Regulators and Enforcement Priorities
Jump to
Regulators and Enforcement Priorities Start Comparison
Is there a data privacy and security regulator in the jurisdiction?

[Last updated: 24 January 2020]


The Personal Information Protection Commission (“PPC”)

How active is the regulator?

[Last updated: 24 January 2020]

☐ Not very     ☒ Moderately active     ☐ Very active


What were the key enforcement activities and priorities in the past 18 months?

[Last reviewed: 31 March 2022]

The latest report on the enforcement activities issued by the PPC states that there were four cases of onsite investigations, 198 cases of the PPC issuing guidance/advice notices to business owners on handling personal information, and 357 cases of information submission requests relating to the handling of personal information from 1 April 2020 to 31 March 2021.

In August 2019, the PPC issued a corrective recommendation to a Japanese company, which disclosed personal information of approximately 8,000 job applicants to the companies to which the applicants submitted a job application, showing the "likelihood of resignation in three years" based on an AI analysis of the job applicants' behavior, without the job applicants' consent. This is the first issuance of a corrective recommendation by the PPC.

Further, in July 2020, the PPC issued the first formal order against two entities, which disclosed a database of bankruptcy information without authorization.

In April 2021, the PPC issued an administrative advice to a messaging app provider which allowed software engineers at a foreign entity affiliated with the app provider to have access to the personal information of the app users.

What enforcement priorities are anticipated for the near future?

[Last updated: 24 January 2020]

The PPC has not published its enforcement priorities.