Japans PIPA

24 May 2005

Masayuki Watanabe from Anderson Mori & Tomotsune

Readers may be aware that there is now a new data protection law in Japan. Anderson Mori has kindly provided this summary.

The Personal Information Protection Act (“PIPA”) came into effect on 1 April 2005 and imposes strict regulations on Japanese companies. In addition foreign companies may be affected if they have business activities in Japan.

The requirements of the PIPA are not particularly onerous. However, businesses regulated by the Financial Services Agency are subject to guidelines stating that if Personal Information is leaked they should publicise that fact. It has been suggested that these guidelines will be strictly applied, which could necessitate potentially embarrassing publications for relatively minor Personal Information infringements.

Under the PIPA, “Personal Information”, or “Personal Data” means any information regarding a living individual from which it is possible to identify any particular individual by means of name, birth date or other information. Information about foreigners, whether residents or non-residents, also falls within the ambit of Personal Information.

The PIPA applies to “Personal Information Handlers” (“PIHs”), meaning a company or a person which utilises a database of more than 5,000 individuals’ Personal Information (at least once within 6 months) for conducting its business. The term “conducting business” is limited to conducting business in Japan, so a foreign company which owns branches in Japan may fall within the definition of PIH. If Japanese branches of a foreign company utilise a database of 5,000 or less than 5,000 individuals’ Personal Information, the foreign company will not fall within the definition of PIH, whether or not it has more than 5,000 individuals’ Personal Information held in total by its foreign head office and branches. Equally a foreign company, which does not have any branches in Japan will not be a PIH. At present it is not clear whether a foreign company that does not have a branch in Japan but is conducting business with residents in Japan via a web-site falls within the definition of a PIH. Such a company would therefore be well advised to comply with the PIPA regulations.

A PIH must comply with a number of restrictions relating to how they treat Personal Data which include:

  • specification of the purpose of use of Personal Information
  • notification of the purpose of use upon acquisition of Personal Information
  • acquiring Personal Information properly
  • ensuring the accuracy of Personal Data
  • taking safety control measures
  • supervising employees and contractors
  • limitation of provision of Personal Data to third parties
  • publicly announcing what Personal Information is retained
  • disclosure, correction and suspension of usage of retained Personal Data

Among these restrictions, foreign companies must especially pay attention to the limitation on providing Personal Information to third parties. A PIH must obtain prior consent from an individual if it provides the individual’s Personal Information to a third party. However, a Japanese branch of a foreign company, which falls within the ambit of PIH, may transfer an individual’s Personal Information to its foreign head office or branches without the consent of the individual. This is because the Japanese branch and foreign head office and branches are considered to be the same entity. Despite that, such a foreign company must still notify the individual or announce to the public the purpose for which the Personal Information is used (for example, management of Personal Information by foreign head office or branches).

The PIPA permits a PIH to disclose Personal Information to the government or agency without an individual’s consent if a law requires. Please note “law” does not include foreign laws. Therefore, a foreign company cannot disclose any Personal Information retained by the database of its Japanese branch to a foreign government without the consent of affected individuals, even if a foreign law requires such disclosure. A PIH may also disclose Personal Data without consent of an individual in the cases of: (i) a PIH outsources its handling of Personal Information, (ii) a business transfer, merger or corporate split etc., (iii) the joint utilisation of Personal Information (providing certain conditions are met.). These exceptions apply even where a PIH is transferring Personal Information to a foreign company.

If any provisions of the PIPA are violated the relevant governmental ministry or agency overseeing a given PIH’s business field may advise the PIH to cease the violating activity. If the PIH does not respond to this government advice and it is recognised that important individual rights are on the verge of being violated, the relevant governmental ministry may order the PIH to cease the violating activity. If the PIH does not properly respond to this government order, the responsible officer or employee of the PIH may be subject to a maximum penalty of either (i) up to six months imprisonment, or (ii) a fine of up to JPY 300,000 (roughly EUR 2,200). In such event, the PIH itself will also be subject to a fine of up to JPY 300,000.

Further, under the Guideline for Protection of Personal Information in the Financial Sector announced by the Financial Services Agency (the "FSA Guideline") which is applicable to banks, securities companies and other financial institutions supervised by the FSA, a PIH should take the following steps:

1. if a Personal Information leak or other accident takes place, the PIH in the Financial Sector shall immediately inform the competent regulator body

2. if a Personal Information leak or other accident takes place, the PIH in the Financial Sector shall publish the facts involving such leak or other accident, as well as measures that will be implemented to prevent the recurrence of such an accident

3. if a Personal Information leak or other accident takes place, the PIHin the Financial Sector shall promptly inform all individuals whose Personal Information has been leaked of the fact of the leak

It appears that these provisions may be relatively strictly applied, meaning that a PIH should take the above steps even in the event of a relatively minor Personal Information leak. If this is the case a PIH, Japanese or foreign, will have to ensure comprehensive Personal Information procedures are in place in order to avoid having to make potentially embarrassing public announcements.

For further information on the new Japanese law, please contact James Minamoto at jmm@amt-law.com.