JAPAN Trends and Developments Contributed by: Yasushi Kudo, Yukiko Konno and Takayuki Inukai, Nagashima Ohno & Tsunematsu
the Cyber Security Basic Act, in which both the public and private sector participate) to obtain non-public information on the latest attack trends, and such like, from the viewpoint of information gathering.

Trends in Legal Reforms and in Other Areas

Discussion on the review of the APPI

When the APPI was amended in 2020, it was decided that the regulatory regime would thenceforth be reviewed every three years. Based on this, the PPC is currently reviewing the regime, including the introduction of a surcharge system and revision of the system for demanding injunctions; and on 25 December 2024, the report of the Expert Panel was published (albeit in the form of both sides of the argument).

The report examines, with respect to both (i) violations of various conduct regulations and (ii) violations of regulations pertaining to leaks, and the like, as well as security control measures, narrowing down the cases to which the surcharge system applies. Specifically, with respect to the situation in which the surcharge system is to be applied, the report proposes the following.

With respect to (i) above:
• limiting the subject acts (situations) to violations of the following four types: restrictions on provision to third parties (Article 27, Paragraph 1); prohibition of inappropriate use (Article 19); restrictions based on the purpose of use (Article 18); and appropriate acquisition (Article 20);
• limiting the subject cases to those where the violator can be said to have failed to have been negligent in respect of taking reasonable care to prevent the violation;
• limiting the subject cases to those where individual rights and interests have been infringed or there is a concrete threat of infringement; and
• limiting the subject cases to those where a large-scale breach has occurred (specifically, where the number of data subjects involved in the breach is 1,000 or more), etc.

With respect to (ii), above:
• limiting the subject acts to cases where a large-scale leakage, or the like of personal data and the like occurs as a result of a breach of the obligation to take security control measures (specifically, cases where the number of data subjects involved in the breach is 1,000 or more);
• limiting the subject cases to those where the violator can be said to have been extremely negligent in respect of taking reasonable care to prevent violations of the obligation to take security control measures; and
• limiting the subject cases to those where individual rights and interests have been infringed or there is a concrete threat of infringement.

With respect to the method of calculation of the surcharge, the report proposes the following.

With respect to (i) above:
• the surcharge be the full amount of financial gain (or an amount exceeding the full amount of such financial gain) obtained by the violating business operator from the violation or from the use of personal information acquired through the violation.

With respect to (ii), above: