News
Predicting the Next Amendment of the Japanese Privacy Law
The Personal Information Protection Commission recently publishes an interim summary of issues for the next amendment of the Japanese Privacy Law.
The Act on the Protection of Personal Information (“APPI”), the Japanese privacy law, was enacted in 2005, and has been amended twice in 2015 (effective May 30, 2017) and 2020 (effective April 1, 2022). Also, the Act on the Protection of Personal Information Held by Administrative Organs and Act on the Protection of Personal Information Held by Incorporated Administrative Agencies, were both abolished and integrated into the Act on the Protection of Personal Information in 2021.
The Amending Act of the 2015 amendment included a supplementary provision that the law shall be reviewed 3 years after its enforcement, which led to the 2020 amendment. The Amending Act of 2020 also includes a similar provision requiring review within 3 years after its enforcement. Based on these supplementary provisions, discussions are currently underway with the aim of revising the law in 2025.
The Personal Information Protection Commission (“PPC”) recently published an interim summary of issues (“Interim Summary”) for this review. This Interim Summary gives us a glimpse of the next amendment of the APPI.
The Interim Summary classifies the issues into the following three sections.
- Additional substantial protection of individual rights and interests
- Effective monitoring and supervision
- Appropriate forms of support for initiatives for data utilization
Additional substantial protection of individual rights and interests
Handling of personal information
The current APPI does not include direct rules on biometric data. In recent years, legislation in other countries such as the EU, California, and India has included rules to treat biometric data as sensitive data. The Interim Summary suggests the possible legislation of adding provisions to the APPI to enhance protection of biometric data, as well as providing certain remedies such as allowing individuals to request the suspension of using the biometric data, more strictly than for retained personal data.
The Interim Summary also refers to further categorization of the the provisions on prohibition of improper use (article 19) and appropriate acquisition (article 20) in the APPI. It also mentions that it is necessary to continuously examine how to apply these rules in the APPI in cases where the personal information is used for a purpose other than the intended use.
Provision to third parties - additional amendment to Opt-Out Provision
Under the current APPI, a business operator that has made filings to the PPC and disclosed certain information, can provide personal data to a third party, without the consent of the individual concerned ( “Opt-Out Provision”). However, these rules have been used by certain businesses to receive and sell directories containing personal data, which are speculated to be used in fraud cases.
The Interim Summary mentions the possibility of introducing additional measures to this Opt-Out Provision, which may include (i) imposing an obligation on businesses to specifically confirm the purpose of use and identity of the provider of personal data, and (ii) adopting measures to ensure that the individuals are aware of their right to request suspension of the provision of their personal data.
Protecting Children's Personal Information
The current APPI has no explicit provisions on the handling of children's personal information. The only reference to children’s personal information is in the PPC guidelines, which state that consent must be obtained from a legal representative in the case of children aged 12 to 15 years or younger.
Legislation in other countries such as the US, EU, UK and India already includes regulation concerning children's personal information. In addition, the handling of personal information at schools and cram schools has recently become an issue, since it has been reported that certain schools have been collecting personal information such as blood pressure, sleep time, entry and exit history to school, of a student. It also has become clear that the management of personal information has been inadequate in most cram schools.
The Interim Summary suggests legislation that clarifies the necessity of legal representative’s consent when obtaining personal information of children. It also proposes that the legal representative should be provided information on the purpose of use and be subject to notification in cases of leakage, in case the child is the principal. In addition, it mentions the possibility of expanding the children's right to request suspension of use of their personal data, and strengthening obligations concerning security control measures to businesses who deal with personal data of children.
Remedies for Individuals
The current APPI is an administrative law under the Japanese jurisdiction and does not specifically provide for the relief of individual rights. However certain legislation, such as the Consumer Contract Act and the Specified Commercial Transactions Act, includes remedies that allow qualified consumer organizations to seek injunctions. The Interim Summary indicates the possibility of adopting a similar framework to the APPI, which would allow qualified consumer organizations to seek injunction and/or damage recovery on behalf of the individuals.
Effective monitoring and supervision
Three issues have been raised in this section: (1) administrative monitoring and supervision measures, (2) criminal penalties, and (3) report of leakage, and notification to the individual.
Of the three issues, it is noteworthy that the Interim Summary mentions the possibility of introducing a surcharge system in cases of personal data leakage. However, the types of illegal activities to be covered and the method of calculating the surcharge are to be further examined and discussed.
Support for initiatives for data utilization
The Interim Summary raises the issue of (1) the use of personal data not requiring individual consent. It suggests further discussion of the possibility of (i) adopting exemptions for technologies and services considered to be beneficial to society and of high public interest, such as generative AIs, and (ii) further exemptions for research activities at medical institutions. However, it is unclear from the context of the report whether these issues will be adopted in the next amendment of the APPI.
The Interim Summary also refers to (2) the promotion of voluntary efforts in the private sector, such as the PIA (Privacy Impact Assessment) and the designation of persons responsible for the handling of personal data (e.g. DPOs) within companies.
Article provided by INPLP member: Satoshi Shono (Matsuda & Partners, Japan)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
News Archiv
- Alle zeigen
- September 2024
- August 2024
- Juli 2024
- Juni 2024
- Mai 2024
- April 2024
- März 2024
- Februar 2024
- Jänner 2024
- Dezember 2023
- November 2023
- Oktober 2023
- September 2023
- August 2023
- Juli 2023
- Juni 2023
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010