Personal Information Protection
Business situations involving IT and the Internet often involve the handling of various types of personal information, including personal information databases, cookies, and so on. Particular attention must be paid to obligations that may change due to legal revisions. MONOLITH LAW OFFICE provides highly specialised legal services related to the Japan privacy law.
The Japan Act on the Protection of Personal Information (APPI) is one of the most crucial laws. It governs the handling of personal information in business activities. This Japan privacy law focuses on how personal data should be handled.
The Act sets out the obligations that personal data providers must fulfil in order to protect the rights and interests of individuals. Companies are facing the challenge of complying with the revised APPI, which came into force in April 2022.
With expertise in supporting IT and Internet businesses, MONOLITH LAW OFFICE has handled legal matters related to the Japan Act on the Protection of Personal Information for numerous companies, ranging from companies listed on the Prime Market of the Tokyo Stock Exchange (TSE) to seed-stage startups.
Example of support provided by our firm
Privacy Policy
We have handled the drafting of privacy policies for websites, services, apps, etc., as well as numerous revisions in response to legal amendments and other changes.
Business Manuals for Internal Use
We also help establish a Chief Privacy Officer (CPO) and maintain internal manuals and policies.
GDPR and Other Compliance
We also handle legal matters related to personal data protection, such as the EU General Data Protection Regulation (GDPR) in cross-border IT business opportunities.
Personal Data Breach
We can assist with reporting to the Personal Information Protection Commission and notifying individuals in case of a personal data breach.
Compliance with The Japan privacy law
The Japan Act on the Protection of Personal Information (APPI) imposes regulations on business operators handling personal information in relation to the provision or transfer of such personal information to third parties. This law imposes strict requirements on the purposes for which personal information may be used, how it may be obtained, and the security control measures that must be taken.
In addition, the law is frequently amended to provide new definitions and regulations, such as personal information databases, anonymously processed information and pseudonymised information.
Basic Obligations of Business Operator Handling Personal Data
The Japan privacy law establishes the following obligations specifically for a “Business Operator Handling Personal Information”. Businesses need to meet these obligations and establish a compliance system.
Obligation | Details |
---|---|
Rules Regarding the Purpose of Use of Personal Data | Specify the utilization purpose as explicitly as possible (Article 15, Paragraph 1); Notification or disclosure of the utilization purpose (Article 18, Paragraph 1); Use within the specified utilization purpose (Article 16, Paragraph 1); Altering the utilization purpose is not permitted in principle (Article 15, Paragraph 2) |
Acquisition by Appropriate Means | Prohibition of acquisition by deception or other wrongful means (Article 17, Paragraph 1) |
Appropriate security control actions | Prevention of data breach, loss, or damage, etc. (Article 20); Supervision over employees and contractors (Articles 20, 21) |
Provision to a third party and cross-border transfer | Necessary when providing information to a third party: Obtaining the principal’s consent in advance (Article 23, Paragraph 1); So-called opt-out method (Article 23, Paragraph 2) |
Creating and Revising a Privacy Policy
When an IT service is launched, an appropriate privacy policy should be developed based on what type of personal information will be collected and how that information will be used. In addition, such policies must be revised as new business functions are added or as laws are revised.
As an IT, Internet and business law firm, we understand the behavior of such systems. We can help you create or revise appropriate privacy policies at minimal cost to your organization.
Examples of our experiences
BGM and sound effect distribution service, BGM playback app, SaaS based voice recognition service for BtoB use, D2C EC sites, EC platforms, Services for data integration between SaaS services, Integration services for SaaS businesses, Artist platforms, Sales support tools, Household account books Apps, Job-related web services, Job search services, Cloud-based expense reimbursement services, Cloud-based attendance management services, Cloud-based transportation expense reimbursement services, Supplement sales services, Politics-related SNS, Taxi dispatch apps, Outsourced data analysis services, Video SNS services, Business SNS, Business matching site, Hospital reservation platform, Programming school, Blockchain SNS, Blockchain ad network, Reference service, Travel concierge service, Safety confirmation service, Medical information network system, Virtual currency exchange (outside Japan), Orthodontic clinic database site, Support service for the disabled, Student recruitment, Employee management, Employee training cloud service, Authorized import car sales site, Lifestyle-related support service, Start-up support service, and Antisocial check service
Responding to a Personal Information Breach
The 2022 revision of the Japan Act on the Protection of Personal Information (APPI) established the obligation of business operators that handle personal information to report to the Personal Information Protection Commission and notify individuals when a breach or potential breach of personal information has occurred. The types of reports are preliminary reports and detailed reports. In particular, preliminary reports must be made within 3 to 5 days of the discovery of the data breach.
Response to the Japan Act on the Protection of Personal Information in 2022
In April 2022, the revised privacy law went into effect in Japan. This has created a need for all business owners to review their internal manuals and internal systems. In particular, for those business operators who handle short-term stored data that will be erased within 6 months or those who use opt-out, it is necessary to revise their privacy policies.
Business operators affected | Amendments | Necessary Response |
---|---|---|
All economic operators | Relaxed requirements for requests for cessation of use, erasure, and cessation of provision to third parties | Reinforcement of response to increased number of claims |
All economic operators | Enhancement of disclosure requests | Establishment of a system to determine no longer necessary |
Businesses that process short-term stored data to be deleted within 6 months | Expansion of the scope of retained personal data subject to disclosure, etc. | Revision of internal manuals and other handling procedures |
Business operators using opt-out | Strengthening of opt-out regulations: addition of matters to be notified, etc. | Revision of privacy policy, etc. |
Business operators using opt-out | Strengthening of opt-out regulations: prohibition of double opt-out | Verify means of acquisition/obtaining information, and change business schemes as necessary |
All economic operators | Obligation to report leaks, etc. and notify the individual | Establish internal manuals and other procedures to prepare for possible leakage |
Business operators using anonymously processed information | Establishment of new provision of pseudonymized processed information | Revision of privacy policy, etc |
Business operators providing DMP and related services | Regulation of personal-related information that becomes personal data at the destination of provision | Verify that the consent of the individual is obtained from the business to which the information is provided |
Business operators conducting cross-border transactions | Tighter regulation of cross-border transfers | Review whether the service is being provided or not, and switch services as appropriate. |
Drafts can be prepared with minimal hearings
Our founding lawyer is a former IT engineer.
In order to create privacy policies for apps and web services, it is necessary to understand their functions and screen transitions (in terms of what the user is supposed to agree to and by what method of operation). We can read the various documents and data that already exist in your company, such as requirement definitions, frameworks created with Adobe XD, LPs, and sales materials for potential clients.
Therefore, we can create a draft for your privacy policy, etc. with minimal time spent on interviews, effectively reducing communication costs and the time required for creation.
Terms of Use for Apps
At MONOLITH LAW OFFICE, we create and revise the terms of use for various apps, services, games, etc., and create privacy policies. It is also possible to create a privacy policy based on existing documents and data used for app development, such as requirement definitions, frameworks, LPs, and sales materials for prospective customers.
Examples of our client’s products
oVice
We have been an auditor for oVice Corporation, which realizes co-working spaces and event spaces in virtual spaces where you can feel close to people, as if you are talking next to them.
TOKIUM Expense Reimbursement
We have worked with TOKIUM Inc., the company behind the corporate finance app “TOKIUM Expense Reimbursement” as their Chief Legal Officer. We have provided legal support for their projects, including the release of their expense reimbursement system “TOKIUM Invoice”.
Securio
We have been an auditor for LRM Corporation, which releases Securio, which improves the perception of information security throughout the company.
TRIBEAU
We are in charge of a project for TRIBEAU Corporation, which releases “TRIBEAU,” an application for beauty care reviews and reservations, which is also available as a web service.
As well as these clients, we are responsible for many other products. Only the companies that have given us permission to disclose their client status, or the businesses that have registered us as their executives, are listed here. As a general rule, clients’ information is kept confidential under the confidentiality agreement.
Fee Structure
Hourly Rate
$300 per hour
In certain instances, we may consider accepting a dispute or lawsuit with an initiation fee and a contingency fee. For more details, please feel free to contact us.
Drafting Contracts
from $500 to $2,000 or more
The pricing structure is subject to variation based on the type and quantity of contracts. We are pleased to offer a preliminary estimate upon inquiry, thereby encouraging you to reach out to us for further details.
Other Services
Contact Us
We offer a wide range of services including company formation, contract review, legal opinion, case review, or research letter. Should you have any inquiries or concerns, we cordially invite you to contact us and our knowledgeable team will be happy to assist you.