Japan considers stricter data protection laws following regulatory review

Japan’s Personal Information Protection Commission (PIPC) has conducted a scheduled review of the country’s data protection law. The PIPC’s report outlines how Japanese law could change over the next three years.

The PIPC envisions stricter rules and much-needed clarifications in areas such as biometrics, enforcement, and children’s data intended to bring Japan in line with other advanced economies. Here’s an overview of what the regulator recommends.

Japan’s data protection framework

The Act on the Protection of Personal Information (APPI) was passed in 2003 and has been amended several times: in 2015, 2020, and 2021.

The 2020 amendment provided that the APPI is to be reviewed by the PIPC every three years to account for international trends, technological advancements, and new industry developments.

The latest review began in November 2023. The PIPC aims to publish draft amendments to the law next year for consultation, with any changes taking effect from 2027.

Here are some highlights from the PIPC’s report (in Japanese).

Please note that this article is based on an automated translation of the PIPC’s report.

Biometric data

Unlike other major economies, such as the EU, California, China, India, Brazil, Australia, and South Korea, Japan’s APPI does not mandate specific rules on handling biometric data.

Japanese law recognizes biometric data as a type of personal identifier—but does not impose any specific obligation to obtain consent or offer an opt-out before collecting biometrics.

The PIPC is considering drawing up new regulations on the collection and use of biometric data, taking into account the needs of businesses and the privacy rights of individuals.

Use and acquisition of personal data

The APPI prohibits the improper use and acquisition of personal data, at Articles 19 and 20 respectively.

However, the PIPC sees a need for greater clarity around what constitutes improper use and acquisition, referencing recent incidents involving the publication of bankruptcy information online and the acquisition of customer information by new electricity retailers.

As such, an amendment to the APPI could clarify the rules on how to collect and use personal information.

Supervision and oversight

The APPI’s oversight regime relies heavily on guidance and recommendations from the PIPC. The authority may only issue an order after having first given a recommendation. Criminal sanctions are available under the law but are rarely used.

The PIPC is considering recommending amendments to the APPI’s enforcement provisions to introduce a new system of administrative fines, expand the scope of the law’s criminal sanctions, and allow the PIPC to issue orders without first issuing a recommendation.

Children’s data

Japanese law provides few rules on the handling of children’s data. The APPI does not define the age at which a person is considered a “child”, and businesses tend to rely on informal guidance from the PIPC. This approach differs from most other advanced economies, where children’s data is strictly protected.

As such, the PIPC will consult on new rules around the protection of children’s data. Such rules could clarify when businesses should obtain parental consent, require special protection for children’s data, and establish a “child” as a person aged under 16.

Prepare for stricter data protection law in Japan – and elsewhere

Japan is just one example of the global trend towards stricter data protection and privacy laws. Companies engaged in unethical or unlawful data processing activities may find such changes highly disruptive.

Businesses that treat personal data with respect and meet or exceed their legal obligations are in a strong position to deal with the legal and regulatory changes taking place worldwide.