In June 2024, the Personal Information Protection Commission (“PPC”), Japan’s data protection authority issued the Interim Report on Considerations for the Triennial Review of the Act on the Protection of Personal Information (“Interim Report”). The Interim Report has since gone through the public consultation process, and the PPC has conducted interviews with experts and economic/consumer organizations on a wide range of issues. The PPC has discussed what amendments should be made for each issue considering the opinions collected through the public consultation and the results of the interviews.
On 22 January 2025, the PPC published an updated proposal on how to proceed with the Triennial Review, summarizing the past discussions, the diverse perspectives on the data protection policies observed through the interviews and additional issues to be discussed in the short term. In this proposal, the PPC reframed the issues to be considered as follows:
- Rules on the involvement of data subjects in the processing of personal data
- Consent regulations considering the impact on the rights and interests of individuals
- Consent for data processing only for obtaining and using the results of general analysis that is not associated with specific individuals (e.g., statistics creation)
- Consent for data processing that is not against the will of data subjects considering the circumstances of the collection
- Requirements of “difficulty in obtaining consent” in cases where personal information is processed to protect life, body or property, or to improve public health
- Processing of personal information for academic research purposes by medical institutions
- Data breach incident response in cases where protecting the rights and interests of data subjects would not be affected even if no notification is provided to the affected data subjects
- Processing of children’s personal information
- Rules appropriately responding to risks associated with the diversification of personal data processing
- Rules on data processing companies engaged by businesses
- Rules on “personal related data”
- Rules on data related to physical characteristics (e.g., facial characteristics data)
- Rules on businesses that transfer personal data to third parties based on an opt-out arrangement to prevent personal data from being provided to malicious data brokers
- Rules to ensure the effectiveness of compliance by businesses
- Ensuring the effectiveness of the PPC’s recommendations and administrative orders
- Criminal penalties to address malicious cases
- Whether or not an administrative fine system should be introduced
- Whether or not a “class action” system for violations of the law should be introduced
- Data breach notification in cases where confirmation has been obtained regarding the system and procedures for data breach incidents, or where personal data has been illegally provided to a third party
On 5 March 2025, the PPC further released a document presenting its views on the specific directions of rules regarding the issues listed in (2) and (3) above. However, the PPC only raised issues under the current law and suggested possible regulations to address each issue. It is still uncertain what amendments to the law will ultimately be introduced.
The PPC aims to submit a bill of the amendments during the first half of 2025.
Click here to read this article, which was originally published in the 6th edition of LIR Japan.
