
Jurisdiction snapshot

Trends and climate

Would you consider your national data protection laws to be ahead of or behind the international curve?

The key legislation governing personal information and data in Japan is the Act on the Protection of Personal Information (57/2003).

A recent amendment to the act, which came into effect on May 30 2017, updated it to reflect modern society and international data protection laws. The changes include the establishment of the Personal Information Protection Commission (PPC) as Japan’s privacy commissioner and the introduction of certain restrictions on the transfer of personal data outside Japan.

Through the detailed guidelines issued by the PPC, Japan’s national data protection laws have, to some extent, caught up with the international curve.

Are any changes to existing data protection legislation proposed or expected in the near future?

Other than the recent amendment, there are no proposed or expected changes.

Legal framework

Legislation

What legislation governs the collection, storage and use of personal data?

The key legislation governing the collection, storage and use of personal information in Japan is the Act on the Protection of Personal Information. The act provides the general rules concerning the protection of personal information in the private sector and regulates the handling of personal information.

Scope and jurisdiction

Who falls within the scope of the legislation?

The Act on the Protection of Personal Information applies to ‘business operators handling personal information’ – defined in the act as any person using a personal information database for business (for further details please see the following question). The act does not apply to:

  • state organs;
  • local governments;
  • incorporated administrative and similar agencies; and
  • local independent administrative institutions.

A foreign entity may constitute a ‘business operator handling personal information’ under the act if it collects and handles personal information in Japan. Further, even if a foreign entity has no presence within Japan and does not collect or handle personal data in Japan, some provisions of the act apply to it when it provides goods or services to individuals in Japan and acquires the personal information of those individuals.

What kind of data falls within the scope of the legislation?

The Act on the Protection of Personal Information applies to three categories of information and data, each of which is governed by different rules:

  • ‘Personal information’ – information about a living individual that falls under any of the following items:
    • information containing name, date of birth or other descriptions whereby a specific individual can be identified (including information that allows easy reference to other information that would thereby enable identification of the individual); or
    • information containing an individual identification code, which is a code, including characters, numerical characters and marks, that can be used to identify the specific individual and which is specified in a cabinet order (eg, biometric identifiers such as fingerprint data or face recognition data, passport or driving licence numbers).
  • ‘Personal data’ – personal information contained within a personal information database. A ‘personal information database’ is a collection of information, including:
    • a collection of information systematically arranged in such a way that enables specific personal information to be retrieved from it by a computer; and
    • any other collection of information designated by the cabinet order as being systematically arranged in such a way that enables specific personal information to be easily retrieved from it (ie, if the personal information is organised according to certain rules or if a table of contents, index or other arrangement aids retrieval of the personal information).
  • ‘Retained personal data’ – personal data that a business operator governed by the act has the authority to:
    • disclose;
    • correct;
    • add to or subtract from;
    • discontinue the use of;
    • erase; or
    • discontinue the provision of to a third party.

The cabinet order specifies certain data that is excluded from the definition of ‘retained personal data’ – namely, data whose existence, if known, would be harmful to the public or to another interest, and data that will be erased within six months.

In addition, the act contains provisions regarding the processing method and handling of anonymised processed information, which is defined as ‘information about an individual obtained by processing personal information so as not to identify the specific individual’ and so that the original personal information cannot be restored. Pursuant to the act and the Rules of the Personal Information Protection Commission, anonymised processed information is not deemed ‘personal information’. As a result, handling anonymised processed information is not subject to the restrictions that apply to personal information or personal data.

Are data owners required to register with the relevant authority before processing data?

No such requirement exists.

Is information regarding registered data owners publicly available?

Not applicable.

Is there a requirement to appoint a data protection officer?

There is no legal requirement to appoint a data protection officer under the Act on the Protection of Personal Information and applicable guidelines. However, business operators governed by the act must take security control measures concerning personal data and the appointment of a data protection officer is provided as an example of ‘organisational measures’, which is one of the security control measures provided for by some guidelines.

Enforcement

Which body is responsible for enforcing data protection legislation and what are its powers?

Under the amended Act on the Protection of Personal Information, the Personal Information Protection Commission (PPC) will be responsible for its enforcement in the private sector. The PPC can request reports and issue recommendations and orders, as well as conduct on-the-spot inspections.

Non-compliance with a request or violation of an order can result in fines, imprisonment or both.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Processing

A business operator governed by the Act on the Protection of Personal Information must specify the purpose of use for personal information it handles (to the extent possible) and comply with the following rules:

  • it must not change the purpose of use beyond a scope which has a reasonably substantial relationship with the original purpose of use; and
  • it must not use the personal information beyond the scope necessary to achieve the purpose of use, without obtaining the individual’s prior consent.

Collection

The following restrictions apply to the collection of personal information by business operators governed by the Act on the Protection of Personal Information:

  • proper acquisition – a business operator must not acquire personal information by deception or other wrongful means;
  • notice of purpose of use at time of acquisition – once a business operator has acquired personal information, it must notify the individual of or publicly announce the purpose of use, unless it has already been publicly announced or one of the following applies:
    • such notification or public announcement would likely cause harm to the life, body, property, rights or interests of an individual or third party;
    • such notification would likely harm the business operator’s rights or legitimate interests;
    • cooperation with a state agency, local government or third party commissioned by a state or local agency is necessary to conduct certain affairs specified by laws and regulations and the notification or public announcement of the purpose of use would likely impede the execution of such affairs; or
    • the purpose of use is evident from the circumstances around the collection of the personal information.

The guidelines issued by the Personal Information Protection Commission (PPC) include examples of how business operators can make such public announcement – namely, by posting it on their websites or displaying it in an easily viewable location within their places of business. Business operators must not obtain sensitive information without the individual’s prior consent. Sensitive information means personal information comprising a principal’s race, creed, social status, medical history, criminal record, the fact of having suffered damage as a result of a crime, or other descriptions described by the cabinet order as those of which the handling requires special care so as not to cause unfair discrimination, prejudice or other disadvantage to the principal.

Storage

Business operators governed by the Act on the Protection of Personal Information must take security control measures with regard to personal data. The act imposes a broadly stated obligation on business operators to “take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control of the Personal Data”. The act provides no concrete measures to satisfy this requirement. However, it is generally understood that such security control measures include:

  • organisational measures;
  • employee-related measures (eg, personnel training);
  • physical measures; and
  • technical measures.

Specific actions to be taken for each type of measure are stipulated in the various guidelines issued by the PPC.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Business operators governed by the act must endeavour to delete personal data without delay when its use is no longer required.

Do individuals have a right to access personal information about them that is held by an organisation?

A business operator governed by the Act on the Protection of Personal Information must make the following details accessible to individuals whose personal data it retains:

  • its name;
  • the purpose of use (except in specified circumstances);
  • the procedures for requesting correction, cessation of use, sharing or deletion of the retained personal data, as well as the procedures for other requests; and
  • other matters as specified by cabinet order that are necessary to ensure the proper handling of the retained personal data.

In addition, business operators governed by the act must disclose any relevant personal data without delay if:

  • an individual requests that the business operator disclose whether it has retained any personal data that could lead to the individual’s identification; or
  • an individual requests notification that the business operator holds no such personal data.

Do individuals have a right to request deletion of their data?

If an individual requests that a business operator governed by the Act on the Protection of Personal Information correct, expand or delete his or her retained personal data because it is inaccurate, the business operator must investigate the issue without delay. Based on the investigation results, the business operator must correct, expand or delete the personal data and notify the individual of its response to the request.

In addition, if an individual requests that a business operator stop using or disclosing retained personal data on the basis that it is violating the Act on the Protection of Personal Information, the business operator must stop using or disclosing the personal data if the request is reasonable.

Consent obligations

Is consent required before processing personal data?

As a general rule, business operators governed by the Act on the Protection of Personal Information cannot handle personal information for reasons beyond the scope necessary to achieve the purpose of use without obtaining the individual’s prior consent.

As a general rule, business operators governed by the act may not provide such information to a third party without obtaining the individual’s prior opt-in consent.

If consent is not provided, are there other circumstances in which data processing is permitted?

Exceptions to the general rules above apply if:

  • the handling of personal information is required by laws and regulations;
  • the handling of personal information is necessary to protect an individual’s life, body or property and obtaining his or her consent would be difficult;
  • the handling of personal information is necessary to improve public health or promote the positive growth of children and obtaining the individual’s consent would be difficult; or
  • cooperation with a state agency, local government or third party commissioned by a state or local agency is necessary to conduct certain affairs specified by laws and regulations and obtaining the individual’s consent would likely impede the execution of such affairs.

What information must be provided to individuals when personal data is collected?

As a general rule, once a business operator governed by the Act on the Protection of Personal Information has acquired personal information, it must notify the individual of or publicly announce the purpose of use.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Business operators governed by the Act on the Protection of Personal Information have a broad obligation to “take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control of the Personal Data”.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Notifying individuals when a security breach has occurred is not required under the Act on the Protection of Personal Information. However, the guidelines issued by the Personal Information Protection Commission (PPC) provide that it is preferable to notify the individual of the fact of the incident or make the fact readily available for affected individuals in order to prevent secondary damage or recurrence of the incident. Moreover, the Guidelines Targeting Financial Sectors Pertaining to the Protection of Personal Information established by the PPC and the Financial Services Agency (FSA) state that if a personal information breach occurs, the business operator handling the personal information should immediately provide notice to the relevant individuals of the facts around the breach.

Are data owners/processors required to notify the regulator in the event of a breach?

This is not required under the Act on the Protection of Personal Information. However, the guidelines issued by the PPC provide that, as a general rule, a business operator handling personal information should strive to immediately notify the PPC of incidents of data security breach and the preventive measures taken. Moreover, the Guidelines Targeting Financial Sectors Pertaining to the Protection of Personal Information established by the PPC and the FSA state that if a personal information breach occurs, the business operator handling the personal information should immediately report the breach to the FSA and promptly make a public announcement addressing – among other things – the facts around the breach and the measures to be taken to prevent a recurrence.

Electronic marketing and internet use

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

The Act on Specified Commercial Transactions (57/1975) prohibits companies from advertising their sales terms by email without the customer’s prior request or consent. Further, the Act on the Regulation of Transmission of Specified Electronic Mail (26/2002) regulates the transmission of emails as a means of advertising sales activities. Under this act, companies must in principle not transmit such emails without the customer’s prior request or consent.

Therefore, sending unsolicited email marketing messages (ie, spam) is prohibited by the Act on Specified Commercial Transactions and the Act on the Regulation of Transmission of Specified Electronic Mail.

Cookies

Are there rules governing the use of cookies?

There are no special rules regarding the use of cookies or similar technologies.

Data transfer and third parties

Cross-border data transfer

What rules govern the transfer of data outside your jurisdiction?

In principle, the Act on the Protection of Personal Information restricts the provision of personal data to third parties in a foreign country without the subject individual’s prior consent.

The exceptions to the above restriction include the following:

  • With respect to a third party that is a recipient of personal data, the prior consent requirement will not apply to the transfer of personal data to recipient operators with a management system conforming to the standards set out in the Personal Information Protection Commission (PPC) rules. The PPC rules currently provide two categories of exempt recipient operators:
    • a recipient operator that, together with the operator transferring the personal data to it, ensures compliance with the relevant provisions of the Act on the Protection of Personal Information through appropriate and reasonable measures agreed between the transferor operator and the recipient operator; and
    • a recipient operator that has obtained recognition under an international framework concerning the handling of personal information (eg, recognition under the APEC Cross-Border Privacy Rules).
  • With respect to the foreign country where a recipient is located, the prior consent requirement will not apply to countries that are specified in the PPC rules as having a system for the protection of personal information equivalent to that required under Japanese law. Nonetheless, as of November 1 2017, no such country has been specified by the PPC rules. In this regard, the PPC announced on July 4 2017 that it will initiate a procedure as soon as appropriate to amend its commission rules with a view to the possibility of designating EU member states as exempted countries within a targeted timeframe of early 2018.

Are there restrictions on the geographic transfer of data?

The Act on the Protection of Personal Information and most guidelines include no restrictions on the geographic transfer of data. However, the guidelines regarding medical information systems provide that medical information systems (eg, servers holding medical information) and medical data should be located in an area where Japanese laws can be enforced.

Third parties

Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

As a general rule, business operators governed by the Act on the Protection of Personal Information cannot provide personal information to a third party without obtaining the individual’s prior opt-in consent.

In addition, the Act on the Protection of Personal Information requires business operators providing personal data to third parties to record:

  • the date on which the data was provided;
  • the third party’s name; and
  • the matters specified in the PPC rules.

Conversely, if a business operator receives such personal data from a third party, it must confirm:

  • the third party’s name and address;
  • the representative’s name; and
  • how the third party obtained the personal data.

In addition, the business operator must record the date on which the information was provided and any matters regarding such confirmation, as well as the matters specified by the PPC rules.

Exceptions

Exceptions to the general rule above apply if:

  • the handling of personal data is required under laws and regulations;
  • the handling of personal data is necessary for the protection of the individual’s life, body or property and obtaining his or her consent would be difficult;
  • the handling of personal data is necessary to improve public health or promote the positive growth of children and obtaining the individual’s consent would be difficult; or
  • cooperation with a state agency, local government or third party commissioned by a state or local agency is necessary to conduct certain affairs specified by laws and regulations and obtaining the individual’s consent would likely impede the execution of such affairs.

The following exceptions also apply:

  • A business operator governed by the Act on the Protection of Personal Information can provide personal data (excluding sensitive information) to a third party (excluding those located outside Japan) without obtaining the individual’s prior consent if it notifies the individual in advance of the following information or makes such information readily available to the individual. In addition, it must also notify the PPC of all of the following information:
    • the fact that providing the personal data to a third party falls under the purpose of use;
    • the personal data that will be provided to the third party;
    • the means or methods of providing the personal data to the third party;
    • the fact that the provision of the personal data – which will lead to the identification of the individual by a third party – will be discontinued on the individual’s request to opt out; and
    • the way in which an individual can make an opt-out request.

Once amended, the Act on the Protection of Personal Information will also require business operators to advise on the way in which an individual can make an opt-out request and to notify the PPC of all of the above information. They will also be prohibited from providing sensitive information to third parties by using the opt-out option.

  • If the personal data is to be transferred as a result of a merger, acquisition or similar succession transaction, the recipient does not constitute a third party.
  • If the personal data is to be transferred as a result of a third-party service provider’s commissioning of a business operator for all or part of the processing of the personal data that is necessary to achieve the purpose of use, and the service provider does not process the data for its own purpose of use, such service provider does not constitute a third party.
  • A business operator governed by the Act on the Protection of Personal Information can use the personal information jointly with another individual or entity without the individual’s prior consent if it notifies the individual of the following information or ensures that such information is made readily available to the individual, in advance:
    • the fact that the personal data may be shared with and used jointly by specific individuals or entities;
    • the personal data that will be jointly used;
    • the scope of the joint users;
    • the purpose for which the personal data will be used; and
    • the name of the joint user responsible for the management of the personal data (either an individual or a business operator).

Penalties and compensation

Penalties

What are the potential penalties for non-compliance with data protection provisions?

Under the Act on the Protection of Personal Information, the Personal Information Protection Commission (PPC) may request reports on the handling of personal information and may issue recommendations or corrective orders if a business operator governed by the act breaches an individual’s privacy and violates the act.

Before issuing a corrective order, the PPC may take an incremental approach and instruct, advise and make recommendations to business operators governed by the act. A breach of a corrective order is a criminal offence and the person responsible is punishable by imprisonment with work for a maximum of six months, a maximum fine of Y300,000 or both. The business operator will also be subject to a maximum fine of Y300,000.

Compensation

Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

If an individual’s privacy is violated as a result of a data breach by, or non-compliance with data protection provisions on the part of, a business operator governed by the act, the individual may file a tort or breach of contract claim for compensation against the business operator.

Cybersecurity

Cybersecurity legislation, regulation and enforcement

Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

Several laws cover different types of cybercrime and cybersecurity, such as:

  • the Penal Code (45/1907), which was amended in 2011 to regulate ‘illegal programming’, including malware (Articles 168-2 and 168-3);
  • the Act on the Prohibition of Unauthorised Computer Access (128/1999), which was enacted in 1999 and amended in 2012 to include phishing and the unauthorised obtainment of identifying information (eg, passwords); and
  • the Unfair Competition Prevention Act (47/1993), which prohibits unauthorised access to trade secrets and was amended in 2015 to strengthen penalties.

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

The Basic Act on Cybersecurity (104/2014) was enacted in November 2014 to promote and enhance cybersecurity in Japan. The act sets out an overall national cybersecurity policy and the roles and responsibilities of the national and local governments. The act also provides that cyber businesses and infrastructure-related businesses should endeavour to take voluntary measures to enhance cybersecurity and cooperate with the government in implementing the relevant measures (Article 7).

Which cyber activities are criminalised in your jurisdiction?

The following cyber activities are criminalised in Japan, among others:

  • the creation, provision, release, acquisition and storage of malware with the intention of applying or using such malware in the electronic device of another person or entity (Articles 168-2 and 168-3 of the Penal Code);
  • phishing and the unauthorised obtainment of identifying information (eg, passwords and fingerprint data) via online access (Articles 2, 3, 4 and 7 of the Act on the Prohibition of Unauthorised Computer Access);
  • unauthorised online access to computer systems or networks (Articles 2 and 3 of the Act on the Prohibition of Unauthorised Computer Access); and
  • the unauthorised acquisition, use or disclosure of trade secrets (including those that are electronically stored) in a physical or electronic manner with the intention of acquiring an illicit gain or causing injury to the owner (Article 2 of the Unfair Competition Prevention Act).

Which authorities are responsible for enforcing cybersecurity rules?

The Basic Act on Cybersecurity designates the Cybersecurity Strategic Headquarters as the control body to promote national cybersecurity strategy and the National Centre of Incident Readiness and Strategy for Cybersecurity as its secretariat.

With respect to cybercrime, the National Police Agency and the Prosecutor’s Office are responsible for enforcing the applicable laws.

Cybersecurity best practice and reporting

Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Yes, but it is uncommon, especially for small and medium-sized companies.

Are companies required to keep records of cybercrime threats, attacks and breaches?

There is no such legal obligation. However, the Act on the Prohibition of Unauthorised Computer Access provides that an administrator of computer systems or networks should endeavour to consistently check the integrity of its access control functions (Article 8). Therefore, it can be construed that companies should endeavour to keep such records in order to properly control their computer systems.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

There is no such legal obligation. If cybercrime entails a personal data breach, the company will be required to report it to the competent minister in accordance with the applicable guidelines.

Are companies required to report cybercrime threats, attacks and breaches publicly?

There is no such legal obligation. If cybercrime entails a personal data breach, the company will be required to report it to the individuals concerned in accordance with the applicable guidelines.

Criminal sanctions and penalties

What are the potential criminal sanctions for cybercrime?

Criminal sanctions for the major types of cybercrime in Japan are as follows:

  • The creation, provision or release of malware can result in imprisonment with work for a maximum of three years or a maximum fine of Y500,000 (Article 168-2 of the Penal Code).
  • The acquisition or storage of malware can result in imprisonment with work for a maximum of two years or a maximum fine of Y300,000 (Article 168-3 of the Penal Code).
  • Phishing and the unauthorised obtainment of identifying information via an online system can result in imprisonment with work for a maximum of one year or a maximum fine of Y500,000 (Article 12 of the Act on the Prohibition of Unauthorised Computer Access).
  • Unauthorised online access to computer systems or networks can result in imprisonment with work for a maximum of three years or a maximum fine of Y1 million (Article 11 of the Act on the Prohibition of Unauthorised Computer Access).
  • The unauthorised acquisition, use or disclosure of a trade secret can result in imprisonment with work for a maximum of 10 years, a maximum fine of Y20 million or both (Article 21 of the Unfair Competition Prevention Act).

What penalties may be imposed for failure to comply with cybersecurity regulations?

There are no such penalties. However, if such failure also falls under non-compliance with data protection provisions, the relevant minister may issue recommendations and corrective orders and a breach of such corrective orders is a criminal offence.

Law stated date

Correct as of

Please state the date as of which the law stated here is accurate.

November 2017.