My Business Deals with Japanese Public Entities: How Does the Act on the Protection of Personal Information Affect Us?

When businesses interact with public entities in Japan—be it through regulatory filings, government contracts, or collaborative projects—the exchange and handling of personal information are often involved. Japan has a comprehensive legal framework, primarily the Act on the Protection of Personal Information (個人情報の保護に関する法律 - Kojin Jōhō no Hogo ni Kansuru Hōritsu, hereinafter "APPI"), which governs how such data must be treated. Significantly, following major reforms, this single APPI now provides a unified set of rules for both private sector businesses and "Administrative Organs, etc." (行政機関等 - gyōsei kikan tō). This article explores how the APPI's provisions concerning administrative organs impact businesses that deal with these public entities.

Japan's Unified Approach to Personal Information Protection

Historically, Japan had separate laws governing personal information held by the private sector, national administrative organs, and independent administrative agencies. However, to create a more consistent and robust data protection regime, these were largely consolidated under a comprehensively amended APPI. The old "Act on the Protection of Personal Information Held by Administrative Organs" was abolished, and its core principles and rules were integrated into the main APPI, primarily within Chapter V ("Measures concerning Personal Information Handled by Administrative Organs, etc.").

This unified approach means that a single overarching law now sets the standards, although specific operational details might differ between private entities and administrative organs. The Personal Information Protection Commission (PPC) (個人情報保護委員会 - Kojin Jōhō Hogo Iinkai) serves as the independent data protection authority, overseeing compliance with the APPI across both sectors, including providing guidance and enforcement related to administrative organs.

Key Definitions and Scope under the APPI

Understanding the APPI's application requires familiarity with its key definitions:

  • Personal Information (APPI Article 2, Paragraph 1): Broadly defined as information relating to a living individual which can identify the specific individual by name, date of birth, or other descriptions, etc., contained in such information (including information which can be easily collated with other information and thereby identify a specific individual). It also includes Individual Identification Codes (e.g., driver's license number, passport number).
  • Administrative Organ, etc. (Gyōsei Kikan Tō) (APPI Article 2, Paragraph 11): This term under the APPI encompasses national administrative organs (as defined in the National Government Organization Act), the Imperial Household Agency, organs established within the Cabinet, the Board of Audit, organs of local public entities, and incorporated administrative agencies, among others. Essentially, it covers most public sector bodies at national and local levels.
  • Personal Information File (APPI Article 60, Paragraph 2; Article 106 for administrative organs): A collection of information systematically arranged so that specific personal information can be retrieved. Administrative organs are required to maintain and publish a "Personal Information File Register" for files they hold that meet certain criteria.

Core Obligations of Administrative Organs Regarding Personal Information

Chapter V of the APPI (specifically, Sections 2 and 3, Articles 107-117) outlines the primary obligations for administrative organs when handling personal information. These are crucial for businesses to be aware of, as they dictate how information provided by or concerning businesses and their personnel will be treated.

  1. Lawful and Fair Collection; Specification of Purpose of Use (APPI Articles 108, 109):
    • Administrative organs must not collect personal information beyond the extent necessary for achieving their specified administrative affairs.
    • The purpose of use must be specified as concretely as possible and, in principle, must not be changed beyond a scope reasonably considered to be related to the original purpose.
    • Personal information must generally be collected directly from the individual concerned, except in certain cases (e.g., with consent, when permitted by law, or when it doesn't unreasonably infringe upon individual interests).
  2. Restriction on Use and Provision to Third Parties (APPI Articles 111, 112):
    • Use: An administrative organ must not use personal information beyond the scope of its specified purpose of use, except with the individual's consent, when required by law, or in other limited circumstances (e.g., urgent necessity for the protection of life, body, or property).
    • Provision to Third Parties: Similarly, personal information must not be provided to third parties without the individual's consent, unless permitted by law, for urgent necessity, or if it's used statistically in a non-identifiable form. There are also specific exceptions for provision to other administrative organs or private entities if certain conditions promoting proper handling are met.
  3. Ensuring Accuracy and Security (APPI Articles 110, 113):
    • Administrative organs must endeavor to keep personal information accurate and up-to-date within the scope of the purpose of use.
    • They must implement necessary and appropriate security safeguards to prevent leakage, loss, or damage of the personal information they handle. This includes organizational, personnel, physical, and technical security measures.
  4. Transparency and Public Register (APPI Article 106):
    • Administrative organs are required to prepare and make publicly available a "Personal Information File Register" (個人情報ファイル簿 - kojin jōhō fairu bo) which lists and describes the personal information files they maintain (subject to certain exceptions, like files related to national security or criminal investigations). This register helps individuals understand what personal information is being held and for what purposes.

Individual Rights of Access and Control (Regarding One's Own Information)

Chapter V, Section 4 of the APPI (Articles 118-126) grants individuals specific rights concerning their own personal information held by administrative organs. These rights are fundamental for data subject autonomy.

  1. Right to Request Disclosure (開示請求 - Kaiji Seikyū) (APPI Article 118):
    • Any individual can request the head of an administrative organ to disclose their own personal information held by that organ.
    • The agency must, in principle, disclose the information without delay, usually within 30 days (extendable).
    • Grounds for Non-Disclosure (APPI Article 119): Similar to the Information Disclosure Act, there are exemptions. Disclosure may be denied if:
      • It is likely to harm the life, body, property, or other rights and interests of the requester or a third party.
      • It is likely to seriously impede the proper execution of the administrative organ's affairs (e.g., information concerning deliberations, examinations, or consultations; information related to inspections or investigations).
      • It contains information about individuals other than the requester (unless disclosure is deemed particularly necessary for the requester's legitimate interests or other specific conditions are met).
      • It contains information about corporations that could harm their competitive position, if disclosure is not deemed necessary to protect an individual's life, body, or property.
  2. Right to Request Correction (訂正請求 - Teisei Seikyū) (APPI Article 123):
    • If an individual believes that their disclosed personal information is inaccurate, they can request the administrative organ to correct, add to, or delete it.
    • The agency must investigate and, if the information is indeed incorrect, make the necessary corrections within, in principle, 30 days.
  3. Right to Request Suspension of Use, Deletion, or Cessation of Provision (利用停止等請求 - Riyō Teishi tō Seikyū) (APPI Article 125):
    • An individual can make such a request if they believe their personal information is being handled in violation of the APPI's rules regarding:
      • Lawful collection or purpose of use (e.g., collected illegally, used beyond stated purpose).
      • Provision to third parties (e.g., illegally provided to a third party).
    • If the request has grounds, the administrative organ must suspend use, delete, or cease provision to the extent necessary to rectify the violation, except where such measures would seriously impede the proper execution of administrative affairs. The decision is generally made within 30 days.

If dissatisfied with an agency's decision on these requests, individuals can file an administrative complaint or, in some cases, litigation. Administrative complaints concerning these APPI rights related to administrative organs are typically reviewed with the involvement of the Personal Information Protection Commission or a similar review body at the local government level.

How This Affects Businesses Interacting with Japanese Public Entities

The APPI's rules for administrative organs have several direct and indirect implications for businesses:

  1. Providing Personal Information to Administrative Organs:
    • When businesses submit personal information (of their employees, customers, executives, etc.) to administrative organs for applications, registrations, tax filings, or in response to investigations, they should be aware that this information will be subject to the APPI rules governing administrative organs.
    • While the APPI restricts how agencies can use and further disclose this information, businesses should still be mindful of the scope of information requested and provided.
  2. Acting as a Contractor/Entrusted Party (Itaku-saki):
    • Administrative organs frequently entrust private businesses with tasks that involve handling personal information (e.g., system development and operation, data entry, survey implementation, event management).
    • When a business is entrusted with such tasks (becoming an 委託先 - itaku-saki), it is typically required by the APPI (Article 114, Paragraph 2) and by contract to implement appropriate security measures to protect the entrusted personal information. The administrative organ retains oversight responsibility.
    • The specific security measures required of the contractor will usually align with the APPI's standards and may be detailed in the entrustment agreement. Failure to meet these standards can lead to contractual liabilities and reputational damage.
  3. Responding to Official Information Requests from Agencies:
    • If an administrative organ requests personal information from a business as part of its official duties (e.g., an investigation), the business needs to understand the legal basis for such a request and the APPI's implications for how that information will be handled by the agency once provided.
  4. Data Breach Incidents:
    • If a business, while handling personal information entrusted to it by an administrative organ, experiences a data breach, it will likely have obligations to report the incident to the entrusting administrative organ and potentially to the PPC, as well as take remedial actions. These obligations will stem from the APPI itself (which includes general breach notification rules) and the specific terms of the entrustment contract. Administrative organs themselves also have obligations under the APPI in the event of a leak.
  5. Joint Use with Administrative Organs (共同利用 - Kyōdō Riyō):
    • In some cases, businesses and administrative organs might jointly use personal information for specific projects. The APPI has rules for joint use, requiring prior notification to individuals about the scope of the data, the users, the purpose, and the responsible manager (Article 27 for the private sector, with analogous considerations for public-private partnerships).
  6. Cross-Border Data Transfers:
    • If a business is handling personal information on behalf of an administrative organ and needs to transfer that data outside of Japan (e.g., to a subcontractor or for cloud storage), this will be subject to the APPI's rules on cross-border transfers, which require ensuring an adequate level of protection in the destination country or obtaining individual consent, among other measures. The administrative organ, as the primary data controller, would need to ensure these requirements are met.

Enforcement and Remedies

The Personal Information Protection Commission (PPC) plays a central role in overseeing the APPI's implementation by administrative organs. Its functions include:

  • Issuing guidance and recommendations.
  • Requesting reports and conducting on-site inspections of administrative organs (APPI Articles 154-156).
  • Making recommendations or issuing orders for improvement if violations are found (though direct orders to national administrative organs are typically framed as recommendations to the head of the organ).
  • Acting as a key body in the administrative complaint review process regarding disclosure, correction, or suspension of use requests.

Individuals whose rights under the APPI have been infringed by an administrative organ can:

  • Utilize the disclosure, correction, and suspension of use request mechanisms within the APPI.
  • File an administrative complaint if dissatisfied with the agency's response.
  • In some cases, pursue litigation (e.g., revocation litigation to challenge a non-disclosure decision, or state compensation claims if damages result from illegal handling of personal information).

While direct penalties against administrative organs themselves for APPI violations are structured differently from those against private businesses, failure to comply with PPC recommendations or the APPI's fundamental obligations can lead to significant administrative and political accountability. For businesses entrusted with data by administrative organs, failure to adhere to APPI standards and contractual obligations can result in contractual penalties, loss of business, and severe reputational harm.

Relationship with the Information Disclosure Act

It's important to distinguish between requesting one's own personal information under the APPI and requesting general administrative documents (which might happen to contain personal information about third parties) under the Information Disclosure Act.

  • APPI Disclosure Requests: The primary route for an individual to access their own personal information held by an administrative organ is through the APPI's disclosure request system (Article 118). The exemptions are tailored to this context (e.g., information about the requester is not automatically exempt simply because it's "personal").
  • Information Disclosure Act Requests: "Any person" can request general administrative documents under this Act. If these documents contain personal information about individuals other than the requester, that information is generally exempt from disclosure under Article 5, Item 1 of the Information Disclosure Act to protect privacy.

The source material gives an example (case 461-1 vs. 461-2): if an individual (A) requests their own information from a city (B), a request under the Gyōsei Kikan Kojin Jōhō Hogo Hō (now integrated into the APPI) would likely lead to disclosure. However, if A instead used the general Information Disclosure Act, the city might refuse disclosure on the ground that the information is A's personal information and that, because disclosure under that Act is made to "any person", releasing it would reveal that information. While a Supreme Court decision of December 18, 2001, showed flexibility before the comprehensive system was in place, the current APPI provides the dedicated and more appropriate channel for self-information requests.

Conclusion

For businesses engaging with Japanese public entities, the Act on the Protection of Personal Information (APPI) establishes a critical set of rules that these entities must follow when handling personal data. Understanding these obligations—regarding collection, use, security, and third-party provision—is essential for businesses when they provide personal information to, or act as contractors for, administrative organs. Moreover, being aware of the individual rights of access, correction, and suspension of use can empower individuals within a business context. By recognizing the APPI's framework, companies can better manage data-related risks, ensure their interactions with public bodies are compliant, and uphold the data protection standards expected in Japan.