Japan 


General | Data Protection Laws

National Legislation

    General data protection laws

    Japan is not an EU Member State and therefore has not implemented the Data Protection Directive. However, the Act on the Protection of Personal Information (Act No. 57 of 2003) (the “APPI”) contains similar provisions to those in the Data Protection Directive.

    In May 2013, the Act on Use, etc. of Numbers to Identify Specific Individuals in Administrative Procedures (Act No. 27 of 2013) (the so-called “My Number Act”) was enacted, under which an ID number is allocated to every individual so that the government can manage social security and tax systems effectively. Whether the ID number system can be used by the private sector will be discussed in three years, although there are concerns about the potential for personal information being leaked.

    Entry into force

    The majority of the provisions of the APPI came into force on 1 April 2005.

    It is expected that the bill to amend the APPI will be submitted to the Diet in 2015 and will, amongst other things, permit the transfer of so-called “big data” without obtaining the data subject’s consent, establish an independent data protection authority and restrict data transfer to a third country where the level of data protection is insufficient.


    National Regulatory Authority

Details of the competent national regulatory authority

The Consumer Affairs Agency has overall responsibility for the legal framework of the APPI.

Consumer Affairs Agency
Sanno Park Tower
11-1, Nagatacho 2-chome
Chiyoda-ku
Tokyo 100-6178

www.caa.go.jp 

In addition, each regulatory authority, such as the Financial Services Agency and Ministry of Economy, Trade and Industry, has authority to advise, recommend or order the businesses it supervises to comply with the APPI.

Notification or registration scheme and timing

    There is no requirement to make any notifications to the regulatory authority. However, the relevant authority can order an information handler to submit a report to the authority on the treatment of personal information.

    Exemptions

    Not applicable.

    Appointment of a data protection officer

    The APPI does not specifically require the appointment of data protection officers. However, the Financial Services Agency of Japan’s guidelines (the “FSA Guidelines”) require financial institutions to appoint data protection officers. The Ministry of Economy, Trade and Industry of Japan’s guidelines (the “METI Guidelines”) recommend that a company appoint a chief privacy officer.


    Personal Data

    What is personal data?

    The APPI defines personal information as information about a living person that would allow identification of the person as an individual. This includes such information as will allow easy reference to other information and will thereby enable the identification of the specific individual.

    Is information about legal entities personal data?

    No.

    What are the rules for processing personal data?

    As a general rule, information handlers must: (i) specify so far as possible the purpose for which personal information will be processed (“purpose of use”); (ii) not change the purpose of use such that it no longer has a reasonable relationship to the original purpose of use; (iii) not process personal information except to the extent required to achieve the purpose of use without the prior consent of the data subject; and (iv) when they obtain personal information as a result of succession to the business of another information handler, not process personal information without the prior consent of the data subject, except to the extent required to achieve the purpose of use prior to the succession.

    An information handler may not transfer personal information to a third party without prior consent of a data subject.

    Are there any formalities to obtain consent to process personal data?

    Consent is not generally required to process personal information. However, prior consent (oral or written) is needed for processing outside the scope of the original purpose of use.

    Financial institutions handling personal information are required by the FSA Guidelines to obtain consent to a change of purpose of use in writing.


    Sensitive Personal Data

    What is sensitive personal data?

    The APPI does not distinguish between different types of personal information based on the sensitive nature of such data. However, certain guidelines (including the FSA Guidelines) stipulate additional rules for processing sensitive personal information such as information relating to an individual’s political views, faith, labour union membership, race, ethnic group, family status, physical/mental handicap, sex life, criminal records and medical records.

    Are there additional rules for processing sensitive personal data?

    Certain guidelines (including the FSA Guidelines) provide that the relevant information handlers may not acquire, hold, use or transfer sensitive personal information except where strictly necessary. The rules vary slightly in each guideline.

    Are there any formalities to obtain consent to process sensitive personal data?

    Not applicable.


Scope of Application 

    What is the territorial scope of application?

    The APPI applies to information handlers: (i) which have their residences or offices (for example, headquarters or a branch) in Japan; or (ii) which are non-Japanese companies and carry on business in Japan.

    Who is subject to data protection legislation?

Japanese law does not contain the concepts of data controller and data processor. The APPI instead uses the concept of an “information handler”. This is any person or entity that possesses and uses for its business in Japan a database which contains personal information on more than 5,000 individuals on any day in the most recent six-month period.

The FSA Guidelines require financial institutions to make every effort to comply with the FSA Guidelines even if an entity possesses personal information on 5,000 or fewer individuals.

Are both manual and electronic records subject to data protection legislation?

The APPI applies to both manual and electronic records.

Compensation

Data subjects have a right to compensation for damages, including mental distress.

Fair processing information

Information handlers are required to make available to data subjects the following information (and must reply to a data subject’s request for such information without delay): (i) the information handler’s name; (ii) purpose of use of the data subject’s personal information; (iii) procedures for requesting access to personal information held by the information handler (including the amount of any fees payable); and (iv) details of whom to contact in order to lodge complaints concerning the handling of their personal information.

An information handler who has acquired personal information is required to promptly notify data subjects of the purpose of use of their personal information, except in cases where the purpose of use has already been publicly disclosed. When an information handler has changed the purpose of use, it must notify the data subject of the changed purpose of use or publicly announce such changed purpose of use.

An information handler is required to publish the privacy policy on its website or post or display copies of the privacy policy in its reception or other prominent position at its offices.

Rights to access information

An information handler is required to notify data subjects of the purpose of use of their personal information upon their request.

An information handler is required, upon a data subject’s request, to disclose such retained personal information as may lead to the identification of the data subject without delay.

An information handler may collect reasonable charges for the notification or disclosure mentioned above.

Objection to direct marketing

The APPI does not provide any specific rights to reject direct marketing. However, information handlers must not process personal information except to the extent required to achieve the purpose of use, without the prior consent of the data subject.

Other rights

Data subjects may require an information handler to correct, add to or delete their personal information if such information is not factually correct.

Data subjects may require an information handler to cease using or erase their personal information if such personal information is being used beyond the purpose of use without their consent, or was obtained by unfair means. The information handler may refuse such request if compliance with such request would cause the information handler to incur excessive costs, or where it would otherwise be difficult for the information handler to discontinue using or to erase the personal information, provided that the information handler takes necessary alternative measures to protect the rights and interests of the data subject.


Security requirements in order to protect personal data

Information handlers are required to implement appropriate control measures in respect of the personal information in their possession to prevent unauthorised disclosure, loss or damage of such personal information.

Specific requirements for appropriate control measures are provided in the guidelines issued by the regulatory authorities.

Specific rules governing processing by third party agents (processors) 

When an information handler entrusts a third party with the handling of personal information in whole or in part, the information handler must exercise necessary and appropriate supervision over the third party to ensure the security of the entrusted personal information.

Notice of breach laws

In general, there is no notice of breach obligation under the APPI. However, the FSA Guidelines require financial institutions handling personal information to: (i) report any incident including information leakage to the Financial Services Agency immediately; (ii) publish the factual details of the incident and measures to be taken to prevent a recurrence; and (iii) notify the facts of the incident to the relevant data subject. The METI Guidelines also recommend establishing a reporting system whereby any incident such as information leakage is notified to the relevant authority.


    Transfer of Personal Data to Third Countries  

    Restrictions on transfers to third countries

    The APPI does not distinguish between third parties in Japan and overseas, and there are no specific provisions dealing with transborder dataflows.

    Notification and approval of national regulator (including notification of use of Model Contracts)

    There is no requirement to make any notifications to or obtain any approvals of the regulatory authority.

    Use of binding corporate rules

    No concept of binding corporate rules is used in the APPI.


    Enforcement

    Sanctions

    Breaches of the APPI and/or related regulatory guidelines may result in civil liability or criminal sanctions, which include up to six months’ imprisonment or a fine of up to 300,000 Japanese yen.

    A breach of the APPI and/or related regulatory guidelines would not, of itself, be a criminal offence. However, a breach of the APPI and/or related regulatory guidelines may result in the relevant regulatory authority issuing an enforcement notice ordering the information handler to cease or improve data handling. A failure by the information handler to comply with such enforcement notice would be a criminal offence.

    Practice

    The relevant regulatory authority normally first asks for further information, gives advice on proper data handling or recommends that an information handler cease the violation and take other necessary measures to correct the violation. If the information handler does not take the recommended measures without good reason, the relevant regulatory authority may then order the information handler to take the recommended measures.

    The regulatory authorities issued 315 requests for reports, 2 pieces of advice and 7 recommendations between the APPI coming into force and the end of March 2013.

    Enforcement authority

    The relevant regulatory authority in respect of an information handler is the government ministry with jurisdiction over the business of the information handler. The Ministry of Health, Labour and Welfare (as well as the relevant government ministry) has authority to regulate handling of personal data in relation to employment. That regulatory authority has no power to take direct enforcement action other than by issuing enforcement notices. Importantly, the regulatory authority itself has no ability to impose criminal penalties on information handlers.

    A criminal prosecution against a person who fails to comply with an enforcement notice needs to be brought before a Japanese court. 


ePrivacy | Marketing and Cookies

    National Legislation

    ePrivacy laws

    Japan is not an EU Member State and, therefore, has not implemented the Privacy and Electronic Communications Directive. However, the Act on Specified Commercial Transactions (Act No. 57 of 4 June 1976) (the “ASCT”) and the Act on Regulation of Transmission of Specified Electronic Mail (Act No. 26 of 17 April 2002) (the “ARTSEM”) provide restrictions on direct marketing. 


    Cookies

    Conditions for use of cookies

    There are no special rules for cookies. If information collected by using cookies allows identification of an individual by reference to other information already available to a website owner, the owner is required by the APPI to notify the individual directly or publish the purpose of use of the personal information.

    Regulatory guidance on the use of cookies

    Not applicable.


    Marketing by E-mail

    Conditions for direct marketing by e-mail to individual subscribers

    It is only possible to send direct marketing e-mails to individual subscribers if they consent.

    Conditions for direct marketing by e-mail to corporate subscribers

    It is only possible to send direct marketing e-mails to corporate subscribers if they consent.

    Exemptions and other issues

    Under the ARTSEM, it is permitted to send e-mails for the purpose of direct marketing without consent if: (i) the recipient notifies the sender of its e-mail address in writing; (ii) the recipient has a business relationship with a person engaged in sales activities relating to the marketing; or (iii) the recipient is an organisation or an individual engaged in business who discloses its e-mail address on the Internet.

    Under the ASCT, it is permitted to send e-mails for the purpose of direct marketing without consent in connection with certain types of sales transactions if: (i) such e-mail for direct marketing is sent in association with notifications of important matters relating to contracts; or (ii) such e-mail for direct marketing is sent together with emails from free email providers, such as Yahoo! or Google.

    The sender of the e-mail must be identified by providing its name and address. The sender must also state the recipient’s right to opt out of further marketing e-mails and provide an e-mail address or URL for opting out.


    Marketing by Telephone

    Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

    It is not permitted to solicit a sales contract or a service contract from an individual subscriber who has expressed his/her intention not to enter into a sales contract or a service contract.

    Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

    It is not permitted to solicit a sales contract or a service contract from a corporate subscriber which has expressed its intention not to enter into the sales contract or a service contract.

    Exemptions and other issues

    When a product seller or a service provider solicits customers for their products or services by means of telephone communication, it is required to inform the recipient of the following information prior to the solicitation: (i) its name and address; (ii) the name of the person in charge of the solicitation; (iii) the type of product or service being offered; and (iv) the purpose of the telephone call (i.e., to solicit the custom of the recipient).


    Marketing by Fax

    Conditions for direct marketing by fax to individual subscribers

    There are no specific rules relating to unsolicited direct marketing by facsimile.

    Conditions for direct marketing by fax to corporate subscribers

    There are no specific rules relating to unsolicited direct marketing by facsimile.

    Exemptions and other issues

    Not applicable.

 

Contact Details

Stephen Webb and
Mamiko Nagai

Linklaters Tokyo

Tel: +(81) 3 6212 1249
Fax: (+81) 3 6212 1232
Meiji Yasuda Building 10F, 1-1, Marunouchi 2-chome, Chiyoda-ku, Tokyo 100-0005, Japan
www.linklaters.com

 

 
