According to a supplementary provision of Japan's Act on the Protection of Personal Information (APPI), a review of whether to amend the APPI is conducted every three years.
Based on this provision, on 27 June, the Personal Information Protection Commission (PPC) published the "Interim Summary," outlining its current thinking based on discussions and examinations to date. The Interim Summary is open for public comment until 29 July, and the final direction of the PPC will be decided based on the opinions received.
Although the official timeframe has not yet been published, it is estimated that the draft of the amended APPI will be published in 2025 and take effect in 2027.
The Interim Summary outlines important points in the PPC's review.
New regulations on biometric data
The PPC will consider establishing effective rules for handling biometric data.
Biometric data is categorized as sensitive personal information under the EU General Data Protection Regulation and the data protection regulations of some other jurisdictions.
However, it is not categorized as such under Japan's current law and no other special rules have been established for handling biometric data.
Regulations on improper use and unauthorized acquisition
Although the current law prohibits the improper use and unauthorized acquisition of personal information, the PPC will seek to specify and categorize the scope to which the regulations apply.
Specifically, the PPC will consider how the regulations on unlawful acquisition and improper use should apply to two situations: the acquisition and use of personal information for purposes other than those that would naturally be recognized given the relationship with the data subject, and the acquisition and use of personal information beyond the scope necessary to achieve those purposes.
The PPC will also consider how to respond to the unauthorized acquisition or improper use of personally referable information.
Stricter obligations on the opt-out scheme for provision of personal data to third parties
In principle, under the APPI, operators handling personal information are required to obtain data subjects' consent before providing personal data to third parties.
However, if an operator notifies data subjects of the matters relating to opting out, or makes those matters easily accessible to them, and notifies the PPC, the operator may provide personal data to third parties without obtaining data subjects' consent.
As a countermeasure against criminal groups using personal information, such as using elderly individuals' financial information to commit fraud or other crimes, there is a demand to regulate malicious personal information list providers. Having identified cases of businesses that have filed opt-out notifications and inappropriately handled the acquisition or provision of personal information, the PPC is considering imposing stricter obligations on the opt-out scheme for provision of personal data to third parties.
Regulations regarding children's personal information
Under the current law, there are basically no explicit provisions regarding the handling of children's personal information, and the age of children is not defined in the APPI. It is only indicated in Q&A by the PPC that the specific age at which someone is considered a child can vary depending on the type of personal information involved and the nature of the business, but generally speaking, individuals aged 12 to 15 and under are considered children.
In addition to considering the vulnerability and sensitivity of children and their resulting need for protection, it is also necessary to consider the usefulness of data concerning students' education and learning.
Since major countries have established rules regarding children's personal information, and there are many enforcement examples, the PPC will deepen its examination of rules protecting children's rights and interests.
The Interim Summary specifically lists the following considerations:
- Clarify in legal provisions that consent of the legal representative should be obtained or information should be provided to that person with respect to children’s personal information in situations where the consent of or notification to the data subject is required.
- Regarding children’s retained personal data, consider allowing more flexible ex-post suspension of use compared to other retained personal data. Note that retained personal data refers to personal data that the retaining business has the authority to disclose to the data subject, correct, add to, delete, erase, suspend the use of, or suspend providing to third parties.
- Strengthen the obligation to take safety control measures with respect to children's personal data.
- The regulations shall stipulate the responsibilities of personal information handling operators, such as prioritizing the best interests of children and giving special consideration to them.
- Those under 16 years old should be identified as children.
Strengthening APPI enforcement
Currently, enforcement of the APPI primarily relies on administrative guidance and recommendations from the PPC, with formal orders being extremely rare. As a general rule, criminal penalties are only applied in cases of violation of PPC orders. Therefore, the commission is considering strengthening enforcement in four ways.
Establishing a new system of injunctive relief and restoration of damages by organizations. Since this may be an effective option, the PPC will conduct a multi-faceted review of these systems, including the need to introduce a framework, while balancing the burden on businesses and protection of individuals' rights and interests.
Under an injunctive relief system, unreasonable acts in violation of the law could be stopped by organizations, and several issues have been noted for its effective operation, including securing the necessary expertise. The PPC will nevertheless continue to consider this system, since it would diversify the means of protecting data subjects' rights and interests and complement the PPC's monitoring and supervision functions.
The PPC will carefully consider the damage restoration system. In addition to the issues with the injunctive relief system, claims for damages resulting from data breach incidents are considered extremely small individually, but massive in total, and there are problems in proving claims.
Such systems are rarely institutionalized in other areas of Japanese legislation, so introducing them for personal information protection would have a considerable impact.
Reform of recommendation and order from the PPC. Currently, the PPC must, in principle, issue a recommendation before issuing an order. While there is a system for urgent orders that can be issued without a prior recommendation, this is only for extremely exceptional cases. Expanding the situations where cessation orders can be issued without a prior recommendation is under consideration.
Additionally, it is said that the necessity of administrative measures should be considered not only for the operator handling personal information that violates the law, but also for third parties involved in violations.
Implementation of an administrative fine system. The PPC will examine the administrative fine system based on use examples under other Japanese laws and regulations, as well as international trends, while balancing the burden on businesses and protecting individuals' rights and interests. The administrative fine system has been institutionalized in several laws, including the Antimonopoly Act, and implementing a system under the APPI has been considered in the past.
If an administrative fine system is considered necessary, the PPC will specify the types of illegal acts subject to administrative fines, the method for calculating fines, the minimum fine, and the circumstances in which fines would be increased or reduced.
Considering the scope of criminal penalties. Under the APPI currently, violations directly subject to criminal penalties are quite limited. Given that there are various types of malicious cases in which personal information has been improperly handled, the PPC will examine whether the provisions that directly apply penalties to these cases do so without excess or deficiency, and will consider the scope of such penalties.
Furthermore, considering the numerous cases of fraudulent and related unauthorized acquisition of personal information, the PPC will also consider whether such acts should be included in the scope of provisions directly subject to penalties.
Streamlining the scope and details of data breach reports and data subject notifications
After reviewing data breach reports received to date, the PPC will consider streamlining the reporting scope and details as well as data subject notifications according to the risk of infringing on individuals' rights and interests.
In addition, the PPC will consider clarifying the necessary requirements for the "likelihood" that obligations regarding data breaches will arise.
If a business illegally provides personal data to a third party, there is no obligation under current law to report to the PPC or to notify the data subject, but the commission will consider the scope of such obligations and their potential necessity.
Data use that does not require data subjects' consent
Unlike the GDPR and similar regulations, the APPI does not require a legal basis for all processing of personal information. It does, however, generally require data subjects' prior consent (subject to certain exceptions) in three situations: where personal information is handled beyond the scope necessary to achieve the specified purpose of use, where sensitive personal information is acquired, and where personal data is provided to third parties.
There are technologies and services considered to be beneficial to society and of high public interest, such as generative AI, which could become fundamental to our way of living. Some of these are considered difficult to address under the existing legal exceptions, so the PPC will consider establishing new exceptions based on the growing needs of society and the degree of public interest.
In addition, there is a growing need for using personal information, including highly sensitive information, mainly in fields of public interest such as health and medical care, so the PPC will consider establishing exceptions to the legal provisions.
PIA and those in charge of handling personal data
It is considered desirable to promote privacy impact assessments and the appointment of persons in charge of handling personal data, so the PPC will carefully consider whether to make these mandatory, taking into account compliance by businesses and the burden they would face.
Other issues
The Interim Summary states continued consideration will be given to various issues, including profiling, clarification of concepts related to personal information and privacy-enhancing technologies, financial institutions' obligation to provide information to senders during overseas remittances, and regulations concerning genomic data.
Hiroyuki Tanaka is a partner of Mori Hamada & Matsumoto.
Kohei Shiozaki is an associate of Mori Hamada & Matsumoto.