According to a supplementary provision of Japan's Act on the Protection of Personal Information, a review of whether to amend the APPI is conducted every three years.
Based on this provision, on 27 June, the Personal Information Protection Commission published the "Interim Summary," outlining its current thinking based on discussions and examinations to date. The Interim Summary is open for public comment until 29 July, and the final direction of the PPC will be decided based on the opinions received.
Although the official timeframe has not yet been published, it is estimated the draft law of the amended APPI would be published in 2025, taking effect in 2027.
The Interim Summary outlines important points in the PPC's review.
New regulations on biometric data
The PPC will consider establishing effective rules for handling biometric data.
Biometric data is categorized as sensitive personal information under the EU General Data Protection Regulation and the data protection regulations of some other jurisdictions.
However, it is not categorized as such under Japan's current law and no other special rules have been established for handling biometric data.
Regulations on improper use and unauthorized acquisition
Although the current law prohibits the improper use and unauthorized acquisition of personal information, the PPC will seek to specify and categorize the scope to which the regulations apply.
Specifically, the PPC will consider how to apply regulations on unlawful acquisition and improper use of personal information for purposes other than those naturally recognized considering the relationship with the data subject, and the acquisition and use of personal information beyond the scope necessary to achieve those purposes.
The PPC will also consider how to respond to the unauthorized acquisition or improper use of such
If a business illegally provides personal data to a third party, there is no obligation under current law to report to the PPC or to notify the data subject, but the commission will consider the scope of such obligations and their potential necessity.
Unlike the GDPR and similar regulations, the APPI does not require a legal basis for all processing of personal information. It does generally require obtaining data subjects' prior consent, with some exceptions: in cases where personal information is handled beyond the scope necessary to achieve the specified purpose of use, when acquiring sensitive personal information, or when providing personal data to third parties.
There are technologies and services considered to be beneficial to society and of high public interest, such as those that could become fundamental to our way of living, like generative AI. Some are considered difficult to be addressed by existing legal exceptions, so the PPC will consider them to establish exceptions based on the growing needs of society and degree of public interest.
In addition, there is a growing need for using personal information, including highly sensitive information, mainly in fields of public interest such as health and medical care, so the PPC will consider establishing exceptions to the legal provisions.
It is desirable to promote a privacy impact assessment and persons in charge of handling personal data, so the PPC will carefully consider the possibility of making these mandatory, taking into account compliance by businesses and the burden they would face.
The Interim Summary states continued consideration will be given to various issues, including profiling, clarification of concepts related to personal information and privacy-enhancing technologies, financial institutions' obligation to provide information to senders during overseas remittances, and regulations concerning genomic data.
Hiroyuki Tanaka is a partner of Mori Hamada & Matsumoto.
Kohei Shiozaki is an associate of Mori Hamada & Matsumoto.
