Predicting the Next Amendment of the Japanese Privacy Law
The Act on the Protection of Personal Information (“APPI”), the Japanese privacy law, was enacted in 2005, and has been amended twice in 2015 (effective May 30, 2017) and 2020 (effective April 1, 2022). Also, the Act on the Protection of Personal Information Held by Administrative Organs and Act on the Protection of Personal Information Held by Incorporated Administrative Agencies, were both abolished and integrated into the Act on the Protection of Personal Information in 2021.
The Amending Act of the 2015 amendment included a supplementary provision that the law shall be reviewed 3 years after its enforcement, which led to the 2020 amendment. The Amending Act of 2020 also includes a similar provision requiring review within 3 years after its enforcement. Based on these supplementary provisions, discussions are currently underway with the aim of revising the law in 2025.
The Personal Information Protection Commission (“PPC”) recently published an interim summary of issues (“Interim Summary”) for this review. This Interim Summary gives us a glimpse of the next amendment of the APPI.
The Interim Summary classifies the issues into the following three sections.
- Additional substantial protection of individual rights and interests
- Effective monitoring and supervision
- Appropriate forms of support for initiatives for data utilization
Additional substantial protection of individual rights and interests
Handling of personal information
The current APPI does not include direct rules on biometric data. In recent years, legislation in other countries such as the EU, California, and India has included rules to treat biometric data as sensitive data. The Interim Summary suggests the possible legislation of adding provisions to the APPI to enhance protection of biometric data, as well as providing certain remedies such as allowing individuals to request the suspension of using the biometric data, more strictly than for retained personal data.
The Interim Summary also refers to further categorization of the the provisions on prohibition of improper use (article 19) and appropriate acquisition (article 20) in the APPI. It also mentions that it is necessary to continuously examine how to apply these rules in the APPI in cases where the personal information is used for a purpose other than the intended use.
Provision to third parties - additional amendment to Opt-Out Provision
Under the current APPI, a business operator that has made filings to the PPC and disclosed certain information, can provide personal data to a third party, without the consent of the individual concerned ( “Opt-Out Provision”). However, these rules have been used by certain businesses to receive and sell directories containing personal data, which are speculated to be used in fraud cases.
The Interim Summary mentions the possibility of introducing additional measures to this Opt-Out Provision, which may include (i) imposing an obligation on businesses to specifically confirm the purpose of use and identity of the provider of personal data, and (ii) adopting measures to ensure that the individuals are aware of their right to request suspension of the provision of their personal data.
Protecting Children's Personal Information
The current APPI has no explicit provisions on the handling of children's personal information. The only reference to children’s personal information is in the PPC guidelines, which state that consent must be obtained from a legal representative in the case of children aged 12 to 15 years or younger.
Legislation in other countries such as the US, EU, UK and India already includes regulation concerning children's personal information. In addition, the handling of personal information at schools and cram schools has recently become an issue, since it has been reported that certain schools have been collecting personal information such as blood pressure, sleep time, entry and exit history to school, of a student. It also has become clear that the management of personal information has been inadequate in most cram schools.
The Interim Summary suggests legislation that clarifies the necessity of legal representative’s consent when obtaining personal information of children. It also proposes that the legal representative should be provided information on the purpose of use and be subject to notification in cases of leakage, in case the child is the principal. In addition, it mentions the possibility of expanding the children's right to request suspension of use of their personal data, and strengthening obligations concerning security control measures to businesses who deal with personal data of children.
Remedies for Individuals
The current APPI is an administrative law under the Japanese jurisdiction and does not specifically provide for the relief of individual rights. However certain legislation, such as the Consumer Contract Act and the Specified Commercial Transactions Act, includes remedies that allow qualified consumer organizations to seek injunctions. The Interim Summary indicates the possibility of adopting a similar framework to the APPI, which would allow qualified consumer organizations to seek injunction and/or damage recovery on behalf of the individuals.
Effective monitoring and supervision
Three issues have been raised in this section: (1) administrative monitoring and supervision measures, (2) criminal penalties, and (3) report of leakage, and notification to the individual.
Of the three issues, it is noteworthy that the Interim Summary mentions the possibility of introducing a surcharge system in cases of personal data leakage. However, the types of illegal activities to be covered and the method of calculating the surcharge are to be further examined and discussed.
Support for initiatives for data utilization
The Interim Summary raises the issue of (1) the use of personal data not requiring individual consent. It suggests further discussion of the possibility of (i) adopting exemptions for technologies and services considered to be beneficial to society and of high public interest, such as generative AIs, and (ii) further exemptions for research activities at medical institutions. However, it is unclear from the context of the report whether these issues will be adopted in the next amendment of the APPI.
The Interim Summary also refers to (2) the promotion of voluntary efforts in the private sector, such as the PIA (Privacy Impact Assessment) and the designation of persons responsible for the handling of personal data (e.g. DPOs) within companies.
Article provided by INPLP member: Satoshi Shono (Matsuda & Partners, Japan)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)