Clifford Chance

The PPC announced that there will be amendments to the Act on the Protection of Personal Information (APPI) in 2025, which are set to introduce significant changes to the current data protection framework.

The Personal Information Protection Committee of Japan has published an interim report following their meeting on 26 June 2024 to summarise the ongoing discussions to revisit the APPI.  Revisions are being proposed as part of the requirement to have the APPI reviewed every three years and in response to industry feedback calling for regulations that better align with practical business conditions.

Key changes to the APPI include:

Relaxed Reporting Requirements for Certified Organisations

The government plans to ease the reporting obligations to the Personal Information Protection Committee for organisations that have obtained prior certification from recognised third-party bodies such as the Japan Institute for Promotion of Digital Economy and Community (JIPDEC). For such certified organisations, the proposed amendment will shift from the immediate reporting obligation within 3 to 5 days to a more lenient timeframe, allowing to report data breaches within 30 days (or 60 days in the case of unauthorised access). This change acknowledges the undue burden that immediate reporting places on corporate activities, especially when companies putting in place robust information management systems are subject to cyberattack.

Data Use for AI Education Without Consent

In a move to foster the development of generative AI, subject to further discussions the amendment may allow organisations to use personal data for the purpose of educating generative AI without obtaining consent from the data subjects. This provision aims to balance the advancement of AI technology with personal data protection.

Enhanced Rights to Suspend the Use of Sensitive Data 

The amendments may strengthen the protection of biometric and minor's personal data by obliging companies to respond to requests to suspend the use of such data. Unlike the current framework, which allows suspension requests only in cases of illegal activity, the new provision may grant wider rights for individuals to request the deletion of their biometric or children's data more readily, even if it has not been misused.

Other Issues

There are pending decisions still to be made. The government has yet to reach a consensus on the introduction of administrative fines from misuse or collective action rights. The business community has  also expressed concerns that such measures could negatively impact corporate activities.

How we can help

Our firm is closely monitoring these developments and is prepared to assist you in understanding how these changes may affect your business operations. We will provide further updates as the final amendments are clarified. Should you have any immediate questions or require further assistance, please do not hesitate to contact us.