Morrison | Foerster
What You Need to Know About Japan's New Law Concerning the Protection of Personal Information
May 2005

Introduction

Japan’s new Law Concerning the Protection of Personal Information (the "Law") went into effect as to the private sector on April 1, 2005,[1] and already companies are facing greater scrutiny by the government of their privacy and security practices.  The government’s aggressive stance is largely due to the growing number of privacy and data leakages that have occurred in recent months, particularly in the financial services sector.  As a result, many organizations are scrambling to come into compliance with the new law but, as they are now discovering, the process of coming into compliance is complex and time-consuming.  Even those companies that have harmonized their privacy policies on a global or enterprise-wide basis to satisfy the EU standard – typically considered to be the highest privacy standard – may find that they need to revise their privacy policies in some areas to meet more stringent Japanese requirements.

The complexity stems from the fact that the Law is only one part of a body of laws, policies, guidelines, and ordinances promulgated by the Japanese government to regulate the collection, use, and transfer of personal information.  While the Law tracks to some extent the principles set forth in the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,[2] the Law and its implementing guidelines depart in some significant ways from the OECD Guidelines and the regulatory schemes of the United States and the European Union.  To help you understand this seemingly complex regulatory scheme, we summarize the major obligations imposed by the Law and accompanying guidelines and offer some practical suggestions for compliance for businesses operating in Japan.   

The Regulatory Scheme

The U.S. privacy approach relies on a mixture of sector-specific regulation, public declaration in the form of published privacy policies, and government enforcement of those policies; the EU takes a comprehensive legislative approach.  The Japanese approach is a hybrid of the two, relying on a detailed regulatory framework as well as private sector self-regulation.  As mentioned above, the Law is only one part of a body of laws, policies, guidelines, and ordinances promulgated by the Japanese government to regulate the collection, use, and transfer of personal information.  Consistent with Japanese legal tradition, the Law, as a statute, only outlines general requirements, leaving the details of regulation to the executive branch to develop through the adoption of administrative guidelines.  Once the Law was enacted, the Prime Minister, through his Cabinet, issued a Basic Policy in April 2004 to serve as a guide for the various ministries charged with the enforcement of the Law within their respective industry sectors (the "Competent Ministries").[3]  The Basic Policy was also intended "to promote comprehensive and consistent measures concerning the protection of Personal Information."[4]  The Competent Ministries relevant to most businesses operating in Japan and their respective jurisdictions include:

Ministry: Jurisdiction

  • Ministry of Economy, Trade and Industry (METI): General commercial transactions; consumer credit
  • Ministry of Health, Labor and Welfare (MHLW): Employment; healthcare institutions; clinical research
  • Financial Services Agency (FSA): Financial services
  • Ministry of Finance: Export/import; salt; tobacco; alcohol; licensed tax accountants (zeirishi)
  • Ministry of Internal Affairs and Communications (MIC) (formerly the Ministry of Public Management, Home Affairs, Posts and Telecommunication): Telecommunications; broadcasting
  • Ministry of Land, Infrastructure and Transport (MLIT): Construction (including construction consulting); real estate; land assessment; travel and tourism; airlines, railroads, buses, taxis; automobile inspection (shaken); storage; logistics and distribution; shipping (trucking companies); weather forecasting; land surveying; geologic inspection
  • Ministry of Justice: Public interest corporations (kōeki hōjin, e.g., universities); legal scriveners (shihōshoshi); registered land and building investigators (tochikaokuchōsashi); loan servicing


Each Competent Ministry, in turn, has promulgated guidelines that detail specific obligations and recommendations.  The guidelines contain both mandatory and voluntary provisions, and businesses operating in Japan must carefully examine the guidelines issued by the Competent Ministries under whose jurisdiction they operate.  A business may be subject to multiple guidelines depending on the scope of its business operations, and the provisions of such guidelines may not be the same, and may actually conflict.

Key concepts

A.  Personal Information

The Law defines "personal information" as "information that relates to living individuals and that can be used to identify specific individuals by name, date of birth, or other description (including that which can be easily compared with other information and thereby used to identify specific individuals)."[5]  This definition is very broad and essentially means any information that can identify a specific individual.  This includes publicly available information, business contacts, professional designation and registration (e.g., license or bar registration number), employee (human resources) information, and patient data.[6] 

B.  Personal Information Databases

The Law sets forth specific duties for businesses that use "Personal Information Databases" for their business operations.  "Personal Information Databases" include both computer databases and non-computerized data that can be easily retrieved using a table of contents or index (e.g., a card catalog).[7]

C.  Businesses Handling Personal Information

The Law targets businesses to the extent that such businesses are considered "Businesses Handling Personal Information."[8]  A Business Handling Personal Information ("Business") refers to any person (natural person or legal entity) who uses Personal Information Databases.[9]  Excluded from this definition are national and local government agencies, independent administrative corporations, and other persons designated by government ordinance as being little or no threat to the rights or welfare of individuals with respect to their processing or use of Personal Information.[10]  The Japanese government has issued an ordinance that, if not more than 5,000 individuals can be specified in the past six months in the Personal Information Databases that a Business uses, the Business is not such a threat and is not subject to the requirements of the Law.[11]

D.  Principal

The "Principal" (sometimes called the "data subject" in other jurisdictions) is the specific individual identified by the Personal Information.[12]  It is important to note that the Principal is not defined as the owner of the Personal Information.  This reflects a policy decision by the Japanese government to avoid a regulatory scheme that dictates or depends on ownership of Personal Information as a guiding principle, and, unlike in other jurisdictions, the Law does not set forth "rights" that attach to ownership of Personal Information.  Rather, the Principal is the person to whom the data relates.

E.  Third Parties

Under the Law and the associated guidelines, corporate affiliates are considered to be third parties.[13]  However, the definition of third parties excludes entities that process data on behalf of a business ("delegates").[14]  The definition also excludes other companies acquired by or that acquire a business through a merger or acquisition.[15]  Further, other entities that jointly use data held by a business (e.g., co-marketing partners) are not considered third parties, provided that certain notification requirements are met.[16]

General Requirements of the Law

The Law specifically requires that Businesses:

  • Specify the purposes of use in the handling of Personal Information.
  • Limit use to that which is necessary to achieve such purposes.
  • Acquire information fairly.
  • Provide notice regarding purposes of use.
  • Maintain accurate data and keep such data up-to-date as necessary to achieve the purposes of use.
  • Adopt security control measures.
  • Supervise employees and delegates handling Personal Information.
  • Obtain consent prior to sharing data with third parties (subject to a "joint use," as well as an "opt-out," exception).
  • Permit access to and correction of Personal Information by the Principal.
  • Create a system for handling complaints.

We discuss the major requirements in greater detail below.

F.  Notice

Businesses are required to provide notice directly to the Principal (e.g., by letter) or by public announcement (e.g., on a website).  They must specify the purpose of data processing and the intended use (the "Purpose of Use") of Personal Information they collect or acquire from third parties.  The Purpose of Use must be set forth with specificity – general statements will not likely be considered to sufficiently place Principals on notice.[17]  Notice must be given promptly after the acquisition of Personal Information unless prior notice was given or the Purpose of Use was previously announced.

Each of the Ministries’ guidelines highlights how notice must be given in particular situations.  For example, the MHLW Employment Guidelines require that the Purpose of Use notice be specific and detailed enough that an employee can reasonably foresee the ultimate use of his or her Personal Information.[18]  The FSA Guidelines require that the Purpose of Use indicate the particular financial product or service to be provided.[19]  The FSA Guidelines also require that Businesses identify third-party recipients of Personal Information individually in the notice – it is not sufficient to list categories of third-party recipients.[20]  METI requires that, if Businesses monitor employees, such Businesses must: (i) notify employees in advance of the Purpose of Use of any Personal Information acquired during such monitoring; (ii) disclose internally in advance the rules concerning such monitoring; and (iii) supervise the monitoring.[21]

The Law generally requires that Businesses limit their use of Personal Information to that use which is necessary to achieve the stated Purpose of Use.[22]  Any change to the Purpose of Use requires new notice, and consent of the Principal is required if the new Purpose of Use is not connected with the original purpose.[23]

In addition, the Business must place Principals in circumstances whereby Principals can easily find out (such as by placing on a website or distributing pamphlets, etc.) the name of the Business, and the procedures the Business will follow to respond to requests for access to and correction of their Personal Information, as well as where to submit complaints regarding the handling of Personal Information.[24]  In contrast, privacy laws in other jurisdictions only require that individuals be notified about their access and correction rights; these laws do not require that Businesses describe in detail the process by which they will respond to access requests. 

The guidelines provide that notice to Principals and the appropriate Ministry or governmental body also should be given in the event of a data leak or breach.  Neither the Law nor the guidelines, however, distinguish between data that are leaked and data that are lost or destroyed.[25]  This breach notification requirement, the first of its kind to be included in national privacy regulations, raises a number of issues for Businesses that are not fully addressed in the guidelines.[26]  For example, it is not clear how promptly such notice must be given, particularly if an investigation into the breach is ongoing, or how much information about the breach must be provided. 

Overall, the degree of notice specificity surpasses that required by the OECD Guidelines, the EU Directive,[27] and many other national privacy laws.  Businesses in Japan, therefore, will need to draft privacy notices that are far more detailed than those they are accustomed to drafting in other jurisdictions.

G.  Third-Party Disclosures

Consistent with third-party disclosure requirements imposed in other jurisdictions, Businesses in Japan must: (i) provide notice (discussed above); and (ii) obtain prior opt-in consent to share information with third parties, unless such sharing was included in (x) a previous notice or (y) the stated Purpose of Use.  Unlike in some jurisdictions, however, such as Australia, Canada, and the United States, any separate legal entity – even an affiliate – is considered a third party under the Law. 

In addition, with respect to Personal Information used in employment management, the METI Guidelines and the MHLW Employment Guidelines suggest that Businesses should always remain accountable for the treatment of Personal Information by third parties even if the Principal has expressly consented to the transfer.  In particular, METI and MHLW recommend that Businesses confirm with third-party recipients that such recipients will: (i) not use such Personal Information outside the stated purpose of use; (ii) obtain approval from the Business making the disclosure before any further disclosure to another third party; (iii) prohibit duplication of any Personal Information; and (iv) return, delete, or destroy Personal Information after the purpose of use has been achieved.  Such accountability exceeds that which is required under the EU Directive and in most other jurisdictions, so Businesses will want to review their existing agreements with third parties to ensure that they meet these requirements.

H.  Joint Use Exception

Because the definition of third parties is so broad that it includes affiliates, the Law provides an exception to permit joint use of Personal Information among third parties without the consent of the Principal where the conditions of the joint use are disclosed to the Principal prior to the commencement of the joint use.[28]   In order to take advantage of the joint use exception, the joint users must disclose: (i) the fact that Personal Information is to be jointly used; (ii) the items of Personal Information to be jointly used; (iii) the parties who are to jointly use the Personal Information; (iv) the purpose of the joint use of the Personal Information; and (v) the name or title of the entity or person responsible for the management of the Personal Information.[29]  Because it is uncertain how the Competent Ministries will deal with liability among the joint users, it is likely that the joint use exception will primarily be used by corporate affiliates and not unrelated entities.[30]

I.  Opt-Out Exception

Another important exception to the general rule requiring prior opt-in consent before sharing Personal Information with third parties is the opt-out exception.[31]  In order to avail itself of this exception, a Business must provide notice to the Principal of the following or place the Principal in circumstances whereby such things can be easily known prior to the sharing: (1) providing personal data[32] to third parties is included in the purpose of use; (2) the items of personal data to be provided to third parties; (3) the method to be used in order to transfer personal data to third parties; and (4) upon request by the Principal, provision to third parties of personal data that identifies the Principal shall cease.[33] 

In certain contexts, however, this exception is not available.  For example, the FSA Guidelines provide that this opt-out exception cannot be used for the sharing of credit information with credit bureaus.[34] 

J.  Data Security

The Law generally requires that Businesses adopt appropriate measures to prevent unauthorized disclosure, loss, or destruction of Personal Information.[35]  The implementing guidelines, with varying degrees of specificity, provide for the implementation of organizational, personnel, physical, and technical security control measures.  The FSA, for example, has issued very detailed separate guidelines regarding security control measures to be taken by financial institutions, such as specific handling rules for every stage of handling of personal data – from acquisition and input, to processing and use, and to transfer and deletion.[36]  In addition, the FSA requires internal inspection and external audits to measure compliance as well as setting up a ledger book so that the current state of the handling of personal data can be recorded and confirmed.[37]  The FSA also requires appointment of a Chief Privacy Officer ("CPO") and that the CPO be a top-level executive or director.[38]

Whereas the FSA security control provisions are for the most part mandatory, the METI Guidelines regarding security control set forth general requirements for organizational, personnel, physical, and technical security control, and provide detailed examples of how to meet such requirements, although they make it clear that such examples are not the only way to comply with such requirements and are thus not mandatory.

The Law further requires the supervision of employees and delegates who handle Personal Information to ensure that they comply with security obligations.[39]  In the case of third-party outsourcing, agreements that set out the respective responsibilities of customers and vendors are required,[40] and vendors should have in place protective measures to prevent leaks.  Further, the implementing guidelines indicate that it is desirable or mandatory for Businesses to adopt criteria for selecting delegates that take into account security and supervision concerns.[41]

Compared to security measures required in other jurisdictions such as Italy, Spain, and Korea, which are known for having special security provisions, the security control measures in the various guidelines are far more comprehensive and prescriptive.  Businesses should review thoroughly their security procedures and practices and, where necessary, implement new procedures to come into compliance with Japanese security requirements.

K.  Access and Correction

1.  General Requirements

The Law requires that Businesses provide Principals with access to their Personal Information.[42]  In this connection, Businesses must respond promptly to access requests.[43]  A Business may deny an access request only if: (i) the life, safety, property, or another right or the welfare of an individual or third party would be harmed; (ii) appropriate execution of business operations would be markedly impaired; or (iii) another law or ordinance would be violated.[44]  If a Business denies an access request, the reasons for such denial must be provided to the Principal without delay.[45]

If it is appropriate to do so, a Business must make a correction requested by the Principal,[46] and a Business must promptly notify the Principal whether the requested action was taken, and the substance of any corrections, additions, or deletions.[47]  If a Business denies a request to make a correction, the Business must provide the Principal with the reasons for such denial.[48]

2.  Guidelines

The FSA and MHLW provide voluntary guidelines regarding access and correction.  The FSA Guidelines recommend that a Business publicly announce access procedures together with any privacy policy.[49]  The MHLW Employment Guidelines recommend that a Business: (i) provide written reasons for a denial of access and an explanation of the Business’s dispute resolution system;[50] (ii) establish a committee responsible for making decisions about whether to grant access;[51] and (iii) indicate in its records the name of the person making any correction, the contents of the correction, and the date of the correction.[52]

L.  Cessation of Use

The Law generally provides that a Principal may request that a Business cease use of or delete his or her Personal Information if the acquisition or use of that information was unlawful.[53]  A Business must respond to such requests to either cease use of or delete Personal Information.[54]  If such a request is found to be reasonable, the Business must either stop using or delete the Personal Information, as requested.[55]

M.  International Transfers

Unlike the EU Directive, the Law does not impose additional requirements on cross-border data transfers.  In fact, the Law makes no distinctions between transfers to entities within or outside the country.  The third-party disclosure and joint use rules apply regardless of the jurisdiction in which the third party or joint user is located, and Businesses are accountable for the acts of their delegates or joint users, even if such delegates or joint users are located outside Japan.  The "accountability" approach to cross-border transfers in Japan is similar to that used in Canada.[56]

N.  Complaint Handling System

The Law also generally provides that Businesses are required to establish systems to process complaints.[57]  Approved Personal Information Protection Organizations[58] will also be required to respond promptly to individual complaints.[59]  The Law also contemplates that local public entities will mediate when complaints cannot be resolved by Businesses and/or the Approved Personal Information Protection Organizations.[60]

Liabilities and Risks

Failure to comply with the Law and its associated guidelines can expose a Business to a variety of sanctions and liabilities.  Enforcement of the regulatory scheme rests primarily in the hands of the Competent Ministries.  Violations of ministry guidelines may result in advice, admonishment, or ministerial order, depending on the nature and severity of the violation.[61]  Failure to comply with a ministerial order can result in imprisonment for not more than six months or a fine of not more than ¥300,000.[62]  Corporations are also subject to fines.[63]  Failure to comply with the Law may also expose a Business to contractual and tort liabilities, keeping in mind that Japanese law provides for vicarious liability for employers.[64]  A significant liability that must not be underestimated is the damage to the goodwill of a Business that can result from a data leak or other mishandling of Personal Information.  Such damage to reputation is often difficult to repair.

Compliance

With limitless funds, it may be possible to implement every desirable measure in the implementing guidelines, as well as all the mandatory measures of the Law and the implementing guidelines.  More realistically, before deciding what measures it will take for the protection of Personal Information under the Law and the implementing guidelines, a Business needs to assess the nature and value of the Personal Information that it holds, the potential harm that could be caused by a leak or other unauthorized use or disclosure, and the risk factors associated with that Personal Information.  The appropriate measures to take will vary depending on the industry in which the Business operates, the size of the Business’ operations, the amount of Personal Information that it holds, and the sensitivity of the personal data held.

The following is a simple checklist to assist a Business in determining how to comply with the Law and the implementing guidelines:

  • Review internal and external data flows, particularly for points at which your business collects or transfers Personal Information.
  • Review what kinds of Personal Information are being collected (e.g., is there any particularly sensitive information – credit card numbers, race/ethnicity, religion/faith, membership in a labor union, or health-related information – that is being gathered and used by the Business?).
  • Review current privacy policies/statements and collection notices, if any presently exist, and revise or draft as necessary.
  • Consider the system needed to receive inquiries, requests, and complaints from Principals.
  • Review current data security practices and make sure necessary organizational, personnel, physical, and technical security control measures are taken.
  • Review internal rules and implement new rules that prohibit misuse or unauthorized disclosure of Personal Information during and after employment, and that specify the disciplinary measures to be taken in case of violation.
  • Train employees on new rules and security measures.
  • Consider whether confidentiality agreements are needed with employees.
  • Review contracts with third parties (including affiliates) for compliance with data security provisions.
  • Make sure your IT, compliance, and communications departments know how to react in case of a data leak.


Footnotes

[1] The Law went into effect as to the public sector in 2003.

[2] See OECD, Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data (Sept. 23, 1980).  The OECD, representing member countries from Europe, Asia, and North America, adopted voluntary guidelines in 1980 in order to achieve a balance between the need for privacy and the need for the free flow of information in regulating transmission of information and the use of databases.  Among other things, the Guidelines recommend limits on the collection of data, a relevancy requirement, a "purpose" limitation on use of data, reasonable security safeguards, subject access and correction rights, openness concerning the existence and policies of any databases, and prohibition on disclosure absent the subject’s consent or authorization under law.

[3] Law, Art. 36.

[4] Law, Art. 7.

[5] Law, Art. 2(1).

[6] METI Guidelines Targeting Economic and Industrial Sectors with Regard to the Law Concerning the Protection of Personal Information ("METI Guidelines"), Art. II.1.(1)

[7] Law, Art. 2(2).

[8] Note that the following entities are specifically excluded from obligations placed on Businesses: (i) the press, (ii) professional writers, (iii) universities and other academic institutions and professionals, (iv) religious bodies, and (v) political organizations.  Law, Art. 50.

[9] Law, Art. 2(3).

[10] Law, Art. 2(3)(i)-(iv).

[11] Enforcement Order for the Law Concerning the Protection of Personal Information (Cabinet Order No. 507 of 2003) (hereinafter, "Cabinet Order"), Art. 2.

[12] Law, Art. 2(6).

[13] METI Guidelines, Art. II.2(4).

[14] Law, Art. 2(4)(i).

[15] Law, Art. 2(4)(ii).

[16] Law, Art. 2(4)(iii).  For a more detailed discussion of the "joint use exception," see Section IV.C, below.

[17] Law, Art. 15; METI Guidelines, Art. II.2(1).

[18] MHLW Guidelines Relating to Measures to Be Taken by Businesses in Order to Ensure the Proper Handling of Personal Information Relating to Employment Management ("Employment Guidelines"), Art. 3.1.

[19] FSA Guidelines, Art. 3.1.

[20] FSA Guidelines, Art. 13.1.

[21] METI Guidelines, Art. II.2(3); MHLW Employment Guidelines, Art. 3(1).

[22] Law, Arts. 15 and 16.

[23] Id.

[24] Law, Art. 24(1), Cabinet Order Art. 5. 

[25] For example, the Ministry of Land, Infrastructure and Transport, issued a response to a public comment on this issue on November 15, 2004, stating "Since there is a possibility that the rights and interests of the Principal will be harmed by loss or damage to the data as well, we believe it is necessary for public announcement and report to the ministry regarding the facts of loss or damage to data as well."

[26] Although breach notification requirements are not embodied in other national privacy laws, pressure is mounting in some countries such as the United States to enact similar requirements on a national level.  In Canada, the Office of the Privacy Commissioner recently issued findings of its investigation into incidents of misdirected facsimiles at the Canadian Imperial Bank of Commerce and recommended that the bank implement a mechanism to immediately notify any affected persons in the event that their personal information has been inappropriately disclosed.  The findings in this case are available at http://www.privcom.gc.ca/incidents/2005/050418_01_e.asp.

[27] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("EU Directive"), Official Journal of the European Communities of 23 November 1995 No L. 281, p. 31.

[28] Law, Art. 23(4)(iii).

[29] Id.

[30] Law, Art. 23(4)(iii).

[31] Law, Art. 23(2).

[32] Technically speaking, "personal data" is not the same as "Personal Information" in that personal data includes only the personal data that make up a "personal information database" that a Business has the authority to disclose, correct, add or delete, or cease use or transfer, and is not scheduled for deletion within six months. (Law, Art. 2(5); Cabinet Order Art. 4)

[33] Law, Art. 23(2).

[34] FSA Guidelines, Art. 13.5.

[35] Law, Art. 20.

[36] FSA Practical Guidelines, I.(1)1-2.

[37] FSA Practical Guidelines, I.(2)2-4.

[38] FSA Practical Guidelines, I.(2)2-1.

[39] Law, Arts. 21 and 22.

[40] METI Guidelines Section II.2.(3)4).

[41] For example, the METI Guidelines provide that having such selection criteria is a desirable security control measure at Section II.2.(3)2), the MHLW Employment Management Guidelines state in stronger terms that such selection criteria are necessary at Section 4.3 (the Japanese in the MHLW Guidelines is ambiguous as to whether these provisions are mandatory, but the language used is stronger than that used in the METI guidelines), and the FSA Guidelines provide that it is mandatory to have such selection criteria in its Practical Guidelines for Security Control Measures at Section III.5-1.

[42] Law, Art. 25.

[43] Id.

[44] Id.

[45] Law, Art. 28.

[46] Law, Art. 26(1).

[47] Law, Art. 26(2).

[48] Law, Art. 28.

[49] FSA Guidelines, Arts. 19(1) and 23.

[50] Commentary to the MHLW Guidelines, pp. 27-30.