Data Protection Enforcement in Japan

Administrative Remedies

The competent ministry (varies depending on the industry of the company and/or the category of the data) has the power to collect reports, to make advices and recommendations, and to issue administrative orders to violators regarding their incompliance with the Japanese Act on the Protection of Personal Information (the “Act”).

Civil Remedies

The Act does not provide specific civil remedies, but violations of the Act may be subject to civil claims for monetary and/or mental suffering damages, and also apology ads as part of tortious claims under the Japanese Civil Code.

Criminal Remedies

Violations of specific administrative orders issued under the Act may be subject to imprisonment not exceeding six months or a fine not exceeding 300,000 YEN.

Other Remedies

‘Social’ remedies relating to reputation and other relevant business risks may be available, in addition to administrative, civil and criminal remedies.

Selected Enforcement Actions / General Comments

Details of administrative remedies (vary on case-by-case basis) may include improvements and suspensions of all or part of violated business activities for compliance with the Act. The amount of damages awarded in civil claims also varies depending on the specifics of the case, and the claims are sometimes made not only on the grounds of privacy invasions but also on other infringements of legal rights/interests such as defamation, unfair trade practices, embezzlement, etc. concurrently. As general notes, in Japan, an outline of amendments to the Act for utilizing personal data as discussion results of the special committee of the government was publicized in June 2014. And then, a Bill for amendments to the Act has been submitted to the current, annual Diet session and just passed at the Lower House of the National Diet in May 2015. The Bill newly introduces a unified, independent data protection authority, the Personal Information Protection Committee (PIPC) which will be given certain authorities centralizing the personal information protection matters currently administrated by each of the competent ministries in relevant sectors respectively, and also certain personal data activities may trigger filing requirements with the PIPC. However, shortly after passing the Bill at the Lower House, a massive pension data leakage incident was occurred, and as the results of such incident, it is postponed to discuss the Bill at the Upper House, and it is still not certain if or when the discussion of the Bill would be re-commenced at the Upper House in order to make the amendments to the Act effective.