Japan’s Law Concerning the Protection of Personal Information (the “Law”) came into effect for private sector

businesses in April 2005. The Law provides only a broad outline for the Japanese privacy regime, the details of

which are left to various government ministries to regulate through a patchwork of guidelines and other administrative guidance. Over the last two and a half years the ministries have developed new guidelines and amended existing ones.

The activities of a majority of businesses are covered by the guidelines promulgated by at least one of the

following agencies: the Ministry of Economy, Trade and Industry (METI), the Ministry of Health, Labor and

Welfare (MHLW), the Financial Services Agency (FSA), the Ministry of Internal Affairs and Communications (MIC), and the Ministry of Land, Infrastructure and Transport (MLIT). However, as of September 1, 2007, there are as many as 35 sets of guidelines issued pursuant to the Law, covering 22 business areas, including two sets of newly published guidelines and five sets of revised guidelines in the fiscal year 2006.

In general, the Law requires businesses to state the purpose of use of personal information at the time of

collection, and prohibits use beyond that stated purpose. Subject to certain exceptions, the Law also generally

prohibits disclosure of personal data to third parties without consent. Corporate subsidiaries and affiliates are

considered third parties for the purposes of the Law. The Law also requires that businesses acquire personal

information fairly, maintain accurate data, adopt security control measures, supervise employees and delegates (such as data processors and payroll or direct marketing vendors), permit access and correction of personal data, and create a system to address complaints regarding the handling of personal information. The details of these requirements are set out in the ministerial guidelines.

See article for more information.