
MONOLITH LAW MAGAZINE


What Are the Key Points of the Revised Personal Information Protection Act in Reiwa 6 (2024)? Explaining the Changes and Measures You Should Know


In April 2024 (Reiwa 6), the revised Japanese Personal Information Protection Act Enforcement Regulations will come into effect. This amendment expands the scope of obligations to report to the Personal Information Protection Commission and to notify the individual concerned in the event of a data breach.

The main focus of this amendment is to address recent issues surrounding personal information, such as web skimming.

However, accurately understanding the amendments and responding appropriately requires specialized knowledge, and many may find themselves unsure of the necessary actions their company should take. This article will explain the key points of the Reiwa 6 (2024) amendment and the measures to be taken.

Overview of the Amendments to the Japanese Personal Information Protection Act in Reiwa 6 (2024)

Key changes in the Japanese Personal Information Protection Act, amended in Reiwa 6 (2024), include the expansion of the scope of obligations to report and notify in the event of a leak, and to take safety management measures, now covering certain “personal information.”

Under the previous regulations, only “personal data” was subject to obligations such as reporting in the event of a leak, and “personal information” was not included.

The amendments are detailed in Article 7, Paragraph 3 of the Japanese Personal Information Protection Act Enforcement Regulations and the “Japanese Personal Information Protection Act Guidelines (General Rules)”[ja].

Changes in the Handling of Certain Personal Information

| Obligation | Amended Law | Before Amendment |
|---|---|---|
| Obligation to Report Leaks, etc. | Required (in certain cases) | Not Required |
| Obligation to Take Safety Management Measures | Required (in certain cases) | Not Required |

We will explain the specific regulatory content and changes in detail below.

Regulated Entities Under the Previous Personal Information Protection Law


To understand the content of the amended law, it is essential to have an accurate understanding of the regulations before the amendment. Here, we will explain the definitions and contents of the regulations that were established before the amendment.

The Difference Between Personal Information and Personal Data

Under the Japanese Personal Information Protection Law, “personal information” and “personal data” are considered separately as objects of protection.

“Personal information” refers to information related to an individual who is alive, and it is information that can identify a specific individual through descriptions such as name and date of birth. This is defined in Article 2, Paragraph 1, Item 1 of the Japanese Personal Information Protection Law.

Related article: Amendments to the Japanese Personal Information Protection Law in Reiwa 4 (2022) Introducing ‘Pseudonymously Processed Information’ to Promote Data Utilization[ja]

On the other hand, “personal data” refers to personal information that constitutes a personal information database, etc., as stipulated in Article 16, Paragraph 1 of the Japanese Personal Information Protection Law.

For example, when creating an attendee list for an event, the information such as names and addresses sent by the registrants is referred to as “personal information.” The database created by compiling each registrant’s personal information into a spreadsheet, for instance, is a “personal information database.” The individual pieces of information that make up this database are considered “personal data.”

It is important to understand that under the Japanese Personal Information Protection Law, the regulatory content significantly changes depending on whether the subject of protection is “personal information” or “personal data.”

Obligations for Reporting and Notification of Data Breaches

The Japanese Personal Information Protection Law mandates that in the event of a data breach, personal information handlers are required to report to the Personal Information Protection Commission and notify the individuals affected.

(Reporting of Data Breaches, etc.)
Article 26: Personal information handlers must report to the Personal Information Protection Commission in accordance with the rules set by the Personal Information Protection Commission when a situation related to the security of personal data they handle, such as leakage, loss, destruction, or other significant risks to the rights and interests of individuals, occurs. However, this does not apply if the personal information handler has been entrusted with all or part of the handling of the personal data by another personal information handler or administrative body, and has notified the other personal information handler or administrative body of the situation in accordance with the rules set by the Personal Information Protection Commission.
2. In the case specified in the preceding paragraph, personal information handlers (excluding those who have made notifications under the provisions of the proviso of the same paragraph) must notify the individual concerned of the situation in accordance with the rules set by the Personal Information Protection Commission. However, this does not apply when it is difficult to notify the individual and alternative measures necessary to protect the rights and interests of the individual are taken.

Law Concerning the Protection of Personal Information | e-Gov Law Search[ja]

The obligation to report and notify does not arise in all cases of data breaches. It is limited to the following four cases as specified in Article 7 of the Enforcement Regulations of the Japanese Personal Information Protection Law:

  1. Leakage of personal data containing sensitive personal information (e.g., results of an employee’s health examination)
  2. Leakage of personal data that may result in financial damage due to unauthorized use (e.g., credit card numbers)
  3. Leakage of personal data that may have been conducted with malicious intent
  4. Leakage affecting more than 1,000 individuals

This revision has modified the content of Article 7, Paragraph 3 of the regulations.

What Are Security Control Measures?

The Personal Information Protection Act obligates businesses handling personal data to take necessary and appropriate measures to prevent data breaches and ensure its safe management.

(Security Control Measures)
Article 23: Businesses handling personal data must take necessary and appropriate measures to prevent the leakage, loss, or damage of personal data and to ensure its safe management.

Personal Information Protection Act | e-Gov Law Search[ja]

Examples of such measures include access control, training for employees, and the establishment of regulations.

Regulations Before the Amendment

Prior to the amendment, the obligation to report leaks and the obligation to take safety management measures applied only to “personal data.” No such obligations arose for businesses when a leak or similar incident involved “personal information” that had not yet become personal data.

However, the recent amendment has expanded the scope of the reporting/notification obligations and the requirement to establish safety management measures to include certain “personal information”.

Purpose and Objectives of the Amendments to the Japanese Personal Information Protection Act Enforcement Regulations


The recent amendments primarily focus on countermeasures against web skimming. Web skimming is an attack method that involves installing malicious programs on e-commerce sites to steal personal information.

Specifically, this involves directly obtaining passwords and credit card information that users enter into input forms on the webpage.

The characteristic issue with web skimming is that the information entered by users is stolen directly, before it is incorporated into the e-commerce site operator’s personal information database or similar. In this scenario, what is stolen is “personal information” before it has become “personal data.”

Prior to the amendment, the obligation to report leaks was only applicable to ‘personal data.’ Therefore, even if damage occurred due to web skimming, e-commerce site operators were not obligated to report it.

The purpose of this amendment is to include information leaks caused by web skimming within the scope of reportable incidents, thereby expanding the scope of leak reporting and safety management measures to include ‘personal information.’

Amendments to the Personal Information Protection Law Enforcement Regulations in 2024 (Reiwa 6)

Expansion of the Scope of Obligations for Reporting Leaks, etc.

The Enforcement Regulations of the Personal Information Protection Law, Article 7, Paragraph 3, has been amended as follows.

Article 7, Paragraph 3 (Amended Law):
The situation specified by the Personal Information Protection Commission rules under Article 26, Paragraph 1 is one where there is a risk of significant harm to the rights and interests of individuals due to acts against the personal information handler (including personal information that the personal information handler has acquired or is attempting to acquire and that is expected to be treated as personal data) that are likely to be carried out with fraudulent intent, resulting in or likely to result in a leak of personal data, etc.

Article 7, Paragraph 3 (Before Amendment):
The situation specified by the Personal Information Protection Commission rules under Article 26, Paragraph 1 is one where there is a risk of significant harm to the rights and interests of individuals due to a leak of personal data, etc., that is likely to be carried out with fraudulent intent.
Personal Information Protection Law Enforcement Regulations | e-Gov Law Search[ja]

“Personal information handlers” include subcontractors and providers of personal information handling services.

Furthermore, whether the personal information that the personal information handler is attempting to acquire falls under this category is to be objectively determined, taking into account the means of acquiring the personal information (Guidelines General Provisions 3-5-3-1).

Thus, one of the major changes in the 2024 (Reiwa 6) amendment is the expansion of the scope of reporting and notification obligations to include “personal information” in certain cases.

Expansion of the Scope of Safety Management Measures

With the amendment of the regulations on the obligation to report leaks, etc., the description in the General Provisions of the Personal Information Protection Law Guidelines 3-4-2 has also been changed.

The safety management measures that businesses are required to take now include necessary and appropriate measures to prevent leaks, etc., of personal information (personal information that the personal information handler has acquired or is attempting to acquire) that is intended to be treated as personal data.

The scope of safety management measures has also been expanded to include not only “personal data” but also “personal information” in certain cases.

Reference: Personal Information Protection Commission | Guidelines on the Personal Information Protection Law (Effective April 1, 2024 (Reiwa 6)) (General Provisions)

Measures to Take Following the Enforcement of the Revised Japanese Personal Information Protection Act


The measures that should be taken in response to the enforcement of the Revised Japanese Personal Information Protection Act in 2024 (Reiwa 6) are as follows:

  • Revise the privacy policy
  • Revise and disseminate internal regulations

Let’s take a closer look at each.

Revise the Privacy Policy

Personal information handlers must ensure that safety management measures for retained personal data are accessible to the individual concerned. This includes being able to respond promptly upon request (Article 32, Paragraph 1, Item 4 of the Japanese Personal Information Protection Act).

Businesses that have addressed this by including safety management measures for retained personal data in their privacy policy need to be cautious. It is necessary to revise the privacy policy to include certain personal information under the safety management measures.

Revise and Disseminate Internal Regulations

With the revision, the obligation to report and notify in the event of a leak of certain personal information has arisen, and this must be reflected in internal regulations and made known to employees.

The instances of personal information leakage that now require reporting are not limited to web skimming.

For example, suppose a personal information handler sends a customer a reply envelope with a tampered address, and the personal information filled out on the questionnaire inside the envelope ends up in the hands of a third party. If this personal information was intended to be handled as personal data, it would result in an obligation to report and notify of the information leakage.

Since the handling of certain personal information that previously did not trigger obligations has changed, employees must be cautioned accordingly.

Summary: Consult Experts for Compliance with the Amendments to the Personal Information Protection Law

The 2024 (Reiwa 6) amendments to the Japanese Personal Information Protection Law have expanded the scope of reporting/notification obligations and safety management measures in the event of a leak, with a focus on countermeasures against web skimming. While previously only “personal data” was targeted, now “personal information” is also included under certain circumstances.

Due to these amendments, it is necessary to take measures such as revising privacy policies and internal regulations.

When handling personal information, incorrect measures can lead to significant risks, such as the loss of social credibility. It is advisable to consult with a lawyer when addressing these issues.

Guidance on Measures by Our Firm

Monolith Law Office is a legal office with extensive experience in both IT, especially the internet, and law. Recently, the leakage of personal information has become a significant issue. In the event that personal information is leaked, it can have a fatal impact on corporate activities. Our firm possesses specialized knowledge in preventing information leakage and in taking countermeasures. Details are provided in the article below.

Areas of practice at Monolith Law Office: Japanese Personal Information Protection Law-related legal services[ja]

Editor in Chief and Managing Attorney: Toki Kawase

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies and has served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage startups.
