The 2020 amendment to the Act on the Protection of Personal Information (“APPI”) stipulates that the APPI must be reviewed every three years, and the time for such a review has now arrived. Since the Act's enactment in 2003, major substantive amendments have been made in 2015, 2020, and 2021. For the current review, an interim report compiled by the Personal Information Protection Commission (“PPC”) was released on 27 June 2024.
The PPC released its interim report last month and is inviting public comments until 30 July 2024. As this is only an interim report, and it includes items that may have a significant impact on businesses and individuals, it is expected to be revised following further discussion.
The items addressed in the interim report are as follows:
(1) Proper handling of personal information, etc.:
Biometric data with a high need for protection (e.g. people-flow data and facial recognition images): currently, such data is generally not treated as sensitive personal information.
Prohibition of improper use: such use is not specifically categorised.
Opt-out notification system (a system that allows personal information to be provided to third parties under certain conditions, where the privacy policy has been notified to the PPC and made public, even though the data subject's consent is required in principle): the PPC is considering imposing an obligation on data controllers to confirm the purpose of use, identity, etc. of the third party to which the information is provided.
(2) Children's personal information:
Currently, the rules relating to the protection of children's personal information are not very clear. In particular, the rules on the procedures for obtaining consent need to be reviewed (e.g. consent by a legal guardian, the expansion of the right to request suspension of use, the reinforcement of security control obligations, and age criteria).
(3) Relief:
The PPC is considering introducing an injunction system and a damage restoration system (although there is strong opposition in relation to small mass-damage cases).
(1) Administrative penalties:
Administrative fines: identifying the types of activities to be covered (under the current system, profits earned from illegal activities remain in the hands of the illegal actors); establishing calculation methods and a minimum amount for fines; and expanding the scope of persons subject to administrative advice and orders.
(2) Criminal penalties
(3) Leakage reporting requirement: reporting has been mandatory since 2022, and the number of reports has increased, reaching 12,120 cases in 2023 (84% of these, i.e. 10,184 cases, involved only one affected individual). There are strong requests from relevant organisations to move to a risk-based approach. The PPC is considering exempting certain types of cases, such as the unintentional provision of information, from the prompt reporting requirement under certain conditions (instead, summary reporting at regular intervals would be permissible). The illegal provision of information to third parties may also be covered.
(1) Considering uses of data that do not require consent (e.g. the use of highly sensitive data in areas of high public interest such as health and medicine, and the use of generative AI as social infrastructure).
(2) Other private sector initiatives: carefully considering whether to mandate Privacy Impact Assessments (PIA) and Data Protection Officers (DPO). Also considering support for voluntary data governance based on practical considerations.
(3) Considering the role of profiling and the obligation of financial institutions to provide information when transferring funds abroad, etc.
The above has been compiled based on the views of researchers, legal experts, and practitioners, but is still to be finalised. It is expected that the practices of other jurisdictions, particularly in areas covered by the GDPR, will be taken into account in light of Japan's unique circumstances.
Authored by Hiroto Imai and Mizue Kakiuchi.