Commentary on the "Policy for Institutional Reform of the Act on the Protection of Personal Information (the So-called 3-Yearly Review)" (January 9, 2026)
2026.03.25
The Personal Information Protection Commission (“PPC”) has been conducting a "so-called 3-yearly review"[1] of the Act on the Protection of Personal Information[2] (the "APPI" or the "Act"), based on the provisions of Article 10 of the Supplementary Provisions of the 2020 Amendment Act, since November 2023. However, since the publication of the "Approach to Institutional Issues of the Act on the Protection of Personal Information (March 5, 2025)" [3] (the "Approach") and the comments received thereon, the progress of the 3-yearly review by the PPC had not been formally disclosed. Recently, after a 10-month interval, the PPC published the "Policy for Institutional Reform regarding the So-called 3-Yearly Review of the Act on the Protection of Personal Information (January 9, 2026)" [4] (the "Current Policy"), clarifying the policy for the next amendment of the APPI.
The Current Policy has been compiled based on the discussions of the 3-yearly reviews to date, the "Basic Policy on the Modalities of Systems for Data Utilization (Cabinet Decision of June 13, 2025)" [5] (the "Basic Policy"), and various related government decisions [6]. It aims for deepening discussions between the PPC and relevant parties, in coordination with government-wide initiatives, with the objective of the early submission of an amendment bill to the APPI (Current Policy, p. 1).
Although the Current Policy does not explicitly state the timing for submitting the amendment bill to the Diet, the Basic Policy stated an aim to "submit the bill to the next ordinary session of the Diet" (Basic Policy, p. 21). Furthermore, as Prime Minister Takaichi has given instructions [7] to proceed with the submission to the 2026 ordinary session of the Diet in mind, it is expected that the amendment bill will be submitted to the ordinary session of the Diet in 2026. The 2026 ordinary session of the Diet is scheduled to be held from January 23 to June 21 of the same year. If the amendment bill to the APPI is passed during this session, it will become the 2026 Amended Act on the Protection of Personal Information.
The Current Policy designates four pillars for the APPI amendment bill: "Promotion of Proper Data Utilization," "Rules Appropriately Responding to Risks," "Prevention of Improper Utilization" and "Rules for Ensuring Effectiveness of Compliance," and intends to accelerate deliberations toward their realization (Current Policy, p. 1). Based on these four pillars, the Current Policy primarily outlines reform policies for the following 12 items:
| Pillar | Reform Item |
| --- | --- |
| Promotion of Proper Data Utilization | (i) Exemption from the obligation to obtain consent when utilized solely for the creation of statistical information* |
| Rules Appropriately Responding to Risks | (iii) Clarification and tightening of regulations regarding children's personal information* |
| Prevention of Improper Utilization, etc. | (vii) Strengthening of regulations on information that enables approaching specific individuals* |
| Rules for Ensuring Effectiveness of Compliance | (ix) Introduction of flexibility in the exercise of advisory and mandatory orders |
* For items marked with "*", it is stated that the purpose of the amendment is also applicable to rules concerning the public sector and regulations will be developed accordingly.
In this article, we explain the reform policies for the APPI shown in the Current Policy regarding the 12 items above. Please note that the following explanation focuses on the reform policies for the private sector rules.
[1] Article 10 of the Supplementary Provisions states: "The Government shall, every three years after this Act comes into effect, examine the status of enforcement of the new Act on the Protection of Personal Information, taking into consideration international trends regarding the protection of personal information, progress in information and communication technology, and the associated status of creation and development of new industries utilizing personal information, and shall take necessary measures based on the results thereof when it finds it necessary."
[2] Act on the Protection of Personal Information (Act No. 57 of 2003)
https://elaws.e-gov.go.jp/document?lawid=415AC0000000057
[3] Personal Information Protection Commission, "Approach to Institutional Issues of the Act on the Protection of Personal Information" (March 5, 2025)
https://www.ppc.go.jp/files/pdf/seidotekikadainitaisurukangaekatanitsuite_250305.pdf
[4] Personal Information Protection Commission, "Policy for Institutional Reform regarding the So-called 3-Yearly Review of the Act on the Protection of Personal Information" (January 9, 2026)
https://www.ppc.go.jp/files/pdf/01-1_seidokaiseihousin.pdf
[5] Digital Administrative and Fiscal Reform Council, "Basic Policy on the Modalities of Systems for Data Utilization" (Cabinet Decision of June 13, 2025)
https://www.cas.go.jp/jp/seisaku/digital_gyozaikaikaku/pdf/data_houshin_honbun.pdf
[6] Reference 2 of the Current Policy (pp. 9–11)
[7] Prime Minister's Official Residence Website, "Digital Administrative and Fiscal Reform Council" (December 24, 2025)
https://www.kantei.go.jp/jp/104/actions/202512/24digitalgyouzaisei.html?utm_source=chatgpt.com
Exemption from the Obligation to Obtain Consent when Utilized Solely for the Creation of Statistical Information
Under the current Act, even when personal data is used solely for the creation of statistical information, obtaining consent is, in principle, required for the third-party provision of personal data and the acquisition of special care-required personal information (Articles 27, 28 and 20(2) of the Act). In this regard, the "Approach" pointed out that there is an increasing need for multiple businesses to share and cross-analyze data to create statistical information, and that the creation and use of statistical information from which the correspondence with a specific individual has been eliminated poses little risk of infringing on an individual's rights and interests. Therefore, it was proposed that third-party provision of personal data, etc., and acquisition of publicly available special care-required personal information, without the person's consent, should be possible, on the condition that it is guaranteed that the information will be used only for the creation of such statistical information, etc. (Approach, pp. 1–2).
In the Current Policy, based on the discussions to date, a policy has been described to render a person's consent unnecessary for the third-party provision of personal data, etc., and the acquisition of publicly available special care-required personal information, on the condition that it is guaranteed that the information will be used only for the creation of statistical information (including AI development, etc., that can be organized as statistical creation) (Current Policy, pp. 1-2). Specific details of the said conditions are not shown in the Current Policy, but it is expected that they will be limited to those specified by the Personal Information Protection Commission Rules (the "PPC Rules") as having little risk of harming an individual's rights and interests (Current Policy, p. 2). As the following points were mentioned at the time of the "Approach," it is expected that such rules will also be stipulated in the Rules of the Commission (Approach, pp. 1–2):
| Scope of exemption from the obligation to obtain consent | Conditions for making consent unnecessary |
| --- | --- |
| Provision of personal data, etc. to a third party without the individual's consent | (i) Public announcement of certain matters (e.g., names of the provider and the recipient, contents of the statistical creation, etc. to be conducted) by the provider and the recipient of the personal data, etc.; (ii) Written agreement between the provider and the recipient stating that the provision is solely for the purpose of statistical creation, etc.; (iii) Prohibition of use for unspecified purposes and of provision to third parties by the recipient |
| Acquisition of publicly available special care-required personal information without the individual's consent | (i) Public announcement of certain matters (e.g., name of the acquirer, contents of the statistical creation, etc. to be conducted, or the fact that the purpose is to provide the personal data, etc. to a third party without the individual's consent based on the above rules) by the party acquiring the publicly available special care-required personal information; (ii) Prohibition of use for unspecified purposes and of provision to third parties by the acquirer (excluding the said third-party provision in cases where the purpose is to conduct third-party provision of personal data, etc. without the individual's consent based on the above rules) |
Relaxation of Requirements for Exception Provisions Related to Obtaining Consent
Regarding the exceptions in the Act to the obligation to obtain consent (Articles 18, 20(2), 27 and 28 of the Act), the Current Policy outlines the following reform points:
(1) New Exception for Handling where it is Clear that Individual Rights are not Harmed
Under the current Act, there is no provision that exempts the need for consent in cases where it is clear that individual rights and interests are not harmed based on the circumstances of acquisition. The Current Policy proposes eliminating the need for consent in such cases (Current Policy, p. 2). The "Approach" suggested typical examples such as cases where a name is provided to a hotel for a reservation via a booking site, or cases where sender information is provided to a bank for overseas remittance (Approach, p. 2).
(2) Relaxation of the "Difficulty in Obtaining Consent" Requirement
Under the current Act, as exceptions to the obligation to obtain consent, the following cases are stipulated: "cases in which there is a need to protect the life, body, or property of an individual and it is difficult to obtain the consent of the individual" and "cases in which there is a special need to enhance public hygiene or promote the sound nurturing of children and it is difficult to obtain the consent of the individual" (Articles 18(2)(ii) and (iii), 20(2)(ii) and (iii) and 27(1)(ii) and (iii) of the Act).
The Current Policy indicates a plan to relax the "difficulty of obtaining consent" requirement in cases where personal information is handled for the protection of life, etc., or the enhancement of public hygiene, etc. (Current Policy, p. 2). While the Current Policy does not specify the exact nature of this relaxation, the "Approach" previously proposed that the exception to the obligation to obtain consent should be applicable not only "when it is difficult to obtain the consent of the individual" but also "when there are other reasonable grounds for not obtaining the consent of the individual" (Approach, pp. 2–3). The Approach introduces specific examples, such as cases where there is no risk of unreasonable infringement of the individual's rights and interests because necessary and appropriate measures to prevent infringement of the individual's privacy (such as the deletion of names, etc., and the conclusion of confidentiality agreements with recipients) have been taken (Approach, p. 3). It is expected that this policy will be maintained in the amendment bill of the APPI.
(3) Clarification that "Academic Research Institutions" include Medical Providers
Under the current Act, "Academic Research Institutions, etc." refers to universities or other institutions or organizations aimed at academic research, or persons belonging thereto (Article 16(8) of the Act). Therefore, it is considered that institutions or organizations aimed at providing medical care are not necessarily included. Regarding this point, the "Approach" pointed out the fact that in medical and life science research, the analysis of clinical cases concerning the diagnostic and treatment methods being researched is indispensable, and research activities are widely conducted by institutions or organizations aimed at providing medical care, such as hospitals (Approach, p. 3).
The Current Policy indicates a plan to explicitly state that institutions or organizations aimed at providing medical care are included in "Academic Research Institutions, etc.," which are the subjects of the exception provisions related to academic research (Current Policy, p. 2). At the time of the Approach, it was mentioned that hospitals and other institutions aimed at providing medical care (e.g., clinics) are expected to be included (Approach, p. 3), and it is anticipated that this policy will be maintained in the amendment bill of the APPI.
Clarification and Tightening of Regulations Regarding Children's Personal Information
Under the current Act, there are no specific provisions on the age of a child for the purposes of obtaining consent concerning their personal information. However, the PPC Q&A [8] suggests obtaining consent from legal representatives for children aged 12 to 15. The Current Policy proposes the following:
- Codification of the rule that if the individual is under 16 years of age, the legal representative of said individual shall be the subject of obtaining consent and providing notifications (Current Policy, p. 2). Although not explicitly mentioned in the Current Policy, the "Approach" pointed out that it is necessary to exceptionally allow obtaining consent from or providing notifications to the individual in cases where: (i) the business operator has a justifiable reason for not knowing that the individual is under 16 years of age; (ii) the legal representative has permitted the individual to conduct business, and the business operator has acquired personal information regarding said business; or (iii) the individual has no legal representative, or there are reasonable grounds for the business operator to believe so (Approach, p. 4). It is expected that this policy will be maintained in the amendment bill of the APPI.
- Relaxation of the requirements for requesting the cessation of use or erasure (“cessation of use, etc.,”) of retained personal data of an individual under 16 years of age (Current Policy, p. 2). Similarly, while not mentioned in the Current Policy, the Approach suggested a system where a request for cessation of use, etc., can be exceptionally refused in cases such as: (i) where the retained personal data was acquired with the consent of the legal representative; (ii) where it falls under the same exceptions as those for the acquisition of special care-required personal information; (iii) where fraudulent means were used to lead the business operator to believe the individual was 16 years of age or older; or (iv) where the legal representative has permitted the individual to conduct business, and the business operator has acquired the retained personal data regarding said business (Approach, p. 4). It is expected that this policy will be maintained in the amendment bill of the APPI.
- Establishment of a duty provision stating that the best interests of the individual must be considered with priority regarding the handling of personal information, etc., of minors (Current Policy, p. 2). Similarly, while not mentioned in the Current Policy, the Approach proposed duty provisions stating that: (i) business operators handling the personal information, etc., of minors must endeavor to take necessary measures, considering the best interests of said minors with priority according to their age and degree of development, so as not to harm their development or rights and interests; and (ii) legal representatives must consider the best interests of the individual with priority when giving consent, etc., regarding the handling of personal information (Approach, p. 4). It is expected that this policy will be maintained in the amendment bill of the APPI.
[8] Personal Information Protection Commission, "Q&A regarding 'Guidelines on the Act on the Protection of Personal Information'" (July 1, 2025) No. 1-62
https://www.ppc.go.jp/personalinfo/faq/APPI_QA/#q1-62
Establishment of New Rules Regarding Facial Recognition Data
Under the current Act, while face feature data may fall under the category of "individual identification codes" (Article 2(2) of the Act; Article 1(1)(b) of the Enforcement Order of the Act), no specific requirements unique to face feature data are stipulated. Regarding this point, the "Approach" pointed out that, amidst the expanding use of biometric technologies such as camera systems with facial recognition functions, face feature data - which, among biometric data, can be easily acquired (and thus in large quantities) without the individual's knowledge, and possesses high uniqueness and immutability, meaning its effect of identifying a specific individual continues semi-permanently - has the characteristic of being more categorically linked to the infringement of the individual's privacy, etc., compared to other types of biometric data (Approach, p. 6).
The Current Policy indicates the following amendment policies regarding face feature data, etc.
- Mandating the public announcement of certain matters regarding the handling of face feature data, etc. (Current Policy, p. 2). While the Current Policy does not specify the "certain matters" subject to this obligation, the "Approach" proposed that the following be subject to public announcement: (i) the name, address, and name of the representative of the personal information handling business operator handling the face feature data, etc.; (ii) the fact that face feature data, etc. is handled; (iii) the purpose of use of the face feature data, etc.; (iv) the content of the physical characteristics that are the source of the face feature data, etc.; and (v) the procedures for responding to requests for cessation of use, etc. (Approach, p. 6). Furthermore, as grounds for exceptions to the obligation of public announcement, the following were proposed: (1) cases where there is a risk of harming the rights and interests of the individual or a third party through public announcement; (2) cases where there is a risk of harming the rights or legitimate interests of the said personal information handling business operator through public announcement; and (3) cases where it is necessary to cooperate with the performance of affairs by a national government agency or a local government, and there is a risk that public announcement would impede the performance of said affairs (Approach, p. 6). It is expected that these policies will be maintained in the amendment bill of the APPI.
- Relaxing the requirements for requesting the cessation of use, etc. of face feature data, etc. (Current Policy, p. 2). Similarly, while not mentioned in the Current Policy, the Approach suggested that the following could be exception grounds for refusing a request for cessation of use, etc.: (i) cases where the face feature data, etc. was created or acquired with the individual's consent; and (ii) cases where the situation falls under the same type of exception requirements as those for the acquisition of special care-required personal information (Approach, p. 7). It is expected that this policy will be maintained in the amendment bill of the APPI.
- Prohibiting the third-party provision of face feature data, etc. based on the opt-out system (Current Policy, p. 2).
Establishment of rules for entrusted business operators
Under the current Act, it is stipulated that when entrusting the handling of personal data, the business operator that provides the entrustment must conduct necessary and appropriate supervision over the entrusted business operator (e.g., data processors) (Article 25 of the Act). However, other than that, no provisions unique to entrusted business operators are stipulated, and the general rules for personal information handling business operators are applied. Regarding this point, the "Approach" proposed examining the structure of rules for entrusted business operators, considering that cases of substantially depending on third parties for the handling of personal data are expanding due to the progress of DX (digital transformation) among personal information handling business operators (Approach, p. 5).
The Current Policy indicates a plan to review the obligations related to the proper handling of entrusted personal data, etc. for business operators that have been entrusted with data processing, etc. (Current Policy, p. 2). Specifically, regarding the rules for entrusted business operators, the policy indicates a plan to newly establish the following obligations and exemptions:
- Codifying the obligation of the entrusted party not to handle personal data, etc., entrusted to it beyond the scope necessary for performing the entrusted business (Current Policy, p. 5). However, the entrusted party will be exceptionally allowed to use the data based on its own judgment in cases based on laws and regulations, or when there is an urgent need to respond to emergency situations such as the rescue of human life or disaster relief.
- In cases where the entrusted party itself does not determine the method of handling (e.g., when the entrusted party only mechanically handles personal data, etc., in a manner instructed by the entrustor), if the entrustment contract includes an agreement on all methods of handling and an agreement on necessary measures for the entrustor to understand the status of handling at the entrusted party (e.g., that the entrusted party shall promptly report to the entrustor upon learning that a leakage, etc., has occurred), the application of each obligation provision under Chapter 4 of the APPI to said entrusted party shall, in principle, be exempted (Current Policy, p. 5). In such cases, only the following provisions - which do not presuppose the existence of authority to determine the handling method - will apply to the entrusted party: (i) the obligation not to handle data beyond the scope necessary for performing the entrusted business, and (ii) obligations regarding security control measures.
Relaxation of the Obligation to Notify Individuals in the Event of a Leakage
Under the current Act, when a personal information handling business operator is under an obligation to report a leakage, loss or damage (“leakage, etc.”) to the regulator, it also bears the obligation to notify the individual, except in cases where notification to the individual is difficult and alternative measures have been taken (Article 26(2) of the Act).
The Current Policy indicates a plan to relax the obligation to notify the individual upon the occurrence of a leakage, etc., in cases where there is little risk of there being insufficient protection for the individual’s rights and interests (Current Policy, p. 2). While the specific details of "cases where there is little risk of there being insufficient protection for the individual’s rights and interests" are not shown in the Current Policy, the "Approach" cited examples such as cases where only information that has almost no meaning on its own to the acquirer of the affected information is leaked, such as a service user’s internal identifier (ID) (Approach, p. 3). It is anticipated that this policy will be maintained in the amendment bill of the APPI or the Rules of the Commission.
Strengthening of Regulations on Information that Enables Approaching Specific Individuals
Under the current Act, the prohibition of improper use and the prohibition of acquisition by deceit or other improper means are stipulated for personal information (Articles 19 and 20(1) of the Act). However, they are not stipulated for personally referable information, pseudonymously processed information, and anonymously processed information. Regarding this point, the "Approach" pointed out that information including telephone numbers, email addresses and Cookie IDs, which are descriptions that allow for contacting a specific individual, may result in the infringement of the individual's rights and interests such as privacy and property rights through such contact, even if said information does not fall under the category of personal information. Furthermore, it was noted that there is a risk that privacy may be infringed, or that the infringement of the individual's rights and interests through the aforementioned contact may become more serious, where information including highly confidential descriptions is consolidated using said descriptions as a medium (Approach, p. 5).
The Current Policy indicates a plan to prohibit the improper use and acquisition by deceit or other improper means of personally referable information, etc., that enables approaching a specific individual (Current Policy, p. 2). While the Current Policy does not explain the specific details of "personally referable information, etc." referred to here, the Approach proposed targeting personally referable information, pseudonymously processed information, and anonymously processed information that includes the following descriptions (limited to those that can be used to contact a specific individual) (Approach, pp. 5–6), and it is expected that this policy will be maintained in the amendment bill of the APPI:
(i) Location of a specific individual (residence, workplace, etc.)
(ii) Telephone number
(iii) Email address
(iv) Cookie ID, etc.
Mandating Verification of Recipient Identities and the Purpose of Use under the Opt-out System
Under the current Act, when providing personal data to a third party based on the opt-out system, there is no obligation to verify the identity of the recipient or their purpose of use (Article 27(2) of the Act). Regarding this point, the "Approach" pointed out that, amidst the recent worsening of the so-called "dark list" problem, cases have occurred where "list brokers" (meiboya), who are business operators that have submitted opt-out notifications, provided lists while being aware that the recipients were malicious list brokers (who resell lists even to those engaged in acts violating the law). It was noted that personal data provided based on the opt-out system currently serves as one of the information sources for creating these "dark lists" (Approach, p. 7).
The Current Policy indicates a plan to mandate the verification of the identity of the recipient and their purpose of use when providing data to a third party based on the opt-out system (Current Policy, p. 2). Although not mentioned in the Current Policy, the Approach proposed that the aforementioned verification obligation should exceptionally not apply in cases where the personal data had already been made public by the individual, a national government agency, a local government, etc., at the time the opt-out notifying business operator acquired said personal data (Approach, pp. 7–8). It is anticipated that this policy will be maintained in the amendment bill of the APPI.
Introduction of Flexibility in the Exercise of Advisory and Mandatory Orders
Under the current Act, an urgent mandatory order that does not require being preceded by an advisory order can be issued only "when it is found that there is a need to take urgent measures because there is a fact that significantly harms an individual's rights and interests" (Article 148(3) of the Act). Furthermore, what can be required by an advisory order is "to cease the act of violation and take other necessary measures to rectify the violation" (Article 148(1) of the Act), and advisory orders are not structured to allow for demanding proactive measures to make the fact of problematic handling known (e.g., notification to the individual or public announcement).
The Current Policy indicates a plan to amend the following points from the perspective of making the exercise of advisory and mandatory orders more flexible:
- Reviewing the requirements for orders so that the rectification of a violation can be demanded promptly (Current Policy, p. 2). While the specific details of the review are not explained in the Current Policy, the "Approach" proposed that, in addition to cases where the fact that an individual's significant rights and interests are being infringed by a violation has already occurred as stipulated under the current Act, the amended Act should allow for issuing an order in cases where: (i) said infringement is imminent; or (ii) even if it is not deemed imminent, there is a risk of said infringement and the violation remains unrectified despite the chance for voluntary rectification through an advisory order having been provided (Approach, p. 8). It is expected that this policy will be maintained in the amendment bill of the APPI.
- Allowing for advisory and mandatory orders to take necessary measures for the protection of an individual's rights and interests, such as notification of the facts regarding the violation to the individual or public announcement thereof (Current Policy, p. 2).
Statutory Measures Against Third Parties Who Assist in Infringing Acts
Under the current Act, an order can be issued only against a personal information handling business operator that has violated the mandatory provisions of the APPI (Articles 148(2) and (3) of the Act). It is not possible to order a third party involved in said act of violation to suspend the provision of services to said personal information handling business operator, nor is there a statutory basis for a voluntary request.
The Current Policy indicates a plan to establish a statutory basis for requesting third parties that assist, etc. in an act of violation to take necessary measures, etc. to cease said act of violation (Current Policy, p. 2). While the Current Policy does not explain what types of entities are envisioned as third parties involved in an act of violation, the "Approach" mentioned: (i) business operators providing cloud services for storing personal information, etc.; (ii) hosting business operators of servers for making personal information public; and (iii) hosting business operators of DNS servers that convert the domain names of said servers into IP addresses, etc. (Approach, pp. 9–10). It is expected that this policy will be maintained in the amendment bill of the APPI. Furthermore, the Approach proposed limiting the liability for damages of such third parties relating to said personal information handling business operators, etc. in cases where the third parties comply with the aforementioned request (Approach, p. 10), and it is anticipated that this policy will be maintained in the APPI amendment bill as well.
Strengthening and Expansion of Penal Provisions
Under the current Act, penalties for the unauthorized provision of personal information databases apply only when the act is performed with the "intent to seek improper profits," and do not cover cases where the act is performed with the "intent to cause harm" (Articles 179 and 180 of the Act). Regarding this point, the "Approach" pointed out that there is no difference in the degree of harm to an individual's rights and interests between provision with the intent to seek improper profits and provision with the intent to cause harm (Approach, p. 10).
Furthermore, under the current Act, the penalties for the unauthorized provision of personal information databases apply to the acts of provision or theft, and do not target the acquisition itself. Regarding this point, the "Approach" pointed out that personal information acquired improperly is highly likely to be used inappropriately, and therefore, acts of acquiring personal information through means that impair the management of those who hold the personal information, such as fraud or unauthorized access, should be subject to direct penalties (Approach, p. 10).
From the perspective of strengthening and expanding penal provisions, the Current Policy outlines the following reform policies:
- Including provision with the intent to cause harm within the scope of penalties for the unauthorized provision of personal information databases and increasing statutory penalties (Current Policy, p. 3).
- Establishing penalties for the act of improperly acquiring personal information through fraud or other deceptive means (Current Policy, p. 3).
Introduction of an Administrative Fine System
Under the current Act, monetary sanctions for violations of the APPI are limited to fines as criminal penalties, and surcharges (i.e., administrative monetary penalties) as administrative sanctions cannot be imposed. Regarding this point, the "Approach" pointed out that surcharges are imposed flexibly as administrative measures and are introduced with the aim of deterring violations by reducing the economic incentives for such acts. It was also noted that they play an important role in law enforcement in today’s market economy, which leans toward a post-check model (Approach, p. 10). Regarding the surcharge system, from the perspective of conducting careful discussions, it was deliberated at the "Study Group on the So-called 3-Yearly Review of the Act on the Protection of Personal Information" starting in July 2024, and a report [9] was compiled at the end of December of the same year.
The Current Policy indicates a plan to order the payment of a surcharge equivalent to the amount of property benefits, etc., obtained through said violation in cases where an individual’s rights and interests have been infringed by a serious violation, in order to effectively deter malicious violations involving the handling of large amounts of personal information with economic incentives (Current Policy, p. 3).
(1) Targeted Acts
It is stated that a surcharge payment order shall apply when money, etc., is obtained as consideration for any of the following acts or for ceasing said acts (Current Policy, p. 6):
- Provision of personal information to a third party in a situation where it is expected that said third party will use the personal information to conduct illegal acts or unfair discriminatory treatment.
- Use of personal information conducted at the request of a third party in a situation where it is expected that said third party will conduct illegal acts or unfair discriminatory treatment through the use of said personal information.
- Acts of acquiring personal information by deceit or other improper means in violation of the provisions of Article 20(1) of the APPI, and using said personal information.
- Acts of providing personal data to a third party without obtaining the individual's prior consent, in violation of the provisions of Article 27(1) of the APPI.
- Acts of handling personal information acquired based on special provisions for statistical creation, etc., for unspecified purposes in violation of the obligations related to said special provisions, or providing such information to a third party, etc.
(2) Application Conditions
An act shall be subject to a surcharge payment order only if all of the following application conditions are met (Current Policy, p. 6):
- Due Care (Subjective Element): It is not recognized that the personal information handling business operator did not fail to exercise due care to prevent the targeted act.
- Large-scale Case: The number of individuals whose personal information or personal data is involved in the targeted act exceeds 1,000.
- Infringement of Rights and Interests: It does not fall under a case where the degree of harm to an individual’s rights and interests is not significant.
(3) Surcharge Amount
The amount of the surcharge shall be an amount equivalent to the property benefits, such as money, obtained by the personal information handling business operator as consideration for the targeted act or for ceasing the targeted act (Current Policy, p. 6).
[9] Study Group on the So-called 3-Yearly Review of the Act on the Protection of Personal Information, "Report of the Study Group on the So-called 3-Yearly Review of the Act on the Protection of Personal Information" (December 25, 2024)
https://www.ppc.go.jp/files/pdf/minaoshi_kentokaihoukokusho_r6.pdf