JAPAN Trends and Developments Contributed by: Keiji Tonomura, Minh Thi Cao Koike, Akira Komatsu and Yuki Matsumiya, Nagashima Ohno & Tsunematsu
(3) Tightening of regulations on the transfer of personal data to third parties Article 27 paragraph 2 of the APPI provides for an “opt-out” procedure for the transfer of per - sonal data to third parties without the consent of the data subject. Since this “opt-out” system can be used by malicious name list vendors, it may be necessary to impose additional restric - tions (including a stricter duty of care to confirm that the personal data was obtained in compli - ance with the APPI). (4) Strengthening protection of children’s per - sonal information Under the APPI, children’s personal informa - tion does not receive special protection. As it is a global trend to protect children’s personal information and there are some cases where the protection of children’s personal information is at issue, special protection may be given to chil - dren’s personal information. (5) Remedies (establishment of a class action system) Although the data subject has the right to claim suspension of the processing or transfer of per - sonal information under the APPI (Article 35), such remedial measures may not be effective enough to remedy the inappropriate use of per - sonal information. In order to protect personal information more effectively, the introduction of additional remedies (such as a class action sys - tem) may be possible. (6) Introduction of administrative fines and review of recommendations and orders In addition to the criminal fines currently pro - vided for as a sanction for violation of the APPI,
the introduction of administrative fines may be possible. Also, at present, the PPC can generally issue an order only after issuing a recommenda - tion, but this principle may need to be reviewed to enable the PPC to enforce the APPI in a more timely manner. (7) Criminal punishment Currently, criminal sanctions are only imposed when a party violates the PPC’s orders. In order to enforce the APPI more effectively, considera - tion should be given to providing for criminal penalties for violations of the APPI itself. (8) Review of leakage report and notification Currently, processors of personal data may be required to make a leakage report even if the number of affected data subjects is small or regardless of whether the processor is responsi - ble for the leakage. Such leakage reporting rules may need to be reviewed to be proportionate to the level of risk associated with such leakage. (9) Possibility of using personal data without obtaining consent In order to balance the protection of an individu - al’s right to his/her personal information and the social interest of utilising personal data, it may be worth considering expanding the use of per - sonal data. In particular, it may be possible, as an exceptional rule, to use personal data without obtaining the consent of the data subject for the benefit of society. (10) Encouraging voluntary initiatives in the pri - vate sector According to the APPI, Privacy Impact Assess - ment (PIA) and the appointment of a Data Pro -
191 CHAMBERS.COM
Powered by FlippingBook