MONOLITH LAW OFFICE | +81-3-6262-3248 | Weekdays 10:00-18:00 JST

MONOLITH LAW MAGAZINE

General Corporate

Is Buying Customer Information Legal? Understanding Japanese Act on the Protection of Personal Information

On May 30, 2017, the Revised Act on the Protection of Personal Information came into full effect in Japan. Now, all businesses that handle personal data fall under the purview of this law, which is commonly referred to as the Japanese Personal Information Protection Law.

The legislation extends its reach to companies that obtain personal information through various means, including the purchase of customer lists. Consequently, anyone responsible for considering the acquisition of customer information must be fully aware of the guidelines, responsibilities, and restrictions associated with the purchase and use of such information.

In this article, we aim to provide a comprehensive overview of the Revised Act on the Protection of Personal Information as it pertains to the buying and utilization of customer information in Japan.

What is the Personal Information Protection Law?

The formal name of what is commonly referred to as the Personal Information Protection Law is the “Japanese Act on the Protection of Personal Information.” Enacted in 2003, the law has undergone several revisions to adapt to evolving societal changes, such as the digitization of information.

It’s worth noting that the primary aim of this law is not to restrict the use of personal information. Rather, its main goal is to ensure both the “protection” and the “appropriate utilization” of such information.

Purpose of the Act on Protection of Personal Information

  • To protect individual rights and interests, and to establish rules for the appropriate use of personal information
  • To define the obligations and penalties of businesses handling personal information

Definition of Personal Information

The “personal information” defined by the Act on Protection of Personal Information refers to information about a living individual that falls under either of the following categories:

  1. Information that can identify a specific individual through the inclusion of their name, date of birth, or other descriptions
  2. Information that includes a personal identification code

What is a Personal Identification Code?

A personal identification code is a character, number, symbol, or other code that can identify a specific individual and falls under either of the following categories, as individually specified by government ordinances and regulations:

  • Codes converted for computer use from physical attributes (DNA, face, iris, voice print, gait, finger veins, fingerprints, palm prints, etc.)
  • Codes assigned to each subject in service use or documents (passport number, basic pension number, driver’s license number, resident’s card code, My Number, various insurance certificates, etc.)

Is the Buying and Selling of Customer Information Legal?

For general businesses, excluding government agencies and public organizations, the buying and selling of customer information is not illegal as long as they comply with the Japanese Act on Protection of Personal Information.

Procedures for Providing Personal Information to Third Parties

When a business provides a database of personal information to a third party, the following procedures are required.

Obtain the Individual’s Consent in Advance as a Principle

However, there are exceptions in the following cases:

① When it is based on laws and regulations
② When it is difficult to obtain the individual’s consent and it is necessary for the protection of human life, body, property, public health, or the healthy upbringing of children
③ When cooperating with national or local public bodies

Provision to Third Parties through Opt-out Procedures

If a business has a policy of stopping the provision of personal information to third parties (opting out) at the request of the individual, it is possible to provide the information to third parties without the individual’s consent through the following procedures:

Notify the individual in advance of the following ① to ⑤, or make it easily known to the individual on a webpage or similar, and report it to the Personal Information Protection Commission.

① The purpose of providing to third parties
② The items of personal data to be provided to third parties
③ The method of providing to third parties
④ The fact that the provision of personal data to third parties will be stopped at the request of the individual
⑤ The method of accepting requests from the individual

Note that “Sensitive Personal Information”, such as race, creed, social status, medical history, and criminal record, which may lead to unfair discrimination or prejudice if known to others, may in principle be provided to third parties only with the prior consent of the individual.

What to Consider When Purchasing Customer Information

Legal Obligations

When you purchase customer information, you become a “personal information handler” and are legally obligated to follow certain rules when receiving personal information from third parties such as list brokers.

When purchasing customer information, you must confirm the following two points:

  • Name, address, and representative of the list broker
  • The circumstances under which the list broker obtained the personal information

When purchasing customer information, you must record the following items and keep them for three years:

  • The date you received the personal information
  • Name, address, and representative of the list broker
  • The circumstances under which the list broker obtained the personal information
  • The name and other sufficient information to identify the individual identified by the personal information
  • The items of the personal information
  • If the information is provided to a third party through an opt-out procedure, the fact that the necessary items have been published by the Japanese Personal Information Protection Commission

※You can check the opt-out procedure notification on the Personal Information Protection Commission’s website.

Verification of Customer Information Acquisition

When purchasing customer information, it is also necessary to verify the information acquisition methods of list brokers. Even if you legally purchase customer information, if the method of obtaining the customer information is illegal, you may be subject to a claim for damages.

It is of course illegal for list brokers to obtain customer information by fraudulent means, but there are also the following obligations when obtaining information, so be sure to check before purchasing.

  • Whether the purpose of use is specifically identified
  • Whether the identified purpose of use has been announced or notified to the individual
  • Whether consent has been obtained from the individual when using the obtained personal information for other purposes
  • When receiving personal information from a third party, in addition to the provider’s name and address, check the circumstances under which the personal information was obtained, record the date of receipt, confirmation items, etc., and keep them for three years
  • Whether it includes “personal information requiring special care” for which the individual’s consent is always necessary

Guidelines for Using Customer Information

Do Not Exceed the Scope of the Intended Use

It is prohibited by law for list brokers and others to use customer information beyond the scope of the purpose for which they obtained the individual’s consent. Therefore, if you wish to use the information for a different purpose, you must obtain the individual’s consent again.

When Using for Sales Calls

When conducting “telephone solicitation sales,” which involve making phone calls to solicit product orders or conclude sales contracts, there are regulations stipulated by the Japanese Act on Specified Commercial Transactions as follows:

Before soliciting, you must inform the consumer of the following:

  • Company name
  • Name of the person in charge (the one who will be soliciting)
  • Type of product (rights, services) to be sold
  • That the purpose of the call is to solicit a contract

Prohibited Actions

  • Re-soliciting someone who has already declined
  • Giving explanations that differ from the truth
  • Intentionally not conveying the truth
  • Intimidating or confusing the other party

When Using for Email Distribution

When sending emails for advertising or promotion, the Japanese Act on Regulation of Transmission of Specified Electronic Mail prohibits sending to anyone other than those who have notified the sender that they ① wish to receive specified electronic mail, or ② agree to the sending.

Even if list brokers and others have obtained the above notifications ① and ②, the purchaser of the list must obtain new notifications ① and ②, making email use difficult.

Obligation to Implement Security Measures

When you obtain customer information, you are obligated as a personal information handling business operator to take necessary measures to prevent leakage, loss, or damage of personal information.

Furthermore, you must supervise employees who actually handle personal information in a necessary and appropriate manner to ensure the safe management of such information.

Summary: Understanding the Japanese Act on the Protection of Personal Information in Buying and Using Customer Information

In this article, we have discussed the relationship between the purchase of customer information and the Japanese Act on the Protection of Personal Information, divided into the following four sections:

  1. What is the Japanese Act on the Protection of Personal Information?
  2. Is it legal to buy and sell customer information?
  3. What to consider when purchasing customer information
  4. What to consider when using customer information

However, when dealing with consumers overseas through the internet or other means, it is necessary to check not only domestic laws but also the laws and regulations of each country.

Therefore, if you are considering purchasing or using customer information, we recommend that you consult with a lawyer who has extensive knowledge and experience in this field, rather than making a decision on your own.

Introduction to Our Firm’s Measures

Monolith Law Office is a legal office with high expertise in both IT, particularly the internet, and law. In recent years, the Japanese Personal Information Protection Law has been attracting attention, and the need for legal checks is increasingly growing.

The Editor in Chief: Managing Attorney: Toki Kawase

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies. He has served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage startups.
