Data Protection 2016€¦ · The International Comparative Legal Guide to: Data Protection 2016 General Chapter: Country Question and Answer Chapters: 1 Preparing for Change: Europe’s

The International Comparative Legal Guide to:

A practical cross-border insight into data protection law

Published by Global Legal Group, with contributions from:

Affärsadvokaterna i Sverige ABBagus Enrico & PartnersCuatrecasas, Gonçalves PereiraDeloitte Albania Sh.p.k.Dittmar & IndreniusECIJA ABOGADOSEversheds SAGilbert + TobinGRATA International Law Firm Hamdan AlShamsi Lawyers & Legal ConsultantsHerbst Kinsky Rechtsanwälte GmbHHogan Lovells BSTL, S.C.

Hunton & WilliamsLee and Li, Attorneys-at-LawMathesonMori Hamada & MatsumotoOsler, Hoskin & Harcourt LLPPachiu & AssociatesPestalozziRossi AsociadosSubramaniam & Associates (SNA)Wigley & CompanyWikborg, Rein & Co. Advokatfirma DA

3rd Edition

Data Protection 2016

ICLG

WWW.ICLG.CO.UK

The International Comparative Legal Guide to: Data Protection 2016

General Chapter:

Country Question and Answer Chapters:

1 Preparing for Change: Europe’s Data Protection Reforms Now a Reality – Bridget Treacy, Hunton & Williams 1

2 Albania Deloitte Albania Sh.p.k.: Sabina Lalaj & Ened Topi 7

3 Australia Gilbert + Tobin: Peter Leonard & Althea Carbon 15

4 Austria Herbst Kinsky Rechtsanwälte GmbH: Dr. Sonja Hebenstreit & Dr. Isabel Funk-Leisch 30

5 Belgium Hunton & Williams: Wim Nauwelaerts & David Dumont 41

6 Canada Osler, Hoskin & Harcourt LLP: Adam Kardash & Bridget McIlveen 50

7 Chile Rossi Asociados: Claudia Rossi 60

8 China Hunton & Williams: Manuel E. Maisog & Judy Li 67

9 Finland Dittmar & Indrenius: Jukka Lång & Iiris Keino 74

10 France Hunton & Williams: Claire François 83

11 Germany Hunton & Williams: Anna Pateraki 92

12 India Subramaniam & Associates (SNA): Hari Subramaniam & Aditi Subramaniam 104

13 Indonesia Bagus Enrico & Partners: Enrico Iskandar & Bimo Harimahesa 116

14 Ireland Matheson: Anne-Marie Bohan & Andreas Carney 123

15 Japan Mori Hamada & Matsumoto: Akira Marumo & Hiromi Hayashi 135

16 Kazakhstan GRATA International Law Firm: Leila Makhmetova & Saule Akhmetova 146

17 Mexico Hogan Lovells BSTL, S.C.: Mario Jorge Yáñez V. & Federico de Noriega Olea 155

18 New Zealand Wigley & Company: Michael Wigley 164

19 Norway Wikborg, Rein & Co. Advokatfirma DA: Dr. Rolf Riisnæs & Dr. Emily M. Weitzenboeck 171

20 Portugal Cuatrecasas, Gonçalves Pereira: Leonor Chastre 182

21 Romania Pachiu & Associates: Mihaela Cracea & Ioana Iovanesc 193

22 Russia GRATA International Law Firm: Yana Dianova, LL.M. 204

23 South Africa Eversheds SA: Tanya Waksman 217

24 Spain ECIJA ABOGADOS: Carlos Pérez Sanz & Lorena Gallego-Nicasio Peláez 225

25 Sweden Affärsadvokaterna i Sverige AB: Mattias Lindberg 235

26 Switzerland Pestalozzi: Clara-Ann Gordon & Phillip Schmidt 244

27 Taiwan Lee and Li, Attorneys-at-Law: Ken-Ying Tseng & Rebecca Hsiao 254

28 United Arab Emirates Hamdan AlShamsi Lawyers & Legal Consultants: Dr. Ghandy Abuhawash 263

29 United Kingdom Hunton & Williams: Bridget Treacy & Stephanie Iyayi 271

30 USA Hunton & Williams: Aaron P. Simpson & Chris D. Hydak 280

Contributing EditorBridget Treacy, Hunton & Williams

Sales DirectorFlorjan Osmani

Account DirectorsOliver Smith, Rory Smith

Sales Support ManagerToni Hayward

Sub EditorHannah Yip

Senior EditorRachel Williams

Chief Operating OfficerDror Levy

Group Consulting EditorAlan Falach

Group PublisherRichard Firth

Published byGlobal Legal Group Ltd.59 Tanner StreetLondon SE1 3PL, UKTel: +44 20 7367 0720Fax: +44 20 7407 5255Email: [email protected]: www.glgroup.co.uk

GLG Cover DesignF&F Studio Design

GLG Cover Image SourceiStockphoto

Printed byAshford Colour Press Ltd.April 2016

Copyright © 2016Global Legal Group Ltd.All rights reservedNo photocopying

ISBN 978-1-910083-93-2ISSN 2054-3786

Strategic Partners

Further copies of this book and others in the series can be ordered from the publisher. Please call +44 20 7367 0720

DisclaimerThis publication is for general information purposes only. It does not purport to provide comprehensive full legal or other advice.Global Legal Group Ltd. and the contributors accept no responsibility for losses that may arise from reliance upon information contained in this publication.This publication is intended to give an indication of legal issues upon which you may need advice. Full legal advice should be taken from a qualified professional when dealing with specific situations.

ICLG TO: DATA PROTECTION 2016 135WWW.ICLG.CO.UK© Published and reproduced with kind permission by Global Legal Group Ltd, London

Chapter 15

Mori Hamada & Matsumoto

Akira Marumo

Hiromi Hayashi

Japan

amended; the “My Number Act”), and (iii) other relevant laws was promulgated. Amendments to the APPI (the “Amended APPI”) include: ■ Establishing the Personal Information Protection Committee

(the “Committee”) which will supervise the enforcement and application of the APPI.

■ Introducing the definition of Sensitive Personal Information.■ Introducing restrictions on transferring personal data to

foreign jurisdictions.The Committee was established on 1 January 2016. However, most of the amendments under the Amended APPI will take effect on the date. This date must fall within two years from 9 September 2015, to be designated by the ordinance of the Amended APPI yet to be issued. Cited provisions of the APPI (i.e., Article and paragraph numbers) are the adjusted provision numbers when all the provisions of the Amended APPI have become effective.APPIThe APPI is the principal data protection legislation. It is the APPI’s basic principle that the cautious handling of Personal Information, as defined in Article 2, paragraph 1, under the principle of respect for individuals will promote the proper handling of Personal Information. (APPI, Article 3.)Chapters 2 and 3 set forth the basic frameworks of the responsibilities and policies of the national and local governments to protect Personal Information. Pursuant to Article 7 of the APPI, the Cabinet established the “Basic Policy on the Protection of Personal Information” (Kojin Jyouhou no Hogo ni kansuru Kihon Houshin) in 2004 (as amended; the “Basic Policy”). Chapter 4 regulates the use of Personal Information by private businesses and sets forth the obligations of “Business Operators Handling Personal Information (Kojin Joho Toriatsukai Jigyosha)” (the “Handling Operators”), as defined in Article 2, paragraph 5 of the APPI. Before the amendment of the APPI, Handling Operators include all Business Operators using a Personal Information Database for their businesses (please see question 2.1) except for Business Operators with fewer than 5,000 individuals in their Personal Information Database at any time in the past six months. This exception will no longer be available when the Amended APPI becomes effective. Administrative organs and independent administrative agencies are not Handling Operators and their data handling is regulated under the laws described in items (ii) and (iii) of the first paragraph of this answer to question 1.1.Privacy MarkA Business Operator may use a logo called a “Privacy Mark” (the “Privacy Mark System”) which shows its compliance

1 Relevant Legislation and Competent Authorities

1.1 What is the principal data protection legislation?

The following laws and regulations are the basic legislation in Japan for the Protection of Personal Information since 2005:(i) Act on the Protection of Personal Information (Act No. 57 of

30 May 2003, as amended; the “APPI”);(ii) Act on the Protection of Personal Information Held by

Administrative Organs (Act No. 95 of 1988 of 30 May 2003 as amended);

(iii) Act on the Protection of Personal Information Held by Independent Administrative Agencies; and

(iv) local regulations (jyourei) legislated by local governments.In addition, each Ministry regulating specific industrial sectors issues data protection guidelines for those sectors. Please see question 1.3.This diagram shows the basic structure of the regulatory regime for the Protection of Personal Information.

(Source: the website of Consumer Affairs Agency)

On 9 September 2015, a bill amending (i) the APPI, (ii) the Act on the Utilisation of Numbers to Identify Specific Individuals in Administrative Procedures (Act No. 27 of 31 May 2013, as

WWW.ICLG.CO.UK136 ICLG TO: DATA PROTECTION 2016© Published and reproduced with kind permission by Global Legal Group Ltd, London

Industry Ministry Number of Guidelines

Agriculture, Foresty and Fisheries

Ministry of Agriculture, Forestry and Fisheries 1

Broadcasting Ministry of Internal Affairs and Communications 1

Credit Ministry of Economy, Trade and Industry 1

Defence Ministry of Defence 1

Economy and Industry

Ministry of Economy, Trade and Industry 3

Education, Culture, Sports, Science and Technology

Ministry of Education, Culture, Sports, Science and Technology

1

Employment (General)

Ministry of Health, Labour and Welfare 2

Employment (Seaman)

Ministry of Land, Infrastructure, Transport and Tourism

1

Employment Placement (General)


Employment Placement (Seaman)


1

Environment Ministry of Environment 1

Finance Financial Services Agency 2

Financial Affairs Ministry of Finance 1Foreign Affairs Ministry of Foreign Affairs 1

Labour Union Ministry of Health, Labour and Welfare 1

Land, Infrastructure, Transport and Tourism


1

Legal Affairs Ministry of Justice 2

Letters Ministry of Internal Affairs and Communications 1

Medical Care (General)


Medical Care (Research)

Ministry of Health, Labour and Welfare(Some Guidelines are jointly issued with the Ministry of Economy, Trade and Industry or Ministry of Education, Culture, Sports, Science and Technology)

3

Pensions Ministry of Health, Labour and Welfare 1

Police National Public Safety Commission 1

Posting Ministry of Internal Affairs and Communications 1

Telecommunications Ministry of Internal Affairs and Communications 1

Temporary Worker Placement (General)


Temporary Worker Placement (Seaman)


1

Welfare Ministry of Health, Labour and Welfare 1

(Source: the website of Consumer Affairs Agency)

with the relevant laws and the Japan Industrial Standards (JIS Q 15001:2006 [Personal Information Protection Management System – Requirements]) (“JIS Q 15001”) established by the Japan Information Processing Development Centre. JIS Q 15001 is not a law but, in certain aspects, it provides a higher level of standards than the APPI. For example, JIS Q 15001 does not exempt a Business Operator with fewer than 5,000 individuals.

1.2 Is there any other general legislation that impacts data protection?

(a) Privacy Right Privacy right is recognised by Japanese courts as the right of

persons for their private life not to be disclosed except for a legitimate reason, and is recognised among academics as the right to control one’s own Personal Information. Therefore, in addition to complying with the APPI, a person who possesses the Personal Information of others in Japan must not infringe on the privacy rights of the principals.

(b) Privacy of Communications Article 4 of the Telecommunications Business Law

provides that no person may infringe on the privacy of the communications handled by telecommunications Business Operators. Privacy of communications does not necessarily refer to Personal Information, although the guidelines issued by the Ministry of Internal Affairs and Communication (“MIAC”) for the Protection of Personal Information in the telecommunication business (please see question 1.3) also deal with the privacy of communications, such as telecommunications logs (the “MIAC Guidelines”).

(c) Electronic Mails The Act on the Regulation of Transmission of Specified

Electronic Mails (Act No. 26 of 17 April 2002, as amended) regulates unsolicited marketing by email. Please see question 7.1.

(d) Commercial Transactions TheActonSpecifiedCommercialTransactions(ActNo.57

of 4 June 1976, as amended) regulates, among other forms of unsolicited marketing, unsolicited marketing by email. Please see question 7.1.

(e) Utilisation of Numbers to Identify Individuals in Administrative Procedures

The Japanese government adopted a social security and tax number system, and in 2015 assigned specific numbers toentities and individuals pursuant to the My Number Act. It is the basic principle of this law that using the assigned numberswillcontributetotheefficientandpromptexchangeof information by administrative organs. Under this law, the assigned numbers should be handled duly and safely in accordance with certain standards, which are different from those under the APPI and the laws described in items (ii) and (iii)ofthefirstparagraphoftheanswertoquestion1.1.

1.3 Isthereanysectorspecificlegislationthatimpactsdata protection?

The APPI is the principal legislation applicable to Handling Operators in all sectors. Under Article 8 of the APPI, the national and local governments will provide information, formulate guidelines to ensure the appropriate and effective implementation of measures to be taken by various persons, and take other necessary measures.Inthisregard,eachMinistryregulatingspecificindustriesissued guidelines for those industries. As of 25 November 2015, 38 guidelines have been issued for 27 industrial sectors as described in the chart below:

Mori Hamada & Matsumoto Japan

Japa

n


Japa

n

■ “Personal Data” means Personal Information constituting a Personal Information Database (Id. Article 2, paragraph 6).

■ “Retained Personal Data” means personal data which a Handling Operator has the authority to disclose, correct, add, or erase or delete, discontinue its utilisation, or discontinue its provision to a third party, excluding the following (Id. Article 2, paragraph 7):

(i) any personal data, the existence or absence of which would harm the life, body or property of the relevant individual or a third party, encourage or solicit illegal or unjust acts, jeopardise the safety of Japan or harm the trust or negotiations with other countries or international organisations, or impede crime investigations or public safety; or

(ii) any personal data which will be erased from the Personal Information Database within six months after becoming part of the database.

A Handling Operator is required to comply with obligations regarding Retained Personal Data under Articles 27 through to 30 of the APPI. Please see question 4.1.

■ “Sensitive Personal Data” “Sensitive Personal Data”, which was not defined in the

APPI prior to its amendment, is defined in the Amended APPI as data referring to race, belief, social status, medical history, criminal record, whether one has been a victim of crime, and other Personal Information which needs careful handling so as not to cause social discrimination, prejudice or other disadvantages. The details of Sensitive Personal Data will be designated by the ordinance of the Amended APPI yet to be issued (Id. Article 2, paragraph 3).

Further, JIS Q 15001 for the Privacy Mark System prohibits obtaining Personal Information such as:

(i) beliefs, creeds and religion;(ii) race, ethnic origin, family origin, registered domicile,

physical and mental disorder, criminal records, and other information that may cause social discrimination;

(iii) group activities such as labour’s right to organise, collective bargaining, and other collective actions;

(iv) participation in a mass demonstration, exercise of the right to petition and other political rights; and

(v) medical care and sex life (JIS Q 15001, 4.4.2.3).■ “Processing” The APPI does not define “Processing”. Although the APPI

uses certain words such as handling (toriatsukai), obtaining (shutoku), utilisation (riyou), provisions (teikyo) to third parties and disclosure (kaiji), it does not define these words.

■ “Data Controller” Please see the definition of “Data Processor” below.■ “Data Processor” The APPI does not use the terms “Data Controller” or “Data

Processor”. But a Handling Operator (Kojin Joho Toriatsukai Jigyosha) may be comparable to a Data Controller or a Data Processor in that it is subject to obligations to protect Personal Information. Please see question 1.1 for the definition of a Handling Operator. Foreign companies doing business in Japan will be regulated as Handling Operators if they fall within the definition.

■ “Data Subject” The term “principal” would be comparable to a “Data Subject”.

Article 2, paragraph 8 of the APPI defines “principal” as a specific individual identified by Personal Information.

These guidelines basically provide how Handling Operators in each industry may comply with their obligations under the APPI. The guidelines issued by the Ministry of Economy, Trade and Industry (“Guidelines for Personal Information Protection Laws Concerning Fields of Economy and Industry”; the “METI Guidelines”) cover businesses which do not fall into specific sectors.

1.4 What is the relevant data protection regulatory authority(ies)?

Before the amendment of the APPI, the Minister of each Ministry regulating a specific industry was responsible for the supervision and enforcement of the APPI in that industry. Under the Amended APPI, however, the Committee, as an independent regulatory body, is authorised to advise a Handling Operator or require it to prepare and submit a report on the handling of Personal Information to the extent necessary to implement the APPI (APPI, Articles 40 and 41). If a Handling Operator violates the APPI, the Committee may urge it to cease the violation and take other necessary measures to correct the violation (Id. Article 42, paragraph 1). If the Committee finds it necessary and certain requirements are met, it may order the Handling Operator to take the urged measures or to cease the violation and take other necessary measures to rectify the violation (Id. Article 42, paragraphs 2 and 3). The Committee is also responsible for the supervision and enforcement of the My Number Act (My Number Act, Article 32). Please also see question 1.1.

2 Definitions

2.1 Pleaseprovidethekeydefinitionsusedintherelevantlegislation:

■ “Personal Data” The APPI provides four definitions relevant to personal data:

■ “Personal Information” means information about specific living individuals which can identify them by name, date of birth or other descriptions contained in the information (including information that will allow easy reference to other information which may enable the individual identification) (APPI, Article 2, paragraph 1).

The METI Guidelines give examples of information that is not Personal Information, such as an email address which will not allow easy reference to other identifying information, and statistical information which will not enable the identification of any specific individual.

■ “Personal Information Database” means an assembly of information including the following: (i) an assembly of information systematically arranged in such a way that specific Personal Information can be retrieved by a computer; and (ii) an assembly of information designated by a Cabinet Order as being systematically arranged in such a way that specific Personal Information can be easily retrieved. When the Amended APPI becomes effective, any assembly of information, the use of which is not likely to harm the interests of the individual principals, will be excluded from the definition, whose exclusion will be designated by the relevant ordinance of the APPI (Id. Article 2, paragraph 4).



■ Data minimisation The APPI imposes no obligation to minimise the Personal

Information which Handling Operators may obtain or use.■ Proportionality The APPI has no provision on proportionality.■ Retention Handling Operators are required to delete Personal

Information if its utilisation is no longer necessary (Id. Article 19). Further, there may be other restrictions under industry guidelines. For example, the MIAC Guidelines provide that telecommunication Business Operators must fix the retention period for the purpose of utilisation of Personal Information, and erase Personal Information after the expiration of the retention period without delay (MIAC Guidelines, Article 10).

■ Other key principles – please specify■ Restriction on provision of personal data to a third

party A Handling Operator is prohibited from providing Personal

Data to a third party without obtaining the prior consent of the principal, subject to certain exceptions (Id. Article 23, paragraph 1), such as when the Handling Operator (a) agrees to stop providing the Personal Data to the third party upon the demand of the principal, (b) notifies the principal of the provision to a third party or makes such notification readily accessible to the principal, and (c) submits a notification to the Committee stating (i) that the provision to third parties is included in the purpose of utilisation, (ii) the items to be provided to third parties, (iii) the mode of provision (e.g., by publishing a book or uploading on the website through the internet), (iv) the availability of opt-out for the principal who may request the Handling Operator to stop the provision, and (v) the mode of receiving the principal’s request (e.g., telephone, email, or any written material) (Id. Article 23, paragraph 2).

■ Exceptions The obligations imposed on Handling Operators will

not apply to Handling Operators that fall under any of the following items and if all or part of the purpose of handling Personal Information is prescribed in the following applicable items (APPI, Article 76):

(i) broadcasting institutions, newspaper publishers, communication agencies and other forms of the press (including individuals engaged in news reporting as their business), for the purpose of news reporting;

(ii) Business Operators in the business of literary work, for the purpose of literary work;

(iii) colleges, universities, other institutions or organisations engaged in academic studies, or entities belonging to any of the foregoing entities, for the purpose of academic studies;

(iv) religious organisations, for the purpose of religious activities (including activities incidental thereto); or

(v) political organisations, for the purpose of political activities (including activities incidental thereto).

4 Individual Rights

4.1 What are the key rights that individuals have in relation to the processing of their personal data?

■ Access to data A Handling Operator is required to make accessible

to the principal certain information (such as the name

■ “Pseudonymous Data” The APPI does not use this term.■ “Direct Personal Data” The APPI does not use this term.■ “Indirect Personal Data” The APPI does not use this term.■ Other key definitions – please specify (e.g., “Pseudonymous

Data”, “Direct Personal Data”, “Indirect Personal Data”)■ “Anonymously Processed Information” This term, introduced in the Amended APPI to promote

the utilisation of big data, is excluded from Personal Information. The Committee will supervise Business Operators in their dealings with Anonymously Processed Information. Please see question 12.1.

3 Key Principles

3.1 What are the key principles that apply to the processing of personal data?

■ Transparency The APPI has no provision explicitly dealing with

transparency. However, Handling Operators are required to either publicly announce or notify the principals of the purposes of utilisation of their Personal Information promptly after the collection of Personal Information (subject to certain exceptions) (APPI, Article 18).

Further, the Basic Policy requires Handling Operators to establish and publicly disclose their privacy policy or privacy statement, as well as to disclose their use of service providers to handle collected Personal Information and the extent of the service.

■ Lawful basis for processing Handling Operators are prohibited from acquiring Personal

Information by deception or other wrongful means (Id. Article 17). They are also prohibited from acquiring Sensitive Personal Information without the consent of the principal, except:

(i) if required by laws and regulations;(ii) if necessary to protect the life, body, or property of a

person and it is difficult to obtain the consent of the principal;

(iii) if necessary to improve public health and promote the sound nurturing of the young and it is difficult to obtain the consent of the principal;

(iv) if necessary for governmental bodies to perform its business and getting the consent of the principal will likely impede the proper performance of business; or

(v) for Sensitive Personal Information that has been disclosed to the public by the principal, governmental bodies, or certain parties designated by the Committee.

■ Purpose limitation Handling Operators are required to specify the purposes of

utilisation of Personal Information as much as possible and not to use the Personal Information of any person, without obtaining the prior consent of that person, beyond the scope necessary to achieve the specified purpose of utilisation of Personal Information (Id. Articles 15 and 16).

Further, Handling Operators are required to endeavour to keep Personal Information accurate and up to date within the scope necessary for the achievement of the purpose of utilisation of Personal Information (Id. Article 19).


Japa

n


Japa

n

■ Objection to marketing There are no provisions explicitly setting forth objections to

marketing. Any objection to marketing would be dealt with as an objection to processing.

■ Complaint to relevant data protection authority(ies) If the Handling Operator decides to decline a request from

individuals to notify them of the purpose of utilisation of their Retained Personal Data, or to disclose, correct, add, erase or delete, or discontinue the utilisation of their Retained Personal Data, the Handling Operator must endeavour to explain the reasons (Id. Article 31).

The Handling Operator must also endeavour to appropriately and promptly process complaints about the handling of Personal Information and establish a system necessary for achieving it (Id. Article 35).

■ Other key rights – please specify■ Complaint to Authorised Entities for the Protection

of Personal Information (Nintei Kojin Jyouhou Hogo Dantai)

Authorised Entities for the Protection of Personal Information (Nintei Kojin Jyouhou Hogo Dantai) are entities authorised by the Committee to handle complaints from individuals on the handling of Personal Information by Handling Operators. As of January 2016, 42 entities have obtained such authorisation.

When an Authorised Entity for the Protection of Personal Information is requested by an individual to solve a complaint about the handling of Personal Information by a Handling Operator, it must promptly notify the Handling Operator of the complaint and give the necessary advice, investigate the circumstances pertaining to the complaint and request the Handling Operator to solve the complaint promptly. It may, if necessary, request the Handling Operator to explain in writing or orally, or request it to submit relevant materials. The Handling Operator may not reject such a request without justifiable ground (Id. Article 52).

5 Registration Formalities and Prior Approval

5.1 Inwhatcircumstancesisregistrationornotificationrequired to the relevant data protection regulatory authority(ies)?(E.g.,generalnotificationrequirement,notificationrequiredforspecificprocessingactivities.)

The APPI imposes no requirement on a Handling Operator to register or notify the Committee to process Personal Information. However, if the Handling Operator provides the Personal Information to third parties without obtaining the prior consent of the principals, it is required to notify the Committee (please see question 3.1). The Committee is also authorised to enter offices or other places, to make inquiries and investigate, and to require a Handling Operator to report or submit materials regarding the handling of Personal Information or Anonymously Processed Information, to the extent necessary to implement the APPI (APPI, Articles 40 and 41). Please see question 1.4.

5.2 Onwhatbasisareregistrations/notificationsmade?(E.g., per legal entity, per processing purpose, per data category, per system or database.)

Please see question 5.1.

of the Handling Operator, the purpose of utilisation of Personal Information, and the procedures for notification of such information to the principal, correction of Personal Information or discontinuation of the utilisation of Personal Information) regarding Retained Personal Data (APPI, Article 27, paragraph 1).

Further, if a person requests a Handling Operator to notify him or her of the purpose of utilisation of such Retained Personal Data which may lead to the identification of the person concerned, the Handling Operator must meet the request without delay, subject to certain exceptions (Id. Article 27, paragraph 2).

The exceptions are cases where:(i) the purposes of utilisation are evident from the information

made available to the person by the Handling Operators pursuant to Article 27, paragraph 1 of the APPI;

(ii) publicly announcing or notifying the person of the purpose of utilisation is likely to harm the life, body, property, or other rights or interests of that person or a third party;

(iii) publicly announcing or notifying the person of the purpose of utilisation is likely to harm the rights or legitimate interests of the Handling Operator; or

(iv) it is necessary to cooperate with an administrative organ or a local government in implementing laws and regulations, and publicly announcing or notifying the person of the purpose of utilisation is likely to impede that implementation.

In addition, the Handling Operator is required to disclose, without delay, upon the request of an individual, that person’s Retained Personal Data, subject to certain exceptions (Id. Article 28).

The exceptions are cases where:(i) disclosure will likely harm the life, body, property, or

other rights or interests of the person or a third party;(ii) disclosure will likely seriously impede the proper

execution of the business of the Handling Operator; or(iii) disclosure will violate other laws and regulations.

The Handling Operator may charge for complying with a request to notify the purpose of utilisation pursuant to Article 27 or to disclose Retained Personal Data pursuant to Article 28.

■ Correction and deletion The principal may request the Handling Operator to correct,

add or delete Retained Personal Data if the Retained Personal Data is not correct. The Handling Operator must investigate without delay, and based on the result of the investigation, correct, add or delete, as requested by the principal, the Retained Personal Data to the extent necessary to achieve the purposes of use (Id. Article 29).

■ Objection to processing The principal may request a Handling Operator (a) to

discontinue the use of, or erase, the Retained Personal Data, and (b) to stop providing the Retained Personal Data to third parties if such use or disclosure is or was made, or the Retained Personal Data in question was obtained, in violation of the APPI. The Handling Operator must discontinue the use of, or the provisions to third parties of, or erase, Retained Personal Data upon the request of the principal if the request has reasonable grounds (Id. Article 30).

However, this obligation will not apply if it will be too costly or difficult to discontinue the use of, or to erase, the Retained Personal Data and the Handling Operator takes necessary alternative measures to protect the rights and interests of the principal.



control measures for personal data, and (v) respond to accidents or violations. The following are examples of measure (i) as illustrated by the METI Guidelines:■ Appointment of a Chief Privacy Officer (“CPO”).■ Appointment of a responsible official for audit.■ Implementation of an audit system.The METI Guidelines also mention the planning of an audit programme and implementation of an internal or external audit based on the programme as an example of measure (iv) above.However, although a Handling Operator is expected to adopt the measures described in the METI Guidelines, failure to adopt such measures is not a breach of the APPI. JIS Q 15001 for the Privacy Mark System requires a representative of a Handling Operator to appoint from its personnel a controller who understands and is competent to implement the JIS Q 15001.

6.2 What are the sanctions for failing to appoint a mandatoryDataProtectionOfficerwhererequired?


6.3 What are the advantages of voluntarily appointing a DataProtectionOfficer(ifapplicable)?


6.4 PleasedescribeanyspecificqualificationsfortheDataProtectionOfficerrequiredbylaw.


6.5 What are the responsibilities of the Data Protection Officer,asrequiredbylawortypicalinpractice?


6.6 MusttheappointmentofaDataProtectionOfficerberegistered/notifiedtotherelevantdataprotectionauthority(ies)?


7 Marketing and Cookies

7.1 Please describe any legislative restrictions on the sending of marketing communications by post, telephone, email, or SMS text message. (E.g., requirement to obtain prior opt-in consent or to provide a simple and free means of opt-out.)

Unsolicited marketing by email is regulated principally by the Act on the Regulation of the Transmission of Specified Electronic Mail (Act No. 26 of 17 April 2002, as amended; the “Act”). Pursuant to the Act, marketing emails can be sent only to recipients (i) who “opted in” to receive them, (ii) who provided the sender with their email address in writing (for instance, by providing a business card), (iii) who have a business relationship with the sender, or (iv) who make their email address available on the internet for business purposes. In addition, the Act requires the senders to allow the

5.3 Who must register with/notify the relevant data protection authority(ies)? (E.g., local legal entities, foreign legal entities subject to the relevant data protectionlegislation,representativeorbranchofficesof foreign legal entities subject to the relevant data protection legislation.)


5.4 What information must be included in the registration/notification?(E.g.,detailsofthenotifyingentity,affected categories of individuals, affected categories of personal data, processing purposes.)


5.5 What are the sanctions for failure to register/notify where required?


5.6 What is the fee per registration (if applicable)?


5.7 Howfrequentlymustregistrations/notificationsberenewed (if applicable)?


5.8 For what types of processing activities is prior approval required from the data protection regulator?


5.9 Describe the procedure for obtaining prior approval, and the applicable timeframe.


6 AppointmentofaDataProtectionOfficer

6.1 IstheappointmentofaDataProtectionOfficermandatory or optional?

The APPI has no provision which is comparable to Article 35 of proposed EU Regulation regarding a Data Protection Officer. However, the Handling Operator is required to take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control, of personal data (APPI, Article 20). The METI Guidelines explain that such measures should include systematic, human, physical, and technical security control measures. They provide that the Handling Operator should, as systematic security control measures, (i) establish an organisational structure to take security control measures for personal data, (ii) prepare regulations regarding security control measures for personal data and operate its business in accordance with those regulations, (iii) prepare the means to make the handling of personal data transparent, (iv) assess, review, and improve security


Japa

n


Japa

n

8 Restrictions on International Data Transfers

8.1 Please describe any restrictions on the transfer of personal data abroad?

Before the amendment, the APPI did not restrict the transfer of personal data abroad. Under the Amended APPI, the Handling Operator may not transfer personal data to an individual or an entity in a foreign jurisdiction without the prior consent of the principal, subject to certain exceptions. However, if a foreign jurisdiction has regulations to protect personal data that are comparable to the regulations in Japan, or if the receiving individual or entity takes necessary measures to protect personal data that are comparable to duties owed by Handling Operators under the APPI, this restriction is not applicable (Id. Article 24).

8.2 Please describe the mechanisms companies typically utilise to transfer personal data abroad in compliance with applicable transfer restrictions.


8.3 Do transfers of personal data abroad require registration/notificationorpriorapprovalfromtherelevant data protection authority(ies)? Describe whichmechanismsrequireapprovalornotification,what those steps involve, and how long they take.


9 Whistle-blower Hotlines

9.1 What is the permitted scope of corporate whistle-blower hotlines under applicable law or binding guidance issued by the relevant data protection authority(ies)? (E.g., restrictions on the scope of issues that may be reported, the persons who may submit a report, the persons whom a report may concern.)

As described in question 6.1, a Handling Operator is obligated to take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control, of personal data (APPI, Article 20). The METI Guidelines provide that the Handling Operator must establish, as a systematic security control measure, an organisational structure to take security control measures for personal data. An example of that measure is the “preparation of a system to report to and inform the Operator’s representative when the fact or sign of violation of the regulations regarding the handling of personal data is known”.However, although a Handling Operator is expected to adopt the measures described in the METI Guidelines, the failure to adopt such measures is not a breach of the APPI.

9.2 Is anonymous reporting strictly prohibited, or strongly discouraged, under applicable law or binding guidance issued by the relevant data protection authority(ies)? If so, how do companies typically address this issue?


recipients to “opt out”. Marketing emails sent from overseas will be subject to this Act as long as they are received in Japan. The Act on Specified Commercial Transactions also adopts the opt-in system for unsolicited marketing.Unsolicited telephone marketing regarding certain items such as financial instruments (e.g., derivatives) is also restricted under different regulations.

7.2 Is the relevant data protection authority(ies) active in enforcement of breaches of marketing restrictions?

Criminal sanctions against breaches of the Act were introduced in 2005. For example, a person sending marketing emails without the consent of the recipient may be fined 1,000,000 yen or less if the sender does not comply with an order issued by the Ministry to improve its business. Further, if the breach is committed by a legal entity, the entity is subject to a fine of 30,000,000 yen or less. Although various Ministries and agencies, such as the METI, the Consumer Affairs Agency or MIAC, proactively carry out educational activities to enhance the protection of Personal Information, information on government websites does not seem to show an active enforcement of breaches.

7.3 Are companies required to screen against any “do not contact” list or registry?

Japan does not have a “do not contact” registry, and the Act does not require companies to screen against any such list or registry.

7.4 What are the maximum penalties for sending marketing communications in breach of applicable restrictions?

The maximum penalties under the Act are one year of imprisonment or a fine of 1,000,000 yen or less for an individual, and a fine of 30,000,000 yen for the legal entity which employed that individual.

7.5 What types of cookies require explicit opt-in consent, as mandated by law or binding guidance issued by the relevant data protection authority(ies)?

The APPI does not differentiate cookies from other Personal Information. On the contrary, they are treated similarly to other Personal Information.

7.6 For what types of cookies is implied consent acceptable, under relevant national legislation or binding guidance issued by the relevant data protection authority(ies)?


7.7 To date, has the relevant data protection authority(ies) taken any enforcement action in relation to cookies?

Please see questions 6.1 and 7.5.

7.8 What are the maximum penalties for breaches of applicable cookie restrictions?

Please see questions 6.1 and 7.5.



11 Processing Data in the Cloud

11.1 Is it permitted to process personal data in the cloud? Ifso,whatspecificduediligencemustbeperformed,under applicable law or binding guidance issued by the relevant data protection authority(ies)?

The APPI does not differentiate processing personal data in the cloud. If a Handling Operator uses a cloud computing service, it is likely that it has a service agreement with the cloud computing service provider. If that is the case, the Handling Operator is required to exercise necessary and appropriate supervision over the service provider to ensure the security control of the personal data (APPI, Article 22). The METI Guidelines provide that “necessary and appropriate supervision” includes appropriately selecting the service provider, concluding the necessary contracts so that the security control measures based on Article 20 of the APPI are observed by the service provider, and knowing the status of the handling of the personal data that was entrusted to the service provider.

11.2 Whatspecificcontractualobligationsmustbeimposed on a processor providing cloud-based services, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

According to the METI Guidelines, a Handling Operator is expected to incorporate the following matters in the service agreement with the service provider:■ Clarification of the responsibilities of the Handling Operator

and the service provider.■ Matters regarding the security control of personal data, such

as:■ Prevention of the leakage of personal data and prohibition

of the fraudulent use of personal data.■ Prohibition on processing and use beyond the scope of the

service agreement.■ Prohibition on copying and duplicating beyond the scope

of the service agreement.■ Term of the service agreement.■ Return, erasure, and disposal of personal data after the

expiration of the service agreement.■ Matters regarding the re-entrusting of Personal Information,

such as:■ Reporting in writing to the Handling Operator when there

is a re-entrusting of Personal Information.■ Contents and frequency of reporting regarding the status of

the handling of personal data to the Handling Operator.■ Confirmation that the service agreement is duly performed

(including a security audit).■ Measures if the service agreement is not duly performed.■ Matters regarding reporting and communication when a

security incident or accident occurs.

9.3 Do corporate whistle-blower hotlines require separate registration/notificationorpriorapprovalfromtherelevant data protection authority(ies)? Please explain the process, how long it typically takes, and any available exemptions.


9.4 Do corporate whistle-blower hotlines require a separate privacy notice?

The METI Guidelines do not require a separate privacy notice regarding whistle-blower hotlines.

9.5 To what extent do works councils/trade unions/employeerepresentativesneedtobenotifiedorconsulted?

The METI Guidelines recommend that a Business Operator have sufficient discussions with labour unions regarding the acquisition, use and disclosure of Personal Information in connection with the employees and their employment.

10 CCTV and Employee Monitoring

10.1 Does the use of CCTV require separate registration/notificationorpriorapprovalfromtherelevantdataprotection authority(ies)?

There is no registration/notification requirement for the use of CCTV under the APPI.

10.2 What types of employee monitoring are permitted (if any), and in what circumstances?


10.3 Is consent or notice required? Describe how employers typically obtain consent or provide notice.


10.4 To what extent do works councils/trade unions/employeerepresentativesneedtobenotifiedorconsulted?


10.5 Does employee monitoring require separate registration/notificationorpriorapprovalfromtherelevant data protection authority(ies)?



Japa

n


Japa

n

data is compromised because encryption software was not used to protect personal data held on portable and mobile devices, the Committee may take regulatory action against the Operator.

13.2 Is there a legal requirement to report data breaches to the relevant data protection authority(ies)? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expects voluntary breach reporting.

The APPI does not require a Handling Operator to report data breaches to the authorities. However, a Handling Operator is obligated to take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control, of personal data (Id. Article 20). The METI Guidelines provide that the Handling Operator must respond to any accident or violation as a systematic security control measure. Under the METI Guidelines, the Handling Operator is expected to report to the Minister of the METI promptly with respect to certain cases such as breaches in connection with sensitive data, or personal data regarding financial information or credit card numbers.

13.3 Is there a legal requirement to report data breaches to individuals? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expects voluntary breach reporting.

The APPI does not require a Handling Operator to report data breaches to individuals. However, a Handling Operator is obligated to take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control, of personal data (Id. Article 20). The METI Guidelines provide that the Handling Operator must respond to any accident or violation as a systematic security control measure. Under the METI Guidelines, the Handling Operator is expected to contact any person who may be affected. The Guidelines say that it is preferable to apologise to the affected person for the accident or violation and to contact him or her to the extent possible in order to prevent a secondary damage to that person, subject to exceptions where the rights and interests of that person have not been infringed and it seems that there is no, or extremely little, likelihood of infringement in the future.

13.4 What are the maximum penalties for security breaches?

If a Handling Operator provides or misuses the Personal Information Database for the purpose of unlawful gains, it may be subject to an imprisonment of one year or less, or a fine of 500,000 yen or less (Id. Article 83). If a breach is committed by a person who is employed by an entity, such an entity will be subject to the same penalty (Id. Article 87).

12 Big Data and Analytics

12.1 Is the utilisation of big data and analytics permitted? If so, what due diligence is required, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

Aiming to promote the utilisation of big data, the Amended APPI introduced the notion of Anonymously Processed Information (tokumei kakou jyouhou). It is defined as information obtained by processing the Personal Information, such that ordinary people cannot (a) identify a specific individual using the processed information, and (b) restore the Personal Information from the processed information (APPI, Article 2, paragraph 9). A Handling Operator who processes Anonymously Processed Information is required (i) to produce the Anonymously Processed Information in compliance with the standards set forth in the rules of the Committee, (ii) to take measures for security control in compliance with the standards set forth in the rules of the Committee for the prevention of leakage, (iii) to disclose items that will be included in the Anonymously Processed Information pursuant to the rules of the Committee, (iv) when it provides Anonymously Processed Information to third parties, to disclose items that will be included in the Anonymously Processed Information and the medium to be used to deliver the information in compliance with the rules of the Committee, and to explicitly inform the third party recipients that the disclosed information is Anonymously Processed Information, and (v) not to do anything to identify the individual (Id. Article 36). The rules of the Committee have not yet been established.Because Anonymously Processed Information, by definition, is not Personal Information, a Handling Operator can provide it to the third parties without the consent of the principals if it complies with the requirements above.According to commentators, businesses are expected to utilise big data such as purchasing records of customers and ride-on and ride-off records of railroad users as Anonymously Processed Information.

13 Data Security and Data Breach

13.1 What data security standards (e.g., encryption) are required, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

A Handling Operator is obligated to take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control, of personal data (APPI, Article 20). Further, the Handling Operator is required to exercise necessary and appropriate supervision over its employees and service providers to ensure the security control of personal data (Id. Articles 21 and 22). Please see questions 6.1, 11.1 and 11.2. The METI Guidelines recommend encryption as a means of ensuring that personal data is kept secure. In particular, the METI Guidelines have made it clear that, where the security of personal



Japa

n

14.2 Describe the data protection authority’s approach to exercising those powers, with examples of recent cases.

From information which is publicly available, the Financial Services Agency has issued orders against commercial banks several times. Further, the METI has required certain companies to report, and has subsequently rendered its advice.

15 E-discovery / Disclosure to Foreign Law Enforcement Agencies

15.1 How do companies within your jurisdiction respond to foreign e-discovery requests, or requests for disclosure from foreign law enforcement agencies?


15.2 What guidance has the data protection authority(ies) issued?

There is no guidance regarding e-discovery/disclosure to foreign law enforcement agencies.

16 Trends and Developments

16.1 What enforcement trends have emerged during the previous 12 months? Describe any relevant case law.

Please see question 1.1. Given that the Committee was established on 1 January 2016, the issuances of the ordinance and its rules containing details of the implementation of the Amended APPI are still outstanding.

16.2 What “hot topics” are currently a focus for the data protection regulator?


14 Enforcement and Sanctions

14.1 Describe the enforcement powers of the data protection authority(ies):

Investigatory Power

Civil/Administrative Sanction Criminal Sanction

Personal Information Protection Committee

(i) May require a Handling Operator to report or submit materials regarding its handling of Personal Information, enter offices or other places for investigation, make inquiries and check records or other documents (Article 40).(ii) May require an Authorised Entity for Protection of Personal Information to report regarding its activities (Article 56).

A fine of 300,000 yen or less (Article 85).If a breach is committed by a person who is employed by an entity, such an entity will be subject to the same penalty (Article 87).

Same as aboveMay render guidance or advice to a Handling Operator (Article 41).

-

Same as above

May recommend a Handling Operator to cease the violation and take other necessary measures to correct the violation. May order a Handling Operator to take necessary measures (Article 42).

Imprisonment of six months or less, or a fine of 300,000 yen or less (Article 84).If a breach is committed by a person who is employed by an entity, such an entity will be subject to the same penalty (Article 87).

Same as above

Order an Authorised Entity for Protection of Personal Information to take necessary measures (Article 57).

Revoke the authorisation of an Authorised Entity for Protection of Personal Information (Article 58).



Japa

n

Mori Hamada & Matsumoto is a full-service international law firm based in Tokyo with offices in Bangkok, Beijing, Shanghai, Singapore and Yangon, with a desk in Indonesia. The firm has over 380 attorneys and a support staff of approximately 400, including legal assistants, translators and secretaries. The firm is one of the largest law firms in Japan and is particularly well-known in the areas of mergers and acquisitions, finance, litigation, insolvency, telecommunications, broadcasting and intellectual property, as well as domestic litigation, bankruptcy, restructuring and multi-jurisdictional litigation and arbitration. The firm regularly advises on some of the largest and most prominent cross-border transactions representing both Japanese and foreign clients. In particular, the firm has extensive practice in, exposure to and expertise on telecommunications, broadcasting, Internet, information technology and related areas, and provides legal advice and other legal services regarding the corporate, regulatory, financing and transactional requirements of clients in these areas.

Akira MarumoMori Hamada & Matsumoto16th Floor, Marunouchi Park Building2-6-1 Marunouchi, Chiyoda-kuTokyo 100-8222Japan

Tel: +81 3 5225 7738Fax: +81 3 5223 7638Email: [email protected]: www.mhmjapan.com

Hiromi HayashiMori Hamada & Matsumoto16th Floor, Marunouchi Park Building2-6-1 Marunouchi, Chiyoda-kuTokyo 100-8222Japan

Tel: +81 3 5220 1811Fax: +81 3 5220 1711Email: [email protected]: www.mhmjapan.com

Akira Marumo is a partner at Mori Hamada & Matsumoto. He has a broad range of experience in telecom regulations and corporate and finance matters. He co-authored Multimedia Business and Laws in 1995, Law concerning Providers’ Liabilities in 2002 and the Japanese section of Telecommunication in Asia in 2006. He was awarded an LL.B. from the University of Tokyo in 1991 and an LL.M. from Columbia University School of Law in 1997. He was admitted to the Bar in 1993 in Japan and in 1998 in New York. He is a member of the Tokyo Bar Association and the New York State Bar Association.

Hiromi Hayashi is a partner at Mori Hamada & Matsumoto, which she joined in 2001. She specialises in communications law and regulation and authored the Japanese section of Telecommunication in Asia in 2005. Her other areas of practice are international and domestic transactions, takeover bids and corporate restructuring. She was admitted to the Bar in 2001 in Japan and in 2007 in New York. She worked at Mizuho Corporate Bank from 1989 to 1994, and at Davis Polk & Wardwell in New York from 2006 to 2007.


Other titles in the ICLG series include:

■ Alternative Investment Funds■ Aviation Law■ Business Crime■ Cartels & Leniency■ Class & Group Actions■ Competition Litigation■ Construction & Engineering Law■ Copyright■ Corporate Governance■ Corporate Immigration■ Corporate Recovery & Insolvency■ Corporate Tax■ Employment & Labour Law■ Enforcement of Foreign Judgments■ Environment & Climate Change Law■ Franchise■ Gambling■ Insurance & Reinsurance■ International Arbitration

59 Tanner Street, London SE1 3PL, United KingdomTel: +44 20 7367 0720 / Fax: +44 20 7407 5255

Email: [email protected]

www.iclg.co.uk

■ Lending & Secured Finance■ Litigation & Dispute Resolution■ Merger Control■ Mergers & Acquisitions■ Mining Law■ Oil & Gas Regulation■ Outsourcing■ Patents■ Pharmaceutical Advertising■ Private Client■ Private Equity■ Product Liability■ Project Finance■ Public Procurement■ Real Estate■ Securitisation■ Shipping Law■ Telecoms, Media & Internet■ Trade Marks

Documents

Data Protection 2016€¦ · The International Comparative Legal Guide to: Data Protection 2016 General Chapter: Country Question and Answer Chapters: 1 Preparing for Change: Europe’s