
Data protection in Japan


    By Ikigai Law | APAC, Other Jurisdictions | 18 May, 2020

    I. Introduction

    In the previous post, we examined the data governance framework in Singapore, an active player in the APAC region. In this post, we unpack Japan’s data protection framework, from the perspective of: grounds of processing data and the obligations imposed on organisations (II); rights guaranteed to individuals (III); rules governing cross-border data flows (IV); the penal and enforcement framework (V); and the exemptions given to law enforcement agencies (VI). Part VII concludes.

    Japan regulates data protection through the Act on the Protection of Personal Information (“APPI”).[1] The overall vision of the Act is to handle personal information in order to respect the personality of the individuals (‘principals’ under the APPI).[2] Compliance with the Act and complaints under the Act are mainly overseen by the Office of the Personal Information Protection Commission (“PPC”), an independent regulatory body.[3]

    The Japanese Cabinet has approved an amendment to the APPI, although it still has to be passed by Parliament.[4]

    II. Data processing and other obligations

    Scope of the Act

    The APPI applies to all business operators handling personal information (“business operators”).[5] It does not apply to central government organisations, local governments, and incorporated administrative agencies.[6]

    Pursuant to the Act,[7] the government has issued the Basic Policy on the Protection of Personal Information, 2004.[8] The policy sets out directions for entities handling personal information under the APPI.

    Consent

    Business operators do not need to get individuals’ consent to collect their personal information. The only limitation is that business operators cannot collect personal information through deceit or other improper means.[9] For sensitive personal information, however, business operators additionally require the consent of the individual, unless the sensitive data is required by law; is for the protection of life; promotion of public hygiene; government cooperation; or it has been disclosed publicly by the individual.[10]

    Purpose limitation

    Before handling personal information, business operators must specify the purpose of utilising the personal information (“utilisation purpose”) as explicitly as possible. Any change in purpose has to be within the reasonable scope of the original purpose.[11] Consent is only required if the personal information is being used beyond what is necessary to achieve the utilisation purpose.[12]

    Notification

    Business operators must disclose the utilisation purpose in advance to the public[13] or inform the individual promptly after collection. However, notification may not be needed if there is an urgent need to protect a human life, body, or fortune; if the utilisation purpose is clear from the circumstances of data collection; or if the disclosure would harm the rights or legitimate interests of the business operator.[14]

    Storage limitation

    Business operators must delete data, without delay, once data has achieved its specified purpose.[15]

    Sharing of information

    Business operators can share personal information with a third party within Japan only with the prior consent of the individual, except if it is: required (i) by law or regulations; (ii) for the protection of life or fortune and consent is difficult to obtain; (iii) for enhancing public hygiene or fostering healthy children and consent is difficult to obtain; or (iv) needed for cooperation with central government organisations or local government and consent would interfere with performance of these affairs.[16] Certain other conditions apply to the transfer of such information.[17]

    III. Individual rights

    The following rights are provided under the APPI:

    • Accuracy – Business operators must keep personal data accurate and up to date.[18]
    • Security – Business operators must establish appropriate security safeguards to prevent the leakage, loss, or damage to personal information.[19]
    • Record keeping and confirmation – In case of third-party transfers, business operators must keep a record of certain information, such as name of third party, which shall be confirmed by such third party.[20]
    • Access and correction – Individuals have the right to access certain data such as the name of the business operator and the utilisation purpose, or whether the data identifies them, subject to certain conditions. They can also seek a rectification of any errors in the retained data.[21]
    • Disclosure – Individuals can require business operators to disclose the retained personal data that identifies them, subject to certain conditions.[22]
    • Right to cessation/deletion – When personal data that can identify individuals is handled contrary to law (i.e. if it is obtained through deceit or improper means or used beyond the specified purpose), the business operator can be asked to cease using (‘utilization cease’) or delete the data, and stop providing such data to third parties, subject to certain conditions.[23]

    At present, the APPI does not recognize a right to data portability, a right to be forgotten, right to withdraw consent, or a right to data breach notification (although there is voluntary guidance on data breach notification).[24] There is also no express data minimization or proportionality principle embedded in the law. The proposed amendment is expected to introduce a data breach notification principle in some form.[25]

    IV. Cross-border data flows

    The APPI permits the cross-border transfer of personal information by a business operator under any of the three conditions – (i) the individual/principal has consented to the transfer; or (ii) the foreign country has an equivalent standard of data protection; or (iii) the foreign country has an information/data protection system that meets the standards prescribed by PPC.[26]

    In January 2019, the European Commission granted adequacy approval to Japan based on its strong data protection guarantees, allowing personal data to move freely between the two regions.[27] A similar decision was taken on the Japanese side.[28] Incidentally, New Zealand is the only other country in the APAC region to have received an adequacy decision.[29]

    V. Enforcement framework


    Enforcement framework

    Ordinarily, an individual first submits a complaint to the business operator itself. Business operators should deal with such complaints “appropriately and promptly”.[30] Other corporations can also get accredited to deal with complaints regarding handling of personal information.[31]

    Complaints can also be sent directly to the PPC, which will first try and mediate the dispute.[32] The PPC may also, in certain cases of rights violations, recommend that the business operator suspend or remedy the violating act.[33] In more serious cases of rights infringement, and when the recommendation is not acted upon, the PPC can also order the business operator to take certain action.[34]

    In addition, the central and local governments also have to take “necessary action” to enable and facilitate the resolution of complaints (including mediation).[35] For this, individuals may lodge a complaint with consumer centres established by local governments under Japan’s Consumer Safety Act or with the National Consumer Affairs Centre of Japan.

    Penal framework

    A fine of up to 500,000 yen, or up to one year imprisonment can be imposed on a business operator for providing or using the personal information database of the individual in stealth for their or a third party’s profit.[36] Fines of 300,000 yen can also be imposed for the violation of an order of the PPC or for submitting a false report to PPC.[37]

    VI. Exemption given to law enforcement agencies

    Law enforcement agencies are regulated more strictly in Japan than in many other APAC countries discussed in this series.

    Interception Act

    Interception in Japan requires law enforcement agencies to get prior judicial authorisation. Even then, the duration of surveillance is limited to 10 days. In addition, law enforcement agencies must notify the subject of surveillance within 30 days of surveillance being completed. This time period can be extended by a judge, if they are of the view that the investigation may be compromised by the notification. Further, the intercepted communication shall be recorded appropriately and then submitted to judges, who can check its appropriateness.[38]

    In addition to judicial oversight, there is independent Parliamentary oversight since the government must submit an annual report of the record of interceptions to the Japanese Diet, and then make such data public.[39] Japan also has ‘wiretapping instructors’ to monitor that the investigations are being conducted appropriately.[40]

    Criminal Procedure Act

    The Japanese Criminal Procedure requires that any search and seizure take place only pursuant to a court warrant.[41]

    VII. Conclusion

    In general, Japan has a strong data protection framework, although it does not require consent for the collection of personal data. The country promotes cross-border data transfer and does not impose any data localisation restrictions. In fact, the framework for smooth and mutual transfer of personal data between Japan and the European Union has created the largest area of safe data flows in the world and is intended to improve operational efficiency, reduce costs, and benefit consumers.[42] Importantly, unlike several other APAC countries, Japan also has significant restrictions on the activities of law enforcement agencies.

    Japan is also one of the most active players in the APAC region, with Prime Minister Abe spearheading the Osaka Declaration and the idea of ‘Data Free Flow with Trust’, to create a set of global rules governing the free flow of cross-border data backed by strong data protection and cyber security measures.[43] This is in line with Japan’s idea of ‘Society 5.0’, a super-smart society where big data, AI, and the internet of things innovate to grow the economy and resolve social issues.[44] This is in some contrast to Vietnam – the next country that we will examine in our series.

    Authored by the Ikigai team.


    [1] Act on the Protection of Personal Information (as amended in 2016), available at https://www.ppc.go.jp/files/pdf/Act_on_the_Protection_of_Personal_Information.pdf

    [2] Article 3, APPI.

    [3] See Personal Information Protection Commission, Japan, Roles and Responsibilities, available at https://www.ppc.go.jp/en/aboutus/roles/.

    [4] The details of the proposed amendment to the APPI can be found here. For further information, see Hiroyuki Tanaka et al, Analysis of Cabinet of Japan’s approved bill to amend APPI (March 2020), IAPP, available at https://iapp.org/news/a/analysis-of-japans-approved-bill-to-amend-the-appi/.

    [5] The Act defines business operators as persons who provide a personal information database for use in business. See Article 2(5), APPI.

    [6] Article 2(5), APPI.

    [7] Article 7, APPI.

    [8] Library of Congress, Online Privacy: Japan (2017), available at https://www.loc.gov/law/help/online-privacy-law/2017/japan.php#_ftn15.

    [9] Article 17(1), APPI. Notably, the Act does not define ‘deceit’ or ‘other improper means’.

    [10] Article 17(2), APPI.

    [11] Article 15, APPI.

    [12] Article 16, APPI.

    [13] As per PPC Guidelines, the appropriate method of announcing the utilization purpose to the public could be through the business operator’s website, such that an individual can easily find the utilization purpose before submitting their personal data. See DLA Piper, Data Protection Laws of the World: Japan (2020), available at https://www.dlapiperdataprotection.com/system/modules/za.co.heliosdesign.dla.lotw.data_protection/functions/handbook.pdf?country-1=JP  

    [14] Article 18, APPI.

    [15] Article 19, APPI.

    [16] Article 23(1), APPI.

    [17] Article 23(2), APPI.

    [18] Article 19, APPI.

    [19] Article 20, APPI.

    [20] Articles 25 and 26, APPI.

    [21] Articles 27 and 29, APPI.

    [22] Article 28, APPI.

    [23] Article 30, APPI.

    [24] Deloitte, Unity in Diversity: The Asia Pacific Privacy Guide (2019), available at https://www2.deloitte.com/content/dam/Deloitte/nz/Documents/risk/apac-privacy-guide-interactive.pdf.

    [25] IAPP, supra note 4.

    [26] Article 24, APPI.

    [27] European Commission, European Commission adopts adequacy decision on Japan, creating the world’s largest area of safe data flows (2019), available at  https://ec.europa.eu/commission/presscorner/detail/en/IP_19_421

    [28] The decision was taken under Article 24, APPI. See PPC, The framework for mutual and smooth transfer of personal data between Japan and the European Union has come into force (2019), available at https://www.ppc.go.jp/en/aboutus/roles/international/cooperation/20190123/

    [29] Deloitte, supra note 25.

    [30] Article 35, APPI.

    [31] Articles 47 and 52, APPI.

    [32] Article 61(ii), APPI.

    [33] Article 42(1), APPI.

    [34] Article 42(2), APPI.

    [35] Articles 9 and 13, APPI.

    [36] Article 83, APPI.

    [37] Articles 84 and 85, APPI.

    [38] Act on the Interception of Communications. See Permanent Mission of Japan, Information for OHCHR relating to “The right to privacy in a digital age” (2014), available at https://www.ohchr.org/Documents/Issues/Privacy/Japan.pdf. See also, UNODC, Current practices in electronic surveillance in the investigation of serious and organized crime (2009), available at https://www.unodc.org/documents/organized-crime/Law-Enforcement/Electronic_surveillance.pdf.

    [39] Id.

    [40] Police can use wiretapping devices to decrypt and record at prefectural HQs across Japan from June, Japan Times (April 2019), available at https://www.japantimes.co.jp/news/2019/04/25/national/crime-legal/police-can-use-wiretapping-devices-decrypt-record-prefectural-hqs-across-japan-june/#.XqswLpMzY_U

    [41] Sections 106-113, Code of Criminal Procedure of 1948, available at http://www.japaneselawtranslation.go.jp/law/detail/?printID=&ft=2&re=02&dn=1&yo=criminal&ia=03&x=0&y=0&ky=&page=2&vm=02.

    [42] https://www.ppc.go.jp/en/aboutus/roles/international/cooperation/20190123/

    [43] Masumi Koizumi, Japan’s pitch for free data flows ‘with trust’ faces uphill battle at G20 amid ‘splinternet’ fears, Japan Times (June 2019), available at https://www.japantimes.co.jp/news/2019/06/27/business/tech/japans-pitch-free-data-flows-trust-faces-uphill-battle-g20-amid-splinternet-fears/#.XqsznJMzY_U.

    [44] Id.
