Japan: A Bill to Update Current Data Protection

Japan’s law on data privacy, Act on the Protection of Personal Information ( Act no 57 of 2003), so far has not been subject to amendment. The data protection landscape has had to flex considerably over the past 10 years to keep pace with new technologies and as such most countries have given thought to upgrading or refreshing their local data privacy statutes to ensure that individuals are still afforded protection. Given that Japan’s laws have so far gone without change, an overhaul is well overdue.

A new bill intended to plug many of the holes in the existing Act has been submitted for review. Key upgrades are the introduction of the concept of sensitive data, provisions which cover the use of anonymised data, extraterritorial reach ( i.e. the standards will follow the data and not stop at Japans border), and the introduction of data transfer agreement to legitimize transfers of data abroad.

In addition the changes to the Act itself the Bill proposes that there will be a new independent privacy regulator, the ‘Personal Information Protection Commission’. It is not yet clear on whether the provisions of the Act will be extended to all private sector businesses (currently the Act applies only to those which have databases covering 500 individuals or more).

The amendments will be introduced in three stages and it is though the main provisions won’t be law until at least 2017