24 January 2020
Recently publicised cases
In recent months, the Personal Information Protection Commission (PPC) has been proactive in publicising cases of data breaches that have had a significant social impact, together with the names of the companies.
With the partial enforcement of the amended Act on the Protection of Personal Information in January 2016, the PPC was established as a regulatory body responsible for managing and ensuring compliance with the act. Under the act, the PPC has been granted supervisory authority over companies that were previously regulated by the relevant competent ministers. Specifically, the PPC is empowered to issue:
The PPC's establishment has significantly increased the supervisory authority's work at large.(1) On the other hand, until recently, it was common practice for the PPC not to publicise the names of companies that were subject to PPC investigations or orders. In fact, until July 2019, the PPC had publicised only one case where it identified the relevant company by name.(2)
From August to December 2019, the PPC publicised the details of three data breach cases, together with the names of the relevant companies.
On 26 August 2019, together with the name of the relevant company, the PPC publicised the fact that it had issued a formal recommendation and guidance to a major Japanese human resources service company that operates a job hunting website (Company X). The PPC found that Company X had:
In its recommendation and guidance, the PPC instructed Company X, among other things, to:
The PPC stated that it had publicised the case in light of its social impact.
Further, on 4 December 2019, together with the names of the relevant companies, the PPC publicised that it had issued:
An investigation conducted after the first recommendation had been issued to Company X revealed new facts concerning violations of the Act on the Protection of Personal Information, which increased the number of data subjects affected by the data breach to approximately 26,000. In the recommendations and guidance, the PPC instructed:
On 17 September 2019, together with the name of the relevant company, the PPC publicised the fact that it had issued formal guidance twice to a Japanese company that provides taxi-related services (a taxi dispatch application). The PPC found that the company had not sufficiently informed taxi users that it would capture their facial images with a camera attached to a tablet terminal installed in its taxis and use the images to optimise advertising distribution. Although the PPC issued guidance to the company in November 2018 and instructed it to provide a simplified explanation to taxi users, the company did not implement improvement measures until April 2019. In light of the above circumstances, the PPC issued guidance for a second time and publicised the case together with the name of the company in September 2019.
On 11 October 2019 the PPC publicised the fact that the personal data (eg, name, delivery address and order history) of approximately 110,000 user accounts on an e-commerce website operated by a major online retailer headquartered in a foreign country may have been viewable by other users due to a temporary system error. While the PPC instructed the company to take measures to prevent a recurrence of the data breach and to respond to inquiries from the users, it did not exercise supervisory authority over the company pursuant to the Act on the Protection of Personal Information.
As described above, the PPC has been proactive in publicising cases of data breaches that have had a significant social impact, even when the PPC did not exercise its supervisory authority over the companies in question. Whether this trend will continue should be carefully monitored.
The PPC's views in the above three cases also provide the following practical reference points for companies:
For further information on this topic please contact Oki Mori or Takiko Kadono at Nagashima Ohno & Tsunematsu by telephone (+81 3 6889 7000) or email (firstname.lastname@example.org or email@example.com). The Nagashima Ohno & Tsunematsu website can be accessed at www.noandt.com.
(1) For example, there were fewer than 10 formal requests to report per year prior to the PPC's establishment in 2016. However, the PPC issued 305 formal requests to report in fiscal year 2017 and 391 in fiscal year 2018. On the other hand, no more than one recommendation has been issued per year in the past few years, and no orders have been issued thus far.
(2) On 22 October 2018, together with the name of the relevant company, the PPC publicised the fact that it had issued formal guidance to a major social networking service company headquartered in a foreign country. According to the PPC:
In the guidance, the PPC instructed the company, among other things, to provide a simplified explanation to its users and to make sure to thoroughly monitor the status of application activities on its platform. The PPC said that it publicised the case in light of its social impact.
(3) However, with respect to the formal guidance issued to 37 client companies of Company X that had used its services, the PPC did not publicise the names of three companies that had not purchased the personal data in question.