Protection of personal information in Japan – core issues for foreign businesses

Japan’s Act on the Protection of Personal Information (APPI), the primary data protection legislation, was substantially revised in May 2017, bringing the regime more up to date for the era of Big Data. The changes expanded the scope of “personal information”, adopted a regime for anonymised data, implemented rules for the transfer of personal information and established the Personal Information Protection Commission (PPC), the regulatory body responsible for overseeing compliance with the APPI. The PPC subsequently issued guidelines on the handling of data losses (Data Loss Guidelines). The changes have seen a very significant increase in enquiries from foreign businesses on Japan’s data protection regime, and in this article we briefly outline the aspects of the APPI usually of most interest to them, being:

• the extraterritorial application of the APPI;
• data transfers; and
• the handling of data losses.

Certain obligations of the APPI apply extraterritorially to an overseas data controller which has obtained personal information of a data subject in Japan in relation to its provision of goods or services to that data subject and handles that personal information, or any anonymised information created from it, in a foreign country. The obligations include specifying the purpose of utilisation of the personal information and taking measures to protect against data leakages. Although the PPC’s powers against a data controller based overseas are limited, it may provide information to foreign regulatory authorities for their own regulatory enforcement purposes.

Data transfers
Transferring personal information to third parties requires the prior consent of the data subject unless an exception applies, the primary exceptions being transfers:

• specifically required or authorised by any Japanese laws/regulations; and
• pursuant to an opt-out whereby a data subject is notified of the proposed transfer of its personal information to a third party and given the opportunity to object to that transfer.

However, a transfer of sensitive information always requires the consent of the data subject unless an exception applies and the consent cannot be given through an opt-out. A transfer of anonymised information to a third party does not require the consent of the data subject, provided that the transferor gives certain notifications.

Certain entities are not regarded as third parties so the transfer of personal information (including sensitive information) to them does not require the data subject’s consent; these include a personal information/data processor and a company which jointly uses the personal information with the data controller. A transfer of personal information between a company and its branch may also not constitute a transfer of personal information to a third party where they are a single legal entity under the laws of the jurisdiction under which the branch was formed.

In addition, where a transfer of personal information is to a third party in a foreign country, either the consent to the transfer must make clear that it covers the transfer to a third party in a foreign country or, in the absence of consent and if either an opt-out is to be used or the transfer is not to a third party, the transferee must:

• be in a country specified by the PPC as having a data protection regime equivalent to the APPI’s (at the date of this article only the EU (including the EEA) is specified); or
• implement data protection standards equivalent to the APPI’s (e.g. by contract, or intra-group binding standards on handling personal information).

The APPI also introduced due diligence and record-keeping requirements on transfers of personal information.

Data loss notifications

Although the Data Loss Guidelines are a welcome step in clarifying the obligations of a data controller in handling data losses, the obligations are expressed in very general terms leaving data controllers to decide what specific action should be taken based on the facts of each case, and except in the most obvious cases guidance from the PPC will likely be required. For example, it is ‘desirable’ that the affected data controller report the incident within the data controller and take measures to prevent aggravation of any damage due to the incident, and ‘promptly’ notify the data subjects potentially affected unless the leaked data is encrypted at a high level. The data controller should also ‘make efforts’ to ‘promptly’ notify the PPC, unless, e.g., the leaked data is encrypted at a specified level, the data loss was obviously only internal, there is no risk of the affected data subjects being harmed, or the leakage is obviously insignificant.

While the obligation to report a data leakage to the PPC is only to make efforts, best practice would be to submit a report, or at least seek guidance from the PPC, unless an exemption clearly applies. If the data loss is very serious, e.g. the loss of bank account details and passwords, or the data controller is not certain what action to take, it should promptly contact the PPC (and local counsel) for guidance. How data subjects are notified of a data loss would depend on the seriousness of the loss and the harm it may cause; notifications to affected parties should be given in Japanese and, if any affected data subjects may not understand Japanese, in any other appropriate foreign language.

The PPC may investigate a data loss and the related actions of the data controller and if it finds defects in the data controller’s systems or actions it may give guidance to the data controller on improvement of its data management, or what steps to take to notify affected data subjects.

There are no sanctions under the APPI for failure to make a report or notification of a data loss, but if the PPC issues an order for improvement, failure to comply with it may render any responsible person liable to imprisonment and/or a fine, and a responsible entity liable to a fine. Similarly, data controllers are not required to pay compensation to data subjects unless ordered by a court, though many do so voluntarily, the amounts paid per data subject to date being quite small.

Ryuichi Nozaki
Atsumi & Sakai

Mr. Ryuichi Nozaki has been a partner of Atsumi & Sakai since 2007. He leads the privacy and data protection team at the firm, and has over 10 years’ experience advising on data protection and digital/technology issues. Mr. Nozaki has substantial experience in advising foreign-headquartered multinational clients, including a major sports apparel brand, a major credit card brand, and global online flight/hotel booking sites on data mapping, data security planning, drafting/reviewing privacy policies, handling data losses and communications with data privacy authorities. He co-authored Data Protection & Privacy (3rd Edition), Japan Chapter, Thomson Reuters (2016). He was admitted as an attorney (Bengoshi) in Japan in 2000, and worked at the London office of Mayer Brown for one year from the fall of 2007. He was resident partner at Atsumi & Sakai’s London office from January 2015 to January 2018.