The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.  

The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice. 


Japan

International Regulations

Japan Act on the Protection of Personal Information

Kojin jōhō hogo-hō [Act on the Protection of Personal Information], Act No. 57 of 2003 (Japan).

Highlights

Scope:

The APPI lists various requirements for the national government and for persons or entities handling (i.e., collecting, retaining, using, transferring, etc.) information in the course of business. The APPI also applies to businesses in foreign countries that handle the Personal Information of identifiable Japanese persons if such businesses are supplying goods or services to people in Japan.

Exemptions:

Certain provisions of the APPI do not apply to:

  • Broadcasting organizations, newspapers, news services, and other journalistic organizations (including individuals who work in news reporting) handling information for use in news reporting;
  • Literary businesses handling information for use in the creation of literary works;
  • Religious organizations handling information for use in a religious activity (including incidental activities);
  • Political organizations handling information for use in a political activity (including incidental activities).

The APPI also provides certain exemptions for some specific cases involving the handling of Personal Information for purposes of academic research.

Obligations of Businesses Handling Personal Information:

  • Specify the purpose of using Personal Information.
  • Not handle Personal Information beyond the scope necessary for achieving the purpose of use without obtaining the Identifiable Person’s consent to do so in advance (with some exceptions).
  • Not utilize Personal Information in a way that may foment or induce an unlawful or unjust act.
  • Not acquire Personal Information by deception or other wrongful means.
  • Not acquire Sensitive Personal Information without obtaining the Identifiable Person’s consent in advance (with some exceptions).
  • Promptly notify the Identifiable Person of the specific purpose of use or disclose this to the public once the Business Handling Personal Information has acquired Personal Information.
  • Notify Identifiable Persons of altered purposes of use or disclose this to the public (with some exceptions).
  • Maintain the accuracy of Personal Data, within the scope necessary for achieving the purpose of use and delete the Personal Data without delay if no longer required.
  • Take the necessary and appropriate measures for managing the security of Personal Data including preventing the leaking, loss, or damage of the Personal Data they handle.
  • Exercise the necessary and adequate supervision over employees handling Personal Data or other persons entrusted with handling Personal Data.
  • Report leaks, loss, or damage and other situations concerning the security of the Personal Data (those prescribed by Order of the Personal Information Protection Commission as likely to harm individual rights and interests) to the Personal Information Protection Commission, and notify the Identifiable Person of the occurrence.
  • Not provide Personal Data to a third party without obtaining the Identifiable Person’s consent in advance (with some exceptions).
  • Adhere to certain restrictions on the provision of Personal Data to third parties in foreign countries.
  • Prepare records on the provision of Personal Data to third parties.
  • When receiving Personal Data from a third party, provide confirmation and prepare records documenting the receipt of Personal Data.
  • Make certain required disclosures to Identifiable Persons about the Personal Data the business holds.

Obligations of Businesses Handling Pseudonymized Personal Information:

  • Process Pseudonymized Personal Information such that it is impossible to identify a specific individual unless collated with other information.
  • Take measures for the management of the security of deleted or other related information.
  • Not handle Pseudonymized Personal Information beyond the necessary scope to achieve the purpose of use.
  • Delete Pseudonymized Personal Information without delay if such information is no longer necessary.
  • Not collate Pseudonymized Personal Information with other information that identifies the individual.
  • Provide required disclosures and notices regarding purpose of use and applicable third-party transfers.
  • Not use contact addresses and other information contained in the Pseudonymized Personal Information for correspondence.
  • Establish procedures for Identifiable Persons to submit requests concerning their Personal Data and ensure that the procedures do not impose an excessive burden on Identifiable Persons.

Obligations of Businesses Handling Anonymized Personal Information:

  • Process Anonymized Personal Information such that it is impossible to identify a specific individual or to restore that information to its original state.
  • Take measures for the management of the security of information relating to identifiers or their equivalent and deleted individual identification codes.
  • Disclose the categories of information on an individual that is contained in the Anonymized Personal Information.
  • Disclose the categories of information on an individual that is contained in the Anonymized Personal Information prior to providing the Anonymized Personal Information to a third party.
  • Not collate Anonymized Personal Information with other information that identifies the individual.
  • Take measures for processing complaints about the preparation or handling of the Anonymized Personal Information.

Identifiable Person Rights:

  • Right to request that a Business Handling Personal Information disclose Personal Data the business holds that can identify that person through electronic or magnetic records or other means as prescribed by Order of the Personal Information Protection Commission.
  • Right to correction, addition, or deletion of the Personal Data the business holds.
  • Right to request cessation of Personal Data use.

A Business Handling Personal Information must provide an Identifiable Person with an explanation of its reasoning when denying, in whole or in part, that Identifiable Person’s request.

More Details

Definitions:

  • Anonymized Personal Information: Information relating to an individual that can be prepared in a way that makes it not possible to identify a specific individual by taking any of the measures prescribed in each following item in accordance with the divisions of Personal Information set forth in those items; and also makes it not possible to restore that Personal Information: (i) deleting a part of the identifiers or their equivalent contained in the Personal Information (including replacing the part of the identifiers or their equivalent with other identifiers or their equivalent without following patterns that enable its restoration); (ii) deleting all individual identification codes contained in the Personal Information (including replacing the individual identification codes with other identifiers or their equivalent without following patterns that enable restoration of the individual identification codes).
  • Business Handling Anonymized Personal Information: A person that uses a collective body of information consisting of Anonymized Personal Information for business, which has been systematically organized to be searchable using a computer or is the equivalent prescribed by Cabinet Order as systematically organized in order to be easily searchable for particular Anonymized Personal Information (referred to as an “Anonymized Personal Information Database or the Equivalent”); provided, however, that this excludes persons as set forth in the definition of “Business Handling Personal Information.”
  • Business Handling Personal Information: A person that uses a Personal Information Database or the Equivalent for business; provided, however, that this excludes persons set forth as follows: (i) national government organs; (ii) local governments; (iii) incorporated administrative agencies or other prescribed corporations; (iv) local incorporated administrative agencies.
  • Business Handling Pseudonymized Personal Information: A person that uses a collective body of information consisting of Pseudonymized Personal Information for business, which has been systematically organized to be searchable using a computer or is the equivalent as prescribed by Cabinet Order as systematically organized in order to be easily searchable for particular Pseudonymized Personal Information (referred to as a “Pseudonymized Personal Information Database or the Equivalent”); provided, however, that this excludes persons as set forth in the definition of “Business Handling Personal Information.”
  • Identifiable Person: A specific individual identifiable by Personal Information.
  • Personal Data: Personal Information compiled in a Personal Information Database or the Equivalent.
  • Personal Information: Information relating to a living individual which falls under any of the following items: (i) information containing a name, date of birth, or other identifier or the equivalent (meaning all items (excluding individual identification codes) made by writing, recording, sound or motion, or other means, in a document, drawing, or electronic or magnetic record (this includes a record created in electronic or magnetic form (meaning electronic form, magnetic form, or any other form that cannot be perceived with the human senses; the same applies in item (ii) of the following paragraph); hereinafter the same); hereinafter the same) which can be used to identify a specific individual (this includes any information that can be easily collated with other information and thereby used to identify that specific individual); (ii) those containing an individual identification code.
  • Personal Information Database or the Equivalent: A collective body of information comprised of Personal Information, as set forth in the following (excluding those prescribed by Cabinet Order as having little possibility of harming individual rights and interests in consideration of how the information is used): (i) those systematically organized so as to be searchable for particular Personal Information using a computer; (ii) beyond what is set forth in the preceding item, those prescribed by Cabinet Order as having been systematically organized so as to be easily searchable for particular Personal Information.
  • Pseudonymized Personal Information: Information relating to an individual that can be prepared in a way that makes it not possible to identify a specific individual unless collated with other information, by taking any of the measures prescribed in each following item in accordance with the divisions of Personal Information set forth in those items: (i) deleting a part of the identifiers or their equivalent contained in the Personal Information (including replacing the part of the identifiers or their equivalent with other identifiers or their equivalent without following patterns that enable its restoration); (ii) deleting all individual identification codes contained in the Personal Information (including replacing the individual identification codes with other identifiers or their equivalent without following patterns that enable restoration of the individual identification codes).
  • Sensitive Personal Information: Personal Information as to an Identifiable Person’s race, creed, social status, medical history, criminal record, the fact of having suffered damage by a crime, or other identifiers or their equivalent prescribed by Cabinet Order as those of requiring special care so as not to cause unjust discrimination, prejudice, or other disadvantages to that person.

Penalties:

Businesses that violate the APPI may be subject to various civil and criminal penalties. The APPI ascribes varying monetary fines and maximum imprisonment lengths for different types of violations.

Effective Date:

The latest amendments to the APPI became effective on April 1, 2022.
