Japan: Personal Data Protection Commission – Announces Interim Report of Triennial Review

16 Jul 2024 7 minute read

- Share by email
- Share on
- Twitter
- LinkedIn
- Facebook
- Google plus
- Get link
- Get QR Code
- Download
- Print

In brief

On 27 June 2024, the Personal Information Protection Commission (PPC), Japan's data protection authority, released the "Interim Report on Considerations for the Triennial Review of the Act on Protection of Personal Information" ("Interim Report"). The Interim Report summarizes discussions within the PPC on issues surrounding the Act on Protection of Personal Information (APPI) from November 2023 to June 2024. The Interim Report is in accordance with amendments made to the APPI in 2020 requiring the PPC to review the provisions of the APPI every three years.

The Interim Report has now been made available for public consultation, after which the PPC will prepare a final report with the aim of amending the APPI in 2025. In this alert, we will introduce key issues which are being discussed in the Interim Report which may have a substantial impact on businesses.

Relaxed incident reporting obligations

The Interim Report proposes relaxing the incident reporting obligations on the condition that the business has obtained the third party's confirmation on appropriate safeguards for personal data.

Currently under the APPI, when a data breach incident involving personal data has occurred or is suspected to have occurred, businesses have an obligation to report the incident to the PPC and notify the affected individuals of the incident.

Reporting obligations are triggered for incidents which affect more than 1,000 individuals and incidents which (i) involve sensitive personal information; (ii) pose as a risk of financial damages; or (iii) are caused or may have been caused by acts with wrongful purposes, regardless of the number of individuals affected.

Where a incident report needs to be submitted to the PPC, businesses must first "promptly" (within three to five days of becoming aware of the incident) submit a preliminary report. A final report is then submitted within 30 days (or 60 days if the incident is caused or may have been caused by acts with wrongful purposes).

According to the Interim Report, 84.0% of the reported cases involve only one individual whose personal data has been affected, placing an excessive burden on businesses to report breaches.

The Interim Report suggests relaxing the reporting obligations on businesses as long as they have obtained confirmation from a third party organization such as the Certified Personal Information Protection Organizations. More specifically, the Interim Report proposes to, (i) to a certain extent, provide businesses with an exemption from the obligation to file a preliminary report and (ii) allow for the submission of summary reports at regular intervals for cases where only one individual's personal data was breached.

New rules on use of biometric data

Services using biometric data have become widespread in recent years. Coupled with the development of cameras utilizing AI technology and other similar technologies, biometric data can be used to track a specific individual over a long period of time, which may pose as a high risk to the rights and interests of individuals.

As the APPI currently does not contain any special rules which focus on biometric data, the Interim Report has introduced new rules in relation to biometric data.

The Interim Report refers to "biometric data" as a code in which any certain physical characteristics are converted for use in a computer so that a person can be authenticated. The Interim Report proposes reinforcing the existing obligations to specify the purpose of use of personal information by requiring businesses to indicate what services or projects the information will be used for. In addition, the Interim Report suggests expanding the scope of the data subject's rights so that they are able to request that the processing of biometric personal data be suspended.

New rules for children's personal information

As the APPI does not currently contain any provisions in relation to the processing of information of children, the Interim Report also suggests introducing the following rules in relation to children's personal information:

Involvement of legal representative: Provide clarity either in the APPI or other relevant regulations that the consent of a legal representative should be obtained when processing children's personal information in situations where the consent of the data subject is required in principle.
Extension of the right to request suspension of processing: Provide data subjects, especially where the data subject is a child, with further flexibility to request that their personal data not be used. Currently under the APPI, data subjects can exercise the right to suspend use of personal data only in limited situations, such as when there has been an illegal act regarding the use of personal data. The Interim Report suggests expanding the scope of the APPI to include situations where children's personal data is involved. The Interim Report also suggests certain exceptions to this rule, such as when consent of a legal representative has been obtained for the collection of the child's personal data.
Strengthening the obligation to take security measures: Strengthen the obligation to take security measures with respect to children's personal data.
Responsibility rule: Add a provision which identifies points which businesses should take into consideration when processing children's personal information. An example of one of the rules suggested in the Interim Report is that special considerations shall be made in the best interests for children. Therefore, the rules to be introduced may be abstract or generic.
Clarifying age of a child: Clarify that a child is an individual who is younger than 16 years old.

Introduction of "class action" system for data privacy

The Interim Report encourages further discussion regarding introducing a "class action" system for data privacy.

In Japan, there is a legal system where an organization authorized by the government who represents the interests of a certain class of individuals can file a lawsuit against businesses to seek injunctive relief or other remedial measures for wrongful acts in violation of certain regulatory laws. However, this system is currently not available for remedies under the APPI.

The Interim Report considers extending the scope of this legal system to include some types of the rights of data subject under the APPI. Currently under the APPI, the individual has a statutory right to request businesses to cease processing of personal data in certain situations (such as transfer of personal data to third parties when there is a data breach incident triggering the reporting obligations). However, there are only a few cases where data subjects have made these requests in practice.

In light of the above, the Interim Report proposes introducing a class action system for violations of the APPI. Since there are many issues and objections in introducing the system for data privacy, the Interim Report also states that it is necessary to conduct a broad study to look at the various issues, including further assessment of the necessity of the system.

Establishment of an administrative fine system

Another issue raised by the Interim Report is the introduction of an administrative fine system under the APPI.

Unlike other jurisdictions which have data protection laws and impose administrative fines for violations of data protection laws and have actual cases where fines have been imposed on businesses, there are currently no administrative fines for violations of the APPI in Japan.

Currently under the APPI, enforcement measures of the PPC consist essentially of (i) investigations followed by the issuance of guidance or recommendations, and (ii) issuing cease and desist orders in cases where a business who has received a recommendation from the PPC fails to take measures based on the recommendations without justifiable reasons and is imminently likely to seriously infringe the rights and interests of individuals. Although there are criminal penalties for violation of this order, it is rarely enforced in practice.

The Interim Report suggests introducing an administrative fine system in order to enhance the effectiveness of the PPC's monitoring and supervision regarding compliance with the APPI. However, the Interim Report also points out the necessity to carefully address the implementation of an administration fine system and take various factors into consideration as the implementation of an administration fine system as strong opposition has been expressed at hearings by stake holders at the relevant organizations.

Impact on businesses

Based on the contents of the Interim Report, it is advisable for businesses whose processing of personal data is subject to the APPI to take the following actions:

Development of internal systems: Because the Interim Report suggests relaxing the incident report obligations of businesses based on the condition that they have obtained confirmation from a third party regarding appropriate security measures for the protection of personal data, businesses are recommended to (i) consider whether or not they will benefit from the relaxation of the incident reporting obligations by receiving third party confirmation on security measures, and (ii) if so, review their internal systems to obtain the confirmation. In addition, based on the possibility that regulations on processing of biometric data and children's personal information are likely to be enhanced, it is also recommended to review the existing internal rules on processing of personal data so that your business is ready to amend the rules to respond to the data subject's requests for suspension of processing once the APPI is amended as proposed by the Interim Report.
Watch out for progress of the amendments to APPI: Depending on the results of public comments and other future discussions, additional requirements may be placed on businesses, such as the establishment of a Japanese "class action" system for non-compliance with the APPI and an administrative fine system. It is therefore important to keep a close watch on whether or not these systems will be introduced and what kind of impact these changes will have, even before the law is actually amended, and to consider establishing an internal system to ensure compliance with the possible new rules.

Contact Information

Kensaku Takase
Partner at BakerMcKenzie
Tokyo
Read my Bio
kensaku.takase@bakermckenzie.com

Daisuke Tatsuno
Partner at BakerMcKenzie
Tokyo
Read my Bio
daisuke.tatsuno@bakermckenzie.com

Tsugihiro Okada
Partner at BakerMcKenzie
Tokyo
Read my Bio
tsugihiro.okada@bakermckenzie.com

Ayako Suga
Counsel at BakerMcKenzie
Tokyo
Read my Bio
ayako.suga@bakermckenzie.com

Ayako Nakano
Associate at BakerMcKenzie
Tokyo
Read my Bio
ayako.nakano@bakermckenzie.com

Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.