The Act on the Protection of Personal Information of Japan (Law Number: Act No. 57 of May 30, 2003, hereinafter the “Act”) was enacted in May 2003 reflecting the circumstances in the rapid development of information systems and resulting threat to personal rights and interests as well as international trends for establishing data protection laws. Ten years later, the development of data communication technology has enabled the collection and analysis of a huge variety of data (so-called big data), and among others; use of personal data is expected to contribute to innovations including the creation of new businesses and services. Therefore, on the basis of protecting personal data and privacy, the trend of the revision under the Act is considering maximizing the power of civil sectors by clarifying the rules on the utilization of personal data, the creation of new businesses and services and activation of existing industries.
The Personal Data Related Systems Division established in the Cabinet Secretary IT General Strategy Office plans to set down the fundamental principles of a bill for revising the Act by June 2014 and to receive public comments and submit the bill to the ordinary session of the National Diet in the beginning of 2015.
Personal information subject to protection under the Act
The term "personal information" as used in the Act means “information about a living individual which can identify the specific individual” (Article 2). Personal information subject to protection under the Act includes “such information as will allow easy reference to other information and will thereby enable the identification of the specific individual” (Article 2).
The trend of the revision under the Act includes the definition of “personal information” protected under the Act as personal data substantially enabling the identification of a specific individual, and clarification of such data on the basis of the basic principle of protection of privacy.
Also, “sensitive data” or extremely private data will include new types of data to be handled according to their nature.
As for the handling of personal data in a field requiring highly professional knowledge (including types of information deemed to contain many sensitive data), related organizations will consider such based on their knowledge and judgment.
Business operators handling personal data subject to the obligation under the Act
Business operators handling personal data subject to the obligation of protection under the Act (hereinafter the “Operators”) are those managing the personal data of more than 5,000 persons in their business activities. Therefore, private individuals and small-scale entrepreneurs are exempted from the restrictions of the Act.
The privacy of a person is not influenced by the volume of data but by the nature of the data handled by the Operators. Therefore, the trend of the revision under the Act is considering changing the requirement of personal data of fewer than 5,000 persons in a personal information database owned by Small Operators exempted from restrictions by the Act as well as reducing the burdens on Small Operators.
Obligations of operators handling personal information
Obligations of Operators under the Act include specifying the purposes for using personal information and notifying the principal of such personal information thereof, taking measures for maintaining the safety of such information and generally obtaining the consent of the principal when providing such information to a third party. But the Act provides for exceptions to the requirement of obtaining the consent of the principal when providing such information to a third party in cases in which it is (1) required by laws and regulations, (2) necessary for protecting personal life, body or property, (3) especially necessary for improving public health or promoting the sound growth of children and in cases where it is difficult to obtain the consent of the principal, or (4) necessary to cooperate with a state organ or a local government in executing those affairs prescribed by laws and regulations.
For promoting the use and distribution of personal data regarding the protection of personal information and privacy, the trend of the revision under the Act is considering stipulating the types of provision of personal data to a third party without the consent of the principal and obligations of Operators (providers and recipients) handling such types of data.
Matters considered for change in promoting international harmonization
Matters under consideration include improving the environment in which Japanese enterprises may smoothly and globally develop their business, the manner in which Japanese laws and regulations are applied to overseas enterprises, and cooperation by third party agencies in the international enforcement of laws and regulations.
Other considerations also include restricting the transfer of data to countries with less developed personal data protection systems by maintaining the balance between preventing the obstruction of global usage and distribution of data and the protection of privacy.