New Report on Limits of “Consent” in Japan’s Data Protection Law
Introduction
Today, the Future of Privacy Forum (FPF) and Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the fourteenth and final report in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).
This report provides a detailed overview of relevant laws and regulations in Japan, including:
- notice and consent requirements for processing personal data;
- the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
- statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.
The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.
Japan’s Data Protection Landscape
The primary legislation in Japan governing the collection, use, and disclosure of personal information by private entities is the Act on Protection of Personal Information (APPI), which took effect in 2003 and applies to any handling of the personal information of data subjects (termed “principals” in the APPI) in Japan by businesses which supply goods and services to persons in Japan, termed “personal information handling business operators” (PIHBOs).
A core principle of the APPI is that personal information may only be processed for a specific purpose (termed the “utilization purpose”), which must be specified as clearly as possible. Before handling personal information, a PIHBO must notify the data subject or the public at large of the utilization purpose for handling the information (unless an exception applies). A PIHBO may also handle personal information in a manner that is consistent with that purpose without having to obtain the data subject’s consent.
The APPI was substantially amended in 2015, 2020, and 2021. These amendments did not significantly impact the APPI’s notice and consent framework.
- The 2015 amendments, which took effect in 2017, introduced, among other things, a set of enforceable rights and established an independent supervisory authority to oversee and enforce the APPI, the Personal Information Protection Commission (PPC).
- The 2020 amendments, which took effect in 2022, clarified the extraterritorial application of the APPI and disclosure and due diligence requirements for cross-border data transfers. These introduced a mandatory data breach notification scheme and new categories of “pseudonymously processed personal information” and “personally referrable personal information.”
- The 2021 amendments, among other things, established a unified data protection system for both public and private entities and expanded the scope of an exemption to the APPI for use of personal information in academic studies.
Following the 2015 amendments to the APPI, the PPC has been empowered to enforce the APPI and issue guidelines to aid compliance.
Regarding guidance, the PPC to date has issued comprehensive guidelines (in Japanese) on interpretation of the APPI as well as more targeted guidance on specific topics, in a question-and-answer format. The PPC’s guidance is complemented by other guidelines (in Japanese) on personal data protection in specific sectors (including finance, credit reporting, debt collection, medical care, insurance, and genomics) issued by sectoral regulators.
Regarding enforcement, the PPC is empowered to conduct investigations into PIHBOs’ personal data protection practices and issue non-binding recommendations to cease certain conduct or rectify non-compliance with certain APPI requirements. If a PIHBO fails to implement the recommendation without a legitimate excuse, or in cases where urgent action is required, the PPC is further empowered to issue a binding order for the PIHBO to take appropriate action. Failure to comply with a binding order from the PPC is a criminal offense punishable with imprisonment or a fine.
Role and Status of Consent as a Basis for Processing Personal Data in Japan
Consent is not required for all handling of personal information under the APPI. As discussed above, a PIHBO may collect and use personal information for a utilization purpose without obtaining the data subject’s consent. However, the PIHBO must still ensure that the handling is lawful and fair and, in most cases, notify the data subject of how his/her personal information will be handled.
That said, consent plays a number of secondary roles and may be required for certain activities concerning personal information. By default, a PIHBO must obtain the data subject’s consent before:
- changing the utilization purpose or handling the data subject’s personal information beyond the scope necessary to achieve the utilization purpose;
- disclosing the data subject’s personal information to a third party under certain circumstances; or
- handling “personal information requiring special care” (a class of sensitive personal information comprising personal information about a person’s race, creed, social status, medical history, criminal record, having been a victim of a crime, disabilities, or health condition).
Consent also functions as one of several legal bases under the APPI for transferring personal information out of Japan. In this context, consent is only valid if the PIHBO first provides the data subject with certain information, including the jurisdiction to which the personal information will be transferred, details on the personal information protection system of that jurisdiction, and details of any action that the recipient will take to protect the personal information.
Though the APPI provides a number of exceptions to consent requirements, these exceptions are generally only available where provided by another law or regulation, or where there is a need to:
- protect a person’s life, health, or property or public health, and it is difficult to obtain the data subject’s consent; or
- cooperate with a public authority, and seeking consent would interfere with the operations of that authority.
Additionally, the APPI exempts certain activities, including academic research, journalism, and activities of political or religious organizations, from its requirements, including consent requirements, subject to certain obligations to secure and appropriately handle personal information.
The APPI does not define consent or specify the forms of consent that would be considered valid under the APPI. However, the PPC has issued guidelines which suggest that consent must minimally be specific and voluntary and provide examples of valid measures for obtaining consent in practice.
While express consent would qualify as valid under the APPI, there is ambiguity as to whether implied consent would qualify as valid for this purpose. Guidance from the PPC suggests that opt-in implied consent could be considered valid in appropriate cases but does not provide examples of any such cases.
However, certain sectoral guidelines, including for the medical care and debt collection sectors, do specify a number of situations in which consent can be inferred or would not be strictly required.
Read the previous reports in the series here.