Alignment of Personal Information Protection Laws in Japan

Japan first adopted the Act on the Protection of Personal Information (APPI) in 2003, when it was one of the first data protection regulations in Asia. It received a major overhaul in September 2015 after a series of high profile data breaches. The amended APPI came into force on in May 2017, one year ahead of the EU’s General Data Protection Regulation.

In early March 2020, the Cabinet Secretariat presented a high-level plan to review the personal information protection legislation. The Supplementary Provision #12 of the 2015 amendment requires the government to establish information protection regulation, and to consider unified provisions. Section 7 of the System Revision Charter enacted in December 2019 requires a review of the APPI every three years and explicitly demands a unification of legislation as it relates to administrative organs, independent administrative agencies, etc. and the private sector.

The high-level plan presented foresees an Administrative Review, supported by a Council of Experts. The objective is to submit a revised bill to the Diet for enactment during 2021.

Administrative Review

The Administrative Review will be conducted through a working-level Task Force reporting into an Executive Committee. The Task Force was constituted in December 2019, is expected to submit interim findings for public comment around summer, and issue their final report by year-end 2020.

Task Force on Review of Personal Information Protection System

The Task Force has been established in the Cabinet Secretariat to study how the legal system for the private sector, administrative organs, and independent administrative agencies, etc. should be unified (aggregation and unification of regulations), and how the administrative system should be post-implementation.

Members: Deputy Secretary-General of the Cabinet Secretariat (in charge of domestic affairs), Deputy Director-General of the Cabinet Secretariat Information and Communication Technology (IT) Deputy Chief of Strategy (Deputy Government CIO), Cabinet Deputy Officer (with Deputy Secretary-General of the Cabinet Secretariat), Cabinet Secretariat Information and Communication Technology (IT) Comprehensive Strategy Counselor of the Office, Secretary-General of the Personal Information Protection Committee, Director of Administrative Affairs Bureau, Ministry of Internal Affairs and Communications

Executive Committee on Review of Personal Information Protection System

Members: Deputy Cabinet Secretary, Deputy Secretary of the Cabinet Secretary, Counselor at the Information and Communication Technology (IT) Comprehensive Strategy Office, Deputy Secretary-General of the Personal Information Protection Committee, Deputy Secretary-General of the Minister of Internal Affairs and Communications (+ Executives of relevant ministries and agencies according to the agenda)

Expert Council

The Expert Council will independently examine how the legal system for the private sector, administrative organs, and independent administrative agencies, etc. should be unified (aggregation and unification of regulations), and how the administrative system should be post-implementation.

The Expert Council will be hosted by the Cabinet Secretariat with the cooperation of the Personal Information Protection Commission and the Ministry of Internal Affairs and Communications. It will be constituted by March 2020, will contribute to the interim findings, and then consider the public comments to factor into the final report.

Members: Administrative law scholar, information law scholar, academic background in each field, etc.

Execution Plan

The three laws, the Personal Information Protection Law, the Administrative Agency Personal Information Protection Law, and the Independent Administrative Agency and other Personal Information Protection Laws, are to be combined into a single law, with the premise that the Personal Information Protection Commission is centrally responsible. The appropriate administrative system for this needs to be designed.

While doing so, the imbalances and inconsistencies caused by the silos of the existing legislation will be corrected as much as possible, with the only constraint in terms of time is that the revised bill will be submitted to the Diet during 2021. Some examples of differing legislation are as follows:

• The definition of “personal information” differs between the private and public sectors
• National, private and municipal hospitals have different legal rules regarding data distribution
• Exceptions for academic research differ between national and private universities

If you found value in this article, please “clap” (up to 50 times).

This article is part of our Tokyo FinTech Publication, please follow us to read more from our writers, like hundreds of readers do every day.

Should you live in Tokyo, or just pass through, please also join our Tokyo FinTech Meetup. In any case, our LinkedIn page, Facebook page and our Instagram account are there for you as well.