Data Protection Regulation in Japan

The safety of private information was a major concern long before the digital age. More often than not, governments prefer to limit their citizens’ privacy, justifying their actions by counter-terrorism practices and the dangers of war, or simply because the country’s regime allows such restrictions. IDM is a next step in data protection: powered by its own patented data protection technology called SIZE, we are preparing to launch a global decentralised ecosystem that connects users who want to store information safely with miners who provide memory on their devices to generate income. In this series of articles, we introduce you to the development of data security through the ages. This week’s feature is data protection in Japan.

Before looking at data protection laws in Japan, we have to take a look at how Japan cooperates with the EU on data protection. On July 6, 2017, the European Commission and the Japanese government published a joint statement on international transfers of personal data. The statement mentions that the EU and Japan will continue their cooperation to recognize each other as having adequate levels of personal data protection. If this does indeed occur, personal data could be transferred compliantly between the EU and Japan without the need for instruments such as standard contractual clauses, binding corporate rules or privacy certifications.

The EU Commission has an existing “white list” of countries it has recognized in the past as having an adequate level of personal data protection relative to the EU. However, Japan was not one of those recognized countries. Japan’s reformed privacy law came into full force on May 30, 2017. Along with a significant number of changes, the new law also introduced a similar white-list concept. The mutual recognition will add Japan to the EU’s white list and make the EU Japan’s first “white listed” jurisdiction.

Even so, there remain a large number of differences between the privacy laws of the EU and Japan. However, particularly with Japan’s recent reforms, the differences are less significant. In particular, the establishment of the Personal Information Protection Commission in Japan, which is dedicated to the establishment and enforcement of privacy regulations, significantly enhances Japan’s privacy law system. Now let’s take a closer look at the data protection regulation in Japan.

The amended APPI (the “APPI Amendment”) came into force fully on 30 May 2017. The purpose of the law is to protect the rights and interests of individuals while ensuring due consideration for the usefulness of personal information, through basic principles for the proper handling of personal information. There is no concept of a “Data Controller” under Japanese law. However, the APPI uses the term “business operator,” which essentially refers to the entity responsible for the proper handling of all “Personal Information.” This is similar to the concept of data controller under EU law. There is also no concept of a “Data Processor” under Japanese law. As such, handling of personal data under the APPI should pertain to how a “business operator” treats and manages the personal information or personal data in its possession.

The APPI Amendment, amongst other things, permits the disclosure of so-called “big data” without obtaining data subjects’ consent and restricts data transfers, without obtaining data subjects’ consent, to a third country where the level of data protection is insufficient. In October 2015, the Act on Use, etc. of Numbers to Identify Specific Individuals in Administrative Procedures (the so-called “My Number Act”) came into force, under which an ID number is allocated to every individual so that the government can manage social security and tax systems effectively. Please note that this memo does not cover the My Number Act, which is a special law of the APPI.

The APPI defines personal information as information about a living person that would allow identification of the person as an individual. This includes such information as will allow easy reference to other information and will thereby enable the identification of the specific individual. Although the APPI Amendment does not change the coverage of personal information, it clarifies that information containing the code for personal identification, such as fingerprint data and passport number, is categorised as personal information.

As a general rule, information handlers must: specify so far as possible the purpose for which personal information will be processed; not change the purpose of use such that it no longer has a reasonable relationship to the original purpose of use; and not process personal information, without the prior consent of the data subject, except to the extent required to achieve the purpose of use.

An information handler may not transfer personal information to a third party without prior consent of a data subject. However, there are some exceptions to this requirement, for example where: (i) the disclosure is based on Japanese law; (ii) the disclosure is necessary for cooperating with a Japanese government entity in executing its legal duties, and obtaining the consent of a data subject is likely to impede the execution of such duties; (iii) the disclosure is for health or public hygiene purposes and it is difficult to obtain consent; (iv) the disclosure is part of a merger or other business succession, subject to it being used for the same purposes of use; (v) the disclosure is to a third party processor; (vi) the disclosure is to a joint user and the data subjects are informed; or (vii) the information handler informs data subjects of the transfer of information intended to be provided to a third party and those data subjects do not object (this last condition being the “opt out exemption”).

The APPI Amendment defines anonymous processed information (the “Anonymous Processed Information”) as the information obtained from personal information from which it is impossible to identify a specific individual. An information handler may transfer Anonymous Processed Information to a third party without obtaining the prior consent of the data subject, provided that it makes a public announcement and clarifies to the third party recipient that the data to be provided is categorised as Anonymous Processed Information.

Information handlers are required to implement appropriate control measures in respect of the personal information in their possession to prevent unauthorised disclosure, loss or damage of such personal information. When an information handler entrusts a third party with the handling of personal information in whole or in part, the information handler must exercise necessary and appropriate supervision over the third party to ensure the security of the entrusted personal information.

Notice of breach laws.

In general, there is no notice of breach obligation under the APPI. However, an Announcement issued by the Personal Information Protection Commission (PIPC) requires an information handler to exercise efforts to report any data breach to the PIPC (or, in some cases, a regulatory authority to which the authority to receive a report is delegated or a business association of which the information handler is a member).

Even in Japan, where blockchain technology is so developed, data protection is far from ideal. Don’t rely on someone else to protect you; come and join IDM!