This article was written as of October 2024.

Under a supplementary provision in the Act on the Protection of Personal Information (the "APPI"), it is stipulated that a review of the APPI must be made every three years following its implementation. Accordingly, the next amendment to the APPI is due to be made in 2025. On June 27, 2024, the Personal Information Protection Commission (the "PPC"), data protection authority in Japan, released an Interim Summary (“Interim Summary”) which summarized the current direction of amendments under consideration for the APPI. Public comments on the Interim Summary were called for between June 27, 2024 and July 29, 2024, and the results of the public comments procedure were released on September 4, 2024.

The Interim Summary shows three major matters, and each of these can be subdivided into individual topics. The three major matters are (1) more substantial protection of individual rights and interests, (2) effective monitoring and supervision, and (3) support for activities regarding the utilization of data.

As for item (1), better protection of individual rights and interests, the topics flagged include (i) the necessity of additional rules for biometric data with high protection requirements, (ii) the necessity of specifying as categories the scope of applicability of the rules regarding improper use and unauthorized acquisition personal information, (iii) imposing stricter obligations for third party transfers (i.e. an enhancement of the duty of business operators who use an opt-out system), (iv) special rules regarding children’s personal information, and (v) establishing a new system for consumer organization to seek injunctive relief and indemnification for damage suffered.

As for item (2), effective monitoring and supervision, the topics mentioned include (i) the possibility of the introduction of an administrative monetary system, (ii) the necessity of enhancing rules regarding administrative recommendations and orders, (iii) the necessity to consider the rules regarding criminal penalties, including expansion the scope of direct criminal penalties, and (iv) the necessity to streamline the data breach incident reporting system (e.g. exemptions of immediate reporting obligation when the risk of infringement of rights and interests of individual is low).

As for item (3), supporting activities regarding the utilization of data, the topics covered include (i) the necessity to consider establishing additional exceptions to the consent requirement in some cases such as handling of personal information in technologies or services that underpin social infrastructures, or in cases of public health-related use in the field of medical research, (ii) the necessity to consider the implementation of a Privacy Impact Assessment or appointment of an officer responsible for the handling of personal data.

None of the topics mentioned in the Interim Summary will necessarily be included in the upcoming amendment of the APPI. For example, the implementation of a monetary penalty system is experiencing strong opposition from a number of organizations, and the PPC is carefully considering the necessity of such system.

The PPC will publish a draft of the amendments to the APPI based on the feedback it receives from the Interim Summary. The timeline for the publication of the draft and for the coming into force of the new amendments to the APPI has not yet been officially announced.