Digital Policy Alert logo

Japan: Implemented increased data protection penalties in 2020 amendment to the Act on the Protection of Personal Information

Go to policy change overview
Share

Compare with different regulatory event:

Description

Implemented increased data protection penalties in 2020 amendment to the Act on the Protection of Personal Information

On 12 December 2020, the increased penalties of the amendment to the Act on the Protection of Personal Information were implemented. The Amendment contains rules on both domestic data protection and cross-border data transfers. Regarding data protection, the Amendment facilitates the cease of utilisation or deletion of personal data when there is a possibility of violating individual rights or legitimate interests of individuals. Moreover, the Act allows individuals to choose the methods of disclosure of their personal data retained by a third party and to request the disclosure of third-party transfers of their personal data. In addition, the maximum penalty for violations is raised to JPY 100,000,000. Finally, the Personal Information Protection Commission will establish Enforcement Rules for the amended Act on Protection of Personal Information. The enforcement rules will specify rules for data breach notification, data pseudonymization, cross-border data transfers and public disclosure.

Original source

Scope

Policy Area
Data governance
Policy Instrument
Data protection regulation
Regulated Economic Activity
cross-cutting
Implementation Level
national
Government Branch
legislature
Government Body
parliament

Complete timeline of this policy change

Hide details
2020-03-10
under deliberation

On 10 March 2020, the Amendment Act of the Act on the Protection of Personal Information was introd…

2020-06-05
adopted

On 5 June 2020, the amendment of the Act on the Protection of Personal Information was adopted. The…

2020-12-12
in force

On 12 December 2020, the increased penalties of the amendment to the Act on the Protection of Perso…

2021-10-01
in force

On 1 October 2021, the restriction of cases when providers may make use of an opt-out provision for…

2022-04-01
in force

On 1 April 2022, the remaining provisions of the amended Act on the Protection of Personal Informat…

Key regulatory dimensions

Regulated subjects

The businesses, government agencies or individuals affected by this policy or regulatory change.
producer / supplier
1
Type Private organisation
Economic activity cross-cutting
Category All

Policy change by business practice

The detailed activities within the scope of this policy or regulatory change.
personal data (all forms): data collection
Regulatory tool
User right to deletion of personal data
User consent: Other requirement
User right to information about third-parties, with which data has been shared
Recordkeeping requirement
User consent: Opt-in requirement
User consent: Permit user opt-out
Regulator notification requirement
Obligation to make customer data available to government agencies
User right to withdraw consent
Sanctions
Fine
Regulated subjects
1
personal data (all forms): storage (any form)
Regulatory tool
User right to deletion of personal data
User consent: Other requirement
User right to information about third-parties, with which data has been shared
Recordkeeping requirement
User consent: Opt-in requirement
User consent: Permit user opt-out
Technical standard adherence
Regulator notification requirement
Obligation to make customer data available to government agencies
Regulator reporting requirement
User right to withdraw consent
Sanctions
Fine
Regulated subjects
1
personal data (all forms): data processing
Regulatory tool
User consent: Other requirement
User right to information about third-parties, with which data has been shared
Recordkeeping requirement
User consent: Opt-in requirement
User consent: Permit user opt-out
Technical standard adherence
Regulator notification requirement
Obligation to make customer data available to government agencies
Regulator reporting requirement
User right to withdraw consent
Sanctions
Fine
Regulated subjects
1
personal data (all forms): transfer: cross-border
Regulatory tool
User consent: Other requirement
User right to information about third-parties, with which data has been shared
Recordkeeping requirement
User consent: Opt-in requirement
User consent: Permit user opt-out
Regulator notification requirement
Private code of conduct requirement
Obligation to make customer data available to government agencies
Regulator approval requirement
User right to withdraw consent
Sanctions
Fine
Regulated subjects
1
personal data: information that is publicly available: data processing
Regulatory tool
User right to information about third-parties, with which data has been shared
User consent: Opt-in requirement
User consent: Permit user opt-out
Technical standard adherence
Regulator notification requirement
Obligation to make customer data available to government agencies
User notification requirement
Sanctions
Regulated subjects
1
personal data: information that is publicly available: transfer (any destination)
Regulatory tool
User right to information about third-parties, with which data has been shared
User consent: Opt-in requirement
User consent: Permit user opt-out
Private code of conduct requirement
User right to withdraw consent
Sanctions
Regulated subjects
1

Policy change by business practice

The detailed activities within the scope of this policy or regulatory change.

personal data (all forms): data collection

personal data (all forms): storage (any form)

personal data (all forms): data processing

personal data (all forms): transfer: cross-border

personal data: information that is publicly available: data processing

personal data: information that is publicly available: transfer (any destination)