Basic Legal Information on Japan
– Protection of Personal Information Law in Japan


This is the first in a series of articles from GVA LPC providing basic legal information to foreign companies and individuals that are planning to do business in Japan. The series highlights the Japanese laws and regulations that are central to a smooth entry into the Japanese market.


For foreign companies that are planning to venture into the Japanese market, one of the most important laws to look into beforehand is the Act on the Protection of Personal Information (“APPI”). The APPI regulates privacy protection issues in Japan. It was originally enacted in 2003 and was recently amended; the amended act came into force on 30 May 2017. Pursuant to the APPI, the Personal Protection Commission (“PPC”) was established. The PPC, established on 1 January 2016, is a cross-sectoral, independent governmental body whose main duty is to oversee the APPI.


Both the APPI and the PPC play an important role in the protection of personal information in Japan. The APPI sets forth the principal obligations for businesses in handling personal information, and the PPC acts as a 'watchdog' to ensure that those businesses implement them properly. Foreign companies that are planning to expand their business operations into Japan should seriously look into the APPI and the guidelines issued by the PPC before starting operations in the Japanese market.


For reference, the following are some of the basic points of the APPI that foreign companies should take note of concerning personal information protection in Japan. Please note that the following is for reference only; it is advisable to consult a legal professional to understand the implications of the APPI in detail.



A. Scope of APPI

The APPI applies to all business entities that handle the personal information of individuals in Japan. It also applies to entities outside Japan if they acquire personal information of an individual in Japan in connection with the provision of goods or services, and that personal information, or de-identified information created using it, is handled outside of Japan.



B. What is Personal Information under APPI

The APPI defines personal information as information about a living individual who can be specifically identified by the name, date of birth, or other description contained in such information. The APPI also stresses that personal information includes information that enables a specific individual to be identified by easy reference to other information.



C. How to observe APPI

When handling personal information, a business entity must specify the purpose of use of the personal information in as much detail as possible. Changes to the purpose of use must not go beyond the reasonable scope of the original purpose of use. Prior consent is required if usage is beyond the scope of the purpose of use.


The purpose of use must be made known to the data subjects when personal information is collected or promptly thereafter. This can be done by a public announcement (such as posting the purpose on the business entity’s website).


Prior consent is required to transfer personal information to a third party; however, consent is not necessary if (i) the personal information is disclosed according to laws and regulations, (ii) the personal information is disclosed in order to protect the life, body, or property of an individual and it is difficult to obtain the consent of the person, (iii) provision of the personal information is necessary for improving public health or promoting the sound growth of children and it is difficult to obtain the consent of the person, or (iv) the provision of the personal information is necessary for cooperating with a state organ, a local government, or an individual or a business operator entrusted by one in executing the affairs prescribed by laws and regulations, and obtaining the consent of the person is likely to impede the execution of the affairs.


When personal information is provided to a third party, the business entities involved (both provider and recipient) must keep a record that includes details of the date of the personal information provision, the name or appellation of the third party, and other matters prescribed by the PPC.



D. Rights granted by APPI to Data Subjects

APPI provides the right of disclosure to data subjects. Under the APPI, business entities MUST (upon request for disclosure from the data subjects) disclose the retained personal information to the data subjects without delay. However, if one of the following applies, the business entities may choose not to disclose all or part of the retained personal information: (i) if the disclosure is likely to harm the life, body, property, or other rights or interests of the person or a third party; (ii) if the disclosure is likely to seriously interfere with the proper implementation of the business entity handling personal information; (iii) if the disclosure would violate any other law or regulation.


Data subjects can also request the correction of their information, and a business entity MUST comply with such a request.


The APPI also allows data subjects to request that the business entity holding their personal information discontinue its use or delete it. A business entity MUST comply with such a request when (i) the collection was made by deception or other wrongful means, or (ii) the handling of the personal information goes beyond the scope necessary to achieve the purpose of use without obtaining prior consent.


E. Penalty under APPI

Any violation or potential violation of the APPI allows the PPC to request a business entity to submit a report, to conduct an on-site inspection, and to request or order the business entity to take remedial actions. A business entity that fails to submit the report and materials, or that reports false information, will be punished by a fine of up to JPY 300,000.


A business entity that fails to follow an order from the PPC will be subject to a penalty of imprisonment for up to six months or a fine of up to JPY 300,000.