Legal Guidelines for Japan's Online Shops: Understanding the Specified Electronic Mail Act and Personal Information Protection Act

The advent of buying and selling goods with just a smartphone has made online shopping an indispensable part of our lives. Various laws are involved in the operation of online shops. In this article, we will explain the relationship with the ‘Japanese Act on Regulation of Transmission of Specified Electronic Mail’ and the ‘Japanese Act on the Protection of Personal Information’.

Laws Related to All Aspects of Online Shops

When it comes to laws governing the operation of online shops in Japan, we consider two categories: general laws and industry-specific laws. The general laws include Japan’s Act on Specified Commercial Transactions, Unfair Competition Prevention Act, Act against Unjustifiable Premiums and Misleading Representations, Electronic Contract Act, Act on Regulation of Transmission of Specified Electronic Mail, and Personal Information Protection Act. While we’ve discussed the Act on Specified Commercial Transactions and the Unfair Competition Prevention Act, as well as the Act against Unjustifiable Premiums and Misleading Representations and the Electronic Contract Act, today we focus on Japan’s Act on Regulation of Transmission of Specified Electronic Mail and the Personal Information Protection Act.

Japanese Act on Regulation of Transmission of Specified Electronic Mail (Official name: Act on Regulation of Transmission of Specified Electronic Mail and Other Communications)

The Japanese Act on Regulation of Transmission of Specified Electronic Mail is a law that regulates the transmission of spam emails, enacted in response to the social problem of nuisance emails such as advertising promotions, false billing, fraud, and virus emails that are mass-sent to mobile phones.

When it was first implemented in 2002 (Heisei 14), an opt-out system was introduced that required the labeling of “unsolicited advertisements”, and the transmission to fictitious email addresses randomly generated by programs was prohibited. Subsequently, considering the maliciousness and sophistication of spam emails, the 2005 (Heisei 17) amendment strengthened the prohibition and penalties for spam email transmission, and in 2008 (Heisei 20), regulations were introduced through an opt-in system, and measures were taken against spam emails originating from overseas, leading to the current situation.

For advertising promotional emails, the “Japanese Act on Regulation of Transmission of Specified Electronic Mail” stipulates:

• Prohibition of transmission to persons other than those who have obtained consent in advance (Article 3, Paragraph 1 of the Japanese Act on Regulation of Transmission of Specified Electronic Mail)
• Obligation to display certain information such as the sender’s name, email address or URL for receiving refusal notifications (Article 4 of the Japanese Act on Regulation of Transmission of Specified Electronic Mail)
• Prohibition of sending emails with falsified sender information or impersonating the sender’s address (Article 5 of the Japanese Act on Regulation of Transmission of Specified Electronic Mail)

These are stipulated.

Emails that do not comply with these rules are illegal, and the Minister of Internal Affairs and Communications and the Director-General of the Consumer Affairs Agency can order the sender to take necessary measures to improve the method of sending emails when it is deemed necessary to prevent obstacles to the sending and receiving of emails (Article 7 of the Japanese Act on Regulation of Transmission of Specified Electronic Mail). If the sender information is falsified or if the sender does not comply with the orders of the Minister of Internal Affairs and Communications and the Director-General of the Consumer Affairs Agency, the sender can be sentenced to imprisonment for up to one year or a fine of up to 1 million yen (Article 34 of the Japanese Act on Regulation of Transmission of Specified Electronic Mail). In the case of a corporation, in addition to punishing the perpetrator, the corporation can be fined up to 30 million yen (Article 37 of the Japanese Act on Regulation of Transmission of Specified Electronic Mail).

Personal Information Protection Act (Official Name: Act on the Protection of Personal Information)

The Personal Information Protection Act is a crucial law when considering issues related to personal information in business activities, and it clearly defines the legal obligations of personal information handlers.

Until 2015, personal information handlers were limited to companies that held personal information of more than 5,000 individuals. However, after the amendment in 2015, this condition was removed, and almost all companies became personal information handlers.

In the Personal Information Protection Act, “personal information” is defined as “information about a living individual” and is “information that can identify a specific individual by the name, date of birth, and other descriptions included in the information (including information that can be easily matched with other information and can identify a specific individual)” (Personal Information Protection Act, Article 2, Paragraphs 1, 4, and 5).

The need for protection of personal information greatly varies depending on whether it is databased or not.

“Personal data” refers to personal information that has been databased by a computer, and among them, those that the business operator has held for more than six months are “retained personal data”. Personal data is personal information that is databased and systematically organized so that it can be easily searched, etc., and the possibility of infringement of rights is high, so it is given stronger protection than general personal information.

Retained personal data is given even stronger protection, and it is personal data that the personal information handler has the authority to disclose, correct, add or delete the content, stop the use, erase, and stop the provision to third parties (Personal Information Protection Act, Article 2, Paragraph 7). For retained personal data, requests for disclosure, correction, and cessation of use, etc., taking into account the demand that the individual can appropriately involve themselves in their own information, are recognized.

In order to prevent personal information from being used indiscriminately, it is necessary to clearly specify the purpose of using personal information and limit its handling to the range necessary to achieve the purpose.

Therefore, personal information handlers must:

• Specify the purpose of use as much as possible when handling personal information (Personal Information Protection Act, Article 15, Paragraph 1)
• Not handle personal information beyond the range necessary to achieve the purpose of use (Personal Information Protection Act, Article 16, Paragraph 1)
• Not acquire personal information by deception or other wrongful means (Personal Information Protection Act, Article 17, Paragraph 1)
• Notify or announce the purpose of use to the individual when personal information is acquired (Personal Information Protection Act, Article 18)

Although the method of announcement is not specifically designated, it is common to do so in the form of a “Privacy Policy” or “Personal Information Protection Policy”.

On the other hand, so-called sensitive information, or “Special Care-Required Personal Information”, is subject to heavier restrictions than regular personal information, and its acquisition is prohibited in principle without the consent of the individual (Personal Information Protection Act, Article 17, Paragraph 2).

Special Care-Required Personal Information is:

In this Act, “Special Care-Required Personal Information” refers to personal information that includes descriptions, etc., specified by a Cabinet Order as requiring special consideration in handling so as not to cause unfair discrimination, prejudice, or other disadvantages to the individual.

Personal Information Protection Act, Article 2, Paragraph 3

However, it also includes disabilities, results of health examinations, guidance, medical treatment, dispensing, etc., by doctors, etc., criminal procedures being carried out, and procedures related to juvenile protection cases being carried out.

Issues such as massive leaks of customer information often become social problems. Personal information handlers have an obligation to take necessary and appropriate measures (safety management measures) for the safe management of personal data (Personal Information Protection Act, Article 20), and when allowing employees to handle personal data, they must conduct necessary and appropriate supervision to ensure the safe management of the personal data (Personal Information Protection Act, Article 21).

Selling or taking out customer data by employees not only makes the employee themselves liable for tort (Civil Code, Article 709), but also the personal information handler themselves may be liable as an employer (Civil Code, Article 715).

The Personal Information Protection Act provides penalties for cases where a business operator leaks personal information.

If a business operator violates the Personal Information Protection Act and leaks information, they will first be “recommended by the country to take necessary measures to stop the violation and correct it” (Personal Information Protection Act, Article 42).

If they also violate this, the violating employee may be “sentenced to imprisonment for up to 6 months or a fine of up to 300,000 yen” (Personal Information Protection Act, Article 84), and the company employing the employee may also be “fined up to 300,000 yen” (Personal Information Protection Act, Article 85).

In addition, if they provide or steal for the purpose of unjust profit, they will be “sentenced to imprisonment for up to 1 year or a fine of up to 500,000 yen” without any recommendation (Personal Information Protection Act, Article 83).

The Personal Information Protection Act is a law that requires business operators handling personal information to handle personal information appropriately and take necessary and appropriate measures for safety management, and it is an important law that cannot be avoided in the operation of online shops.

Related article: What is the Personal Information Protection Act and Personal Information? Explained by a lawyer

Summary: Japan’s Online Shops requires Understanding the Specified Electronic Mail Act and Personal Information Protection Act and Other Industry-related Laws

When operating an online shop, it is essential to pay attention to relevant laws to prevent any legal issues.

While it is natural to be mindful of laws that pertain to online shops in general, it is also necessary to consider specific industry-related laws such as the ‘Japanese Antique Dealings Act’ and the ‘Japanese Pharmaceuticals and Medical Devices Act’.

Introduction to Our Firm’s Measures

Monolith Law Firm is a legal office with high expertise in both IT, particularly the internet, and law. In recent years, online shopping has become an indispensable part of our lives, and the need for legal checks is increasingly growing. Our firm provides solutions related to online shopping.