What are the penalties for noncompliance with any applicable data protection laws?
Noncompliance with data privacy laws and data breaches may lead to sanctions, fines, and penalties. The amounts are usually calculated according to the risk to which personal rights were exposed and the preventive measures taken by the data controllers, processors and sub-processors in relation to their respective role in the chain of personal data processing.
There are penalties including fines and imprisonment for violation of Japan’s Amended Act on the Protection of Personal Information (2016). The 2020 Revisions to the Amended Act on the Protection of Personal Information, expected to go into effect in spring 2022, will increase some of these penalties. Personal information handling business operators (i.e. companies and relevant employees) who provided or used a personal information database by stealth for their illegal profits can be fined up to 500,000 yen or be imprisoned with labor for up to a year. The 2020 Revisions will increase the fine up to 100,000,000 yen.
If a business violates an order issued by the Personal Information Protection Commission, the entity (and the individuals involved) may be subject to imprisonment with work for up to six months or to a fine of up to 300,000 yen. The 2020 Revisions will increase the fine up to 100,000,000 yen.
The Commission may ask an entity to provide a report on the processing of personal data or may visit a company for an audit. If the business rejects the request from the Commission or falsifies an answer, the entity will be subject to a fine up to 300,000 yen. The 2020 Revisions will increase the fine up to 500,000 yen.
HR Best Practices: Before processing personal data, make sure to be in line with the provisions in the Act. In the event that your business receives a request from the Commission, comply with their request.