On June 27, 2024, Japan’s Personal Information Protection Commission (PPC) published the “Interim Report on Considerations for the Triennial Review of the Act on Protection of Personal Information” (APPI). This interim report, covering discussions held between November 2023 and June 2024, is part of the PPC’s ongoing review of the APPI, as required by amendments made to the law in 2020. The review, conducted every three years, aims to evaluate the effectiveness of the APPI and consider potential amendments.
The Interim Report is currently available for public consultation. Following this consultation, the PPC will prepare a final report with the goal of introducing changes to the APPI by 2025. The report outlines several key issues that may have significant implications for businesses.
Key Proposals in the Interim Report
1. Relaxed Incident Reporting Obligations The Interim Report suggests easing the incident reporting requirements for businesses under certain conditions. Currently, businesses must report personal data breaches to the PPC and notify affected individuals when more than 1,000 individuals are impacted, or when sensitive personal information is involved. The report proposes allowing businesses to avoid submitting a preliminary report if they have obtained third-party confirmation of appropriate security measures, such as certification from recognized data protection organizations. Additionally, businesses may be permitted to submit summary reports at regular intervals for incidents involving only one affected individual.
2. New Rules on the Use of Biometric Data With the growing use of biometric data, the Interim Report proposes new guidelines to address the risks associated with its use. These include strengthening obligations for businesses to clarify the purpose of using biometric data and expanding the rights of individuals to request suspension of processing in certain cases. The report emphasizes the potential risks of using biometric data to track individuals over time, particularly with advances in AI technology.
3. Rules on Processing Children’s Personal Information The Interim Report also introduces proposals for handling children’s personal data, an area not currently addressed by the APPI. Key suggestions include:
- Requiring the consent of a legal representative when processing children’s data.
- Expanding the right for individuals (or their legal representatives) to request suspension of data processing.
- Strengthening security measures for children’s personal data.
- Providing clearer guidelines on the age of a child, proposing that individuals under the age of 16 be considered children for the purposes of data protection.
4. Introduction of a Class Action System for Data Privacy The Interim Report explores the possibility of introducing a class action system for violations of data privacy laws under the APPI. This system would allow organizations to represent groups of individuals and seek legal remedies on their behalf. Currently, such a system does not exist for data protection violations in Japan, though there is ongoing debate about its necessity and potential challenges.
5. Consideration of an Administrative Fine System Another key proposal in the Interim Report is the establishment of an administrative fine system for violations of the APPI. This would align Japan with other jurisdictions that impose fines for data protection breaches. While the PPC currently issues guidance or cease and desist orders for non-compliance, no administrative fines are currently imposed for APPI violations. The report highlights the need for careful consideration of how such a system would be implemented, taking into account various stakeholder concerns.
Implications for Businesses
Businesses that process personal data under the APPI should consider the following actions based on the Interim Report:
- Review Internal Systems: Businesses may need to assess whether they can benefit from relaxed incident reporting requirements by obtaining third-party confirmation of security measures. They should also review their procedures for handling biometric data and children’s personal information, as the proposed amendments could require changes to internal rules and processes.
- Monitor Progress of APPI Amendments: Businesses should stay informed about the progress of the public consultation and further discussions on the proposed changes to the APPI. Potential amendments, such as the introduction of a class action system or administrative fines, could have significant operational impacts. It is advisable for businesses to prepare for compliance with these potential new requirements.
The PPC will continue to review feedback from the public consultation and finalize the proposed amendments, with the goal of implementing changes to the APPI in 2025.
Catch the latest supply chain news at The Supply Chain Report. Learn more about international trade at ADAMftd.com with free tools.
#JapanDataProtection #PersonalDataPrivacy #DataProtectionCommission #TriennialReview #PrivacyRegulations #CyberSecurity #DataGovernance
