Data protection in Japan: overview

A Q&A guide to data protection in Japan.

This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.

This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.

Regulation

Legislation

1. What national laws regulate the collection and use of personal data?

General laws

The Act on the Protection of Personal Information (Law No. 57 of 2003) (APPI) is the central data protection legislation in Japan and applies to personal information processing by data controllers. (For the definition of personal information, see Question 3.) The APPI is an administrative law that empowers the ministries to enforce its provisions. It does not provide for a private individual cause of action. An individual who is damaged due to a violation of the APPI may have a cause of action against the data controller under tort or contract law. (For the definition of data controller, see Question 2.)

Sectoral laws

The following government decrees interpret the APPI and provide guidance to the ministries:

  • The Cabinet Order on the Protection of Personal Information (Cabinet Order No. 507, 10 December 2003) (APPI Cabinet Order).

  • The Cabinet Basic Policy on the Protection of Personal Information (cabinet approval, 2 April 2004).

The Consumer Affairs Agency (CAA) provides overall co-ordination of the government's data protection policy.

The various ministries, each responsible for a different sector of the Japanese economy, create privacy guidelines that interpret the text of the APPI. For example:

  • The Ministry of Economy, Trade and Industry (METI) issued privacy guidelines that apply to most manufacturers and service industry companies (Health, Labour and Welfare Ministry and METI Notice No. 2, 9 October 2009) (METI Guidelines).

  • The Ministry of Internal Affairs and Telecommunications (MIC) issued privacy guidelines that apply to telecommunications companies (MIC Notice No. 695, 31 August 2004).

Ministries are responsible for enforcement

Each ministry is responsible for enforcing the APPI against the data controllers that fall under its jurisdiction. Many companies are under the jurisdiction of two or more ministries. For example, banks are governed by:

  • The Financial Service Agency's Privacy Guidelines (FSA Notice No. 63, 20 November 2009) (FSA Guidelines).

  • The Privacy Guidelines of the Ministry of Health, Labour and Welfare with regard to their employees (Ministry of Health, Labour and Welfare Notice No. 357, 14 May 2012).

Industrial association privacy regulations

Industrial associations, such as the Japan Securities Dealers Association, have privacy regulations that follow the ministry regulations. These privacy regulations are not necessarily based on the APPI. They often set out rules that further the goals of the APPI in that industry's unique context. Industrial association privacy regulations do not have the force of law, but they may provide for sanctions within the association. A ministry might refer to an industrial association's privacy regulations when enforcing the APPI.

Scope of legislation

 
2. To whom do the laws apply?

The Act on the Protection of Personal Information (APPI) applies to data controllers (kojin jouhou toriatsukai jigyousha). A data controller is an entity using a personal information database for its business (Article 2-3, APPI).

If an entity uses a personal information database for its business, it will not be considered a data controller if it is any of the following (Article 2-3, APPI; Article 2, APPI Cabinet Order):

  • A state institution.

  • A local public body.

  • An independent administrative agency.

  • An entity that has not held over 5,000 individuals' personal information at any time over the past six months. However, a company operating in the financial industry must make efforts to comply with the APPI even if it has had fewer than 5,000 individuals' personal information at any time over the past six months (Article 1-4, Financial Service Agency (FSA) Guidelines).

 
3. What data is regulated?

Personal information (kojinjouhou) is information that both (Article 2-1, Act on the Protection of Personal Information (APPI)):

  • Relates to a living individual.

  • Can be used to identify the individual. This includes information that can be easily combined/compared with other information to identify an individual.

A simple example is a telephone number. A less obvious example is an employee identification number that could not identify an individual by itself. However, when used in conjunction with other available information, an employee identification number could lead to the identification of an individual (section 2-1-1, Ministry of Economy, Trade and Industry (METI) Guidelines).

 
4. What acts are regulated?

All aspects of processing personal information are regulated by the Act on the Protection of Personal Information (APPI). This includes the collection, storage, use, and transfer of personal information.

 
5. What is the jurisdictional scope of the rules?

The Act on the Protection of Personal Information (APPI) applies only to data controllers that have a presence in Japan. This is due to the general territorial principles of Japanese law and is not specifically stated in the APPI.

 
6. What are the main exemptions (if any)?

The Act on the Protection of Personal Information (APPI) does not apply to the use of personal information for (Article 50-1, APPI):

  • Journalism by broadcasting institutions, newspaper publishers, news agencies and other press members.

  • Literary work by businesses that conduct literary work.

  • Academic studies by colleges, universities, and other academic organisations.

  • Religious activities by religious organisations.

  • Political activities by political organisations.

Notification

 
7. Is notification or registration required before processing data?

The data controller must communicate the purposes of the use of the data by either (Article 18-1, Act on the Protection of Personal Information (APPI)):

  • Notifying the data subject.

  • A public announcement or display.

Change of purpose of use

A data controller may change the purposes of use within a scope that would not be difficult for a normal person to imagine in view of the originally communicated purposes of use. The data controller must notify the data subject or publicly announce the change. Changes beyond that scope require individual consent from the data subject (Article 15-2, APPI; section 2-2-1(2), Ministry of Economy, Trade and Industry (METI) Guidelines).

No requirement to notify a government agency

A data controller does not need to notify or register with any government agency before processing personal information.

 

Main data protection rules and principles

Main obligations and processing requirements

8. What are the main obligations imposed on data controllers to ensure data is processed properly?

Data controllers must:

  • Communicate the purpose of use of personal information to the data subject (Article 18-1, Act on the Protection of Personal Information (APPI)) (see Question 12).

  • Keep collected personal information safe, for example, from leaks (Article 20, APPI) (see Question 15).

  • Only provide personal information to a third party if the data subject consents or an exception under the APPI applies (Article 23, APPI) (see Question 20).

  • Respond to requests from data subjects concerning their retained personal data (Articles 25 to 29, APPI) (see Question 13).

 
9. Is the consent of data subjects required before processing personal data?

The consent of data subjects to the use of personal information is not required if it is used in accordance with the purposes communicated to them.

In contrast, as a general rule, consent is required to:

  • Transmit personal information to a third party (see Question 20).

  • Use personal information beyond the communicated purposes of use.

Obtaining consent

The correct method of obtaining consent can vary depending on the ministry that has authority over the data controller's industry. The consent formalities in the applicable ministry guideline(s) should be reviewed before attempting to obtain consent. The following are examples of ministry guidelines and their requirements for how to obtain consent.

The METI Guidelines (section 2-1-10, METI Guidelines):

  • Do not require written consent.

  • Recognise implied consent on a case-by-case basis (Answer 39, Q&A on METI Guidelines issued by METI, 30 March 2007).

  • Provide that a minor lacks the capacity to consent, but his legal guardian may consent on his behalf.

The Guidelines for Medical and Nursing Enterprises issued by the Ministry of Labour, Health and Welfare, 24 December 2004 (Medical Guidelines) (section III.1.2.4, Medical Guidelines) require consent from a minor if a minor has the mental capacity to understand the situation (in addition to the consent of the minor's legal guardian).

The Financial Service Agency (FSA) Guidelines require (Article 13-1, FSA Guidelines):

  • Consent to be in writing (including electronic writing).

  • That a data controller in the financial industry ensures that the data subject acknowledges all of the following in the data subject's written consent to third party transfer of personal information:

    • the third parties to whom the data will be provided;

    • the purpose of use of the third party; and

    • the content of the data that will be provided to the third party.

 
10. If consent is not given, on what other grounds (if any) can processing be justified?

Using personal information in accordance with the purposes of use communicated to the data subject does not require consent from the data subject. However, the transfer of personal information organised into a searchable database (personal data) from the data controller to another entity is generally forbidden unless the data subject consents. If the data subject does not consent to such a third party transfer, there are still exceptions to the general rule that could allow the data controller to transfer the personal data. See Question 20, Exceptions: when a data controller may provide personal data to a third party.

Special rules

11. Do special rules apply for certain types of personal data, such as sensitive data?

Sensitive information is not defined in the Act on the Protection of Personal Information (APPI). However, enforcement agencies are required to take strict measures to protect personal information that would be especially harmful to the data subject if not properly handled (Article 6, APPI).

Accordingly, a number of privacy guidelines give special protection to sensitive personal information, including:

  • The Financial Service Agency (FSA) Guidelines.

  • Guidelines issued by the Ministry of Economy, Trade and Industry (METI) concerning privacy in the money lending industry (section 2- (1-2), METI Notice No. 321, 16 October, 2006).

  • The Japanese Bankers Association Privacy Policy (Article 32, April 2005).

For example, a data controller in the financial field must not acquire, use, or disclose sensitive information unless one of the exceptions in the FSA Guidelines applies (Article 6, FSA Guidelines).

Generally, the guidelines define sensitive information as information regarding: political views, religion, union activities, race, family origin and domicile, healthcare, sexual activities and criminal records.

 

Rights of individuals

12. What information should be provided to data subjects at the point of collection of the personal data?

The purpose of use for collected personal information must always be communicated to the data subject.

The required timing and method of communication depends on whether the information is collected directly or indirectly from the data subject.

Where the data subject provides information directly, for example, by filling out a form, the purposes of use must be stated before collection. The purpose of use can be stated on the form.

If the personal information is collected indirectly, for example, from a third party, the purposes of use can be either (Article 18-1, APPI; sections 2-1-7 and 2-1-8, Ministry of Economy, Trade and Industry (METI) Guidelines):

  • Notified to the individual promptly after the collection.

  • Publicly displayed, for example on a website.

 
13. What other specific rights are granted to data subjects?

Retained personal data is personal information that is both (Article 2-5, Act on the Protection of Personal Information (APPI); Article 3, APPI Cabinet Order):

  • Organised in a searchable database.

  • Information over which the data controller has the authority to disclose, correct, add or delete content, suspend use, and discontinue provision to third parties.

A data subject may request any of the following regarding their retained personal data (Articles 24-27, APPI):

  • To be notified of the purposes of use.

  • That it is disclosed to them.

  • That it is corrected or updated.

  • Deletion, if the data controller uses the information improperly.

  • That it is not provided to a third party if the data subject did not consent to the provision.

 
14. Do data subjects have a right to request the deletion of their data?

A data subject can demand that his or her retained personal data is deleted if any of the following apply (Article 26, Act on the Protection of Personal Information (APPI)):

  • It is incorrect.

  • The data controller processes the data beyond the purposes of use that were communicated to the data subject.

  • It was collected improperly.

A data subject cannot demand that personal information is deleted if that information does not qualify as retained personal data.

 

Security requirements

15. What security requirements are imposed in relation to personal data?

A data controller must take necessary and proper measures to prevent leakage, loss, and damage of personal information (Article 20, Act on the Protection of Personal Information (APPI)).

The Ministry of Economy, Trade and Industry (METI) Guidelines divide this general duty into four specific control measures:

  • Systematic security.

  • Human security.

  • Physical security.

  • Technological security.

Examples of such control measures are (section 2-2-3-2, METI Guidelines):

  • Systematic security control measures, to:

    • delineate the responsibility of employees regarding security control; and

    • prepare procedure manuals and confirm the status of their implementation.

  • Human security control measures, to:

    • conclude non-disclosure agreements with employees; and

    • educate employees about duties concerning personal information.

  • Physical security control measures, to:

    • control entrance to buildings and rooms; and

    • lock filing cabinets that contain personal information.

  • Technological security control measures, to:

    • control access to data;

    • take countermeasures against spyware; and

    • monitor IT systems.

 
16. Is there a requirement to notify personal data security breaches to data subjects or the national regulator?

General

There is no requirement for a data controller to report a data leak to any government agency. However, ministries with jurisdiction can order a data controller to submit a report about handling practices of personal information. This may include a report on leaks (Article 32, Act on the Protection of Personal Information (APPI)).

Voluntary reports

While a data controller is not required to report or announce a leak, ministerial guidelines applicable to a data leak might recommend a certain response. For example, the Ministry of Economy, Trade and Industry (METI) Guidelines state that it is preferable for a data controller to voluntarily report data leaks to the METI. A report to the METI typically covers, at a minimum (section 2-2-3-2, METI Guidelines):

  • An explanation of the data leak.

  • The cause of the data leak.

  • Action taken to address the leak.

  • The measures that will be taken to prevent a similar leak.

Public announcements

There is no requirement for a data controller to publicly announce a data leak. The METI Guidelines, however, strongly recommend making a public announcement where an announcement may help reduce the possibility of further damage being suffered by the affected individuals. Conversely, there is no need for a public announcement where either (section 2-2-3-2, METI Guidelines):

  • There is no risk of further damage to the affected individuals.

  • The affected individuals can be contacted individually.

 

Processing by third parties

17. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

The data controller must oversee the third party to ensure that the third party complies with the Act on the Protection of Personal Information (APPI) and the purposes of use communicated to the data subject (Article 22, APPI).

 

Electronic communications

18. Under what conditions can data controllers store cookies or equivalent devices on the data subject's terminal equipment?

There is no restriction on cookies and equivalent devices as long as they do not collect personal information. Cookies often collect IP addresses. Generally, an IP address does not qualify as personal information, because an IP address alone cannot identify an individual. An IP address would qualify as personal information if the data controller had access to other information that could be used to identify an individual in conjunction with the IP address (Ministry of Internal Affairs and Telecommunications (MIC) study group: Title II, section 4-2, Smartphone Privacy Initiative – Innovation for a New Era by Proper Use of User Information and Improvement of Literacy, 7 August 2012).

 
19. What requirements are imposed on the sending of unsolicited electronic commercial communications (spam)?

A "sender" under the Act on Regulation of Transmission of Specified Electronic Mail (Spam Law) is either:

  • A for-profit organisation.

  • A person engaged in for-profit activities.

A sender must not falsify sender information or use fictional e-mail addresses to send mass e-mails (Articles 5 and 6, Spam Law).

Generally, senders must not send e-mails that contain commercial advertisements (commercial e-mails) within or into Japan.

The Spam Law does not apply to e-mails sent to:

  • Individuals who consent to receive commercial e-mails prior to transmission.

  • Individuals who have provided the sender with their own e-mail addresses.

  • Persons who have a pre-existing business relationship with the sender.

  • Individuals engaged in for-profit activities who make their e-mail addresses publicly available.

  • Organisations that make their e-mail addresses publicly available.

The Spam Law can be categorised as an opt-in law similar to those found in the member states of the EU.

Obtaining consent

An individual validly consents to receive commercial e-mails only where the sender first clearly notifies that individual of both:

  • The sender's identity.

  • The fact that commercial e-mails will be sent to the individual.

The sender can only send an e-mail to obtain consent for further commercial e-mails in certain exceptional circumstances (Article 3, Spam Law; Articles 2 and 3, Cabinet Rule on Regulation of Transmission of Specified Electronic Mail (MIC Rule No. 66, 21 June 2002) (Spam Cabinet Rule)).

Obtaining individual consent to receive further commercial e-mails by pre-checking a consent box or other default opt-in method may constitute valid consent. It is safest to require the individual to manually check the consent box (section 2-1-7, Spam Law Guidelines).

Recording consent is necessary

A sender must save information relating to each opt-in consent it obtains. It must retain the information until one month after it sends the last commercial e-mail for which it has consent.

The sender must record and save all of the following:

  • The time of consent.

  • Method of consent.

  • Circumstances of the consent.

If the sender obtains consent after presenting something to the individual in writing (including e-mail), the sender must also record and save the standard form on which the writing was based (Article 3-2, Spam Law; Article 4, Spam Cabinet Rule; section 2-2 and section 3, Spam Law Guidelines).

The sender must display information about opting-out

The sender must display all of the following information in a commercial e-mail in an easily understandable manner:

  • The fact that opting-out of further e-mails is possible.

  • How to opt-out of further e-mails.

  • The sender's name and physical address.

  • Contact information for complaints or questions.

It is acceptable to provide a hyperlink to the sender's physical address and to the contact information for complaints and questions (Article 4, Spam Law; Articles 7 to 9, Spam Cabinet Rule; section 5, Spam Law Guidelines).

After opt-out

The sender must stop sending e-mails once the individual opts out, even if the individual originally opted-in to receive commercial e-mails.

The sender can still send e-mails that mainly serve a non-advertising purpose yet have a secondary advertising aspect. For example, a sender can send an e-mail that is primarily an invoice or notice of change to service but has an advertising component (Article 3-3, Spam Law; Articles 5 and 6, Spam Cabinet Rule; section 4, Spam Law Guidelines).

Sanctions

Penalties depend on the type of violation. Falsifying sender information is punishable by (Articles 34-1 and 37-1, Spam Law):

  • Up to one year of imprisonment or a fine of up to JPY1 million, in the case of an individual.

  • A fine of up to JPY30 million, in the case of a legal entity.

The Ministry of Internal Affairs and Telecommunications (MIC) can order a sender of commercial e-mails:

  • To stop using fictional e-mail addresses.

  • To stop sending e-mails to individuals who have not opted-in or who have opted-out after having opted-in.

  • To make the disclosures required in a commercial e-mail.

If a sender does not comply with an order, they can be subject to:

  • One year of imprisonment or a fine of up to JPY1 million, in the case of an individual.

  • A fine of up to JPY30 million in the case of a legal entity.

Criminal penalties are also authorised against a sender that violates a MIC order to properly save consent information (Articles 7, 34-2, 35-1 and 37-2, Spam Law).

Source of requirements

The primary legislation in Japan specifically addressing the problem of unsolicited e-mails is the Act on Regulation of Transmission of Specified Electronic Mail (Act No. 26 of 2002) (Spam Law).

The MIC is in charge of enforcing the Spam Law.

The MIC and the Consumer Affairs Agency (CAA) issued guidance on Transmission of Specified Electronic Mail in August 2011 (Spam Law Guidelines).

Additionally, both of the following can be relevant when analysing the legality of e-mail marketing in Japan:

  • The Act on Specified Commercial Transactions (Act No. 57 of 1976) (Transactions Law).

  • The Act on the Protection of Personal Information (APPI).

 

International transfer of data

Transfer of data outside the jurisdiction

20. What rules regulate the transfer of data outside your jurisdiction?

The Act on the Protection of Personal Information (APPI) does not restrict the transfer of personal information to foreign countries. This is in contrast to EU data protection law. There are no reporting requirements that relate to the transfer of personal information abroad.

However, the transfer of personal information organised into a searchable database (personal data) from the data controller to another entity is restricted. This is regardless of the country in which the recipient is located.

General rule on transferring personal data to a third party

As a general rule, a data controller must not provide personal data to a third party without obtaining the prior consent of the data subject. A third party is any legal entity other than the data controller, whether abroad or in Japan. A third party also includes affiliated companies of the data controller (Article 23, APPI; section 2-2-4 (1), Ministry of Economy, Trade and Industry (METI) Guidelines).

Exceptions: when a data controller may provide personal data to a third party

A data controller may provide personal data to a third party without consent of the data subject where:

  • The provision is based on Japanese law. For example (Article 23-1-1, APPI):

    • a retailer transmits consumer data to a manufacturer to aid a product recall in compliance with the Consumer Product Safety Law (Act No. 31, 1973) (Shouhi Seikatsuyou Seihin Anzen Hou) (section 2-2-4 (1)(i), section 2-2-1 (5)(i), METI Guidelines); or

    • a bank reports personal data related to a suspicious transaction to the FSA in compliance with the Act on Prevention of Transfer of Criminal Proceeds (Act No. 22, 2007) (Hanzai ni yoru Shueki no Iten Boushi ni kan suru Houritsu) (section 2-2-4 (1)(i), section 2-2-1 (5)(i), METI Guidelines).

  • The provision is necessary for the protection of the life, body, or property of an individual and it is difficult to obtain the prior consent of the data subject (Article 23-1-2, APPI). For example, where member contact information is given to a doctor in an emergency situation (section 2-2-1 (5)(ii), METI Guidelines).

  • The provision is necessary for public hygiene or similar, and it is difficult to obtain the consent of the data subject (Article 23-1-3, APPI).

  • The provision is to co-operate with the Japanese government and obtaining the consent of the data subject might impede the execution of the operations concerned (Article 23-1-2, APPI). For example, a data controller voluntarily shares employee personal data with the National Tax Authority (section 2-2-1 (5)(iv), METI Guidelines).

  • The data controller has obtained opt-out consent from the data subject (Article 23-2, APPI). Opt-out consent may be obtained from a data subject by communicating all of the following to the data subject before providing the personal data to the third party:

    • the fact that the personal data will be provided to third parties;

    • the items of personal data to be provided to third parties;

    • the method of providing the data to third parties; and

    • the data controller will stop providing the personal data to third parties at the request of the data subject.

The data controller can obtain opt-out consent by stating the items in bullets above on a public website, publicly viewable bulletin board or by targeted e-mailing (section 2-2-1 (2), METI Guidelines).

  • The person disclosing the data qualifies as a data processing outsourcee under the APPI. A qualifying outsourcee is an entity that is (Article 23-4-1, APPI):

    • entrusted with personal information to perform a task for the data controller;

    • restricted from using the personal information for its own purposes; and

    • uses the personal information only in accordance with the purposes of use communicated to the data subject.

  • The personal data is provided pursuant to a merger or similar transaction (Article 23-4-2, APPI; section 2-2-4 (3)(ii), METI Guidelines).

  • The person disclosing the data qualifies as a joint user under the APPI (Article 23-4-3, APPI). An entity becomes a joint user once the data controller communicates the following information to the data subject (section 2-2-1 (3)(iii), METI Guidelines):

    • the type of personal data to be jointly used;

    • who the joint users will be;

    • the purposes of use of the jointly used personal data; and

    • contact information for the entity in charge of managing the jointly used personal data.

Data transfer agreements

21. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

A contract is not required in all situations to legally transfer personal information to a third party (for further information concerning restrictions on third party transfers, see Question 20). This is true regardless of whether the transfer of personal data is within Japan or across national borders. However, when outsourcing personal information processing to an outsourcee, it is recommended that a data controller execute a contract that requires its data processing outsourcee to (section 2-2-3-4, Ministry of Economy, Trade and Industry (METI) Guidelines):

  • Secure personal information by preventing leaks.

  • Not use personal information beyond the purposes of use communicated to the data subject.

  • Not copy personal information unnecessarily.

  • Return, delete, or destroy personal information at the end of the contract term.

  • Report to the data controller before sub-delegating.

  • Submit reports to the data controller concerning handling of the personal information.

  • Submit reports to the data controller when an accident occurs.

 
22. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

A contract is not required in all situations to legally transfer personal information to a third party (for further information concerning restrictions on third party transfers, see Question 20).

 
23. Does the relevant national regulator need to approve the data transfer agreement?

No approval is necessary.

 

Enforcement and sanctions

24. What are the enforcement powers of the national regulator?

The powers of the ministries to enforce the provisions of the Act on the Protection of Personal Information (APPI) include:

  • Requiring the data controller to submit reports regarding the processing of personal information (Article 32, APPI).

  • Providing guidance to the data controller (Article 33, APPI).

  • Ordering the data controller to take the recommended or necessary measures (Article 34, APPI).

 
25. What are the sanctions and remedies for non-compliance with data protection laws?

A data controller that violates one of its duties under the Act on the Protection of Personal Information (APPI) may be subject to an enforcement action by a ministry and any industrial association to which it belongs.

The APPI does not provide for a private individual cause of action. However, an individual whose personal information has been mishandled in violation of the APPI is likely to have a cause of action against the data controller under the law of tort or contract.

The ministries, especially the Ministry of Economy, Trade and Industry (METI) and the Financial Service Agency (FSA), occasionally investigate companies. They can issue warnings demanding that the data controller in question remedy its non-compliance. If a ministry issues a warning and the violator does not improve its compliance to the ministry's satisfaction, the ministry is authorised to penalise the violator. Fines are up to JPY300,000. Individual data controllers can be imprisoned for up to six months (Articles 56 and 58, APPI).

 

Consumer Affairs Agency (Shohishacho)

W www.caa.go.jp/en/index.html

Main areas of responsibility. The Agency co-ordinates the ministries' implementation of the Act on the Protection of Personal Information (APPI) and is in charge of data protection policy making.

Ministry of Economy, Trade and Industry (Keizai Sangyo Sho)

W www.meti.go.jp/english/index.html

Main areas of responsibility. The Ministry has authority to enforce the APPI in the general fields of industry and commerce.

Ministry of Health, Labour and Welfare (Kosei Rodo Sho)

W www.mhlw.go.jp/english/

Main areas of responsibility. The Ministry has authority to enforce the APPI in the fields of healthcare and employee relations.

Financial Services Agency (Kinyucho)

W www.fsa.go.jp/en/index.html

Main areas of responsibility. The Agency has the authority to enforce the APPI in the financial services field.



Online resources

Japanese Law Translation

W www.japaneselawtranslation.go.jp/?re=02

Description. This site provides unofficial translations of Japanese legislation. The Japanese original and an English translation of the Act on the Protection of Personal Information (APPI) and the Spam Law can be obtained here.

Consumer Affairs Agency

W www.caa.go.jp/planning/kojin/index_en.html

Description. A collection of English language materials concerning data protection provided by the Consumer Affairs Agency.

METI Privacy Guidelines

W www.meti.go.jp/policy/it_policy/privacy/0910english.pdf

Description. English translation of the METI Privacy Guidelines, provided on the Ministry of Economy, Trade and Industry website.

Financial Services Agency Privacy Guidelines

W www.fsa.go.jp/frtc/kenkyu/event/20070424_02.pdf

Description. English translation of the Financial Services Agency Privacy Guidelines, available on the Financial Services Agency website.

Only the original Japanese language versions of the laws and guidelines referenced above are legally binding.



Contributor profiles

Mangyo Kinoshita, Local Partner

White & Case LLP

T +81 3 6384 3107
F +81 3 6384 3300
E mangyo.kinoshita@whitecase.com
W www.whitecase.com/mkinoshita/

Professional qualifications. Japan Bar; California State Bar

Areas of practice. Corporate; M&A.

Non-professional qualifications. LLM, Duke University, cum laude; Diploma, The Legal Training and Research Institute of The Supreme Court of Japan; LLB, Political Science, Keio University

Recent transactions

  • Advising on cross-border M&A and global technology transactions representing Japanese and global technology companies including: internet portal, mobile application, cyber security, online advertisement, social gaming and SNS companies.

  • Advising on data protection and privacy matters, including researching those issues in over 50 jurisdictions.

Languages. Japanese, English

Professional associations/memberships. Dai-ichi Tokyo Bar Association; California Bar Association

Publications

Co-author:

  • Overseas IPO Strategies for Global Japanese Companies, Business Homu, June to September 2012.

  • Triggered Poison Pills and the Delaware Court's Decision - Selectica, Inc v Versata Enterprises, Inc, Mergers & Acquisitions Research Report, August 2010.

  • Keys to Successful M&A Learned from Cancelled Deals, The Japanese M&A Review, July 2010.

Shino Asayama, Associate

White & Case LLP

T +81 3 6384 3160
F +81 3 6384 3300
E sasayama@whitecase.com
W www.whitecase.com/sasayama/

Professional qualifications. Japan Bar, 2006

Areas of practice. Corporate; M&A.

Non-professional qualifications. LLM, The University of Chicago, 2014; LLB, Hitotsubashi University, 2003

Recent transactions

  • Advising on competition law, M&A and corporate matters.

  • Previously on secondment to the Competition Enhancement Office of the Economic and Industrial Policy Bureau of Japan's Ministry of Economy, Trade and Industry, working on government policies related to Japanese competition law, especially merger review.

Languages. Japanese, English

Professional associations/memberships. Japan Bar.

Publications

Author:

  • Overview of a Report by a Study Group regarding Competition Law Compliance – Anti-cartel Measures by Japanese Corporations and Trade Associations in Light of Enhanced Global Enforcement of Competition Law –, New Business Law vol 925, Shojihomu Co, Ltd, March 2010.

  • How Japanese companies deal with information requests from the European Commission - when Japanese companies suddenly receive a questionnaire from the European Commission, New Business Law vol 911, Shojihomu Co, Ltd, August 2009.

Eric Kosinski, Associate

T +81 3 6384 3174
F +81 3 6384 3300
E ekosinski@whitecase.com
W www.whitecase.com/ekosinski/

Professional qualifications. New York State Bar, Massachusetts State Bar, Japanese Personal Information Protection Law Specialist

Areas of practice. Corporate; M&A.

Non-professional qualifications. JD, Temple University Beasley School of Law, 2006; BA, Macalester College, 2001

Recent transactions

  • Advising on cross-border M&A involving Japan.

  • Advising on data protection law, advertising law, and employment law.

Languages. English, Japanese

Publications

Co-author:

  • Japan chapter, The International Comparative Legal Guide: Product Liability, 2014.

  • The Transfer of Undertakings in Asia: An EU or a US Approach?, Employment & Industrial Relations Law Newsletter, February 2010.

  • International Transfers of Personal Data - Treatment of Personal Data Transfers in Asia - Pacific Countries – Japan, International Privacy Guide, November 2009.

