit Consent for Collection (Article 20.2). Handling operators must obtain the data subject’s explicit consent before collecting Sensitive personal information, except:
- if required by laws and regulations;
- if necessary to protect the life, body, or property of a person and it is difficult to obtain the data subject’s consent;
- if necessary to improve public health and promote the sound nurturing of the youth and it is difficult to obtain the data subject’s consent;
- if necessary for governmental bodies to perform their duties and getting the data subject’s consent will likely impede the proper performance of duties;
- if the handling operator is an academic research institute and the acquisition is necessary for an academic research purpose;
- if acquired from an academic research institute and the acquisition is necessary for an academic research purpose;
- for Sensitive personal information that has been disclosed to the public by the principal, governmental bodies, or certain parties designated by the PPC (e.g., foreign governments and international organisations);
- if the Sensitive personal information is apparent from the appearance of the data subject and is collected through observation or video recording (e.g., a surveillance camera records a person using a wheelchair); or
- if received from third parties as an entrustment of personal data, through a merger or other business reorganisation, or as joint use.
- No Opt-Out for Third-Party Transfers (Article 27.2). Sensitive personal information cannot be transferred to third parties under the opt-out mechanism; explicit consent is always required, except for specific legal exceptions as discussed above.
“Specific personal information” refers to personal information that includes My Number (Article 2.8 of the My Number Act.). Specific personal information can only be collected and used for purposes explicitly specified by law, such as taxation, social security administration, and disaster control measures.
7 . What requirements must be fulfilled in order to process personal data?
Unlike the GDPR, the APPI does not require a legal basis for data processing in general, and concepts like “legitimate interest” do not exist. Consent is required only in certain cases, but the detailed requirements for this consent are not specified, nor is it explicitly stated that consent can be withdrawn. In practice, it is generally considered sufficient to obtain consent for the entire privacy policy, and there is no requirement for consent to individual items or an optional selection of consent/non-consent.
Collection:
- The handling operator must not collect personal information through deceit or other improper means (Article 20.1).
- The handling operator must specify the purpose of use of the collected personal information to the extent possible (Article 17.1).
- The handling operator must publicly announce the purpose of use or, if the purpose of use is not publicly announced in advance, must notify the data subjects of the purpose of use promptly after collecting the personal information (Article 21.1).
- In principle, the handling operator must not collect Sensitive personal information without obtaining the data subject’s consent (Article 20.2). For details, please see Question 6, above.
Use:
- The handling operator must not handle personal information beyond the scope necessary to achieve the specified purpose of use without obtaining the data subject’s consent (Article 18.1).
- The handling operator must not use personal information in a manner that may encourage or induce illegal or unjust acts (Article 19).
Retention and disposal:
- The handling operator must take necessary and appropriate measures to protect personal data (Article 23). For details, please see Question 8, below.
- The handling operator must endeavour to keep the content of personal data accurate and up to date (Article 22).
- The handling operator must endeavour to delete the personal data when they no longer require it (Article 22).
Transfer:
- The handling operator must not transfer personal data to third parties without the prior consent of the data subject (Article 27.1). However, prior consent of the data subject is not required if:
- the transfer of personal data is required by laws and regulations;
- the transfer of personal data is necessary to protect the life, body, or property of a person and it is difficult to obtain the data subject’s consent;
- the transfer of personal data is necessary to improve public health and promote the sound nurturing of the youth and it is difficult to obtain the data subject’s consent;
- the transfer of personal data is necessary for governmental bodies to perform their duties and getting the data subject’s consent will likely impede the proper performance of duties;
- the handling operator is an academic research institute and needs to transfer the personal data for academic research purposes; or
- the recipient is an academic research institute and needs to handle the personal data for academic research purposes.
- As a general rule, when personal data is transferred to a third party, the provider must keep records of specified matters (e.g., the date of transfer and the name of the recipient) (Article 29), and the recipient must confirm specified matters (e.g., the name of the provider and the circumstances in which the data was acquired) and keep records of them (Article 30).
- A handling operator may transfer personal data (other than sensitive personal information, as discussed in Question 6, above) to a third party without obtaining prior consent of the data subject if the following conditions are satisfied (Article 27.2):
- it notifies the data subject of certain information or makes this information easily accessible to the data subject;
- it submits a notification of certain information to the PPC; and
- it implements a system to cease the transfer of personal data to the third party upon the data subject’s request.
- The following entities are deemed not to be third parties:
- An entity that has been entrusted all or part of the handling of personal data by a handling operator (similar to the concept of a “processor”). A handling operator must exercise necessary and appropriate supervision over the entrusted person to ensure security control over the entrusted personal data (Article 27.5[i], 25).
- An entity that inherits the personal data as a result of a merger or other succession of the business of the handling operator (Article 27.5[ii]).
- An entity designated to jointly use the personal data with the handling operator. In this case, the handling operator must notify or make the following information accessible to the data subject (Article 27.5[iii]):
- the fact of such joint use of the personal data;
- the personal data to be used jointly;
- the scope of the joint users;
- the purpose of the joint use; and
- the name of the individual or entity responsible for managing the personal data, its address, and in the case of a legal entity, name of its representative officer.
- The handling operator must not transfer personal data to a third party in a foreign country without prior consent of the data subject (Article 28.1). The exceptions under Article 27.1 (see above) apply. For details, please see Question 11, below.
- When transferring individual-related information to a third party that is expected to acquire it as personal data, the handling operator (the provider) must confirm that the third party (the recipient) has obtained the data subject’s consent to receive the individual-related information as personal data (Article 31.1). In other words, the recipient must obtain consent from the data subject before receiving individual-related information that will constitute personal data in the recipient’s hands.
8 . What obligations apply when processing personal data?
The handling operator is required to take necessary and appropriate measures for the security control of personal data, including preventing leakages, loss or damage of personal data and implementing other measures for security control of the personal data (Article 23). Under the PPC Guidelines, those measures should include the following:
- organizational security measures, such as establishing rules for handling personal data, defining the scope of data handled by each person, and appointing a person responsible for supervising the handling of personal data;
- human resource security measures, including educating and training employees;
- physical security measures, including controlling access to the area where personal data is handled, such as servers and offices, and the prevention of device theft;
- technical security measures, including controlling access to personal data and preventing unauthorized access; and
- understanding of the external environment — this security measure requires a handling operator who processes personal data in a foreign country to understand that foreign country’s legal system concerning the protection of personal information and to take necessary and appropriate measures for the secure management of personal data.
In the event of a data breach (leakage, loss or damage) or where there is a possibility that a breach has occurred, a handling operator is required to report to the PPC and to notify affected data subjects (Article 26.1, 26.2). The reporting obligation applies to breaches:
- of personal data that contain Sensitive personal information;
- of personal data that may cause property damage by unauthorized use;
- of personal data (including personal information that has been or is about to be acquired and is expected to be handled as personal data) that was caused or possibly caused by an intentional act (e.g., cyberattack); and/or
- involving more than 1,000 data subjects.
As for reporting to the PPC, there are two stages of reporting obligations: a preliminary report and a final report. A handling operator must submit a preliminary report “promptly after becoming aware of the occurrence of a data breach or a potential data breach”, which the PPC Guidelines interpret as generally three to five days from becoming aware of the situation. The final report must be submitted within 30 days of becoming aware of the breach, or within 60 days where the breach was caused or possibly caused by an intentional act (e.g., a cyberattack).
If a handling operator is entrusted by and processes personal data on behalf of another company, they can fulfill their reporting and notification obligations by informing that company, rather than having to report directly to the authorities or affected individuals themselves.
9 . What rights does the data subject have in relation to personal data?
Right to Access and Disclosure (Article 33). The data subject can request the handling operator to disclose their retained personal data. The operator must comply unless exceptions apply, such as potential harm to the individual or a third party, significant interference with the operator’s business, or the violation of other laws. Data subjects can also request the disclosure of records related to the transfer of their personal data.
Right to Correction (Article 34). The data subject may request the operator to correct, add or delete retained personal data if the retained personal data is inaccurate.
Right to Request Cessation of Use (Article 35). The data subject may request the handling operator to discontinue the use of, erase, or cease transferring retained personal data to third parties if any of the following apply:
- the retained personal data was or is being acquired, handled or provided to a third party in violation of the APPI;
- the retention of the retained personal data has become unnecessary;
- a data breach has occurred regarding the retained personal data; or
- there is a possibility that the handling of the retained personal data would harm the rights or legitimate interests of the data subject.
However, this obligation does not apply if discontinuing the use of, erasing, or ceasing the transfer of the retained personal data would be too costly or difficult, and the handling operator takes necessary alternative measures to protect the rights and interests of the data subject.
10 . What rules regulate the sending of commercial or direct marketing communications?
Commercial electronic marketing communications are primarily regulated by the Act on the Regulation of Transmission of Specified Electronic Mail (“Anti-Spam Act”). Article 3 of the Anti-Spam Act prohibits the sending of unsolicited marketing emails unless one of the following applies to the recipient:
- the recipient has opted in (given prior consent to receive such emails);
- the recipient has provided their email address to the sender in writing (e.g., on a business card);
- the recipient has an existing business relationship with the sender; or
- the recipient has made their email address publicly available for business purposes (e.g., published it online).
In addition, the Anti-Spam Act requires senders to allow the recipients to “opt out” (Article 3.3 of Anti-Spam Act).
The Act on Specified Commercial Transactions also adopts the opt-in system for unsolicited marketing.
11 . What rules and requirements regulate the transfer of personal data outside your jurisdiction?
Article 28 of the APPI mandates that handling operators obtain the data subject’s prior consent before transferring their personal data to a third party located in a foreign country. This restriction applies even in cases of entrustment and joint use, which are exceptions to local third-party data transfer restrictions (please see Question 7, above). However, the data subject’s prior consent to overseas transfers of their personal data is not necessary if:
- the foreign country is specified in the PPC Ordinance as having a data protection regime with a level of protection equivalent to that of Japan (currently, only the European Economic Area (EEA) and the United Kingdom meet this criterion)
- the third-party recipient has a system of data protection that meets the standards prescribed by PPC Ordinance; or
- exceptions under Article 27.1 (please see Question 7, above) apply.
In addition, certain information, such as the personal information protection system of the data-importing country and the security measures taken by the data importer, must be provided to data subjects.
If handling operators rely on the consent of data subjects to establish legal grounds for the cross-border transfer of personal data, such information must be provided to data subjects before obtaining their consent (Article 28.2).
Regarding cross-border transfers based on the recipient having a system of data protection that meets the PPC Ordinance standards, the following information must be provided to data subjects upon their request (Article 28.3):
- that the recipient party has an equivalent system of data protection;
- an outline of the equivalent measures taken by the recipient;
- the frequency and method of confirmation of the status of the equivalent measures and of the system in the foreign country that might affect the implementation of the measures;
- the name of the foreign country;
- the presence or absence of a system in that foreign country that might affect the implementation of the equivalent measures;
- the presence or absence of any impediment to the implementation of the equivalent measures; and
- an outline of the measures to be taken in response to such impediments.
In addition, the APPI mandates handling operators to “regularly monitor the establishment of the protection methods”. The guidelines clarify this frequency requirement to mean once a year or more.
12 . What are the investigatory and enforcement powers of the regulator?
The PPC holds significant investigative and enforcement powers under the APPI.
Investigative powers:
- The PPC can require a handling operator to submit reports and documents regarding their personal data processing activities (Article 146.1).
- The PPC has the authority to enter and inspect the premises of a handling operator to investigate, inquire, and examine records (Article 146.1).
Enforcement powers:
- The PPC can provide guidance and advice to a handling operator regarding compliance with the APPI (Article 147).
- The PPC may recommend that a handling operator cease any acts constituting a violation of the APPI and take other necessary measures to correct the violation (Article 148.1).
- The PPC may order a handling operator to take necessary measures to implement the PPC’s recommendation mentioned above and to rectify certain violations of the APPI (Articles 148.2 and 148.3).
The PPC does not have the authority to conduct criminal investigations, and the APPI explicitly stipulates that the PPC’s power to conduct on-site inspections does not include criminal investigations (Article 146.3).
13 . What are the sanctions and remedies for non-compliance with data protection laws?
Non-compliance with the APPI can lead to several sanctions and remedies.
Administrative sanctions:
- The PPC can publicize the fact of a handling operator’s non-compliance, potentially impacting its reputation (Article 148.4).
- The APPI does not, however, provide for administrative fines.
Criminal sanctions:
- Criminal sanctions may be imposed if the handling operator, its officers or employees:
- refuse to cooperate with or make any false report in response to an investigation by the PPC (Article 182);
- provide access to a personal information database to unauthorized persons or misuse the database for unlawful gains (Article 179); or
- violate any order issued by the PPC (Article 178).
Civil remedies:
- A data subject may file a lawsuit against the handling operator to enforce its compliance with a request if:
- two weeks have elapsed without response since the data subject submitted the request to the handling operator (Article 39.1); or
- the handling operator rejects the data subject’s request (Article 39.1).