Search for:

In brief

On 27 June 2024, the Personal Information Protection Commission (PPC), Japan’s data protection authority, released the “Interim Report on Considerations for the Triennial Review of the Act on Protection of Personal Information” (“Interim Report“). The Interim Report summarizes discussions within the PPC on issues surrounding the Act on Protection of Personal Information (APPI) from November 2023 to June 2024. The Interim Report is in accordance with amendments made to the APPI in 2020 requiring the PPC to review the provisions of the APPI every three years.

The Interim Report has now been made available for public consultation, after which the PPC will prepare a final report with the aim of amending the APPI in 2025. In this alert, we will introduce key issues which are being discussed in the Interim Report which may have a substantial impact on businesses.


Relaxed incident reporting obligations

The Interim Report proposes relaxing the incident reporting obligations on the condition that the business has obtained the third party’s confirmation on appropriate safeguards for personal data.

Currently under the APPI, when a data breach incident involving personal data has occurred or is suspected to have occurred, businesses have an obligation to report the incident to the PPC and notify the affected individuals of the incident.

Reporting obligations are triggered for incidents which affect more than 1,000 individuals and incidents which (i) involve sensitive personal information; (ii) pose as a risk of financial damages; or (iii) are caused or may have been caused by acts with wrongful purposes, regardless of the number of individuals affected.

Where a incident report needs to be submitted to the PPC, businesses must first “promptly” (within three to five days of becoming aware of the incident) submit a preliminary report. A final report is then submitted within 30 days (or 60 days if the incident is caused or may have been caused by acts with wrongful purposes).

According to the Interim Report, 84.0% of the reported cases involve only one individual whose personal data has been affected, placing an excessive burden on businesses to report breaches.

The Interim Report suggests relaxing the reporting obligations on businesses as long as they have obtained confirmation from a third party organization such as the Certified Personal Information Protection Organizations. More specifically, the Interim Report proposes to, (i) to a certain extent, provide businesses with an exemption from the obligation to file a preliminary report and (ii) allow for the submission of summary reports at regular intervals for cases where only one individual’s personal data was breached.

New rules on use of biometric data

Services using biometric data have become widespread in recent years. Coupled with the development of cameras utilizing AI technology and other similar technologies, biometric data can be used to track a specific individual over a long period of time, which may pose as a high risk to the rights and interests of individuals.

As the APPI currently does not contain any special rules which focus on biometric data, the Interim Report has introduced new rules in relation to biometric data.

The Interim Report refers to “biometric data” as a code in which any certain physical characteristics are converted for use in a computer so that a person can be authenticated. The Interim Report proposes reinforcing the existing obligations to specify the purpose of use of personal information by requiring businesses to indicate what services or projects the information will be used for. In addition, the Interim Report suggests expanding the scope of the data subject’s rights so that they are able to request that the processing of biometric personal data be suspended.

New rules for children’s personal information

As the APPI does not currently contain any provisions in relation to the processing of information of children, the Interim Report also suggests introducing the following rules in relation to children’s personal information:

  • Involvement of legal representative: Provide clarity either in the APPI or other relevant regulations that the consent of a legal representative should be obtained when processing children’s personal information in situations where the consent of the data subject is required in principle.
  • Extension of the right to request suspension of processing: Provide data subjects, especially where the data subject is a child, with further flexibility to request that their personal data not be used. Currently under the APPI, data subjects can exercise the right to suspend use of personal data only in limited situations, such as when there has been an illegal act regarding the use of personal data. The Interim Report suggests expanding the scope of the APPI to include situations where children’s personal data is involved. The Interim Report also suggests certain exceptions to this rule, such as when consent of a legal representative has been obtained for the collection of the child’s personal data.
  • Strengthening the obligation to take security measures: Strengthen the obligation to take security measures with respect to children’s personal data.
  • Responsibility rule: Add a provision which identifies points which businesses should take into consideration when processing children’s personal information. An example of one of the rules suggested in the Interim Report is that special considerations shall be made in the best interests for children. Therefore, the rules to be introduced may be abstract or generic.
  • Clarifying age of a child: Clarify that a child is an individual who is younger than 16 years old.

Introduction of “class action” system for data privacy

The Interim Report encourages further discussion regarding introducing a “class action” system for data privacy.

In Japan, there is a legal system where an organization authorized by the government who represents the interests of a certain class of individuals can file a lawsuit against businesses to seek injunctive relief or other remedial measures for wrongful acts in violation of certain regulatory laws. However, this system is currently not available for remedies under the APPI.

The Interim Report considers extending the scope of this legal system to include some types of the rights of data subject under the APPI. Currently under the APPI, the individual has a statutory right to request businesses to cease processing of personal data in certain situations (such as transfer of personal data to third parties when there is a data breach incident triggering the reporting obligations). However, there are only a few cases where data subjects have made these requests in practice.

In light of the above, the Interim Report proposes introducing a class action system for violations of the APPI. Since there are many issues and objections in introducing the system for data privacy, the Interim Report also states that it is necessary to conduct a broad study to look at the various issues, including further assessment of the necessity of the system.

Establishment of an administrative fine system

Another issue raised by the Interim Report is the introduction of an administrative fine system under the APPI.

Unlike other jurisdictions which have data protection laws and impose administrative fines for violations of data protection laws and have actual cases where fines have been imposed on businesses, there are currently no administrative fines for violations of the APPI in Japan.

Currently under the APPI, enforcement measures of the PPC consist essentially of (i) investigations followed by the issuance of guidance or recommendations, and (ii) issuing cease and desist orders in cases where a business who has received a recommendation from the PPC fails to take measures based on the recommendations without justifiable reasons and is imminently likely to seriously infringe the rights and interests of individuals. Although there are criminal penalties for violation of this order, it is rarely enforced in practice.

The Interim Report suggests introducing an administrative fine system in order to enhance the effectiveness of the PPC’s monitoring and supervision regarding compliance with the APPI. However, the Interim Report also points out the necessity to carefully address the implementation of an administration fine system and take various factors into consideration as the implementation of an administration fine system as strong opposition has been expressed at hearings by stake holders at the relevant organizations.

Impact on businesses

Based on the contents of the Interim Report, it is advisable for businesses whose processing of personal data is subject to the APPI to take the following actions:

  • Development of internal systems: Because the Interim Report suggests relaxing the incident report obligations of businesses based on the condition that they have obtained confirmation from a third party regarding appropriate security measures for the protection of personal data, businesses are recommended to (i) consider whether or not they will benefit from the relaxation of the incident reporting obligations by receiving third party confirmation on security measures, and (ii) if so, review their internal systems to obtain the confirmation. In addition, based on the possibility that regulations on processing of biometric data and children’s personal information are likely to be enhanced, it is also recommended to review the existing internal rules on processing of personal data so that your business is ready to amend the rules to respond to the data subject’s requests for suspension of processing once the APPI is amended as proposed by the Interim Report.
  • Watch out for progress of the amendments to APPI: Depending on the results of public comments and other future discussions, additional requirements may be placed on businesses, such as the establishment of a Japanese “class action” system for non-compliance with the APPI and an administrative fine system. It is therefore important to keep a close watch on whether or not these systems will be introduced and what kind of impact these changes will have, even before the law is actually amended, and to consider establishing an internal system to ensure compliance with the possible new rules.
Author

Kensaku Takase is a partner in Baker McKenzie’s Tokyo office and is the Group Leader of the office's IP/IT/EC Practice Group. Mr. Takase is bilingual (Japanese and English) and focuses on intellectual property law, media law, and information technology law since 1999. He has assisted many companies in various industries with cross-border transactions in the trademark, copyright and design fields.

Author

Daisuke Tatsuno is a partner in the Firm’s Tokyo office, where he represents leading companies in various intellectual property and information technology matters. He was formerly with the San Francisco office of Baker McKenzie and worked at Warner Bros. Entertainment Inc. Mr. Tatsuno served as speaker on various seminars relating to his field and has authored various publications, including the PLC E-Commerce Practice Manual for the Practical Law Company.

Author

Tsugihiro Okada is a counsel in the Tokyo Antitrust, IP Tech groups. He is a member of the Tokyo Bar Association’s International Committee and the International Association for the Protection of Intellectual Property.

Author

Ayako Suga is a member of the Firm's IP Tech group in Tokyo. Ayako is a native Japanese speaker and is fluent in English.

Author

Ayako Nakano is an associate in the IP/ITC group of Baker McKenzie's Tokyo office. She has five years of experience working in IP and trademark portfolio management. Prior to joining the Firm, she worked in-house at a Japanese company on a trademark clearance project for one of its major brands.