Personal Information Protection Act No. 57 - Japan

From The Secure Arc Wiki

Jump to: navigation, search

Introduced in Japan in 2003, this law was passed because of the spread of personal information in our advanced- information/telecommunication society. The law tries to protect individuals’ rights and welfare while preserving the usefulness of personal information. The intent is to set out a policy for handling personal information, and measures for protecting personal information. This law spells out duties of the national and local government. It also sets out obligations of businesses that handle personal information.

Philosophy Respect for the individual requires treating Personal Information carefully. So treat Personal Information appropriately.

Restrictions on Providing Data to Third Parties

  • 1. A Business shall not give Personal Data to any third party, without first getting the Principal’s consent
  • 2. Principals have a right to tell Businesses not to transfer their information on to third parties. Businesses have to tell Principals they have this right. Where a Principal does not exercise this right, the Business can transfer that Principal’s data to third parties, but only if the business first notifies the Principal (or the Principal can easily learn):
    • i. That giving the Personal Data to a third party is within the Business’s Purpose of Use;
    • ii. What categories of Personal Data the Business is giving the third party;
    • iii. How the Business gives Personal Data to the third party;
    • iv. That the Business will stop giving the third party the data if the Principal requests.
  • 3. If a Business changes the categories of Personal Data it gives third parties, or if it changes how it gives Personal Data to third parties, that Business must first notify the Principal of these changes—unless the Principal can easily learn them.
  • 4. Any party who has received Personal Data shall not be considered a “third party” under 1-3, if:
    • i. The Business delegates some or all of the Personal Data handling to that party, in order to achieve its Purpose of Use;
    • ii. The transfer of Personal Data to that party is part of a succession of business operations (such as a merger);
    • iii. The Business and that party jointly use the Personal Data, and the Principal got notice about (or can easily learn of) the joint use—and where that notice also communicated: what Personal Data would be used jointly; who the jointly-using parties are; what the joint parties’ Purpose of Use is; and the name (or title) of the joint parties’ contact person.
  • 5. As to paragraph 4(iii), if a Business changes its Purpose of Use, or if the name or title of the person responsible for managing Personal Data changes, then the Business must notify the Principal in advance (unless the Principal can easily learn of the changes).

Major publications

The Personal Information Protection Act No. 57, can be found at the following link.


Penalties for non compliance are as follows;

Penalty Provisions

  • Section 56
    • Anyone who violates an order under section 34 2-3 can be put in prison for up to six months, or fined up to 300,000 yen.
  • Section 57
    • Anyone who fails to file a report under sections 32 or 46, or who files a false report, can be fined up to 300,000 yen.
  • Section 58
    • 1. A representative can be punished under sections 56 and 57, as can any legal entity principal he represents.
    • 2. A representative or manager must represent any institution not organized as a legal entity in civil and criminal proceedings.
  • Section 59
    • Anyone is subject to a fine of up to 100,000 yen if he:
    • i. Failed to file a notice under section 40, or files a false notice;
    • ii. Violated section 45.


Personal tools