Keeping watch on Data Privacy: Japan

This article introduces the regulations of Japan’s Act on the Protection of Personal Information (APPI) to which foreign business entities including controllers and processors (“foreign business entities” or “foreign operators”) should pay particular attention when handling personal information of individuals located in Japan.

EXTRATERRITORIAL APPLICATION

If the APPI does not apply extraterritorially, there is no need to consider its regulations. The APPI stipulates that it applies extraterritorially if a business entity is located outside Japan:

1. handles the personal data of individuals located in Japan (“data subjects”); and

2. handles this personal data in connection with providing goods or services to corporations and/or individuals located in Japan (article 171 of the APPI).

It does not matter whether the “business entity” is domestic or foreign. “Individuals located in Japan” includes data subjects regardless of their nationality, and whether their stay is temporary. The key point is that it is limited to cases related to the provision of goods or services.

For example, if a foreign business entity handles the personal data of employees of its branch in Japan as part of its global employee information management, that activity does not fall within the extraterritorial application of the APPI since it is not related to the provision of goods or services.

CROSS-BORDER TRANSFERS

As described, acquiring personal information for services targeted at Japan falls under the APPI. The methods of acquisition can be directly from data subjects or from domestic business entities, with the latter scenario involving complicated regulations. Although the subjects of these regulations are the domestic business entities intending to provide personal information to foreign businesses, understanding these regulations is imperative for foreign operators as well.

The APPI prescribes that when the domestic business entities transfer the personal data of data subjects to third parties in other countries (“cross-border data transfer”), the domestic entities shall obtain the consent of the data subjects in advance after providing them with specific reference information about the other countries (“reference information”, article 28, paragraphs 1 and 2 of APPI).

1. 1. The information to be provided includes:

      1. The name of the country concerned: If the destination country cannot be specified at the time of obtaining consent, it is necessary to provide the reason for this, along with information alternative to the name of the country (e.g. if the range of potential foreign countries is determined, that range should be provided); and

      2. Information about the personal information protection system in the foreign country: This requirement is aimed at making data subjects aware of the differences between domestic and foreign legal systems. Japan’s Personal Information Protection Commission (PPC) publishes summaries of major foreign systems on its website, and domestic entities can comply with the requirement with the provision of this information. If the foreign country of the recipient is not listed, the domestic entities would be likely first to inquire about the legal system from the foreign operator.

      3. The protective measures implemented by the third party for safeguarding personal data: If the foreign operator has taken all measures corresponding to the eight principles of the OECD Privacy Guidelines, simply providing this information suffices. If the measures taken by the foreign operator are unclear, providing that fact and the reasons suffice, but it is desirable to add explanations as they become clear.

   2. Scope of “foreign country”. The EU and the UK are excluded from the definition of “foreign country” in article 28 of the APPI and are treated as equivalent to transferring inside of Japan under the APPI. The APPI requires consent from data subjects before transference of personal data to a domestic third party as well (article 27, paragraph 1), but the regulations for transferring to a domestic third party are not as complex.

   3. Scope of “third party”. Foreign operators that have taken appropriate measures are excluded from the definition of “third party” in article 28 of the APPI. Specifically, if the measures taken by a third party in the foreign country are verified to meet the standards required for domestic business entities under the APPI, or if the third party in the foreign country has obtained certification under the Cross Border Privacy Rules system of the APEC (Asia-Pacific Economic Co-operation), it qualifies as having taken appropriate measures.

      Even when the third party in the foreign country qualifies as having taken adequate measures, where obtaining consent from the data subjects is not necessary, the domestic provider must ensure that the third party in the foreign country maintains adequate measures (article 28, paragraph 3 of the APPI). This involves taking actions such as annual certification to ensure the ongoing implementation of adequate measures, which can significantly burden the domestic provider. Thus, the requirement for adequate measures is not user-friendly.

   4. Penalties for violations. For domestic business entities that violate these regulations, the PPC may recommend corrective actions and, if not complied with, issue orders (article 148 of the APPI). If domestic entities fail to comply with these orders, the representatives of the entities in breach could face imprisonment for up to one year or a fine of up to JPY1 million (USD6,700), and the entities employing those individuals could be fined up to JPY100 million (USD670,000) (articles 178 and 184, paragraph 1, item 1 of the APPI).

DATA BREACH RULES

In the event of leakage, loss or damage of personal data (“data breach”) because of ransomware attacks or other incidents, the businesses shall report the data breaches to the PPC and to the data subjects (article 26 of the APPI).

1. PPC reporting and notification to affected data subjects are required in situations where:

   1. Personal data including sensitive personal data about the data subject, including but not limited to race, creed, social status, medical history and criminal record (see article 2, paragraph 3 of the APPI), has resulted in a data breach or is at risk of a data breach;

   2. The breach, or potential breach, of personal data could lead to financial harm, such as with leaked credit card numbers;

   3. Personal data has been breached or is at risk of a breach, because of malicious intent, such as in a third-party attack; and

   4. Where the breach or potential breach of data involves the personal data of more than 1,000 individuals.

2. The responsibility for PPC reporting and notification to the affected data subjects lies with the business entity that experiences the breach. This is straightforward in a case where the controller (business entity) experiences the data breach. However, if a processor (the subcontractor) experiences a data breach, both the controller and the subcontractor are responsible for reporting and notification. To prevent duplicate reporting, if the subcontractor informs the controller of the data breach, the subcontractor’s obligation to report and notify is considered fulfilled.

3. Reporting to the PPC involves:

   1. A preliminary report made within three to five days on the discovery of the incident, detailing what is known;

   2. A detailed report to be submitted within 30 days (60 days if the incident involves malicious intent) of discovery of the incident, including an overview of the incident, the types of personal data involved, the number of data subjects affected, the cause of the incident, the presence and nature of secondary harm or the risk thereof, the status of responses to data subjects, the status of public disclosure, protective measures for preventing recurrence and other relevant information; and

   3. Reports typically use the online reporting form of the PPC (https://roueihoukoku.ppc.go.jp/incident/?top=r2.kojindata), which requires Japanese-language proficiency. The time to be spent for translation should be considered, especially for the preliminary report.

4. In notifying the affected data subjects:

   1. There is an expectation of prompt notification according to the situation. However, the timing should be determined case by case.

   2. The notification should include an overview of the incident, the types of personal data involved, the cause of the incident, the presence and nature of secondary harm or the risk of such, and other relevant information.

   3. Direct notification to data subjects through documentation or email is standard, but if direct contact is not feasible, public disclosure or other methods might be used.

5. Failure to report to the PPC or to notify affected data subjects as required can result in the same penalties previously outlined for cross-border data transfer violations discussed in section (4) under the above-mentioned section: “Cross-border data transfer”.

In conclusion, this article outlined the general regulatory framework of the APPI for foreign operators handling personal data of individuals located in Japan and emphasised the importance of compliance with the provisions of the APPI for protecting personal data of data subjects in Japan.