Das japanische Datenschutzgesetz – das Recht zum Schutz von persönlichen Daten

Abstract

Quite a few years had passed since the year 2005, i.e. from the coming into force of the initial Japanese Data Protection Act, which by some was described as having being rather ‘toothless’ – until the one as it stands now in its revised version in effect since about mid-2022. This relatively long timespan was generally not too long when considering the past legislative development speed in Japan. However, due to an increasingly high number of cases widely covered in the media and an ensuing discussion in society about the negative effects on consumers, the legislative process received a push. While on the other hand the indirect pressure on Japan resulting from the introduction of a strong consumer- oriented data protection regime in the form of new laws and regulations (like the European GDPO) in some of the important trade partner countries likely may have accelerated the process even more.

This paper represents an abridged and adjusted version of the author’s newly inserted chapter on Japan’s personal data protection regime to be published in the forthcoming 2nd edition of the “Handbuch Japanisches Handels- und Wirtschaftsrecht”. It shows the development from Japan’s first data protection law via its first major 2017 revision until the recently already first revised version (within just 3+ years) of the current Personal Data Protection Act, herein referred to as GSpI.

The Japanese legislators aimed at bringing ‘everything data protection’ into one piece of an legislative act – in which they almost succeeded. As far as the latest version in effect since mid-2022 is concerned, one can say that Japan has now built a comprehensive and effective regime on the protection of personal data. The one slightly weakening point being that quite a large number of important regulatory matter finds detailed regulation in separate ‘Guidelines’ issued by the Data Protection Agency rather that in the Act itself.

Following a description of the structure of the GSpI and mention, to a limited detail, of the Guidelines and also other administrative regulations which can be and have been issued by the Data Protection Agency, the article provides German- language translations of some key definitions of what constitutes ‘personal data’ (or ‘personal information’) and other data categories, together with some elaboration on what actually is and can be regarded as ‘personal data’. There follows a description of the main duties and obligations of data users on the one hand and the corresponding rights of data subjects on the other. A further part deals with the problems of cross-border transmission of data, the special requirements and the particular care that must be taken both by transmitters of data to overseas third parties and by these overseas recipients.

Finally, to provide a rounded picture of the Japanese data protection regime, the article closes with a description of the regulatory framework and the administration by the Japanese Data Protection Agency: its structure, aims and competences. And it describes the establishment, the function and the various forms of administrative tools it may administer and which had been granted to it by the Act.