Japan’s Efforts to Enact New Data Privacy Regulations
Japan, known for its technological advancements and robust economy, has been progressively strengthening its data privacy regulations. As the digital landscape continues to evolve and data breaches become more frequent, the Japanese government recognizes the need to enhance protections for personal information. This article delves into Japan’s efforts to enact new data privacy regulations, examining the driving forces behind these initiatives, the key components of the proposed changes, and their potential impact on individuals and businesses.
Historical Context of the APPI
Japan’s journey towards stringent data privacy regulations began with the Act on the Protection of Personal Information (APPI), which was enacted in 2003. The APPI set the foundation for data privacy in Japan, establishing basic principles and requirements for the handling of personal information by businesses and government entities. Over the years, amendments have been made to the APPI to address emerging challenges and align with international standards, most notably in 2017, to comply with the European Union’s General Data Protection Regulation (GDPR).
Recent Developments
According to a supplementary provision of Japan’s Act on the Protection of Personal Information, a review of whether to amend the APPI is conducted every three years. Based on this provision, on June 27, 2024, the Personal Information Protection Commission (PIPC) published the “Interim Summary,” outlining its current thinking based on discussions and examinations to date. The Interim Summary is open for public comment until July 29, 2024, and the final direction of the PIPC will be decided based on the opinions received. Although the official timeframe has not yet been published, it is estimated that the draft law of the amended APPI would be published in 2025, taking effect in 2027.
New Regulations on Biometric Data
The PIPC will consider establishing effective rules for handling biometric data. Currently, biometric data is categorized as sensitive personal information under the EU GDPR and the data protection regulations of some other jurisdictions. However, it is not categorized as such under Japan’s current law, and no special rules have been established for handling biometric data.
Regulations on Improper Use and Unauthorized Acquisition
Although the current law prohibits the improper use and unauthorized acquisition of personal information, the PIPC seeks to specify and categorize the scope to which the regulations apply. The commission will consider how to apply the regulations on unlawful acquisition and improper use to two cases: personal information acquired or used for purposes other than those naturally recognized in light of the relationship with the data subject, and personal information acquired or used beyond the scope necessary to achieve those purposes.
Stricter Obligations on the Opt-Out Scheme
In principle, under the APPI, operators handling personal information are required to obtain data subjects’ consent before providing personal data to third parties. However, if operators notify data subjects of matters related to opting out, or make those matters easily accessible to them, and also notify the PIPC, they may provide data to third parties without obtaining data subjects’ consent. As a countermeasure against criminal groups using personal information, such as using elderly individuals’ financial information to commit fraud or other crimes, the PIPC is considering imposing stricter obligations on the opt-out scheme for the provision of personal data to third parties.
Regulations Regarding Children’s Personal Information
Under the current law, there are no explicit provisions regarding the handling of children’s personal information, and the age of children is not defined in the APPI. The PIPC will consider establishing rules to protect children’s rights and interests, including clarifying that the consent of a legal representative should be obtained for children’s personal information and strengthening safety control measures.
Strengthening APPI Enforcement
The PIPC is considering several ways to strengthen enforcement of the APPI, including:
- Establishing a new system of injunctive relief and restoration of damages.
- Reforming the recommendation and order process, allowing for more situations where cessation orders can be issued without a prior recommendation.
- Implementing an administrative fine system.
- Considering the scope of criminal penalties for violations.
Streamlining Data Breach Reports and Notifications
The PIPC will consider streamlining the reporting scope and details of data breach reports and data subject notifications according to the risk of infringing on individuals’ rights and interests. This includes clarifying the necessary requirements for the “likelihood” that obligations regarding data breaches will arise and considering the scope of obligations for illegal provision of personal data to third parties.
Data Use Without Consent
Unlike the GDPR and similar regulations, the APPI does not require a legal basis for all processing of personal information. The PIPC will consider establishing exceptions for technologies and services considered beneficial to society and of high public interest, such as generative AI and the use of personal information in health and medical care.
Privacy Impact Assessments (PIA)
The PIPC will carefully consider the possibility of making privacy impact assessments and the designation of persons in charge of handling personal data mandatory, taking into account compliance by businesses and the burden they would face.
Other Issues
The Interim Summary states that continued consideration will be given to various issues, including profiling, clarification of concepts related to personal information and privacy-enhancing technologies, financial institutions’ obligation to provide information to senders during overseas remittances, and regulations concerning genomic data.
Enhancing Consumer Trust and Global Competitiveness
Japan’s efforts to enact new data privacy regulations reflect the increasing global initiative to safeguard personal information. By addressing the handling of biometric data, strengthening enforcement mechanisms, and enhancing protections for children’s personal information, Japan aims to align with other global standards and address the evolving challenges of data protection. While these changes present compliance challenges for businesses, they also offer opportunities to enhance consumer trust and global competitiveness. As Japan continues to refine its data privacy framework, it sets an example for other nations seeking to balance innovation with privacy protection in the digital age.