A Guide To Privacy Laws In Japan

Aug 25, 2016



We can start with the strongest legal right of all: the Constitution of Japan.

Article 13. All of the people shall be respected as individuals. Their right to life, liberty, and the pursuit of happiness shall, to the extent that it does not interfere with the public welfare, be the supreme consideration in legislation and in other governmental affairs.

Practical Law (uk.practicallaw.com/country/japan) explains:

The constitution technically applies only to the relationship between the state and the individual. However, courts have referred to the standards of the constitutional right to privacy when applying the Civil Code in disputes between private individuals.

The “right to privacy” for individuals is derived from a general right to the “pursuit of happiness”; a right from which invasions of privacy commonly detract.

The Supreme Court generally defines this as a right which prohibits reckless or otherwise arbitrary disclosure of information about an individual’s private life.

Article 13 of the Constitution provides that citizens’ liberty in private life shall be protected against the exercise of public authority, and it can be construed that, as one of individuals’ liberties in private life, every individual has the liberty of protecting his/her own personal information from being disclosed to a third party or made public without good reason.

(See 1965 (A) No. 1187, judgement of the Grand Bench of the Supreme Court of December 24, 1969, Keishu Vol. 23, No. 12, at 1625)

You may have also noticed that Practice Law previously made mention of the Civil Code, so let’s take a look at that, too, to see how it factors into the equation:

Chapter 5: Torts
Article 709. A person who has intentionally or negligently infringed any right of others, or legally protected interest of others, shall be liable to compensate any damages resulting in consequence.

Practical Law (uk.practicallaw.com/country/japan) further elaborates:

The privacy law rules protect individuals located in Japan, including foreign nationals and minors. Privacy law rules do not protect legal entities. Public figures including government officials and celebrities have a right to privacy.

Japanese courts have described the right to privacy as both:

・ The right to not have private affairs made public without due cause.
・ The right to control private information.

In conclusion, we can see that the individual right to privacy is recognized by both the Japanese Constitution and the Civil Code, and (of course) also extends to protect foreign nationals.



If your privacy has been violated, what can you do about it?

The answer can be find in tort law (specifically: Chapter 5 of the Civil Code).

For those who may not be familiar with tort:

A tort, in common law jurisdictions, is a civil wrong that unfairly causes someone else to suffer loss or harm resulting in legal liability for the person who commits the tortuous act, called a tortfeasor. Although crimes may be torts, the cause of legal action is not necessarily a crime, as the harm may be due to negligence which does not amount to criminal negligence. (Wikipedia)

Such “common laws” tend to address such things as intentional torts (assault; false imprisonment; psychological abuse; etc), property torts (trespassing; detinue; etc), negligence (proximate cause; malpractice; etc), liability (product recalls; etc), nuisances (public intoxication; public nudity; etc), fraud, and many others.

In Japan, tort law also offers victim of violations of privacy the means by which to seek legal action against their tortfeasors.

Article 710. Persons liable for damages under the provisions of the preceding Article must also compensate for damages other than those to property, regardless of whether the body, liberty or reputation of others have been infringed, or property rights of others have been infringed.

Therefore, if (for example) someone takes your photo without your consent, you have a legal right to have that photo deleted, otherwise you are equally within your right to sue them as per tort law.



What happens if you sign an employment contract which essentially requires you to waive your right to privacy, though?

Doesn’t the act of signing the contract binds you to whatever clause a company has inserted, giving them the right to invade your privacy without your consent?

As we’ve stated before, signing a contract does not mean that you automatically agree with every clause in that contract, and contract clauses are always superseded by the law (and, this, rendered invalid). In a nutshell, if a clause conflicts with the law, the law wins every time.

Even if the clauses are valid, that doesn’t mean that they give a company carte blanche to do whatever they like depending on how creative they want to be with their interpretation of those clauses.

In the case of gathering personal information, a business is meant to ask you for your consent, and explain why (and for what purpose) they want your personal information.

Such requirements are covered by the Act on the Protection of Personal Information (APPI):

Article 15. Specification of the Purpose of Utilization
1. When handling personal information, a business operator handling personal information shall specify the purpose of utilization of personal information hereinafter referred to as “Purpose of Utilization” as much as possible.

2. A business operator handling personal information shall not change the Purpose of Utilization beyond the scope which is reasonably considered that the Purpose of Utilization after the change is duly related to that before the change.

Article 16. Restriction by the Purpose of Utilization
1. A business operator handling personal information shall not handle personal information about a person, without obtaining the prior consent of the person, beyond the scope necessary for the achievement of the Purpose of Utilization specified pursuant to the provision of the preceding article.

There are a few exceptions to these articles, however.

There are certain kinds of personal information that an employer must obtain because it is necessary for your employment. For example, your name, date of birth, and home address, are all types of personal information that a business or other entity needs to be able to have access to in order for them to function as an employer.

That being said, even in these cases, consent must be given by the individual, and an employer may not seek to gain this information by deceptive means, nor is an employer permitted to give this information to a third-party without permission (except under certain circumstances).

Article 17. Proper Acquisition
A business operator handling personal information shall not acquire personal information by a deception or other wrongful means.

Article 23. Restriction of Provision to A Third Party
A business operator handling personal information shall not … provide personal data to a third party without obtaining the prior consent of the person.

In addition, the employer needs to give a clear reason as to why they want to obtain the individual’s private information to begin with.

Article 15. Specification of the Purpose of Utilization
When handling personal information, a business operator handling personal information shall specify the purpose of utilization of personal information … as much as possible.

Furthermore, an employer has a legal duty to ensure that your private information is protected:

Article 20. Security Control Measures
A business operator handling personal information shall take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control of the personal data.

Finally, upon leaving a company, you have the right (within acceptable reason) to ask your former employer to delete your private information:

Article 27. Discontinuance of the Utilization, etc.
Where a business operator handling personal information is requested by a person to discontinue using or to erase such retained personal data as may lead to the identification of the person on the ground that the retained personal data is being handled in violation of Article 16 or has been acquired in violation of Article 17, and where it is found that the request has a reason, the business operator shall discontinue using or erase the retained personal data concerned without delay to the extent necessary for redressing the violation. However, this provision shall not apply to cases in which it costs large amount or otherwise difficult to discontinue using or to erase the retained personal data and in which the business operator takes necessary alternative measures to protect the rights and interests of the person.

If you want to read the APPI in more detail, you can do so here: Act on the Protection of Personal Information (PDF)



On the subject of “giving consent”, it should be noted that the APPI does not explicitly state what kind of consent is required in these situation.

Is implied consent enough (e.g. “You smiled for the photo.”), or must an employer get explicit consent in the form of a written document?

The European Commission’s “COMPARATIVE STUDY ON DIFFERENT APPROACHES TO NEW PRIVACY CHALLENGES (B.5 – JAPAN)” offers these thoughts on the matter:

The influential METI Privacy Guidelines provide that ‘consent’ can only be obtained once the data subject has been given a reasonable opportunity to understand to what he/she is consenting (METI, 2007: 2-1-10). It is desirable for consent to be evidenced by a positive action such as an oral or written statement, or checking a box on a website.

However, implied consent might be recognized as valid on a case-by-case basis in view of the circumstances (METI, 2007a). A minor lacks the capacity to consent, but his or her attorney-in-fact may consent on his/her behalf (META, 2007: 2-1-10).

The FSA guidelines also say that in principle, consent should be obtained by a written form, not oral (FSA, 2007: A 4).

It seems that the law (or, rather, guidelines on interpreting the law) is that written consent should always be acquired, and that oral consent is usually not enough to grant permission to an entity that’s seeking your private information.

Implied consent, however, may be treated on a “case-by-case” basis, depending on the circumstances.



What did we learn from this?

We’ve discovered that an individual’s right to privacy is protected by Article 16 of the Constitution, with the Civil Code’s tort law further protecting those rights while also offering recourse and compensation against tortfeasors.

We learned that the Act on the Protection of Personal Information (APPI) extensively details how an entity must seek, use, and protect, your private information.

Finally, we became aware that the METI’s Privacy Guidelines outline how consent should be attained from an individual, and that oral and implied consent are inadequate for attaining permission to collect and use private information.

There is, of course, much more that can be said and explored in regards to the issue of privacy in Japan and how those privacy issues might directly affect you.

However, those deeper issues are, perhaps, best left for other articles, as situations arise.

Be that as it may, we hope that you find this information to be useful during your time in Japan!