The Enforcement of Personal Data Protection Law in Japan

Abstract

This article examines issues regarding the administrative enforcement system of the Act on the Protection of Personal Information (APPI) in Japan. The former APPI (established in 2003) provided two regulatory mechanisms for the administrative enforcement system: (1) self-regulation business operators or accredited personal information protection organizations and (2) indirect penalty based on violations of orders. Moreover, the Amendment Act in 2015 improved the system for securing obligations, such as the establishment of the Personal Information Protection Committee (PPC), the enhancement of regulatory authority, and the implementation of a co-regulation system. However, it is pointed out that these mechanisms might still not be sufficient as a system for securing obligations because of the limited authority of PPC, the validation of the co-regulation system, and the malfunction of an indirect penalty system. This article outlines the history of the APPI focused on the administrative enforcement system and examines improvement measures and further amendments such as the introduction of the administrative monetary penalty system.