//by Toshihiro Wada
The European Commission adopted the adequacy decision on Japan pursuant to Article 45(3) GDPR on 23 January 2019.1 On the same day, the Japanese data protection authority, the Personal Information Protection Commission (PPC), judged that the EU protected personal information as high level as Japan does.2 As a result, personal data is transferred between the EU and Japan under a high data protection standard. Moreover, European and Japanese need to understand each other’s data protection regimes. This article introduces the basic matters of the data protection in Japan.
1 Sensitivity of Japanese to the data protection
Japanese are sensitive to the data protection in their daily lives. The disclosure of the victims’ names of serious accidents or unfortunate happenings is a subject of discussion. The relatives often wish to prevent this due to the fact that it can bring them more grief. On the one hand people need to be informed about such accidents or happenings, on the other hand, the families still need time to recover from the shock. In the case of the arson attack against the Kyoto Animation studio in July, the Kyoto prefecture police took the heartbroken families into consideration and released the victim’s names after obtaining the consent from their families.3
2 Data protection regime in Japan
2.1 National data protection laws
2.1.1 Three Acts on the Protection of Personal Information
The national data protection laws in Japan are the Act on the Protection of Personal Information (APPI)4, the Act on the Protection of Personal Information Held by Administrative Organs (APPIHAO)5 and the Act on the Protection of Personal Information Held by Incorporated Administrative Agencies (APPI-IAA)6.
The provisions from chapter 1 to chapter 3 of the APPI are applicable to the public and private sector. This part involves basic concepts such as the purpose of the APPI, the definition of the terminology and the task of the national and communal government. The provisions from chapter 4 to chapter 7 of the APPI only apply to the private sector which includes companies and private universities as well as private schools. The APPIHAO and the APPI-IAA are categorised as data protection laws in the public sector.7 The APPIHAO applies to the processing of the personal information in national administrative organs such as ministries or commissions and agencies in the cabinet. The APPI-IAA is applicable to the processing of the personal information for example in the National Consumer Affairs Center of Japan8 or in the national universities.
2.2.1 Special data protection laws and guidelines
Data processing concerning medical matters and public health, telecommunication and in the financial sector requires additional regulations to enhance the data protection. Special laws or guidelines deal with data protection in these fields.9 For example, the following acts and guidelines:
Act on Anonymously Processed Medical Information to Contribute to Medical Research and Development10,
Article 16 (1) and (2) of the Act on the Prevention of Infectious Diseases and Medical Care for Patients with Infectious Diseases11,
Article 4 (1) and (2) of the Telecommunications Business Act12 and
Guidelines for Protection of Personal Information in the Finance Sector13.
2.2 Data protection in local authorities
It is striking that all 47 prefectures, all cities and the special wards of Tokyo as well as towns and villages have their own bylaw on the Protection of Personal Information. For example, the prefectural bylaw on the Protection of Personal Information is applicable to the processing of personal information in the prefectural administrative organ, university, school or hospital.
3 Principles of the APPI
3.1 Basic principle of the APPI
Article 3 of the APPI provides the basic principle of the APPI.
“Personal information, considering it should be carefully handled under the vision of respecting the personality of an individual, shall be made subject to proper handling.”14
This principle is supported by Article 13 of the Constitution of Japan which provides that all people shall be respected as individuals.15 Therefore, personal information handling business operators16 have to recognise that the protection of personal information is closely connected to respecting the personality of an individual.17
3.2 OECD Privacy Guidelines
The provisions concerning obligations of a personal information handling business operator and an anonymously processed information handling business operator18 are based on the basic principles of national application of the OECD guidelines governing the protection of privacy and transborder flows of personal data19.
Collection Limitation Principle: Article 17 of the APPI
Data Quality Principle: Article 19 of the APPI
Purpose Specification Principle: Article 15 and 16 of the APPI
Use Limitation Principle: Article 16, 23 and 24 of the APPI
Security Safeguards Principle: Article 20, 21, 22, 36(2) and (6) as well as 39 of the APPI
Openness Principle: Article 18, 27, 36(3) and (4) as well as 37 of the APPI
Individual Participation Principle: Article 28, 29, 30, 31, 32, 33 and 34 of the APPI
Accountability Principle: Article 35 and 36(6) of the APPI
Japanese are concerned about the data protection in their everyday lives. The data protection regime in Japan is a construction which consists of the national laws, guidelines and many bylaws in local authorities. The APPI has evolved on the basis of the principles of the OECD’s guidelines as an international standard of the protection of privacy and cross-border data flow.
1 Commission Implementing Decision (EU) 2019/419 of 23 January 2019 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by Japan under the Act on the Protection of Personal Information  OJ L76/1 <https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2019:076:FULL&from=EN> accessed 15 October 2019
2 PPC, ‘The framework for mutual and smooth transfer of personal data between Japan and the European Union has come into force’ <https://www.ppc.go.jp/en/aboutus/roles/international/cooperation/20190123/> accessed 7 October 2019
3 Kyodo, ‘Police release names of remaining 25 victims of Kyoto Animation arson attack’ the japan times (Kyoto, 28 August 2019) <https://www.japantimes.co.jp/news/2019/08/28/national/police-release-names-remaining-25-victims-kyoto-animation-arson-attack/#.XXDEm8RCQuU> accessed 15 October 2019
4 Act on the Protection of Personal Information <http://www.japaneselawtranslation.go.jp/law/detail/?id=2781&vm=04&re=01&new=1> accessed 15 October 2019
5 Act on the Protection of Personal Information Held by Administrative Organs <http://www.japaneselawtranslation.go.jp/law/detail/?id=3152&vm=04&re=01&new=1> accessed 15 October 2019
6 Act on the Protection of Personal Information Held by Incorporated Administrative Agencies <http://www.japaneselawtranslation.go.jp/law/detail/?id=3264&vm=04&re=01&new=1> accessed 15 October 2019
7 Shizuo Fujiwara and Christian Geminn, ‘Reform des japanischen Datenschutzrechts im öffentlichen Bereich’  ZD 522
9 See Article 6 of the APPI
10 Act on Anonymously Processed Medical Information to Contribute to Medical Research and Development <http://www.japaneselawtranslation.go.jp/law/detail/?id=3343&vm=04&re=01&new=1> accessed 15 October 2019
11 Act on the Prevention of Infectious Diseases and Medical Care for Patients with Infectious Diseases <http://www.japaneselawtranslation.go.jp/law/detail/?id=2830&vm=04&re=01&new=1> accessed 15 October 2019
12 Telecommunications Business Act <http://www.japaneselawtranslation.go.jp/law/detail/?id=3390&vm=04&re=02&new=1> accessed 15 October 2019
13 Guidelines for Protection of Personal Information in the Finance Sector <http://www.japaneselawtranslation.go.jp/common/data/notice/052908_checked_2019-06-14-16-22-55.html> accessed 15 October 2019
14 See Article 3 of the APPI
15 See fn 1 recital 7 and 8; The Constitution of Japan <http://www.japaneselawtranslation.go.jp/law/detail/?id=174&vm=04&re=02&new=1> accessed 15 October 2019
16 See Article 2 (5) of the APPI
17 Kojin jōhō ni kansuru kihon hōshin [basic policy concerning personal information] 1(2) <https://www.ppc.go.jp/files/pdf/300612_personal_basicpolicy.pdf> accessed 15 October 2019
18 See Article 2 (10) of the APPI
19 OECD, ‘The OECD Privacy Framework’ 14-15 <https://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf> accessed 15 October 2019