Key Points to Consider in Creating a Privacy Policy Based on the Japanese Act on the Protection of Personal Information
Interest in the protection of personal information has been growing in recent years. It is safe to say that hardly any business does not handle personal information, so the issue is relevant to a great many companies and sole proprietors. Companies that operate a website commonly post a privacy policy on it. A privacy policy is a document that discloses a business operator's guidelines for handling personal information in accordance with the Japanese Act on the Protection of Personal Information, so an understanding of that Act is essential for drafting one properly. This article explains the points to check when creating a privacy policy. Note that the Act was amended in 2015 and the amended Act came into force on May 30, 2017. The amendment significantly changed the rules on providing personal information to third parties, which we also explain below.
What is a Privacy Policy?
Most corporate websites have a privacy policy. It is sometimes called a "Personal Information Protection Policy" instead, but the two are essentially the same thing. A privacy policy not only states the business operator's basic stance on the handling of personal information; it is also the place where the items the Act requires to be disclosed are published. It is therefore essential that it cover the following items, which must be disclosed under the Act:
- Purpose of use of personal information
- Name or title of the personal information handling business operator
- Procedures for responding to requests from the individual for notification of the purpose of use, disclosure, correction, suspension of use, and the like
- Complaint contact
In addition, for certain operations specifically regulated by the Act, such as joint use of personal information within a corporate group (so-called "joint use") and the handling of anonymously processed information (explained later), further items must be disclosed for each such operation.
Business Operators Who Should Create a Privacy Policy
Before the amended Act came into force in 2017, the Act applied only to business operators holding the personal information of more than 5,000 individuals. As a result, quite a few operators, such as small businesses and those mainly engaged in B-to-B business, had no need to create a privacy policy. Since the amended Act came into force in 2017, however, the Act applies to all business operators regardless of the volume of personal information they hold, so essentially every business operator can be expected to need a privacy policy. Strictly speaking, a privacy policy can be dispensed with by notifying the individual of the purpose of use and the other items the Act requires to be disclosed each time personal information is obtained, but this is cumbersome, so a privacy policy is normally created instead.
Key Points for Creating a Privacy Policy
Definition of Personal Information
Article X
Personal information means information about a living individual that can identify a specific individual by the name, date of birth, or other description contained in the information (including information that can be readily cross-referenced with other information and thereby identify a specific individual).
It is sufficient to define personal information as the Act itself does. Typical examples are names and dates of birth, as in the clause example, but personal information may also include age, gender, address, telephone number, family composition, hobbies, preferences, email address, user ID, IP address and timestamp, employer, department, workplace address, workplace telephone number, credit card number, bank account number, browsing history on visited web pages, and the content of complaints, consultations, or inquiries. It can therefore be helpful to list in the privacy policy's definition the items that your business is particularly likely to obtain from customers and others.
Purpose of Personal Information Use
Article X
1. Our company will use the personal information it collects for the following purposes. However, if a purpose of use has been separately stated on our website, that statement takes precedence.
(1) To allow our company to respond to inquiries from our contact form
(2) To provide and introduce our web services, applications, and other services (hereinafter referred to as “this service”) and new services offered by our company
(3) To improve this service and develop new services
(4) For other purposes related to the above
2. In addition to the purposes set out in the preceding paragraph, our company may compile personal information obtained from customers into statistical information, in a manner and to an extent that does not identify or specify any individual, and use it for reference.
Purpose of Use
The Act requires business operators to disclose the purpose for which collected personal information is used; the first paragraph of the clause above serves this function. The important point in defining the purpose of use is that an abstract, catch-all description is not enough: the purpose must be stated specifically enough for the individual to understand how their personal information will be used. The content of the purpose of use therefore necessarily differs from one business operator to another. Also, a purpose omitted from the description cannot later be relied on as a basis for using personal information, so check carefully for omissions.
Anonymously Processed Information
The second paragraph of the clause concerns anonymously processed information: information that has been processed so that a specific individual cannot be identified and the original personal information cannot be restored. The category was introduced to enable the effective use of so-called big data.
If you handle anonymously processed information, you must disclose, in your privacy policy or elsewhere, the categories of personal information contained in it. The second paragraph of the clause provides that the personal information described under "Definition of Personal Information" will be used as anonymously processed information. If you provide anonymously processed information to a third party, the method of provision must also be disclosed.
Use of Personal Information Beyond the Stated Purpose
Article X
Our company will handle acquired personal information within the scope necessary to achieve the purposes of use stated in the preceding article. Where we handle personal information beyond that scope, we will do so only after obtaining the consent of the individual concerned. However, this does not apply in the following cases:
(1) When required by law
(2) When it is necessary to protect the life, body, or property of an individual and it is difficult to obtain the person’s consent
(3) When it is particularly necessary for the improvement of public health or the promotion of sound child development, and it is difficult to obtain the person’s consent
(4) When it is necessary to cooperate with a national institution or local public body, or a person entrusted by them, in performing the affairs stipulated by law, and obtaining the person’s consent would likely hinder the performance of the affairs
As a rule, personal information may not be used beyond the scope of its stated purpose, but the Act permits exceptions in the cases listed in items (1) to (4) above. Items (2) and (3) cover situations in which there is a strong need to use the personal information but obtaining the individual's consent promptly is difficult. Items (1) and (4) cover use of personal information at the instance of national or local government bodies, such as in a criminal investigation. The clause on use beyond the stated purpose is close to standard for all businesses and rarely varies with the nature of the business.
Provision of Personal Information to Third Parties
Article X
Our company, as a rule, does not provide clients' personal information to third parties without the client's consent. Where we do provide such information to a third party, we do so only after specifying the recipient and the information to be provided and obtaining the client's consent. However, this does not apply in the following cases:
(1) When required by law
(2) When it is necessary to protect a person’s life, body, or property, and it is difficult to obtain the client’s consent
(3) When it is particularly necessary for the improvement of public health or the promotion of sound child development, and it is difficult to obtain the client’s consent
(4) When it is necessary to cooperate with a national institution or local public body or a person entrusted by them in performing the affairs prescribed by laws and regulations, and obtaining the client’s consent would likely interfere with the performance of the affairs
(5) When it is necessary to provide personal information to a contractor that has concluded a confidentiality agreement with our company, within the scope of the purpose of use
Exceptions to the Provision of Personal Information to Third Parties
This clause example covers the situation in which a business operator provides personal information it has obtained to a third party. Under the Act, the individual's consent must be obtained before their personal information is provided to a third party, but the Act provides that personal information may be provided without consent in the cases listed in items (1) to (5) of the clause example. Like the clause on use beyond the stated purpose, the third-party provision clause is therefore a standard clause for most companies. In practice, the most frequently used case is item (5), provision to a contractor. Note, however, that even when work is outsourced, the business operator that obtained the personal information remains responsible for supervising the contractor, and may itself be held liable if personal information leaks from the contractor. The selection of contractors and their management and supervision after outsourcing should therefore be handled with care.
Difficulty in Opting Out Due to Legal Amendments
Before the amended Act came into force in 2017 (Heisei 29), personal information could be provided to third parties without the individual's prior consent on the condition that provision to third parties would be stopped at the individual's request. This is called opting out. Under the amended Act, the rules have been tightened: personal information may no longer be provided to third parties on an opt-out basis unless prior notification has been filed with the Personal Information Protection Commission.
It may seem that all that is required is a notification to the Personal Information Protection Commission, but the notification system is primarily intended for business operators whose product is personal information itself, such as list brokers, and the names of notifying operators are made public, so few companies have actually filed one. In practice, therefore, providing personal information to third parties without the individual's consent has become difficult except where the Act permits it as an exception, such as outsourcing.
Disclosure, Correction, etc. of Personal Information
The Act also requires publication of the procedures for responding to requests from the individual for notification of the purpose of use, disclosure, correction, suspension of use, and the like, so a privacy policy must provide for these matters as well. The clauses covering them have become standard wording for many businesses. One point to decide is whether to charge a fee for responding to requests for disclosure and the like. An appropriate fee is one way to prevent business disruption from abusive requests; if a fee is charged, its details must be stated in the privacy policy.
Summary: Make Sure to Check the Trends in Revision to the Act on the Protection of Personal Information to Update Privacy Policy
As public concern for the protection of personal information grows, legal regulation is gradually becoming stricter. Managing information securely within the company to prevent leaks is of course necessary, but it is equally important to keep privacy policies and internal rules in line with those regulations. The Act is to be reviewed every three years. Each time the rules for handling personal information change, not only may internal systems need to change, but the business methods themselves may need to be reconsidered. In this sense, the Act affects the core of a business, so it is especially important for businesses that handle large volumes of personal information to keep track of revision trends at all times.
Contract Creation and Review Services by Our Firm
At Monolith Law Firm, we draw on our strengths in IT, Internet, and business law to provide a wide range of services to our advisory and client companies, including the creation and review of privacy policies and various other contracts.