Japan’s Law Concerning the Protection of Personal Information (the “Law”) came into effect for private sector
businesses in April 2005. The Law provides only a broad outline for the Japanese privacy regime, the details of
which are left to various government ministries to regulate through a patchwork of guidelines and other administrative guidance. Over the last two and a half years the ministries have developed new guidelines and amended existing ones.
The activities of a majority of businesses are covered by the guidelines promulgated by at least one of the
following agencies: the Ministry of Economy, Trade and Industry (METI), the Ministry of Health, Labor and
Welfare (MHLW), the Financial Services Agency (FSA), the Ministry of Internal Affairs and Communications (MIC), and the Ministry of Land, Infrastructure and Transport (MLIT). However, as of September 1, 2007, there are as many as 35 sets of guidelines issued pursuant to the Law, covering 22 business areas, including two sets of newly published guidelines and five sets of revised guidelines in the fiscal year 2006.
In general, the Law requires businesses to state the purpose of use of personal information at the time of
collection, and prohibits use beyond that stated purpose. Subject to certain exceptions, the Law also generally
prohibits disclosure of personal data to third parties without consent. Corporate subsidiaries and affiliates are
considered third parties for the purposes of the Law. The Law also requires that businesses acquire personal
information fairly, maintain accurate data, adopt security control measures, supervise employees and delegates (such as data processors and payroll or direct marketing vendors), permit access and correction of personal data, and create a system to address complaints regarding the handling of personal information. The details of these requirements are set out in the ministerial guidelines.
See article for more information.