Mori Hamada & Matsumoto is a full-service law firm that has served clients with distinction since its establishment in December 2002. Its experienced lawyers have considerable expertise in the constantly evolving and increasingly complex areas of information technology, life sciences and intellectual property, providing a variety of legal services in response to clients' diverse legal needs. These legal services include advising on regulatory requirements, setting up a business, corporate housekeeping, contract negotiations and dispute resolution. In terms of data protection, the firm has noted expertise in leveraging user information while protecting clients' businesses. Mori Hamada & Matsumoto's data protection team comprises approximately 70 lawyers.
Japan's principal data protection legislation is the Act on the Protection of Personal Information (APPI). It provides the basic principles for the government's regulatory policies and authority, as well as the obligations of private business operators that handle personal information (the handling operator). An amendment to the APPI was approved in June 2020 and came into full force on 1 April 2022.
Another set of amendments to the APPI was approved in May 2021. Previously, national administrative bodies were regulated by the Act on the Protection of Personal Information Held by Administrative Organs and the Act on the Protection of Personal Information Held by Independent Administrative Agencies. One of the main purposes of the 2021 amendments was to integrate the obligations prescribed in these two laws into the APPI. The amendments relating to this integration came into effect on 1 April 2022.
In addition, local government bodies are regulated under their own local regulations (jyorei), but these vary between bodies. The 2021 amendments to the APPI introduced nationwide principles for jyorei and related implementing guidelines to homogenise the administration of national data protection regulations. Under this set of amendments, standard rules regarding personal information handled by local governments are uniformly stipulated in the APPI, and jyorei can only stipulate local rules in very limited situations allowed under the APPI. These amendments came into effect on 1 April 2023.
Another important law is the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (the “My Number Act”), which stipulates special rules for what is known in Japan as the Number to Identify a Specific Individual in the Administrative Procedure (“My Number”), a 12-digit individual number assigned to each resident of Japan.
The bill to amend the Telecommunication Business Act (TBA) was passed in June 2022 and came into effect on 16 June 2023. This amendment mainly introduced a regulation about sending cookies to an external party. It also imposed new obligations regarding user information on large telecommunications service providers that have either 5 million paid users or 10 million free users.
There are no laws or regulations that target artificial intelligence (AI) at this time. Please refer to 5.1 Addressing Current Issues in Law (Artificial Intelligence) for more details.
Furthermore, the Personal Information Protection Commission (PPC – the regulator primarily responsible for the APPI and the My Number Act) has published guidelines for handling personal information (the PPC Guidelines). For some industrial sectors, the ministry with jurisdiction over them has published data protection guidelines for those sectors. For example, the Financial Services Agency (FSA) and the PPC have jointly published data protection guidelines for the financial sector, and the Ministry of Internal Affairs and Communications (MIC) has issued data protection guidelines for telecommunication business operators.
Enforcement and Penalty Trends
Between 1 April 2023 and 30 September 2023, no administrative orders were issued, no administrative recommendations were made, 165 issuances of administrative guidance or advice were made, no on-site inspections were conducted, and 60 administrative requests for reports and materials were made against handling operators under the APPI. No administrative orders or recommendations have been issued because ordinary companies were in compliance with the PPC's administrative guidance and advice. Moreover, companies are typically concerned with their social reputation and so endeavour to comply with laws and regulations.
Key Concepts and Terminology
In order to understand the regulations under the APPI, it is important to distinguish between three key categories: personal information, personal data and retained personal data.
The APPI defines personal information as information about living individuals that can identify specific individuals or that contains an individual identification code (Article 2.1).
Information that can be used to identify specific individuals includes information that can be readily collated with other information to identify specific individuals. Whether information can be readily collated with other information for this purpose would be determined on a case-by-case basis, depending on how it is stored or handled by the handling operator. For example, information collected by cookies is not personal information by itself; however, if the handling operator can easily collate information collected by cookies with the name of the individual (which typically occurs when registered customers log in to the website of a company, and the company knows the cookie ID of the registered customer), the information collected by the cookies will be deemed to be personal information.
An individual identification code means a partial bodily feature of a specific individual that has been converted into any character, number, symbol or other code by computers for use, and that can identify that specific individual or is assigned to services or goods provided to an individual, or is stated or electromagnetically recorded on a card or any other document issued to an individual, to identify them as a specific user, purchaser or recipient of the issued document (Article 2.2). The various types of individual identification codes are listed in a Cabinet Order, and include driver's licences, passports and health insurance numbers. Credit card numbers and phone numbers are not individual identification codes.
Personal data is personal information contained in a personal information database (Article 16.3), which is a collection of information (that includes personal information) that is systematically organised to enable a computer (or through another means) to search for particular personal information; however, this term excludes a collection of information that a Cabinet Order indicates as having little possibility of harming an individual's rights and interests considering how that collection uses personal information. Examples of information collections excluded from this definition include a commercially available telephone directory or a car navigation system (Article 16.1).
Retained personal data is personal data that a handling operator has the authority to disclose, correct, add or delete content from; discontinue the use of; erase; or discontinue the provision of to a third party, excluding certain limited personal data (Article 16.4).
The PPC is tasked with enforcing and implementing the APPI, and has the following powers:
For some sectors, other government authorities also enforce the APPI – for example, the FSA is the relevant authority for banks, whereas the MIC is the appropriate authority for telecommunication service providers. There is no regulator specifically overseeing AI data.
The PPC does not have the authority to conduct criminal investigations, and the APPI explicitly stipulates that the PPC’s power to conduct on-site inspections does not include criminal investigations (Article 146.3).
It is important to note that the APPI imposes no administrative fines. Criminal sanctions may only be imposed if the handling operator:
Please also see 2.5 Enforcement and Litigation.
While local governments have enacted jyorei on data protection, those regulations apply only to the public sector. Please note that, from 1 April 2023, jyorei are regulated by the APPI, as discussed in 1.1 Laws.
The PPC empowers private organisations called accredited personal information protection organisations (Nintei Kojin Jyouhou Hogo Dantai) to handle and promote the protection of the personal information of handling operators. These accredited organisations process complaints against handling operators or provide information on them to ensure the reliability of the business of those handling operators and promote the protection of personal information. They also establish their own rules, with which their members must comply.
The APPI follows the Organisation for Economic Co-operation and Development’s eight Privacy Principles. Japan has reached an agreement with both the EU and the UK to certify each other’s country or territory as an “adequate” country for Japan’s and the EU/UK’s data protection purposes; this decision was renewed in March and April 2023. However, this does not mean that the APPI is identical to Regulation (EU) 2016/679 (the General Data Protection Regulation – GDPR).
Japanese data protection law is, nonetheless, closer to the EU omnibus model than the US sectoral/subnational approach in the sense that Japan has a comprehensive data protection law: the APPI.
As discussed in 1.1 Laws (Major Laws), the APPI was amended in 2020 and 2021, and the TBA was amended in 2022.
The MIC and the Ministry of Economy, Trade and Industry (METI) are in the process of establishing an AI Business Guideline for AI developers, AI service providers and AI users, which will be finalised around March 2024. This Guideline includes points regarding privacy and data protection.
The PPC is also having discussions to aim for updates of the APPI. According to a PPC document published in November 2023, there are three main topics:
The PPC plans to publish an interim report on the potential amendment in spring 2024.
Handling Operator Duties
The various obligations of a handling operator under the APPI are set out below.
The 2020 amendments to the APPI introduced mandatory obligations to report data breach incidents to the PPC and to notify affected data subjects in cases where their rights and interests are likely to be infringed (Article 26).
Entrustment
Under Article 27.5 (i) of the APPI, if a handling operator entrusts all or part of the handling of personal data it acquires to an individual or another entity, that individual or entity will not be considered a third party under Article 27.1. For example, if a handling operator uses third-party vendors of handling operator services and shares personal data with those vendors for them to use on the handling operator’s behalf and not for their own use, that transfer will be deemed an “entrustment” and is not subject to data transfer restrictions.
When a handling operator “entrusts” personal data, it must exercise the necessary and appropriate supervision over the entrusted person to ensure security control over the entrusted personal data (Article 25).
A handling operator may share and jointly use personal data with specific individuals or entities as long as the handling operator notifies the data subject or makes the following information accessible to them (Article 27.5(iii)), before any information sharing and joint use:
After notice or publication of these matters is made, the identified joint users will not be deemed third parties within the context of Article 27 and, therefore, the handling operator and the identified joint users may share and jointly use specific items of personal data as if they were a single entity.
Business Succession
A handling operator may transfer personal data to a third party without the opt-in consent of data subjects if the transfer accompanies a business succession caused by a merger or other legal reason (Article 27.5 (ii)).
Filing of Notification of Opt-Out Consent
Under Article 27.2 of the APPI, a handling operator may provide personal data (excluding special-care-required personal information and personal data that was acquired by improper means or provided by another handling operator pursuant to the opt-out mechanism) to a third party without the opt-in consent of data subjects if the following conditions are satisfied:
Please note that, in practice, the PPC does not readily accept the foregoing opt-out notification unless it is not practical to seek the data subjects’ consent, and it is difficult to use the other exceptions.
Data Protection Officers
The APPI has no provision mandating the appointment of a privacy or data protection officer; however, a handling operator must take necessary and proper measures to prevent the leakage, loss or damage of personal data and to implement other security controls. Under the PPC Guidelines, those measures should include the following:
As of 1 April 2024, the PPC Guidelines will also require a handling operator to take security control over personal information that will be collected and expected to be treated as personal data so that a cyber-attacker will not intercept such information on behalf of the operator.
The PPC Guidelines indicate that appointing a person to be in charge of the handling of personal data is an example of proper and necessary measures. However, although a handling operator is expected to adopt the measures described in the PPC Guidelines, the failure to adopt such measures is not a direct breach of the APPI.
Under the amendment of the TBA, large telecommunications service providers are required to appoint a chief manager responsible for handling user information.
Privacy By Design/Default and Privacy Impact Analyses
The APPI does not mandate obligations regarding privacy impact analyses (PIA). However, the PPC has issued a report titled “Promoting the implementation of PIA – Significance of PIA and points to keep in mind in the implementation procedure”, which it encourages business operators to follow voluntarily. The APPI does not refer to the concepts of privacy by design or by default, but PPC guidelines on accredited personal information protection organisations recommend that these organisations promote privacy by design.
Internal or External Privacy Policy
The PPC Guidelines recommend releasing a privacy policy or statement.
Article 32.1 of the APPI requires handling operators to make the following information regarding retained personal data available to data subjects:
Most handling operators typically comply, using internal and external privacy policies.
The PPC Guidelines also recommend stating the following in a handling operator’s basic policies as security control measures regarding personal data:
Most handling operators typically comply, using internal and external privacy policies.
The PPC Guidelines also recommend being transparent in disclosing the entrustment of work involving personal data (eg, disclosing whether entrustment has been made and what kind of work has been entrusted).
Data Subjects’ Rights
A data subject may request a handling operator to disclose their retained personal data and the record of providing it to a third party. The handling operator must comply with the request unless there is a possibility that the disclosure could harm the data subject’s or a third party’s life, body, property or other rights and interests, or that it could seriously interfere with the handling operator’s business (Article 33).
A data subject may also request a handling operator to correct, add or delete retained personal data. The handling operator must investigate without delay and, based on the results of the investigation, comply with the request to the extent necessary to achieve the purposes of use of the retained personal data (Article 34).
Furthermore, the data subject may request the handling operator to discontinue the use of or erase retained personal data and to stop providing retained personal data to third parties if:
However, this obligation will not apply if it will be too costly or difficult to discontinue the use of or erase the retained personal data and the handling operator takes necessary alternative measures to protect the rights and interests of the data subject (Article 35).
The APPI has no provision for data portability.
Anonymisation, De-identification or Pseudonymisation
The APPI recognises the concept of anonymously processed information, which is defined as information obtained by processing personal information so that ordinary people cannot identify a specific data subject using the processed information nor restore any personal information from the processed information (Article 2.6). This framework intends to promote the use of anonymously processed information by clarifying the rules and was expected to lead to the use of big data, innovations and new businesses. A handling operator can provide anonymously processed information to third parties without the consent of the data subjects, provided that the handling operator:
According to the PPC Guidelines, statistical information – ie, information that can be obtained by extracting items concerning a common element from information taken from several people and tallying them up by category – is not anonymously processed information because it is not information regarding an individual, and is therefore not covered by any regulations under the APPI.
The 2020 amendment of the APPI introduces the concept of pseudonymously processed information. This information is processed so that it cannot be used to identify a specific individual without collation with other information (Article 2.5). The pseudonymously processed information is exempted from certain regulations under the APPI, such as restrictions on changing the purpose of use, the obligation to comply with the data subject’s rights, and report/notification obligations in the case of a data breach (Article 43).
Profiling, Microtargeting, Automated Decision-Making, Online Monitoring or Tracking, Big Data Analysis and AI
There is no specific statutory law on microtargeting, online monitoring or tracking. However, any activity relating to the collection, use and provision of personal information will be subject to the rules of the APPI.
Under the 2020 amendment of the APPI, certain types of cookies, web beacons, online identifiers and so forth are subject to new regulations. Under the APPI, the transfer of personal data to third parties – whether the data is personal data or not – is judged based on the circumstances surrounding the transferor, not the transferee. In brief, if the data is not personal data in the hands of the transferor, regulations regarding the transfer of personal data to third parties are not applicable.
In recent years, some schemes have emerged whereby data management platforms provide non-personal information such as user data collected by cookies (eg, user browsing histories/interests and preferences) to third parties, with the knowledge that the data will be personal data in the hands of the recipient. The PPC was concerned by the expansion of this kind of data sharing without the involvement (control) of the data subjects. As a result, the concept of personally referable information has been introduced, defined as a collective set of information comprising information relating to a living individual that does not fall under personal information, pseudonymously processed information or anonymously processed information but that has been systematically organised to be searchable using a computer for specific personally referable information or similar information prescribed by Cabinet Order. The amended APPI regulates the provision of personally referable information if the provider assumes that a recipient will acquire a database of the provided personally referable information as personal data. In this case, the transferor must confirm that the transferee has obtained the data subjects’ consent to transfer their data as personal data.
See 5.1 Addressing Current Issues in Law for other items relating to profiling, microtargeting, automated decision-making, big data analysis and AI.
There is no definition of “injury” or “harm” under the APPI. However, an infringement of privacy is a tort under the Civil Code if the individual suffers from a mental burden or mental unease regarding the disclosure of information.
There are no regulations specific to AI data, but please note that general regulations are applicable. For example, if AI data includes personal information, the APPI applies to the data processing. The MIC and the METI are in the process of establishing an AI Business Guideline for AI developers, AI service providers and AI users, which will be finalised around March 2024. This Guideline includes points regarding privacy and data protection. The PPC published an announcement on 2 June 2023, setting out its interpretation of the APPI in the context of generative AI and requesting generative AI service providers and users to comply with the APPI.
Health Data
The APPI contains the concept of special-care-required personal information, which is defined as personal information comprising a principal’s race, creed, social status, medical history, criminal record, the fact of having suffered damages from crime, or other descriptions that may be prescribed by a Cabinet Order (Article 2.3). The handling operator must get prior consent to obtain special-care-required personal information (Article 20.2) and to transfer the same (opt-out consent is not allowed) (Article 27.2). For health data, the following categories of personal information are included in special-care-required personal information:
Under the Act Regarding Anonymised Medical Data to Contribute to Research and Development in the Medical Field (the “Medical Big Data Act”), government-accredited medical information anonymisation entities can obtain medical information from medical institutions (eg, hospitals) unless the data subjects opt out. Those entities are entitled to anonymise the acquired medical information and distribute the anonymised medical information for the purpose of R&D in the medical area.
Financial Data
Financial data is not categorised as special-care-required personal information, but will be treated as ordinary personal information if it can identify an individual.
Communications Data
A voice recording by voice telephony itself is not personal information, but it can be considered as such if the speaker can be identified from its contents or with other information. Even if a voice recording is not considered protected personal information, it is subject to protection under the basic principle of secrecy of communication granted under the Constitution of Japan, the TBA, the Radio Act and the Wire Telecommunications Act, which specifically protect the secrecy of telecommunication data.
The same applies to text messaging.
Other Categories of Sensitive Data
Information on political or philosophical beliefs generally falls within special-care-required personal information as a personal belief.
The APPI has no provisions regarding personal information related to union membership or sexual orientation. However, since that type of information is protected under the GDPR, the PPC has issued Supplementary Rules under the APPI for the handling of personal data transferred from the EU based on an adequacy decision, which provides that if any information is transferred from member countries of the EEA and the UK based on an adequacy decision, the information must be protected under the same standards as special-care-required personal information. In addition, data protection guidelines for the financial sector, published jointly by the FSA and the PPC, stipulate that information on union membership and sexual orientation is considered sensitive information. Financial companies should not acquire, use or collect such information unless specific exceptions apply.
There is no mandatory requirement under the APPI to set up privacy policies; however, as explained in 1.1 Laws (Key Concepts and Terminology), it is common and highly recommended for handling operators with websites to publish their privacy policy on their websites.
The use of cookies, web beacons and other tracking technology is not directly regulated under the APPI. Information collected by cookies or web beacons is not automatically personal information, but will be deemed to be personal information if the handling operator can easily collate information collected by cookies or web beacons with the name of the individual (for example, when an internet-based company can identify the cookie ID of customers when logged in to its website).
Behavioural advertising is not directly regulated under the APPI, but any personal information collected to provide behavioural advertising is subject to the APPI.
It is good practice to have a cookie policy and to offer an opt-out from using cookies (especially behavioural advertising). The Japan Interactive Advertising Association’s Guidelines are useful for an understanding of good practices in Japan.
The 2020 amendment of the APPI introduced regulations for certain cookies, web beacons and other tracking technology underlying behavioural or targeted advertising. Please see 2.1 Omnibus Laws and General Requirements (Profiling, Microtargeting, Automated Decision-Making, Online Monitoring or Tracking, Big Data Analysis and AI).
The amendment of the TBA imposed new obligations on telecom service providers (TSP), which have a non-trivial impact on users’ interests. More specifically, a TSP is an entity that provides:
When a TSP makes users send their information (typically including cookies) to an external party, the TSP is required to make a notification, make a public announcement, obtain opt-in consent or provide an opt-out mechanism with respect to certain information, including the content of the information, the name of the recipient party and the recipient’s purpose of use of the information.
Video and Television
Image information in videos or television would be categorised as personal information and subject to restrictions under the APPI if it can identify a specific individual. The MIC has published a Handbook for the Use of Camera Images, which explains the considerations necessary for utilising camera images for commercial purposes and the key points of the considerations through specific examples. In addition, the PPC published the Draft Report of the Expert Panel on the Use of Camera Images for Crime Prevention and Security, which underwent the public comment procedures in January 2023. This report covers points to be noted when introducing camera systems with facial recognition functions from the perspective of compliance with the APPI and ensuring that they do not cause infringements of portrait rights and privacy, as well as voluntary measures to gain understanding from the subjects of the images and society.
Social Media, Search Engines and Large Online Platforms
If social media and online platforms are categorised as “telecommunication services” under the TBA, then the provider is subject to the MIC’s guidelines on personal information for telecommunication businesses. Business operators providing telecommunications services with an average of more than 10 million users per month in the previous year (for free telecommunications services) or more than 5 million users per month (for fee-based telecommunications services) are required under the amended Telecommunications Business Act (effective 16 June 2023) to formulate and notify information handling rules, formulate and publish information handling policies, conduct self-evaluation and reflect them in information handling rules and regulations, and appoint and notify a general management representative.
As for large online platforms, the Act on Enhancing Transparency and Fairness of Specified Digital Platforms (the “Transparency Act”) takes the necessary measures to ensure transparency and fairness of transactions between designated large-scale digital platform operators and digital platform users. It also provides a mandatory disclosure rule about how user data is processed.
Intermediary Liability for User-Generated Content
Under the Provider Liability Limitation Act, even if an online platform has distributed information posted by a third party that infringes the rights of another person, the general rule is that the service provider will not be liable unless it is aware of or has a good reason to be aware of the infringement.
Children’s Privacy
A Q&A issued by the PPC states that, for minors between the ages of 12 and 15, the consent of a person with parental authority over the minor must be obtained for data processing, which requires the consent of data subjects (eg, the provision of personal data to third parties and the collection of special-care-required personal information).
Educational or school data is not subject to special restrictions but only to the restrictions under the APPI as personal information.
Rights to Object to Sale of Data and Tracking
There are no rights to object to the sale of personal data, but the APPI sets forth a similar scheme regarding the provision of personal data. Providing personal data to a third party is generally permissible only with consent or under an opt-out mechanism. If a data subject does not want their personal data to be provided or sold to another entity, they should either not provide their consent or object to any such provision/sale (opt-out). For more opt-out details, please see 2.1 Omnibus Laws and General Requirements (Filing of Notification of Opt-Out Consent). The APPI introduced some regulations for tracking; please see 2.1 Omnibus Laws and General Requirements (Profiling, Microtargeting, Automated Decision-Making, Online Monitoring or Tracking, Big Data Analysis and AI).
Unsolicited marketing by email is regulated principally by the Act on the Regulation of Transmission of Specified Electronic Mail (the Anti-Spam Act), under which marketing emails can only be sent to recipients who:
In addition, the Act requires the senders to allow the recipients to opt out.
Furthermore, the Act on Special Commercial Transactions restricts marketing regarding mail order businesses, including online shopping, but does not provide exceptions similar to the last three items above.
As discussed in 2.1 Omnibus Laws and General Requirements, behavioural and targeted advertising is not directly regulated under the APPI, but any personal data collected to provide behavioural and targeted advertising is subject to the APPI. There are no specific restrictions for behavioural and targeted advertising, but the 2020 amendment of the APPI introduced regulations for certain cookies, web beacons and other tracking technology underlying behavioural or targeted advertising.
There are special restrictions on telecommunication business operators regarding location information under the MIC’s guidelines on personal information for telecommunication businesses. Under these guidelines, telecommunication business operators can obtain or transfer location information from a mobile device only with the data subject’s prior consent or if there is a justifiable cause.
The Ministry of Health, Labour and Welfare has issued a notice regarding the health information of employees, which provides for an employer’s handling of the health information of its employees, including a condition that an employer shall not handle the health information of any employee beyond the scope necessary to secure the employee’s health.
Furthermore, the Employment Security Act has special restrictions on obtaining information on job applicants during recruitment, to prevent discrimination.
The employer has the right to monitor workplace communications in relation to work and to use cybersecurity tools, insider threat detection and prevention programmes, and digital loss prevention technologies, but a privacy issue may arise regarding private communications and other privacy matters at the workplace. Employers are therefore advised to establish internal rules prohibiting the use of company PCs and email addresses for private use, and to disclose the possibility of monitoring those devices and data, including emails.
In principle, there is no special role for labour organisations or works councils regarding employment-related data privacy, but there is a general requirement for employers to obtain the opinion of the employee representative in establishing work rules.
The Whistle-Blower Protection Act prohibits employers from dismissing whistle-blowers, and requires large companies with more than 300 employees to have whistle-blower systems in place. The Act also mandates companies to appoint personnel to handle whistle-blowing; such personnel have statutory confidentiality obligations about the whistle-blowing cases.
Administrative Sanctions
The PPC has the power to enforce administrative sanctions; please see 1.2 Regulators for details.
Please see 1.1 Laws for recent statistics about administrative sanctions enforced by the PPC. The PPC did not issue any official recommendations or administrative orders between May 2017, when it became the regulator and enforcement authority of the APPI, and August 2019, but has subsequently issued them for cases with a large social impact. For example, on 26 August 2019, the PPC issued its first official recommendation, to a company operating an online job platform. The company was considered to have captured users’ likelihood of declining a job offer based on their web browsing history and to have sold the data to potential employers. The PPC decided that the company did not comply with the required procedures under the APPI.
On 29 July 2020, the PPC issued administrative orders for the first time, in two cases of non-compliance with an official recommendation. In these cases, two anonymous internet-based companies published the personal data of bankrupts, including names and addresses, in violation of required procedures in the APPI. On 23 March 2022 and 2 November 2022, the PPC again issued administrative orders against similar website operators. On 11 January 2023, the PPC officially requested a criminal investigation authority to file a criminal charge against an operator for non-compliance with the order.
Please note that, even after May 2017, the PPC entrusts its enforcement powers to relevant public authorities for some industries.
Criminal Sanctions
Criminal sanctions for violations of the APPI are as follows.
The APPI does not provide the legal procedures that the PPC or the prosecutors must follow to allege violations of privacy or data protection laws. However, the authorities must generally follow the general restrictions of the Code of Criminal Procedure regarding the imposition of criminal sanctions, while the PPC does not have to follow those restrictions regarding administrative sanctions.
Private Actions
A data subject may go to court to seek compensation for damages or distress caused by a breach of data protection. There are two major types of legal causes.
Class actions
The Act on Special Measures Concerning Civil Court Proceedings for Collective Redress for Property Damage Incurred by Consumers allows for class actions to be filed by consumers. Please note that claims allowed under that law are limited to property damage and do not cover compensation for distress caused by a breach of the APPI. Please also note that an amendment to this act came into force on 1 October 2023, which includes emotional distress in the scope of the class action if it is caused along with property damage or by intentional conduct.
As a practical matter, a number of data subjects may select the same lawyer to represent them, and that lawyer can file a single lawsuit on behalf of those data subjects, which can be similar to a class action.
Recent leading cases
In a decision issued in October 2017, the Supreme Court found that the breach of a right to privacy may give rise to a claim for compensation for distress caused by the leakage of personal information (eg, names, birth dates, addresses and telephone numbers). The case was remanded to the Osaka Appeal Court, which awarded JPY1,000 to the claimant on 20 November 2019. In addition, the Tokyo Appeal Court awarded JPY3,300 to other plaintiffs on 25 March 2020 for the same data breach. The Supreme Court denied appeals of these cases in December 2020, so these Appeal Court decisions are deemed final.