
*This report updates a report from 2012

The Act on the Protection of Personal Information (APPI), which applies to online privacy matters in Japan, was significantly amended in 2015.  The amendments took effect on May 30, 2017.  The APPI requires business operators handling personal information to specify the purpose for which personal information is utilized when they collect personal information.  When such business operators acquire sensitive information, in principle, they must obtain the consent of the data subject.  The consent of the data subject is also required in order to transfer information to a third party.  With respect to retained personal data, a business operator handling the data must make available to data subjects the business’s contact information, purpose of utilization of personal information, procedures for requesting corrections and disclosure, and information on filing complaints.

The Personal Information Protection Commission (PIPC) oversees the handling of personal information by businesses.  The PIPC can require businesses that handle personal information to submit reports and materials, and PIPC employees can visit businesses in order to interview persons handling personal information and inspect business records.

Unauthorized access to a computer is prohibited under the Act on the Prohibition of Unauthorized Computer Access.

I.  Overview

A.  Laws

The Act on the Protection of Personal Information (APPI)[1] contains basic data protection policies applicable to the private sector.  The rules are not limited to online data protection.  The APPI was significantly amended in 2015 and the amendment took effect on May 30, 2017.[2]  The major aspects of the amendments are as follows:

  • “Personal information” was newly defined, for clarification
  • Small-business operators handling five thousand or fewer items of personal information became subject to the APPI
  • “Sensitive personal information” was defined and must be treated more carefully
  • Rules for utilization of de-identified information were established
  • Rules were established for cases where personal data is transferred to a third party in a foreign state
  • The Personal Information Protection Commission (PIPC) was established
  • Criminal penalties for the improper use of databases containing personal information for wrongful gain were created[3]

The Act on the Prohibition of Unauthorized Computer Access punishes a person who accesses a computer by circumventing access control measures.[4] 

In addition, the Act on the Protection of Personal Information Held by Administrative Organs[5] and the Act on the Protection of Personal Information Held by Independent Administrative Agencies, etc.[6] apply to the handling of personal information by government agencies and independent administrative agencies.  These two laws are not discussed in this report.

B.  Personal Information

The APPI defines the term “personal information” to mean information about a living person that identifies that person by name, date of birth, or other description, including information that will allow easy reference to other information and will thereby enable the identification of the person.[7]  Personal information also includes personally identifiable signs, such as fingerprint data and the identification numbers of various documents.[8]

During the discussion of the 2015 amendments to the APPI, the discussion group established by the government[9] considered whether data about customer behavior, such as the history of smartphone application downloads and the history of access to various websites, should be covered as personal information under the APPI.  These data do not directly identify a person, but data subjects can be identified by cross-referencing such data with other personal data.  Because the government decided not to expand the definition of personal information with the 2015 amendment, information that does not itself identify a person, including customer behavior data, was excluded from the coverage of personal information under the APPI.[10]

C.  Right to Privacy

There is no legal provision that explicitly protects the right to privacy; however, the right to privacy has been recognized by the courts.  The scope of personal information protected under the APPI is different from the scope of the right to privacy, though they overlap.  Aspects of online privacy that are not covered by the APPI appear to be covered by the right to privacy as defined by the courts.

The first Supreme Court decision recognizing the right to privacy was rendered in 1969.[11]  The Court stated that individuals have the right not to have their photos taken without consent.[12]  In a 2003 decision, the Supreme Court stated that information concerning a student’s name, phone number, address, student number, and his/her application to attend a lecture is not in and of itself confidential information, but his/her expectation that such information would not be disclosed without reason should be protected.  Therefore, this information is subject to legal protection as a right concerning privacy.[13]  In 2017, the Supreme Court, citing its 2003 decision, stated that information concerning a person’s minor child’s name, sex, date of birth, address, and phone number, and his/her parents’ names, is subject to legal protection as information involving privacy.[14]

D.  Government’s Roles

The government has established the Basic Policy on the Protection of Personal Information,[15] as required by the APPI.[16]  The Basic Policy sets out the basic direction and actions to be taken by the state, local public bodies, independent administrative agencies, and entities handling personal information. 

Under the APPI, the Personal Information Protection Commission (PIPC) was placed under the jurisdiction of the Cabinet Office in order to oversee the handling of personal information by businesses.[17]  The PIPC can require business operators handling personal information to submit reports and materials, and PIPC employees can visit businesses in order to interview their staff and inspect business records.[18]  The PIPC can delegate this authority to the government ministers who have jurisdiction over the area of business of the relevant business operators.[19] 

The PIPC can provide advice to businesses handling personal information.[20]  When such a business neglects its legal obligations, the PIPC may recommend that the business operator cease the violation(s) and take other necessary corrective measures.  If the business does not take the recommended measures without justifiable grounds, and when the PIPC finds that a serious infringement of the rights and interests of individuals is imminent, the PIPC may order the business operator to take the recommended measures.[21]  Business operators that do not follow such orders may be punished by imprisonment for not more than six months or a fine of not more than 300,000 yen (approximately US$2,700).[22]


II. Protection of Personal Information Under the APPI

A.  Businesses Handling Personal Information

The APPI applies to any business operators in Japan that hold personal data.[23]  A business operator that handles personal information must take necessary and proper measures to prevent the leakage, loss, or damage of the data.[24]  However, when the press, academic institutions, religious organizations, and political organizations deal with personal information for a specified purpose, such as broadcasting, research, religious or political activities, they are excluded from the APPI requirements.  Instead, they must seek to take necessary and appropriate measures for controlling the security of personal data, and necessary measures for processing complaints about the handling of personal information, and make such measures public.[25] 

B.  Purpose of Utilization and Requirement for Consent  

The APPI requires business operators handling personal information to specify the purpose for which personal information is utilized as much as possible.[26]  Upon acquiring personal information, a business must promptly notify the data subject of the purpose of its utilization, unless it has otherwise publicly announced the purpose.[27]  Businesses must not use deception or other wrongful means to acquire personal information.[28] 

When businesses acquire sensitive personal information that may trigger discrimination or other disadvantages, such as information related to race, religion, social status, health records, criminal records, and a history of being a crime victim,[29] they must obtain the consent of the data subject, unless

  • acquiring the information is based on laws and regulations;
  • acquiring the information is necessary for the protection of the body or property of an individual and it is difficult to obtain the consent of the data subject;
  • acquiring the information is especially necessary for public health or promoting the sound growth of children and it is difficult to obtain the consent of the data subject; 
  • acquiring the information is necessary in order for the business to cooperate with national government agencies, local governments, or persons who were entrusted by these to conduct activities that are prescribed by law and obtaining prior consent is likely to impede execution of the work;
  • the information has been made public by the government or institutions specified by the Commission; or
  • acquiring the personal information is otherwise allowed by a Cabinet Order.[30]

A business also must obtain consent from data subjects before using the information for any purpose other than the one originally notified.[31]  However, prior consent may not be necessary when the handling of personal information is

  • based on laws and regulations necessary for the protection of life;
  • necessary to protect the body or property of an individual and it is difficult to obtain the consent of the data subject;
  • especially necessary for public health or promoting the sound growth of children and it is difficult to obtain the consent of the data subject; or
  • necessary in order for the businesses to cooperate with national government agencies, local governments, or persons who were entrusted by these to conduct activities that are prescribed by law and obtaining prior consent is likely to impede the execution of the work.[32] 

A business handling personal information cannot change the purpose of its utilization to one that is not duly related to the original one.[33]  When the purpose is changed, the data subjects must be notified of the new purpose.[34]

C.  Disclosure to the Data Subject

With respect to retained personal data, a business operator handling personal information must make the following information readily available to data subjects:

  • The name of the business operator
  • The purpose of utilization of all retained personal data
  • The procedures for requesting corrections and disclosure, and for filing complaints[35]
  • Contact information for the entity that accepts complaints[36]

When a data subject requests that a business operator disclose retained personal data that may lead to the identification of the person, the business operator must disclose the retained personal data to the person without delay.  Such disclosure includes notifying the data subject that the business operator has no such retained personal data that may lead to his/her identification.[37]  However, the business operator may keep all or part of the retained personal data undisclosed in cases where disclosure

  • is likely to harm the life, body, property, or other rights or interests of the data subject or a third party;
  • is likely to seriously impede the proper execution of the business of the business operator handling personal information; or
  • violates other laws and regulations.[38]

When a business operator has decided not to disclose all or part of such retained personal data, the business operator must notify the data subject of that decision and the underlying reason without delay.[39] 

D.  Transfer to a Third Party

A business operator handling personal information must not provide personal data to a third party without the prior consent of the data subject, except where the transfer is

  • based on laws and regulations;
  • necessary for the protection of the life, body, or property of an individual and it is difficult to obtain the consent of the data subject;
  • especially necessary for improving public health or promoting the sound growth of children and it is difficult to obtain the consent of the data subject; or
  • necessary for the affairs, prescribed by laws and regulations, conducted by a state organ, local government, or person who is authorized to conduct such affairs by these entities, where obtaining the consent of the person is likely to impede execution of the affairs.[40]

However, the data transfer is allowed if the business has notified the data subject about the following matters or made information regarding these matters easily available to the data subject:

  • The fact that the data is to be transferred to the third party
  • What information is to be transferred
  • The method of transfer
  • That the data subject can request to stop the transfer of information that can identify individuals
  • The method for making such a request[41]

If the personal information is processed in such a way that individuals cannot be identified, such personally nonidentifiable information can be transferred to a third party after the business makes public the type of information to be transferred and method of the transfer.[42]   

When businesses transfer personal information to a third party in a foreign country, the prior consent of data subjects is, in principle, required.  However, if the foreign country has a system to protect personal information that is considered to be of the same level as Japan’s, or the third party has a system to properly deal with personal information that meets the standards established by the PIPC, prior consent to the transfer to a foreign country is not required.[43]  However, consent to transfer personal information to a third person is still needed.[44]

Businesses must keep records of transfers of personal information to third parties.[45]  Recipients of such data from a third party must obtain the name (or representative’s name in case of an entity) and address of the third party, and confirm the history of the data acquisition by the third party.[46]

E.  Complaints and Requests to Businesses

The APPI states that a business operator must endeavor to establish a system for data subjects to complain about the handling of personal information and endeavor to appropriately and promptly process complaints.[47] 

A data subject can request that a business operator correct, add, or delete personal data that may lead to the identification of the person when the personal data is contrary to the facts.  The business operator must investigate the situation without delay and correct, add, or delete the retained personal data if it is found to be contrary to the facts, and inform the requester of the action taken.[48]  

When a data subject finds that a business operator is using the retained personal data in a manner that may lead to the identification of the person beyond the stated purpose for the utilization of the data, or learns that the data was acquired improperly, he or she may request that the business operator discontinue using or erase such retained personal data.[49]  Also, when a data subject finds that a business operator is providing retained personal data that may lead to the identification of the person to a third party without following the procedures stated above, he or she may request that the business operator discontinue the transfer.[50]  When the business operator finds that the request is well-founded, it must discontinue using or erase the retained personal data concerned, or cease providing it to a third party, without delay.[51]  However, if it would cost a large amount of money or would otherwise be difficult to discontinue using, erase, or discontinue the transfer of the data, the business operator may take alternative measures as long as those measures can protect the rights and interests of the person.[52]  The business operator must promptly notify the data subject of its decision and, when the request is declined, the reason for refusing to act.[53]

F.  Certified Personal Information Protection Organization

Many business organizations issued guidelines on personal information protection and regulated their members before the enactment of the APPI.[54]  Business organizations conduct the following activities for the purpose of ensuring the proper handling of personal information by their members:

  • Processing complaints about the handling of personal information
  • Providing information for business operators to ensure the proper handling of personal information
  • Any other activities necessary for ensuring the proper handling of personal information by member entities[55]

Such organizations engaged in personal information protection activities may be certified by the PIPC.[56]  A certified personal information protection organization must endeavor to issue guidelines concerning specifying the purpose of utilization of personal information, security control measures, procedures for complying with individuals’ requests, methods to create information that does not identify individuals, and other matters.[57]

A data subject may file a complaint about the handling of personal information by a business operator with a personal information protection organization if the business operator is a member of the organization.  When such an organization receives a complaint, it must give the data subject necessary advice and investigate the circumstances pertaining to the complaint.  The organization also forwards the complaint to the business operator and requests that the operator resolve the complaint promptly.[58] 

G.  Criminal Penalty for Data Theft

When persons who handle or previously handled personal information provide third parties with personal information databases that were acquired in relation to their business, or use those databases for the purpose of seeking illegal profits for themselves or third parties, they are subject upon conviction to imprisonment for not more than one year or a fine of not more than 500,000 yen (approximately US$4,500).[59]


III. Unauthorized Access to Computers

The Act on the Prohibition of Unauthorized Computer Access punishes a person who accesses a computer by circumventing access control measures, such as using the authorized person’s identification and password without authorization or by creating a security hole.[60]  The following acts are also prohibited:

  • Obtaining and storing another person’s identification and password without authorization for the purpose of unauthorized computer access[61]
  • Providing another person’s identification and password without authorization to a third person who does not have authority to use them[62]

An act of unauthorized access is punishable by imprisonment for not more than three years or a fine of not more than one million yen (about US$9,000).[63]  Other acts listed above are punishable by imprisonment of not more than one year or a fine of not more than 500,000 yen (about US$4,500).[64]  


IV. Right to Be Forgotten

In a case involving a petitioner who claimed his right to privacy was violated by Google because reports of his arrest for child prostitution in 2011 were shown in Google searches, the court of first instance, the Saitama District Court, recognized the man’s “right to be forgotten” and ordered Google to delete the search results.[65]  However, the Tokyo High Court reversed the decision and did not recognize the right to be forgotten.  The High Court stated that the right to be forgotten did not have to be independently considered, because it was not yet a concrete concept, and it could be included in the discussion of the right to privacy and defamation.[66]  The Supreme Court did not mention the right to be forgotten when it affirmed the High Court’s decision on January 31, 2017.[67]

The Supreme Court recognized that the petitioner had a right to privacy, but found that the provision of Internet search results had the character of an act of expression by Google, because the search program reflects Google’s policies on internet searches.  The Court held that Google has the right to freedom of expression.  In addition, the Court recognized in general the importance of internet search engines like Google’s in society.[68]  

The Court set forth the general rule that the adverse effects of invasion of privacy versus the importance of the provision of search results must be weighed in individual cases, and when the right to privacy prevails, the person whose information was revealed can demand the deletion of the search results.  The Court set forth the elements to be considered in balancing the two, including the

  • nature of the information,
  • extent to which the information is spread by the search results,
  • extent of adverse effects for the person who is the subject of the search,
  • public status of the searched person, and
  • purpose and meaning of the presentation of the information on the websites.[69]


V.  PrivacyMark

The Japan Information Processing Development Corporation (JIPDEC) established the “PrivacyMark” system in 1998 upon instruction from the Ministry of International Trade and Industry (currently the Ministry of Economy, Trade and Industry, or METI).[70]  This system assesses whether a business operator has taken appropriate measures to protect personal information and grants those who meet certain standards the right to display the PrivacyMark label in the course of their business activities.[71]  The system provides incentives for business operators to gain social credibility.  A PrivacyMark conformity assessment body evaluates the business operator’s compliance with all relevant laws and regulations.[72]  The system is in compliance with Japan Industrial Standards (Personal Information Protection Management System – Requirements, JIS Q15001 (2006)).  JIS Q15001 is in the process of being amended.  The standards for PrivacyMark will be amended after the amended JIS Q15001 is published.[73] 

In accordance with the PrivacyMark agreement, a business operator who obtains the right to use the mark must report any incidents in which data subjects’ personal information was leaked.  JIPDEC reviews the incidents and may cancel the grant of the right to use the PrivacyMark.[74]


Sayuri Umeda
Foreign Law Specialist
December 2017


[1] Kojin jōhō no hogo ni kansuru hōritsu [Act on the Protection of Personal Information (APPI)], Act No. 57 of 2003 (May 30, 2003), last amended by Act No. 51 of 2016, English translation as amended by Act No. 65 of 2015 available at http://www.japaneselawtranslation.go.jp/law/detail_main?re=02&ia=03&vm=02&id=2781, archived at https://perma.cc/SD3Z-UU8T.

[2] Act to Amend APPI and Other Acts, Act No. 65 of 2015, Sup. Provisions art. 1; Order to Set the Enforcement Date of the Act to Amend the APPI and the Act on the Utilization of Personal Identification Numbers for Administrative Procedures, Order No. 385 of 2016.

[3] PIPC, Outline of the Amended Personal Information Protection Act (Feb. 2016), https://www.ppc.go.jp/files/pdf/280222_outline_v2.pdf, archived at https://perma.cc/B2DQ-AE2C.

[4] Fusei akusesu kōi no kinshi ni kansuru hōritsu [Act on the Prohibition of Unauthorized Computer Access], Act No. 128 of 1999 (Aug. 13, 1999), amended by Act No. 28 of 2013, art. 2, para. 4 & art. 3, English translation available at http://www.japaneselawtranslation.go.jp/law/detail/?id=2250&vm=02&re=02&new=1, archived at https://perma.cc/2UBQ-WEYM.

[5] Gyōsei kikan no hoyū suru kojin jōhō no hogo ni kansuru hōritsu [Act on the Protection of Personal Information Held by Administrative Organs] (APPIHAO), Act No. 58 of 2003 (May 30, 2003), last amended by Act No. 51 of 2016, English translation as amended by Act No. 102 of 2005 available at http://www.japaneselawtranslation.go.jp/law/detail_main?re=02&ia=03&vm=02&id=131, archived at https://perma.cc/9MEE-536A.

[6] Dokuritsu gyōsei hōjin tō no hoyū suru kojin jōhō no hogo ni kansuru hōritsu [Act on the Protection of Personal Information Held by Independent Administrative Agencies], Act No. 59 of 2003 (May 30, 2003), last amended by Act No. 94 of 2011 (Aug. 10, 2011).

[7] APPI art. 2, para. 1.

[8] Kojin jōhō no hogo ni kansuru hōritsu shikōrei [Enforcement Order of the Act on the Protection of Personal Information (APPI Order)], Order No. 507 of 2003, amended by Order No. 324 of 2016, art. 1.

[9] Discussion Meeting on Personal Data, Personal Data Commission, IT Strategic Headquarters, https://www.kantei.go.jp/jp/singi/it2/pd/index.html (last visited Nov. 20, 2017), archived at https://perma.cc/JD4A-VL3U.

[10] Katsuya Uga, 個人情報保護法の逐条解說 [Article by Article Commentaries on PIPA] at 41 (2016), https://lccn.loc.gov/2017407262.

[11] S. Ct., 1965 (A) No. 1187, 23 Keishū 12, 1625 (Dec. 24, 1969), http://www.courts.go.jp/hanrei/pdf/js_20100319120221050991.pdf, archived at https://perma.cc/ZEP8-TN8B, English-language summary of decision available on Courts of Japan website, at http://www.courts.go.jp/english/judgments/text/1969.12.24-1965.-A-.No..1187.html, archived at https://perma.cc/EG65-8TJL.

[12] S. Ct., 1965 (A) No. 1187.

[13] S. Ct., 2002 (Ju) No. 1656, 57 Minshū 8, 973 (Sept. 12, 2003), http://www.courts.go.jp/app/files/hanrei_jp/357/052357_hanrei.pdf, archived at https://perma.cc/TKE4-TT7M.

[15] Kojin jōhō no hogo ni kansuru kihon hōshin [Basic Policy on the Protection of Personal Information], Cabinet Decision (Apr. 2, 2004), last amended by Cabinet Decision (Oct. 28, 2016), https://www.ppc.go.jp/files/pdf/290530_personal_basicpolicy.pdf, archived at https://perma.cc/PE8A-8LC8.

[16] APPI art. 7.

[17] Id. arts. 59 & 60.

[18] Id. art. 40.

[19] Id. art. 44.  If the matter relates to employment management, the Minister of Health, Labor and Welfare will have jurisdiction. Id. art. 46. 

[20] Id. art. 41.

[21] Id. art. 42.

[22] Id. art. 84.

[23] Id. art. 2, para. 5.  Note that Item 5 of article 2, paragraph 5 (Small-business exemption) was repealed by the 2015 amendment.

[24] Id. art. 20.

[25] Id. art. 76.

[26] Id. art. 15, para. 1.

[27] Id. art. 18, para. 1.

[28] Id. art. 17, para. 1.

[29] Id. art. 2, para. 3.

[30] Id. art. 17, para. 2.

[31] Id. art. 16, para. 1.

[32] Id. art. 16, para. 3.

[33] Id. art. 15, para. 2.

[34] Id. art. 18, para. 3.

[35] Id. art. 27, para. 1.

[36] Id. and Enforcement Order of the APPI, art. 5.

[37] APPI art. 28.

[38] Id. art. 28, para. 2.

[39] Id. art. 28, para. 3 & art. 31.

[40] Id. art. 23, para. 1.  One example of the final exception is when hospitals submit certain patient information to the national cancer survey. 

[41] Id. art. 23, para. 2.

[42] Id. art. 36, para. 3 & art. 37.

[43] Id. art. 24.

[44] Yasutaka Tsujibata, Q&A de wakari yasuku manabu heisei 27nen kaisei kojin joho hogoho [Easily Studying Personal Information Protection Act Amended in 2015 by Q&A], at 72 (2016).

[45] APPI art. 25.

[46] Id. art. 28, para. 1.

[47] Id. art. 35.

[48] Id. art. 29.

[49] Id. art. 30, para. 1.

[50] Id. art. 30, para. 3.

[51] Id. art. 30, paras. 2 & 4.

[52] Id.

[53] Id. art. 30, para. 5.

[54] Shizuo Fujiwaya and Kojin Jōhō hogo hōsei kenkyūkai [Personal Information Law Research Study Group], Kojin jōhō hogo hō no kaisetsu [Commentary on the Act on the Protection of Personal Information] 219 (Itsuo Sonobe ed., 2005).

[55] APPI art. 47, para. 1.

[56] Id. art. 47, para. 2.  The list of Certified Personal Information Protection Organizations is available on PIPC’s website, at https://www.ppc.go.jp/personal/nintei/list/ (last visited Nov. 16, 2017), archived at https://perma.cc/EQ7E-4PKK.

[57] APPI art. 53, para. 1.  For example, the Japan Data Communications Association’s guideline is available at http://www.dekyo.or.jp/kojinjyoho/law/1.html (in Japanese), archived at https://perma.cc/BF3R-BSBN.

[58] APPI art. 52, para. 1.

[59] Id. art. 83.

[60] Act on the Prohibition of Unauthorized Computer Access, Act No. 128 of 1999 (Aug. 13, 1999), amended by Act No. 28 of 2013, art. 2, para. 4 & art. 3.

[61] Id. arts. 4 & 6.

[62] Id. art. 5.

[63] Id. art. 11.

[64] Id. art. 12.

[65] Saitama Dist. Ct., (Dec. 22, 2015), Hanrei Jiho 2282, 78.

[66] Tokyo High Ct. (July 12, 2016), Hanrei Taimuzu 1429, 112 (Dec. 2016).

[67] Heisei 28 (Kyo) 45 (S. Ct., Jan. 31, 2017), http://www.courts.go.jp/app/hanrei_jp/detail2?id=86482 (click Chinese characters beside the PDF icon), archived at https://perma.cc/4RL2-JXMM & https://perma.cc/UU8T-AP2K.

[68] Id.

[69] Id.

[70] About the Privacy Mark: Outline and Objective, JIPDEC, https://privacymark.org/about/outline_and_purpose.html (last modified Nov. 20, 2017), archived at https://perma.cc/5DWT-YGUB.

[71] Id.

[72] Id.  

[73] JIS改正に関連したプライバシーマーク付与適格性審査の対応方針について [Regarding Eligibility Examination for PrivacyMark Corresponding to JIS Amendment], JIPDEC, https://privacymark.jp/system/operation/jis_kaisei.html (last visited Nov. 21, 2017), archived at https://perma.cc/329F-Y72Y.

[74] 個人情報の取扱いに関する事故の報告について [Reporting Accidents of Handling Personal Information], JIPDEC, https://privacymark.jp/system/accident/index.html (last modified Nov. 21, 2007), archived at https://perma.cc/T27T-KF45.

Last Updated: 04/05/2018