JN, Attorney-at-Law

Attorney-at-Law (Japan | New York) | Osaka Bar Association (大阪弁護士会) | International Transactions, M&A, Data Privacy Law


Japanese Data Privacy Law 1 (the APPI regulations for Foreign Companies)


This article outlines the regulations of Japanese Data Privacy Law, officially titled the Act on the Protection of Personal Information (“APPI”) from the perspectives that are particularly important for foreign companies handling the personal data of individuals located in Japan.

Extraterritorial Application

  • Overview: Extraterritorial Application concerns whether APPI applies to a controller or processor in a third country.
  • The APPI stipulates that it applies extraterritorially if a controller or processor located outside Japan (1) handles the personal data of individuals located in Japan (hereinafter “data subjects”) and (2) does so in connection with providing goods or services to corporations and/or individuals located in Japan (APPI Article 171).
  • The term “business” includes both domestic and foreign companies. The term “individuals in Japan” refers to data subjects regardless of their nationality and whether their stay is temporary. The key point is that it is limited to cases related to the provision of goods or services.
  • Therefore, when foreign companies are subject to the extraterritorial application of the APPI, they must be aware of its regulations, including the reporting of data breaches (APPI Article 26), obtaining consent from data subjects for third-party provision (APPI Article 27), cross-border data transfer restrictions (APPI Article 28), and penalties for violations (APPI Articles 148, 178 and 184).

Cross-Border Data Transfer Regulations

  • Who is the subject of the regulation? Cross-border data transfer regulations typically apply to a business in Japan that transfers personal data to a controller or processor in a third country. The key point is that these regulations impose obligations on the transferring party, not the receiving party. Therefore, foreign companies are not directly obligated under this principle. However, if a foreign company is subject to the extraterritorial application described above, and it transfers personal data to a controller or processor in the same or another third country (all considered foreign countries from Japan’s perspective), it could be subject to these cross-border data transfer regulations. Foreign companies should therefore be aware that they might, exceptionally, be subject to these regulations.
  • Overview: When a business in Japan (including foreign companies subject to extraterritorial application) transfers personal data to a third party located outside Japan (“cross-border data transfer”), the Japanese business must obtain the consent of the data subjects in advance, after providing them with specific reference information about the foreign country (“reference information,” APPI Article 28, Paragraphs 1 and 2).
  • Reference Information:
    • Name of the foreign country
    • Information about the personal information protection system in the foreign country: The Personal Information Protection Commission of Japan (“PPC”) provides an overview of the major foreign systems on its website (https://www.ppc.go.jp/enforcement/infoprovision/laws/). If the recipient’s country is not listed, the Japanese business needs to inquire with the foreign recipient about that country’s system.
    • Measures taken by the recipient for the protection of personal information: If the recipient has implemented all measures corresponding to the OECD Privacy Guidelines’ eight principles, that information is sufficient. If the measures taken by the recipient are unclear, it is sufficient to provide that information and the reasons, but it is advisable to add explanations as they become available.
  • Scope of Foreign Countries: EU member states and the UK are excluded from the definition of “foreign countries” under APPI Article 28, so transfers to them are treated as equivalent to transfers within Japan under the APPI.
  • Scope of Third Parties: Foreign business entities that have implemented appropriate measures are excluded from the definition of “third parties” under APPI Article 28, Paragraph 3. However, even if this exception applies, the provider in Japan must continue to ensure that appropriate measures are implemented by the recipient, necessitating measures such as annual certification to ensure the ongoing implementation of adequate measures, which can be burdensome. This exception (APPI Article 28, Paragraph 3) offers the advantage of eliminating the need for providing reference information and obtaining consent from the data subject; however, it is not very practical in reality.

Reporting and Notification Obligation in Case of Data Breach

  • Overview: In the event of leakage, loss, or damage of personal data (“data breach”) caused by unauthorized access, a malware attack, or another incident, or where there is a risk of such an incident, the business must report to the PPC and notify the data subjects (APPI Article 26). Reporting to the PPC and notifying the data subjects are required in the following cases:
    • If the data breach involves sensitive personal data, which includes data on race, creed, social status, medical history, criminal record, etc. (see APPI Article 2, Paragraph 3).
    • If the data breach could lead to financial harm due to unauthorized use, such as with leaked credit card numbers.
    • If the data breach was carried out with malicious intent, such as in a third-party attack.
    • If the data breach involves the personal data of more than 1,000 data subjects.
  • These criteria apply not only when a data breach has occurred but also when there is a “risk” of an incident. This aligns with GDPR Article 33, Paragraph 1, which deals with “likelihood.” The criterion for data breaches affecting more than 1,000 individuals applies even if the exact number of affected data subjects cannot be determined: if the source server stored personal data for more than 1,000 individuals, the incident is likely to be treated as a data breach affecting more than 1,000 individuals, making reporting obligatory (it is usually difficult to prove the absence of likelihood).
  • Reporting and Notification by the Processor: If a data breach occurs at a processor, both the controller and the processor must report and notify. However, to avoid duplication of reporting, if the processor informs the controller of the data breach, the processor is exempt from reporting and notification obligations.
  • Methods of Reporting to the PPC
    • Initial Report: Within approximately 3-5 days of becoming aware of a data breach involving any of the cases above, report the content known at that time.
    • Detailed Report: Within 30 days (60 days in cases where the data breach was carried out with malicious intent), report details including (1) the overview, (2) the types of personal data involved, (3) the number of affected data subjects, (4) the cause, (5) the presence and details of secondary harm, (6) the status of responses to data subjects, (7) the status of public announcements, (8) measures taken to prevent recurrence, and (9) other relevant information.
    • Method: Reports are primarily made using the PPC’s online reporting form at https://roueihoukoku.ppc.go.jp/incident/?top=r2.kojindata.
  • Methods of Notifying Data Subjects (APPI Article 26, Paragraph 2): Unlike reporting to the PPC, notification has no fixed deadline but must be made promptly, depending on the situation. The notification should include (1) the overview, (2) the types of personal data involved, (3) the cause, (4) the presence and details of secondary harm, and (5) other relevant information. Notifications are typically made directly to data subjects by written document or email. However, if contact details are unknown or it is otherwise difficult to notify the affected persons directly, alternative measures such as public announcements on websites or setting up inquiry desks can be considered.

Penalties for Violations of the APPI

If a business violates the regulations on cross-border data transfers or data breaches, the PPC will recommend corrective actions. If the business does not comply with the recommendation, the PPC will issue an order (APPI Article 148). If the business does not comply with this order, the individual who committed the violation can be sentenced to imprisonment for up to one year or fined up to 1 million JPY, and if the violator is a representative, agent, or employee of a corporation, the corporation can be fined up to 100 million JPY (APPI Article 178, Article 184, Paragraph 1, Item 1).

*This article is based on a previous paper that I co-authored with my colleagues. You can find the publication here https://law.asia/japan-data-privacy-laws/.
