Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
Japan made changes to its data privacy laws through the 2016 Amended Act on the Protection of Personal Information and recently passed additional amendments in 2020. The 2020 Revisions are expected to go into effect in spring 2022. There are also four main guidelines relating to the Act (General, Cross-Border Transfer, Records of Transfer, Anonymous Data), and the government issued a guideline outlining how employers should manage employee and job applicant health information.
The Act separates personal information into two categories. The first category, personal information, is defined as data relating to a living individual which can be used to:
The second category is defined as “special care-required personal information” which is sometimes referred to in other countries as sensitive personal information. Special care-required personal information includes data relating to a subject’s race, creed, social status, medical history, criminal record, fact of having suffered damage by a crime and other categories (defined by the government) which require special care so as not to cause unfair discrimination, prejudice or other disadvantages to the individual. This includes mental/physical disorders, health examination results, and criminal procedures.
When processing special care-required personal information, there are additional requirements and protections that must be followed, including obtaining consent (with a few exceptions).
_____________________________________
The authority responsible for enforcement of data privacy law and regulations in Japan is the:
Personal Information Protection Commission
個人情報保護委員会