Data Protection in Japan

//by Toshihiro Wada

The European Commission adopted the adequacy decision on Japan pursuant to Article 45(3) GDPR on 23 January 2019.¹ On the same day, the Japanese data protection authority, the Personal Information Protection Commission (PPC), judged that the EU protected personal information as high level as Japan does.² As a result, personal data is transferred between the EU and Japan under a high data protection standard. Moreover, European and Japanese need to understand each other’s data protection regimes. This article introduces the basic matters of the data protection in Japan.

1 Sensitivity of Japanese to the data protection

Japanese are sensitive to the data protection in their daily lives. The disclosure of the victims’ names of serious accidents or unfortunate happenings is a subject of discussion. The relatives often wish to prevent this due to the fact that it can bring them more grief. On the one hand people need to be informed about such accidents or happenings, on the other hand, the families still need time to recover from the shock. In the case of the arson attack against the Kyoto Animation studio in July, the Kyoto prefecture police took the heartbroken families into consideration and released the victim’s names after obtaining the consent from their families.³

2 Data protection regime in Japan

2.1 National data protection laws

2.1.1 Three Acts on the Protection of Personal Information

The national data protection laws in Japan are the Act on the Protection of Personal Information (APPI)⁴, the Act on the Protection of Personal Information Held by Administrative Organs (APPIHAO)⁵ and the Act on the Protection of Personal Information Held by Incorporated Administrative Agencies (APPI-IAA)⁶.

The provisions from chapter 1 to chapter 3 of the APPI are applicable to the public and private sector. This part involves basic concepts such as the purpose of the APPI, the definition of the terminology and the task of the national and communal government. The provisions from chapter 4 to chapter 7 of the APPI only apply to the private sector which includes companies and private universities as well as private schools. The APPIHAO and the APPI-IAA are categorised as data protection laws in the public sector.⁷ The APPIHAO applies to the processing of the personal information in national administrative organs such as ministries or commissions and agencies in the cabinet. The APPI-IAA is applicable to the processing of the personal information for example in the National Consumer Affairs Center of Japan⁸ or in the national universities.

2.2.1 Special data protection laws and guidelines

Data processing concerning medical matters and public health, telecommunication and in the financial sector requires additional regulations to enhance the data protection. Special laws or guidelines deal with data protection in these fields.⁹ For example, the following acts and guidelines:

• Act on Anonymously Processed Medical Information to Contribute to Medical Research and Development¹⁰,

• Article 16 (1) and (2) of the Act on the Prevention of Infectious Diseases and Medical Care for Patients with Infectious Diseases¹¹,

• Article 4 (1) and (2) of the Telecommunications Business Act¹² and

• Guidelines for Protection of Personal Information in the Finance Sector¹³.

  2.2 Data protection in local authorities

It is striking that all 47 prefectures, all cities and the special wards of Tokyo as well as towns and villages have their own bylaw on the Protection of Personal Information. For example, the prefectural bylaw on the Protection of Personal Information is applicable to the processing of personal information in the prefectural administrative organ, university, school or hospital.

3 Principles of the APPI

3.1 Basic principle of the APPI

Article 3 of the APPI provides the basic principle of the APPI.

“Personal information, considering it should be carefully handled under the vision of respecting the personality of an individual, shall be made subject to proper handling.”¹⁴

This principle is supported by Article 13 of the Constitution of Japan which provides that all people shall be respected as individuals.¹⁵ Therefore, personal information handling business operators¹⁶ have to recognise that the protection of personal information is closely connected to respecting the personality of an individual.¹⁷

3.2 OECD Privacy Guidelines

The provisions concerning obligations of a personal information handling business operator and an anonymously processed information handling business operator¹⁸ are based on the basic principles of national application of the OECD guidelines governing the protection of privacy and transborder flows of personal data¹⁹.

• Collection Limitation Principle: Article 17 of the APPI

• Data Quality Principle: Article 19 of the APPI

• Purpose Specification Principle: Article 15 and 16 of the APPI

• Use Limitation Principle: Article 16, 23 and 24 of the APPI

• Security Safeguards Principle: Article 20, 21, 22, 36(2) and (6) as well as 39 of the APPI

• Openness Principle: Article 18, 27, 36(3) and (4) as well as 37 of the APPI

• Individual Participation Principle: Article 28, 29, 30, 31, 32, 33 and 34 of the APPI

• Accountability Principle: Article 35 and 36(6) of the APPI

  4 Resume

Japanese are concerned about the data protection in their everyday lives. The data protection regime in Japan is a construction which consists of the national laws, guidelines and many bylaws in local authorities. The APPI has evolved on the basis of the principles of the OECD’s guidelines as an international standard of the protection of privacy and cross-border data flow.