MONOLITH LAW OFFICE+81-3-6262-3248Weekdays 10:00-18:00 JST

MONOLITH LAW MAGAZINE

General Corporate

Breaking News: First Arrest for Violation of the Personal Information Protection Law in Business Card Data Breach Incident

General Corporate

Breaking News: First Arrest for Violation of the Personal Information Protection Law in Business Card Data Breach Incident

What are the legal issues associated with handling business card data in daily business activities? Although business cards are distributed to many people, taking this data for illicit gain could potentially be considered a criminal offense.

There was a case where a man in his forties was arrested by the Tokyo Metropolitan Police Department for illegally providing business card data from his former employer to the company he transferred to.

In this article, we will introduce this incident and explain the first arrest case for a violation of the Personal Information Protection Law.

The Course of the Business Card Data Leak Incident

On September 15, 2023, a man in his forties was arrested by the Tokyo Metropolitan Police Department on suspicion of violating the Japanese Act on the Protection of Personal Information (unauthorized provision) for illegally providing business card data from his former employer to his new workplace.

The man was employed at a construction-related staffing agency and is alleged to have shared his ID and password, which could access the business card information management system, with a colleague at his new job via a chat app when he changed jobs in June 2021. The system contained a large amount of business card data, and the shared ID and password allowed access to this information. It is believed that these personal details were actually used for sales activities at the new company.

Reference: Nikkei Inc. | Business Card Data, Risk Management, First Arrest for Suspicion of Providing Personal Information[ja]

Related Article: What is the Act on the Protection of Personal Information and Personal Information? Explained by a Lawyer[ja]

The Unfair Competition Prevention Act and the Personal Information Protection Act

Normally, the act of illicitly taking information is regulated by the Japanese Unfair Competition Prevention Act. The “trade secrets” protected under the Unfair Competition Prevention Act must meet all three of the following requirements:

  1. Managed as a secret (secrecy)
  2. Useful for business or similar purposes (utility)
  3. Not commonly known to the public (non-public knowledge)

In cases like business cards, which are inherently intended for distribution to third parties, the information listed on the cards is considered not to meet the requirement of non-public knowledge among the above criteria. Therefore, it appears that the Metropolitan Police Department did not treat the suspected facts as a violation of the Unfair Competition Prevention Act.

Related article: What is the relationship between the removal of trade secrets and the Unfair Competition Prevention Act?[ja]

However, the names and email addresses listed on business cards do fall under “personal information” as defined by the Japanese Personal Information Protection Act. Consequently, it is believed that the Metropolitan Police Department has treated the allegations in this case as a violation of the Personal Information Protection Act. The Personal Information Protection Act prohibits the act of providing a database of personal information for the purpose of obtaining an unjust profit, with penalties of imprisonment for up to one year or a fine of up to 500,000 yen (Personal Information Protection Act Articles 179 and 180).

This crime of unlawful provision was newly established by the amended Personal Information Protection Act, which came into effect in May 2017 (Heisei 29). Prior to this amendment, there was an issue where individuals who were not business operators could misappropriate personal information and provide it illicitly without being subject to any punishment. In fact, before this amendment, there were numerous cases where employees within a business illicitly took personal information and sold it to traders for profit. Notably, the incident where an employee of a subcontractor for a major correspondence education company illicitly took out about 30 million pieces of personal information and sold it to a list broker caused a significant social issue and served as a catalyst for the amendment.

Measures Necessary to Prevent Employee Data Breaches of Personal Information

In recent years, the digitization of business cards and cloud-based business card management have become widespread. Generally, employees are set up to access only the business card data they have registered, but it is also possible to share and utilize business card information across departments or teams.

If an employee leaks customer information, it can result in significant losses for the company, and the employee who unlawfully provided the information may also face criminal liability. It is essential for companies to implement measures such as training to improve employees’ awareness of information management.

Related article: Is It Legal to Purchase Customer Information? Explaining the Japanese Personal Information Protection Law[ja]

Summary: Consult a Lawyer for Personal Information Leak Prevention Measures

In this section, we introduced the first arrest case related to a business card data breach under the violation of the Japanese Personal Information Protection Act, and provided explanations about the Japanese Unfair Competition Prevention Act and the Japanese Personal Information Protection Act.

Utmost care is required in the handling of personal information within a company. To prevent the leakage of personal information, it is not only necessary to pay attention to the management of personal information within the company but also to implement various measures such as providing compliance training to employees. For more details, please consult a lawyer.

Guidance on Measures by Our Firm

Monolith Law Office is a law firm with extensive experience in both IT, particularly internet, and legal matters. In recent times, the leakage of personal information has become a significant issue. In the event that personal information is leaked, it can have a devastating impact on corporate activities. Our firm possesses specialized knowledge in preventing information leaks and in developing response strategies. Please refer to the article below for more details.

Areas of practice at Monolith Law Office: Japanese Personal Information Protection Law-related legal services[ja]

Managing Attorney: Toki Kawase

The Editor in Chief: Managing Attorney: Toki Kawase

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies. Served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage Startups.

Return to Top