FOCUS: Japan Weighs Fines to Strengthen Personal Data Protection

Tokyo, Oct. 23 (Jiji Press)–The Japanese government plans to amend the law on the protection of personal information to introduce administrative fines for business operators that repeatedly commit serious violations. During the ordinary session of parliament earlier this year, the government held back from submitting a bill amid resistance from the business community. Since then, the government’s Personal Information Protection Commission has proposed easing certain regulations to facilitate corporate use of personal data, pairing these deregulatory steps with the new penalties as a single package. Amid intensifying competition in artificial intelligence development, the commission, now led by Chairman Satoru Tezuka, who took office in May, is seeking a fresh start. In a July interview with Jiji Press, Tezuka argued for introducing administrative surcharges, saying they are essential to “protect businesses that play by the rules.” These surcharges are administrative, not criminal, penalties designed to deter violations by creating a financial disincentive. In its fiscal 2024 annual report, the commission said that businesses filed a record 19,056 personal data breach cases under the personal information protection law, up about 57 pct from the previous year. In May this year, it issued its first emergency order against a so-called “roster broker” that had provided personal information to a special fraud group. Under the current framework, however, there is no mechanism to claw back profits obtained through illegal data practices, allowing malicious operators to retain their illicit gains, according to people familiar with the situation. Compared with data protection authorities in Europe and elsewhere, the commission lacks robust sanctioning powers. Introducing an administrative fines regime has therefore become a long-standing policy goal. Yet the business community protested plans to introduce administrative fines, arguing that they would “discourage companies’ use of data.” To build support, the committee suggested limiting the scope to large-scale incidents, such as personal data breaches affecting 1,000 or more people, so the fines would not be unduly burdensome. The proposal, however, did little to allay industry concerns. To break the deadlock, the commission has proposed revisiting consent requirements. Under current rules, sharing personal information with third parties generally requires an individual’s consent. Businesses contend that this requirement imposes heavy operational burdens and have voiced strong dissatisfaction with it. In response, the commission outlined a policy permitting the use of personal data without explicit consent when the use is not expected to affect individuals’ rights or interests, for example, for statistical compilation and analysis. The approach shifts to an ex post regulatory model in which companies must establish governance measures, and serious violations would trigger administrative fines. The commission’s review of consent rules reflects the rapid evolution of AI, which improves by learning from data. It warns that strict, ex ante regulations centered on individual consent could stifle data use and leave Japan at a disadvantage in the global AI race. “Japan would find itself unable to compete on the same footing as the rest of the world” Tezuka said. In June, the government’s Meeting on Digital Administrative and Fiscal Reform adopted a basic policy aimed at promoting data use across sectors including health care, education and transportation, laying the groundwork for new legislation. Tezuka, a specialist in data distribution, advocated revising the personal information protection law as part of an effort to balance stronger enforcement with greater flexibility for data utilization. “Data use and protection are the two wheels of a cart,” he said. END [Copyright The Jiji Press, Ltd.]