1. Introduction
In the previous post, we examined the data governance framework in Singapore, an active player in the APAC region. In this post, we unpack Japan’s data protection framework from the perspective of: the grounds for processing data and the obligations imposed on organisations (II); the rights guaranteed to individuals (III); the rules governing cross-border data flows (IV); the penal and enforcement framework (V); and the exemptions given to law enforcement agencies (VI). Part VII concludes.
Japan regulates data protection through the Act on the Protection of Personal Information (“APPI”).[1] The Act’s stated aim is to ensure that personal information is handled in a manner that respects the personality of individuals (‘principals’ under the APPI).[2] Compliance with the Act and complaints under it are mainly overseen by the Personal Information Protection Commission (“PPC”), an independent regulatory body.[3]
The Japanese Cabinet has approved a bill amending the APPI, although it still has to be passed by the Diet, Japan’s parliament.[4]
II. Data processing and other obligations
Scope of the Act
The APPI applies to all business operators handling personal information (“business operators”).[5] It does not apply to central government organisations, local governments, and incorporated administrative agencies.[6]
Pursuant to the Act,[7] the government has issued the Basic Policy on the Protection of Personal Information, 2004.[8] The policy sets out directions for entities handling personal information under the APPI.
Consent
Business operators do not need an individual’s consent to collect their personal information; the only limitation is that personal information may not be acquired by deceit or other improper means.[9] Collecting sensitive personal information, however, additionally requires the individual’s consent, unless the collection is required by law; is necessary to protect a person’s life; is necessary to promote public hygiene; is necessary for cooperation with a government body; or the information has already been made public by the individual.[10]
Purpose limitation
Before handling personal information, business operators must specify the purpose for which it will be used (“utilisation purpose”) as explicitly as possible. Any change of purpose must stay within a scope reasonably related to the original purpose.[11] Consent is required only if the personal information is to be handled beyond what is necessary to achieve the utilisation purpose.[12]
Notification
Business operators must either announce the utilisation purpose to the public in advance[13] or notify the individual promptly after collection. Notification is not required where there is an urgent need to protect a person’s life, body or fortune; where the utilisation purpose is clear from the circumstances of collection; or where disclosure would harm the rights or legitimate interests of the business operator.[14]
Storage limitation
Business operators must delete personal data without delay once it is no longer needed for the specified utilisation purpose.[15]
Sharing of information
Business operators may share personal information with a third party within Japan only with the prior consent of the individual, unless the sharing is: (i) required by law or regulations; (ii) necessary to protect a person’s life or fortune and consent is difficult to obtain; (iii) necessary to improve public hygiene or foster the healthy development of children and consent is difficult to obtain; or (iv) necessary for cooperation with central government organisations or local governments, where obtaining consent would interfere with the performance of those affairs.[16] Further conditions apply to such transfers.[17]
III. Individual rights
The APPI provides for the following obligations on business operators and rights of individuals:
- Accuracy – Business operators must keep personal data accurate and up to date.[18]
- Security – Business operators must establish appropriate security safeguards to prevent the leakage, loss, or damage to personal information.[19]
- Record keeping and confirmation – When personal data is provided to or received from a third party, business operators must keep a record of certain information, such as the third party’s name, and, when receiving data, confirm with the third party how it was acquired.[20]
- Access and correction – Individuals have the right to be informed of certain matters, such as the name of the business operator and the utilisation purpose of retained data that identifies them, subject to certain conditions. They can also seek correction of errors in the retained data.[21]
- Disclosure – Individuals can require business operators to disclose the retained personal data that identifies them, subject to certain conditions.[22]
- Right to cessation/deletion – Where retained personal data that identifies an individual is handled contrary to the law (for instance, obtained by deceit or improper means, or used beyond the specified purpose), the individual can demand that the business operator cease using it (‘utilisation cease’) or delete it, and stop providing it to third parties, subject to certain conditions.[23]
At present, the APPI does not recognise a right to data portability, a right to be forgotten, a right to withdraw consent, or a right to data breach notification (although there is voluntary guidance on data breach notification).[24] Nor does the law embed an express data minimisation or proportionality principle. The proposed amendment is expected to introduce a data breach notification requirement in some form.[25]
IV. Cross-border data flows
The APPI permits a business operator to transfer personal information to a third party in a foreign country under any of three conditions: (i) the individual/principal has consented to the transfer; (ii) the foreign country has been designated by the PPC as having a data protection system equivalent to Japan’s; or (iii) the recipient has put in place a data protection system that meets the standards prescribed by the PPC.[26]
In January 2019, the European Commission granted an adequacy decision to Japan on the basis of its strong data protection guarantees, allowing personal data to move freely between the two jurisdictions.[27] A corresponding decision was taken on the Japanese side.[28] Incidentally, New Zealand is the only other APAC country to have received an EU adequacy decision.[29]
V. Enforcement framework
Complaint handling and enforcement
Ordinarily, an individual first submits a complaint to the business operator itself, which must deal with it “appropriately and promptly”.[30] Other organisations can also be accredited to handle complaints about the handling of personal information.[31]
Complaints can also be sent directly to the PPC, which will first try and mediate the dispute.[32] The PPC may also, in certain cases of rights violations, recommend that the business operator suspend or remedy the violating act.[33] In more serious cases of rights infringement, and when the recommendation is not acted upon, the PPC can also order the business operator to take certain action.[34]
In addition, the central and local governments must take “necessary action” to enable and facilitate the resolution of complaints (including mediation).[35] To this end, individuals may lodge a complaint with consumer centres established by local governments under Japan’s Consumer Safety Act or with the National Consumer Affairs Centre of Japan.
Penal framework
A fine of up to 500,000 yen, or imprisonment of up to one year, can be imposed on a business operator (or its employee) who covertly provides or steals a personal information database for their own or a third party’s illegal profit.[36] Fines of up to 300,000 yen can also be imposed for violating a PPC order or for submitting a false report to the PPC.[37]
VI. Exemption given to law enforcement agencies
Law enforcement agencies are regulated more strictly in Japan than in many other APAC countries discussed in this series.
Interception Act
Interception in Japan requires law enforcement agencies to obtain prior judicial authorisation. Even then, the duration of surveillance is limited to 10 days. In addition, law enforcement agencies must notify the subject of the surveillance within 30 days of its completion; a judge may extend this period if of the view that notification could compromise the investigation. Further, intercepted communications must be recorded appropriately and submitted to a judge, who can review whether the interception was proper.[38]
In addition to judicial oversight, there is independent Parliamentary oversight since the government must submit an annual report of the record of interceptions to the Japanese Diet, and then make such data public.[39] Japan also has ‘wiretapping instructors’ to monitor that the investigations are being conducted appropriately.[40]
Code of Criminal Procedure
The Japanese Code of Criminal Procedure requires that any search and seizure take place only pursuant to a court warrant.[41]
VII. Conclusion
In general, Japan has a strong data protection framework, although it does not require consent for the collection of personal data. The country promotes cross-border data transfer and does not impose any data localisation restrictions. In fact, the framework for the smooth and mutual transfer of personal data between Japan and the European Union has created the largest area of safe data flows in the world and is intended to improve operational efficiency, reduce costs, and benefit consumers.[42] Importantly, unlike several other APAC countries, Japan also places significant restrictions on the activities of law enforcement agencies.
Japan is also one of the most active players in the APAC region, with Prime Minister Abe spearheading the Osaka Declaration and the idea of ‘Data Free Flow with Trust’, to create a set of global rules governing the free flow of cross-border data backed by strong data protection and cyber security measures.[43] This is in line with Japan’s idea of ‘Society 5.0’, a super-smart society where big data, AI, and the internet of things innovate to grow the economy and resolve social issues.[44] This is in some contrast to Vietnam – the next country that we will examine in our series.
Authored by the Ikigai team.
[1] Act on the Protection of Personal Information (as amended in 2016), available at https://www.ppc.go.jp/files/pdf/Act_on_the_Protection_of_Personal_Information.pdf
[2] Article 3, APPI.
[3] See Personal Information Protection Commission, Japan, Roles and Responsibilities, available at https://www.ppc.go.jp/en/aboutus/roles/.
[4] For an analysis of the proposed amendment to the APPI, see Hiroyuki Tanaka et al, Analysis of Cabinet of Japan’s approved bill to amend APPI (March 2020), IAPP, available at https://iapp.org/news/a/analysis-of-japans-approved-bill-to-amend-the-appi/.
[5] The Act defines business operators as persons who provide a personal information database for use in business. See Article 2(5), APPI.
[6] Article 2(5), APPI.
[7] Article 7, APPI.
[8] Library of Congress, Online Privacy: Japan (2017), available at https://www.loc.gov/law/help/online-privacy-law/2017/japan.php#_ftn15.
[9] Article 17(1), APPI. Notably, the Act does not define ‘deceit’ or ‘other improper means’.
[10] Article 17(2), APPI.
[11] Article 15, APPI.
[12] Article 16, APPI.
[13] As per PPC Guidelines, the appropriate method of announcing the utilization purpose to the public could be through the business operator’s website, such that an individual can easily find the utilization purpose before submitting their personal data. See DLA Piper, Data Protection Laws of the World: Japan (2020), available at https://www.dlapiperdataprotection.com/system/modules/za.co.heliosdesign.dla.lotw.data_protection/functions/handbook.pdf?country-1=JP
[14] Article 18, APPI.
[15] Article 19, APPI.
[16] Article 23(1), APPI.
[17] Article 23(2), APPI.
[18] Article 19, APPI.
[19] Article 20, APPI.
[20] Articles 25 and 26, APPI.
[21] Articles 27 and 29, APPI.
[22] Article 28, APPI.
[23] Article 30, APPI.
[24] Deloitte, Unity in Diversity: The Asia Pacific Privacy Guide (2019), available at https://www2.deloitte.com/content/dam/Deloitte/nz/Documents/risk/apac-privacy-guide-interactive.pdf.
[25] IAPP, supra note 4.
[26] Article 24, APPI.
[27] European Commission, European Commission adopts adequacy decision on Japan, creating the world’s largest area of safe data flows (2019), available at https://ec.europa.eu/commission/presscorner/detail/en/IP_19_421
[28] The decision was taken under Article 24, APPI. See PPC, The framework for mutual and smooth transfer of personal data between Japan and the European Union has come into force (2019), available at https://www.ppc.go.jp/en/aboutus/roles/international/cooperation/20190123/
[29] Deloitte, supra note 24.
[30] Article 35, APPI.
[31] Articles 47 and 52, APPI.
[32] Article 61(ii), APPI.
[33] Article 42(1), APPI.
[34] Article 42(2), APPI.
[35] Articles 9 and 13, APPI.
[36] Article 83, APPI.
[37] Articles 84 and 85, APPI.
[38] Act on the Interception of Communications. See Permanent Mission of Japan, Information for OHCHR relating to “The right to privacy in a digital age” (2014), available at https://www.ohchr.org/Documents/Issues/Privacy/Japan.pdf. See also, UNODC, Current practices in electronic surveillance in the investigation of serious and organized crime (2009), available at https://www.unodc.org/documents/organized-crime/Law-Enforcement/Electronic_surveillance.pdf.
[39] Id.
[40] Police can use wiretapping devices to decrypt and record at prefectural HQs across Japan from June, Japan Times (April 2019), available at https://www.japantimes.co.jp/news/2019/04/25/national/crime-legal/police-can-use-wiretapping-devices-decrypt-record-prefectural-hqs-across-japan-june/#.XqswLpMzY_U.
[41] Sections 106-113, Code of Criminal Procedure of 1948, available at http://www.japaneselawtranslation.go.jp/law/detail/?printID=&ft=2&re=02&dn=1&yo=criminal&ia=03&x=0&y=0&ky=&page=2&vm=02.
[42] PPC, supra note 28, available at https://www.ppc.go.jp/en/aboutus/roles/international/cooperation/20190123/.
[43] Masumi Koizumi, Japan’s pitch for free data flows ‘with trust’ faces uphill battle at G20 amid ‘splinternet’ fears, Japan Times (June 2019), available at https://www.japantimes.co.jp/news/2019/06/27/business/tech/japans-pitch-free-data-flows-trust-faces-uphill-battle-g20-amid-splinternet-fears/#.XqsznJMzY_U.
[44] Id.