[Latest Edition] What is the Personal Information Protection Law? Essential Basics You Should Know, Clearly Explained
![[Latest Edition] What is the Personal Information Protection Law? Essential Basics You Should Know, Clearly Explained](https://monolith.law/en/wp-content/uploads/sites/6/2026/01/7754792bacecaafed2fca2c081c09987.webp)
Public concern about how personal information and privacy are handled has grown in recent years. The Japanese Personal Information Protection Act and its related rules, however, contain many provisions that practitioners must know, and they are not easy to navigate. The Act is also amended frequently to keep pace with social change, so staying current with the latest information is essential.
This article explains the basic knowledge that anyone handling personal information should have, based on the Reiwa 2 (2020) amendment to the Personal Information Protection Act, which took full effect in April 2022 (the article reflects the law and related information as of January 2025).
Abbreviations
Act: Personal Information Protection Act
Regulations: Personal Information Protection Regulations
Guidelines: Personal Information Protection Commission “Guidelines on the Act on the Protection of Personal Information (General Provisions)” September 2022
The Purpose and Background of Amendments to the Japanese Personal Information Protection Act
In the digital society, the importance of preventing the misuse of personal information has been increasing, and the Japanese Personal Information Protection Act has been amended several times. Here, we will explain the purpose of the Personal Information Protection Act and the background to these amendments.
Purpose of the Personal Information Protection Act
The Japanese Personal Information Protection Act primarily establishes the rules for the proper handling of personal information.
Services utilizing personal information and data have become commonplace for us. While personal information is used for business efficiency and digital transformation (DX) in companies, the risk of personal information leaks and misuse has also increased.
The purpose of the Personal Information Protection Act can be succinctly stated as “considering the utility of personal information” while “protecting the rights and interests of individuals” (Article 1). When studying the Personal Information Protection Act, it is very important to consider the balance between these two aspects.
This Act, in light of the significant expansion in the use of personal information accompanying the advancement of the digital society, establishes the basic principles and the formulation of a basic policy by the government and other fundamental matters concerning the protection of personal information, clarifies the responsibilities of the national and local governments, sets forth the obligations that businesses and administrative organs must comply with according to their respective characteristics, and establishes the Personal Information Protection Commission, with the aim of ensuring the proper and effective operation of administrative organs and businesses, contributing to the creation of new industries, a vibrant economy and society, and an enriched life for the people, and protecting the rights and interests of individuals, while taking into consideration the utility of personal information.
Quoted: Japanese Personal Information Protection Act, Article 1
Note that the Personal Information Protection Act does not define all the rules regarding the handling of personal information; detailed rules are prescribed by government ordinances and regulations.
Furthermore, for the operation of the Personal Information Protection Act, there are various guidelines and Q&As set by the Personal Information Protection Commission that provide specific legal interpretations and points to note. Although they do not have legal binding force, they serve as de facto standards and are referenced by many companies.
Reference: Personal Information Protection Commission | Laws and Guidelines
Background of the Amendments
The Japanese Personal Information Protection Act was enacted in Heisei 15 (2003) and came fully into force in Heisei 17 (2005).
Since then, with the development of information and communication technology and globalization, personal information has come to be used in ways not anticipated at the time of the original enactment. In light of these changes in social conditions, the Act underwent a major amendment in Heisei 27 (2015) and was amended again in Reiwa 2 (2020).
Moreover, the Personal Information Protection Commission has been reviewing the Personal Information Protection Act every three years in accordance with the “Outline of System Reforms for the So-Called Triennial Review of the Personal Information Protection Act.”
According to the reform outline, perspectives such as “protection of individual rights and interests,” “balance between protection and use,” “harmony with international trends,” “response to risk changes by foreign businesses,” and “adaptation to the AI and big data era” are mentioned.
The amendment currently in force, namely the Reiwa 2 (2020) amendment, took full effect in April 2022. Under the Personal Information Protection Commission's review schedule, however, a further amendment may be considered in 2023 (or 2024), three years after 2020.
Below, we will provide an overview of the definitions and classifications of the Personal Information Protection Act articles based on the Reiwa 2 amendment, as well as the main provisions.
Definitions and Classifications Under the Japanese Personal Information Protection Law

Understanding the provisions (rules) of the Japanese Personal Information Protection Law begins with navigating its unique terminology. Unlike the words we use in everyday conversation, many provisions are given based on legal definitions, so it is crucial to first understand the definitions (significance, meaning) of the terms.
This article will outline the following terms:
- Personal Information
- Personal Data
- Retained Personal Data
Some of these terms may seem similar in meaning, but under the Japanese Personal Information Protection Law, they have clear differences, with distinct provisions set for each definition. Remember that the obligations regarding handling increase in the order of “Personal Information” → “Personal Data” → “Retained Personal Data”.
Personal Information Under Japanese Law
Personal information, as defined under Japanese law, refers to information related to a living individual that can identify a specific person or contains a personal identification code (Article 2, Paragraph 1, Items 1 and 2).
Deceased individuals and fictional characters do not fall under “living,” and information about corporations or statistical data is not “information related to an individual.”
Information that can identify a specific person typically includes names, telephone numbers, addresses, dates of birth, and photographs. Note, however, that once a record is tied to an identified individual, the record as a whole is personal information. Items that cannot identify anyone on their own, such as user IDs or purchase histories, become personal information when they are held together with identifying details such as a name or telephone number.
Furthermore, a “personal identification code” (Article 2, Paragraph 2) typically refers to unique public numbers such as My Number (social security and tax number system in Japan), driver’s license numbers, passport numbers, and insurance card numbers (Item 2). Data converted from biometric information like fingerprints or DNA also falls under personal identification codes (Item 1).
In addition, the requirement for information to be able to identify a specific person includes the concept of “ease of cross-referencing,” which means that the information can be easily matched with other information to identify a specific individual.
For example, a browsing history database may contain user IDs and browsing information, but this alone does not allow someone to identify a specific individual. However, if a user management database (another database) contains the same user IDs along with names and addresses, matching the common user IDs enables the identification of specific individuals. Therefore, in this case, the browsing information, although not capable of identifying an individual on its own, is included as personal information due to its “ease of cross-referencing.” This implies that the actual handling of information by a company can determine whether certain data qualifies as “personal information,” necessitating caution.
Article 2: In this law, “personal information” refers to information related to a living individual that falls under any of the following items:
1. Information that can identify a specific individual through names, dates of birth, or other descriptions contained in the information (including information that can be easily cross-referenced with other information, thereby identifying a specific individual).
2. Information that contains a personal identification code.
Act on the Protection of Personal Information, Article 2, Paragraph 1, Items 1 and 2
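The “ease of cross-referencing” scenario described above, worked through as an added example (this is not code from the original article or from the Personal Information Protection Commission). Two constructed tables are assumed: a browsing-history table keyed only by `user_id`, and a user master table holding the same `user_id` together with names and addresses. The list of direct-identifier column names and the helper names are illustrative assumptions; the point is that the verdict for the browsing table flips depending on what else the same operator holds.

```python
"""Added example: a pseudonymous browsing-history table is not personal
information on its own, but becomes personal information when the same
operator holds a user master table that shares its join key.
All data below is constructed for illustration."""
from dataclasses import dataclass

# Column names treated as directly identifying a living individual
# (names, addresses, phone numbers, etc.). Assumed list for this example.
DIRECT_IDENTIFIERS = {"name", "address", "phone", "date_of_birth", "email"}


@dataclass
class Dataset:
    name: str
    rows: list  # list of dicts, all rows sharing the same keys

    @property
    def columns(self) -> set:
        return set(self.rows[0]) if self.rows else set()


def has_direct_identifiers(ds: Dataset) -> bool:
    return bool(ds.columns & DIRECT_IDENTIFIERS)


def linking_keys(ds: Dataset, other: Dataset) -> list:
    """Non-identifying columns present in both tables, usable as a join key."""
    return sorted((ds.columns & other.columns) - DIRECT_IDENTIFIERS)


def is_personal_information(ds: Dataset, held_datasets: list) -> tuple:
    """Return (verdict, reason).

    A table without direct identifiers is still personal information if the
    operator also holds a table that (a) contains direct identifiers and
    (b) shares a join key with it: the "ease of cross-referencing" case."""
    if has_direct_identifiers(ds):
        return True, "contains direct identifiers"
    for other in held_datasets:
        if other is ds:
            continue
        keys = linking_keys(ds, other)
        if keys and has_direct_identifiers(other):
            return True, f"linkable to {other.name} via {keys}"
    return False, "no direct identifiers and no linkable table held"


def reidentify(pseudonymous: Dataset, master: Dataset, key: str) -> list:
    """Join the two tables on `key`; shows what cross-referencing yields."""
    lookup = {r[key]: r for r in master.rows}
    return [{**r, **lookup[r[key]]} for r in pseudonymous.rows if r[key] in lookup]


# Constructed sample data (not real users)
browsing = Dataset("browsing_history", [
    {"user_id": "u1001", "url": "https://example.test/pricing", "ts": "2024-05-01T09:00"},
    {"user_id": "u1002", "url": "https://example.test/jobs", "ts": "2024-05-01T09:05"},
])
users = Dataset("user_master", [
    {"user_id": "u1001", "name": "Taro Yamada", "address": "Chiyoda-ku, Tokyo"},
    {"user_id": "u1002", "name": "Hanako Sato", "address": "Kita-ku, Osaka"},
])

if __name__ == "__main__":
    print(is_personal_information(browsing, []))       # viewed alone: not PI
    print(is_personal_information(browsing, [users]))  # with the master table: PI
    for row in reidentify(browsing, users, "user_id"):
        print(row["name"], "visited", row["url"])
```

The practical takeaway matches the text: whether a dataset is “personal information” is decided by the operator's actual holdings, so a data inventory that records which tables share keys with identifying tables is what lets you answer the question reliably.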
Personal Data
The collection of personal information that has been organized into a database or made searchable is referred to as “Personal Information Database, etc.” under Article 16, Paragraph 1, Items 1 and 2 of the Japanese law.
For example, the information on a single business card is considered “personal information,” but when multiple business cards are stored in a file with an alphabetical index or organized into a database using software like Excel, it becomes a systematically structured “Personal Information Database, etc.” that allows for the search of specific personal information.
Each piece of personal information that makes up this “Personal Information Database, etc.” is called “personal data” (as defined in Article 16, Paragraph 3). When information qualifies as personal data, it is subject to additional regulations compared to “personal information,” such as restrictions on third-party provision and obligations for safety management measures (more details will be provided later).
The reason for these additional regulations is that personal data, once databased, poses a higher risk of mass leakage and is more easily linked with other methods, which increases the potential for infringement of individual rights.
Retained Personal Data
In the context of Japanese data protection, “Retained Personal Data” refers to personal data over which a business operator has the authority to disclose, correct, add to, delete, or stop using upon request from the individual concerned, as stipulated under Article 16, Paragraph 4 of the Act on the Protection of Personal Information (APPI).
Typically, this includes customer and employee information directly collected in the course of business. Conversely, information entrusted to a business by another party, such as through outsourcing, does not fall under ‘Retained Personal Data’ since the business does not have the authority to disclose or manage it.
When information qualifies as Retained Personal Data, the business must promptly publish specified matters, respond to inquiries from the individual without delay, and comply with requests for disclosure, correction, or deletion (details will be discussed later).
Under the Japanese Personal Information Protection Act, ‘Personal Information’ is the broadest concept, followed by more narrowly defined ‘Personal Data’ and ‘Retained Personal Data,’ with additional regulations applied to each. As the applicable regulations vary with each definition, careful attention is required. Let’s clarify these definitions with the diagram below.
Different Rules Apply Depending on the Classification of Information
As shown in the diagram below, the main provisions of the Japanese Personal Information Protection Law are established in response to the distinctions between “personal information,” “personal data,” and “retained personal data.”
Citation: Personal Information Protection Commission, “Basics of the Personal Information Protection Law” (2022), page 25
In the following, we will provide an overview of:
- Specifying and notifying the purpose of use of personal information
- Security management measures for personal data, and management of contractors
- Provision of personal data to third parties and its exceptions
- Handling requests for disclosure of retained personal data
in the context of the Japanese legal system.
Specifying and Notifying the Purpose of Personal Information Use
Firstly, under the Japanese Personal Information Protection Act, when acquiring personal information, it is necessary to specify the purpose of use as much as possible (Article 17, Paragraph 1), and it is prohibited to handle personal information beyond the scope necessary to achieve the specified purpose of use (Article 18, Paragraph 1).
Furthermore, if the purpose of use is to be changed, it cannot be done beyond the scope that is reasonably recognized as related to the original purpose of use (within a predictable range) (Article 17, Paragraph 2).
In addition, the specified purpose of use must be notified to the individual or made public (Article 21, Paragraph 1).
Although the Japanese Personal Information Protection Act does not specify the method of notification or publication, it is common to do so in the form of a “Privacy Policy” or “Personal Information Protection Policy”.
The guidelines of the Personal Information Protection Commission state the following:
The purpose of use should not be specified merely in an abstract, general manner; rather, it is desirable to specify it concretely to the extent that the individual can generally and reasonably assume how the personal information will ultimately be used in the business of the personal information handler and for what purpose.
Personal Information Protection Commission ‘Guidelines General Provisions’ 3-1-1
The same guidelines also give examples of what does, and does not, count as a sufficiently specific purpose of use.
Example of a sufficiently specific purpose: a business operator acquires personal information such as name, address, and email address in connection with the sale of products, and specifies the purpose of use as “For the shipment of products in the ○○ business, related after-sales service, and notification of information on new products and services.”
Examples that are not considered sufficiently specific:
- Example 1) “For use in business activities”
- Example 2) “For use in marketing activities”
In other words, the purpose of use must be specified so that the individual can understand in which business activities, and in what concrete way, the personal information will be used.
Moreover, when acquiring personal information directly recorded on a document (including electronic records), it is necessary to explicitly state the purpose of use to the individual in advance (Article 21, Paragraph 2).
Safeguarding Personal Data and Managing Contractors
Business operators handling personal information are required to take necessary and appropriate measures to prevent leakage, loss, or damage of personal data and to ensure its secure management (Article 23 of the Act).
Furthermore, the safety management measures taken for retained personal data must be made available to the individual in a state where they can be known (including responding without delay upon the individual’s request) as stipulated by Article 32, Paragraph 1, Item 4 of the Act and Article 10, Item 1 of the Personal Information Protection Law Enforcement Order.
Specific examples of the safety management measures that should be taken are listed in the Guidelines.
10-1 Development of Basic Policy
10-2 Establishment of Rules for Handling Personal Data
10-3 Organizational Safety Management Measures
10-4 Human Safety Management Measures
10-5 Physical Safety Management Measures
10-6 Technical Safety Management Measures
10-7 Understanding the External Environment
Source: Personal Information Protection Commission ‘General Guidelines‘ 10
However, it is not required that all business operators implement the same safety management measures to the same standard. For example, a large IT-related corporation handling personal data of tens of millions of individuals will have different required measures compared to small and medium-sized enterprises that handle limited personal data. Safety management measures should be considered comprehensively based on factors such as the scale and nature of the business, the nature and volume of personal data handled, and the anticipated risks, and should be appropriately tailored to these factors.
In addition to the above, business operators have a duty to properly supervise their employees and contractors to ensure the secure management of personal data (Articles 24 and 25 of the Act).
Third-Party Provision of Personal Data and Its Exceptions Under Japanese Law

Under Japanese law, when providing personal data to a third party, it is generally required to obtain the consent of the individual concerned (Article 27, Paragraph 1).
Depending on the specific case, obtaining appropriate consent from the individual through terms of use, contracts, privacy policies, etc., that include provisions for third-party provision, can be considered as having obtained consent for the third-party provision.
However, there are exceptional cases where consent from the individual is not required for third-party provision due to public reasons (Article 27, Paragraph 1, each item).
Article 27: Personal Information Handlers must not provide personal data to third parties without obtaining prior consent from the individual, except in the following cases:
1. When required by law.
2. When necessary to protect a person’s life, body, or property, and it is difficult to obtain the individual’s consent.
3. When particularly necessary for improving public health or promoting the healthy development of children, and it is difficult to obtain the individual’s consent.
4. When necessary to cooperate with national institutions or local public entities, or their delegates, in executing affairs prescribed by laws, and obtaining the individual’s consent could impede the performance of such affairs.
5-7 (Excerpts omitted)
Quoted: Personal Information Protection Act, Article 27
Furthermore, the following outlines the provision of personal data to third parties located in foreign countries.
In principle, when providing personal data to third parties in foreign countries (including entrustment and joint use), in addition to the regulations on the provision of personal data to third parties mentioned above, consent is required for the provision to “third parties in foreign countries” (Article 28 of the Act). Additionally, before obtaining consent, it is necessary to provide the following information (Article 17, Paragraph 2 of the Regulations):
1. The name of the relevant foreign country.
2. Information about the system for the protection of personal information in the relevant foreign country, obtained through appropriate and reasonable methods.
3. Information about the measures taken by the third party for the protection of personal information.
For detailed instructions on how to provide this information, the Personal Information Protection Commission’s Guidelines on the Personal Information Protection Law (Provision to Third Parties in Foreign Countries Edition) 5-2 can be a reference.
However, there are two exceptions to the above.
First, if the destination country is designated by the Personal Information Protection Commission as having a personal information protection system equivalent to Japan’s (as of November 2023, the EEA member states and the UK), the recipient is not treated as a “third party in a foreign country.” The cross-border transfer rules therefore do not apply, and the provision is treated the same as a provision to a third party within Japan.
Second, there is the case of a cross-border transfer based on a “standards-conforming system” on the recipient’s side. That is, if (1) “necessary measures are taken to ensure the continuous implementation of appropriate measures” by the foreign third party and (2) “information on such necessary measures” is provided to the individual upon request, there is no need to obtain the individual’s consent (Article 28, Paragraphs 1 and 3 of the Act).
Regarding the above (1), it is prescribed in Regulation Article 18, Paragraph 1.
“Ensuring Continuous Implementation of Adequate Measures by Third Parties Abroad Under Japanese Personal Information Protection Law”
Article 18: The necessary measures to ensure the continuous implementation of adequate measures by third parties abroad, as stipulated in Article 28, Paragraph 3 (including cases where it is applied mutatis mutandis in accordance with Article 31, Paragraph 2), shall be as follows:
1. Regularly verify, through appropriate and reasonable methods, the status of the implementation of the adequate measures by the said third party, as well as the existence and content of any foreign systems that may affect the implementation of the said adequate measures.
2. In the event that the implementation of the adequate measures by the said third party is hindered, take necessary and appropriate measures; and if the continuous implementation of the said adequate measures becomes difficult, cease the provision of personal data (or personal related information in cases applied mutatis mutandis in accordance with Article 31, Paragraph 2) to the said third party.
Reference: Personal Information Protection Law Enforcement Regulations, Article 18, Paragraph 1
According to the guidelines, the “regular verification” mentioned in item 1 refers to checking at least once a year or more frequently.
Furthermore, there is no need for prior notification or other such procedures to the Personal Information Protection Commission to confirm that the necessary systems are in place.
For the information to be provided under (2) above, see Article 18, Paragraph 3 of the Regulations, quoted below.
3. When a personal information handling business operator is requested pursuant to the provisions of Article 28, Paragraph 3 of the Act, they must provide the individual with information on the following items without delay. However, if providing such information is likely to cause significant impediments to the proper execution of the business operator’s tasks, they may choose not to provide all or part of the information.
– The method of establishing a system as stipulated in Article 28, Paragraph 1 by the said third party.
– An outline of the reasonable measures implemented by the said third party.
– The frequency and method of verification pursuant to the provisions of Item 1 of Paragraph 1.
– The name of the said foreign country.
– The presence or absence and an outline of the system in the said foreign country that may affect the implementation of the reasonable measures by the said third party.
– The presence or absence and an outline of any impediments related to the implementation of the reasonable measures by the said third party.
– An outline of the measures taken by the personal information handling business operator pursuant to the provisions of Item 2 of Paragraph 1 concerning the impediments mentioned in the preceding item.
Citation: Personal Information Protection Act Enforcement Regulations, Article 18, Paragraph 3
In short, when personal data is transferred across borders on the basis of a standards-conforming system, the business operator must be prepared to provide the above information to the individual after the transfer, upon request.
Responding to Requests for Disclosure of Personal Data Held

Article 33 of the Japanese Personal Information Protection Act allows individuals to request the disclosure of personal data that can identify them from businesses handling personal information.
Businesses handling personal information must make procedures for responding to requests for disclosure and the amount of fees for such disclosure requests available to the individual in a manner that they can understand, including responding promptly upon request (Article 32, Paragraph 1 of the Act).
In other words, businesses can establish specific procedures for making a disclosure request, including where to submit the request, the format of the request form, methods for verifying the identity of the requester, and the amount and method of collecting fees. Requesters must then follow these procedures to make their disclosure request.
For example, by including a business’s telephone number, email address, or physical address in the privacy policy, it is possible to accept requests for disclosure through telephone, email, or postal mail only.
Beyond disclosure requests, users can also request corrections, additions, or deletions (corrections, etc.) of their data (Article 34 of the Act) and requests for suspension of use or deletion (suspension of use, etc.) of their data (Article 35 of the Act).
Conclusion: Consult Experts Regarding the Handling of Personal Information
In this article, we have outlined the fundamental knowledge you should have about the Personal Information Protection Law in Japan. In addition to the points mentioned in the article, the specific handling of personal information varies from company to company. Therefore, it is necessary to refer to the relevant laws and guidelines and consider the appropriate response.
The Personal Information Protection Law is a crucial piece of legislation for almost all companies, as it requires businesses handling personal information to manage it appropriately and to take necessary and proper measures for its safekeeping.
If you have concerns about how to handle personal information or the measures your company should take, we recommend consulting with an attorney.
Related article: Key Points of the Revised Personal Information Protection Law in Reiwa 6 (2024): Understanding the Changes and Measures to Take
Guidance on Measures by Our Firm
Monolith Law Office is a law firm with high expertise in both IT, particularly the internet, and legal matters. In recent times, personal information and privacy have become significant social concerns. For instance, should a company’s personal information be leaked, it could have a devastating impact on business operations. Our firm possesses specialized knowledge in compliance with the Japanese Personal Information Protection Act. The details are described in the article below.
Areas of practice at Monolith Law Office: Services Related to the Japanese Personal Information Protection Act