This form seeks to capture in summary form the enforcement jurisdiction and policies of each Participant in the APEC Cooperation Arrangement for Cross-Border Privacy Enforcement. The information will usually be posted on the relevant Participant’s website and, when available, at a central reference point maintained by the Administrator.

This form seeks to capture in summary form the enforcement jurisdiction and policies of each Participant in the APEC Cooperation Arrangement for Cross-Border Privacy Enforcement. The information will usually be posted on the relevant Participant’s website and, when available, at a central reference point maintained by the Administrator.


Privacy Enforcement Authority name: Ministry of Internal Affairs and Communications
Economy: Japan
Website address: http://www.soumu.go.jp/english/index.html
Key law(s) enforced by your authority:
Act on the Protection of Personal Information (hereunder “the Act”)
http://www.caa.go.jp/seikatsu/kojin/foreign/act.pdf別ウィンドウ
Basic Policy on the Protection of Personal Information (hereunder “the Basic Policy”)
http://www.caa.go.jp/seikatsu/kojin/foreign/basic-policy-tentver.pdf別ウィンドウ

General sectors/jurisdictions regulated by your authority:

The Ministry of Internal Affairs and Communications operates in such business areas as “Telecommunications” , “Broadcasting” , “Postal mail” and “Correspondence delivery” in Japan.


The Minister for Internal Affairs and Communications, as the competent minister for these business areas, has an enforcement jurisdiction for protecting personal information held by telecommunications carriers, entities using a personal information database, etc. of broadcasting receivers, etc. for their business, as well as postal operators, general correspondence delivery operators and specified letter delivery operators in the private sector within the framework of the Act.

Approach to investigation / resolution of enforcement matters:

The Act adopts the Competent Ministers System; namely each ministry and agency enforces entities handling personal information in each business area.

1) Enforcement power
Each ministry and agency has power of Collection of Reports (Article 32), Legal Advice (Article 33), Recommendations (Article34 (1)), and Legal Orders (Article34 (2)(3)).
Collection of Reports is enforced for implementation of the provisions of section 4 of the Act.
Recommendations are enforced when a business operator handling personal information has violated any of the provision of Article 16 to Article 18, Article 20 to Article 27, or paragraph (2) of Article 30.
Legal Orders are enforced in principle where a business operator handling personal information having received a recommendation under the provision of the preceding paragraph does not take the recommended measures without legitimate ground.

2) Processing of Complaints
A business operator handling personal information shall endeavour to handle appropriately and promptly complaints about the handling of personal information (Article 31(1)).
When an authorized personal information protection organization is requested by a person, etc. to solve a complaint about the handling of personal information by a target business operator, corresponding to the request, the organization shall give the person, etc. necessary advice, investigate the circumstances pertaining to the complaint and request the target business operator to solve the complaint promptly by notifying the target business operator of the content of the complaint (Article 42(1)).

3) Authorization
There is no authorization system for entities handling personal information.
Competent ministers authorize "authorized personal information protection organization" as the supervisory body for entities handling personal information, and The Minister for Internal Affairs and Communications authorizes 3 organizations (as of October 2011).

Prioritization policies:

The Act expects that all possible voluntary measures for the protection of personal information be taken in response to the actual conditions of each field of business, etc. by those who handle personal information (the Basic Policy 1(1) c).


Therefore, in the first, self-regulation by entities handling personal information is expected, law enforcement by each ministry and agency is placed as final means.
Concretely, in the case of big data breach or in the case greatly influences to society, enforcement by each ministry and agency is considered.

Other relevant information:

Under the Act on Access to Information Held by Administrative Organs, there are some cases information related to “Request for Assistance” is accessed by a third party.
Also , under the Act on the Protection of Personal Information Held by Administrative Organs Article 8 and 9, in some cases objects of “Request for Assistance” contain Personal Information; it may have some legal limitation for Assistance.
Furthermore, from our policy, when Privacy Enforcement Authorities in our Economy become Receiving Authority, we demand these requirements;
1) A guarantee for accept of the Request for Assistance when Privacy Enforcement Authorities in our Economy request the same kind of Assistance.
2) When the information provided by the acceptance of Request for Assistance falls under secret, a guarantee for the same level of confidentiality under the law of the Economy Requesting Authority is kept.
3) A guarantee for prohibition the information provided by the acceptance of Request for Assistance is used for purposes other than executing duties of Requesting Authority or is transmitted to third parties other than Requesting Authority without consent in advance by Receiving Authority.
4) A guarantee for prohibition of the information provided by the acceptance of Request for Assistance is used for criminal procedures by judges or courts.
5)  A guarantee for prohibition of the information provided by the acceptance of Request for Assistance is used for criminal investigation (limited the case objective clime is specified).