MONOLITH LAW MAGAZINE

What is the 'Japanese Personal Information Protection Law' and Personal Information? An Explanation by a Lawyer
The Personal Information Protection Act, which was revised in 2015 (enforced from 2017), is an important law when considering issues related to personal information in corporate activities. It clearly defines the legal obligations of personal information handlers. Until 2015 (Heisei 27), personal information handlers were limited to those who held the personal information of more than 5,000 individuals, so many businesses, small-scale businesses in particular, fell outside the definition. The 2015 revision removed this threshold, and almost all businesses are now personal information handlers, making the law unavoidable for small business owners as well. Mail order, newsletters, direct mail, and point cards for physical stores all require handling personal information such as customer names and email addresses. It is therefore essential to understand the basics of the Japanese Personal Information Protection Act.

Purpose and Definition of the Japanese Personal Information Protection Act

We will explain the overview and definition of the Japanese Personal Information Protection Act.

What exactly is the Japanese Personal Information Protection Act? Let’s take a look at its overview. Firstly, the purpose of this law is clearly stated in Article 1:

Japanese Personal Information Protection Act Article 1
This law aims to protect the rights and interests of individuals while considering the usefulness of personal information, by establishing the basic principles and the government’s basic policies on the proper handling of personal information, clarifying the responsibilities of the national and local public entities, and defining the obligations that businesses handling personal information should comply with, in light of the significant expansion of the use of personal information accompanying the advancement of the information and communication society. The proper and effective use of personal information contributes to the creation of new industries and the realization of a vibrant economy and a rich life for the citizens.

Article 2 defines personal information, personal data, and retained personal data (Article 2, Paragraphs 1, 4, and 5).
In the Japanese Personal Information Protection Act, “personal information” refers to “information about a living individual” that can “identify a specific individual” through “names, dates of birth, and other descriptions” included in the information (including information that can be readily collated with other information and thereby identify a specific individual). “Personal data” is personal information that forms part of a database compiled by computer, and personal data that the business operator has retained for more than six months is “retained personal data”.

The level of protection personal information needs differs greatly depending on whether or not it has been put into a database. Personal data is personal information that is systematically organized in a database so that it can be easily searched; because the risk of rights infringement is higher, it is given stronger protection than general personal information.

Retained personal data, which is given even stronger protection, is personal data over which the personal information handling business operator has the authority to disclose, correct, add to or delete the content, stop the use, erase, and stop providing to third parties (Article 2, Paragraph 7). For retained personal data, requests for disclosure, correction, and cessation of use are recognized, reflecting the demand that individuals should be able to be appropriately involved in the handling of their own information (described later).

Rules Regarding the Handling of Personal Information

In order to prevent the misuse of personal information, it is necessary to clearly specify the purpose of its use and limit its handling within the scope necessary to achieve that purpose, as rules for proper handling.

Therefore, businesses handling personal information must:

  • Specify the purpose of use as much as possible when handling personal information (Article 15, Paragraph 1 of the Japanese Personal Information Protection Act)
  • Not handle personal information beyond the scope necessary to achieve the purpose of use (Article 16, Paragraph 1)
  • Not acquire personal information by deception or other fraudulent means (Article 17, Paragraph 1)
  • Notify or announce the purpose of use to the individual when personal information is acquired (Article 18)

The Japanese Personal Information Protection Act requires businesses to use the personal information they hold in accordance with the purpose they have specified and announced in advance. In other words, the rule is “specify and announce the purpose of use, and within that purpose you may use the personal information as you like”. For example, it is not illegal to “use personal information to display advertisements tailored to the user’s attributes”, but you must announce that purpose of use in advance. The method of announcement is not specified, but it is common to do this in the form of a “privacy policy” or “personal information protection policy”.

On the other hand, the acquisition of sensitive information, or “Special Care-Required Personal Information”, is prohibited without the consent of the individual, which is a stricter rule than for regular personal information (Article 17, Paragraph 2).

Special Care-Required Personal Information is defined as:

Article 2, Paragraph 3
In this Act, “Special Care-Required Personal Information” refers to personal information that includes descriptions specified by Cabinet Order as requiring special care in handling to prevent unfair discrimination, prejudice, or other disadvantages to the individual, such as race, creed, social status, medical history, criminal record, and facts of being harmed by a crime.

This also includes disability; results of health examinations; guidance, medical treatment, or dispensing of medicines by doctors and other practitioners; being the subject of criminal procedures; and procedures related to juvenile protection cases.

Strict regulations prohibit the “acquisition” of Special Care-Required Personal Information without the consent of the individual, unless certain exceptions apply. This is because such information, which businesses rarely need to acquire, could lead to discrimination and prejudice if it were acquired and handled.

Regulations on Management and Supervision

It is stipulated that necessary and appropriate supervision must be conducted over employees to ensure the secure management of personal data.

Many people are concerned and anxious about the possibility of personal information being leaked or tampered with. Especially with the digitization of personal data, there have been numerous instances of mass leakage of customer information, causing social problems. Therefore, businesses handling personal information are obliged to take necessary and appropriate measures (safety management measures) for the secure management of personal data (Article 20 of the Japanese Personal Information Protection Act).

Violation of Safety Management Obligations

In practice, in cases where personal information has been leaked or disseminated online, a violation of safety management obligations is often found. Since the content of safety management measures, taking into account the characteristics of small and medium-sized businesses, is clearly stated in the “Guidelines on the Act on the Protection of Personal Information (General Rules)” (Personal Information Protection Commission), it is important to comply with these guidelines. This is not only to comply with Article 20 of the Japanese Personal Information Protection Act, but also to avoid being held liable for tortious acts due to privacy infringement caused by leakage incidents, including those on the Internet.

However, no matter how well the system is established, its proper operation ultimately depends on people. Therefore, it is stipulated that “businesses handling personal information must, when allowing their employees to handle personal data, conduct necessary and appropriate supervision over the employees to ensure the secure management of the personal data” (Article 21 of the Japanese Personal Information Protection Act).

Related article: https://monolith.law/corporate/trends-in-personal-information-leakage-and-loss-accidents-in-2019[ja]

Furthermore, it should be noted that if an employee sells or takes out customer data, not only the employee himself/herself may be held liable for tortious acts (Article 709 of the Japanese Civil Code), but the business handling personal information may also be held liable as an employer (Article 715 of the Japanese Civil Code).

“Third-Party Provision” and “Outsourcing”

Under the Japanese Personal Information Protection Act, even if it is for a purpose that has been publicly announced in advance, it is generally prohibited to provide customers’ personal information to a “third party” without their consent. However, if this rule is strictly enforced, it would be illegal to store a database of customer information on a rental server, because the rental server is a “third party” for the business.

However, “outsourcing” is treated as an exception to the rule on “third-party provision”: it is permitted to “outsource” handling to a party that does not itself use the information. A rental server, for example, simply stores the information and does not use it. Outsourcing the handling of personal information to a third party in this way is very common, but in order to prevent situations such as inappropriate handling by the outsourcing party or unclear responsibility due to repeated layers of sub-outsourcing, it is stipulated that “when a business handling personal information outsources all or part of the handling of personal data, it must conduct necessary and appropriate supervision over the outsourcing party to ensure the secure management of the outsourced personal data” (Article 22 of the Japanese Personal Information Protection Act).

Proper Handling of Personal Information through Individual Involvement

The Japanese Personal Information Protection Law is one of the most important laws to consider when dealing with personal information and privacy issues.

The Japanese Personal Information Protection Law allows individuals, under certain conditions, to request personal information handling businesses to disclose (Article 28), correct, add, or delete (Article 29), or suspend the use of (Article 30) their personal data. These rights of the individual are clearly defined as civil rights, and if a personal information handling business does not comply with these requests, the individual can enforce their rights through litigation.

Personal information handling businesses must disclose personal data when requested by the individual, must correct any errors that are found, and must stop using the information if it is being handled in violation of legal obligations, for example use beyond the stated purpose, acquisition by improper means, or provision to third parties without the individual’s consent. In this way, the Japanese Personal Information Protection Law aims to protect the rights of citizens by imposing various obligations on businesses handling personal information.

Penalties for Personal Information Leakage

The Japanese Personal Information Protection Act stipulates penalties for businesses that leak personal information.

If a business violates the Japanese Personal Information Protection Act and leaks information, the government will first recommend that it “take necessary measures to stop the violation and correct it” (Article 42). If the business also fails to follow this recommendation, the offending employee may be sentenced to “imprisonment for up to 6 months or a fine of up to 300,000 yen” (Article 84), and the company employing that employee may also be subject to “a fine of up to 300,000 yen” (Article 85). Furthermore, if the information is provided or stolen for the purpose of gaining illegal profits, this is punished with “imprisonment for up to 1 year or a fine of up to 500,000 yen” (Article 83), without any prior recommendation.

Related article: https://monolith.law/corporate/risk-of-company-personal-information-leak-compensation-for-damages[ja]

Summary

The Japanese Personal Information Protection Law is a crucial piece of legislation that all businesses must adhere to. It requires businesses handling personal information to manage it appropriately and to take necessary and suitable measures for its secure management.

The Editor in Chief: Managing Attorney: Toki Kawase

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies and has served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage startups.