Insights from the Second Japan Privacy Symposium: Global Data Protection Authorities Discuss Their 2025 Priorities, from AI, to Cross-Regulatory Collaboration

The Future of Privacy Forum (FPF) hosted the Second Japan Privacy Symposium (Symposium) in Tokyo on November 15, 2024. The Symposium brought together leading data protection authorities (DPAs) from around the world to discuss pressing issues in privacy and data governance. The Symposium featured in-depth discussions on international collaboration, artificial intelligence (AI) governance, and the evolving landscape of data protection laws.

The Symposium kickstarted the Personal Information Protection Commission of Japan’s (PPC) Japan Privacy Week, and was an official side-event of the 62nd Asia-Pacific Privacy Authorities (APPA) Forum (APPA 62). FPF is grateful for the collaboration and support from the PPC, the Japan DPO Association, and S&K Brussels.

In this blog post, we share some of the key takeaways from the Symposium. 

Japan Privacy Symposium features global privacy regulators in Tokyo

The Symposium welcomed an esteemed line-up of speakers. Commissioner Shuhei Oshima from the PPC delivered the opening keynote. In his keynote, Commissioner Oshima shared about the PPC’s regulatory priorities for 2025. These included cross-border data transfers and the Data Free Flow with Trust initiative, as well as further collaboration with the G7 DPAs and bilaterally with various international regulators. 

Following the keynote, Gabriela Zanfir-Fortuna, Vice-President for Global Privacy at FPF moderated a panel on the regulatory strategies of APAC and global DPAs in 2024 and beyond. Gabriela was joined by Philippe Dufresne, Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada, Ashkan Soltani, Executive Director of the California Privacy Protection Agency (CPPA), Dr. Nazri Kama, Commissioner, Personal Data Protection Commissioner’s Office of Malaysia (PDPD), Thienchai Na Nakorn, Chairman, Personal Data Protection Committee of Thailand (PDPC), and Josh Lee Kok Thong, Managing Director for Asia-Pacific at FPF. 

Regulators in APAC have some common priorities, such as cybersecurity and cross-border data transfers

The panel kicked off with highlights from a recent report published by FPF’s APAC office, “Regulatory Strategies of Data Protection Authorities in the Asia-Pacific Region: 2024, and Beyond”, presented by Josh. In line with similar FPF work focusing on the EU, Latin America and Africa, the report provides a comprehensive analysis of strategy documents and key regulatory actions of DPAs in 10 major jurisdictions in Asia-Pacific, as well as an overview of key trends in the region.

There are three top common priorities for APAC’s major DPAs:

1. First, cybersecurity and data breach responses, with 90% of the DPAs included in the Report prioritising this. However, jurisdictions are at various stages of implementing measures in these areas, while enforcement approaches also differ significantly.

2. Second, cross-border data transfers, which are a priority for 80% of APAC DPAs. Jurisdictions are similarly taking a diversity of approaches, from taking a leading role in international initiatives, such as the Global Cross-Border Privacy Rules (CBPR) System (for instance, Japan and Singapore), to promoting the use of standardized contractual clauses (for instance, China, Japan and Singapore).

3. Third, AI governance, with 70% of regulators prioritising this. Some have developed comprehensive policy frameworks and regulations for AI, while others have focused on issuing guidelines or addressing AI within existing regulatory structures.

Cross-regulatory and cross-border collaboration is a shared priority for regulators in APAC and beyond

During the panel discussion, one top regulatory priority surfaced was on cross-border collaboration. Commissioner Dufresne emphasized the importance of international cooperation in addressing privacy challenges. “At the OPC, we will continue to be focused on topics such as international collaboration,” he noted. Commissioner Dufresne discussed the OPC’s efforts to collaborate with domestic and international partners, including other regulators in fields such as competition, copyright, broadcasting, telecommunications, cybersecurity, and national security. “Data protection is key to so many of those things,” Commissioner Dufresne said. “It touches other regulators, so working very closely is something we’ve been discussing, including at the G7.”

Expanding regional and international collaboration was similarly a key priority for Malaysia. Commissioner Nazri noted that Malaysia’s PDPD had visited fellow regulators in the UK, EU, Japan, South Korea and Singapore. The PDPD had also just joined the APPA Forum, as well as the APEC Cross-Border Privacy Enforcement Arrangement (CPEA). Going forward, Commissioner Nazri noted that the PDPD would be “moving towards” applying for the Global Cross-Border Privacy Rules (CBPR) certification system. The PDPD is also taking steps towards meeting the EU’s adequacy requirements, with Commissioner Nazri expressing hope that Malaysia would attain EU adequacy “in the next two years.”

Similarly, Chairman Thienchai from Thailand’s PDPC noted that it had sent delegations to attend Global CBPR workshops, and that the PDPC could also be applying to be a member of the Global CBPR system soon. 

Regulators are balancing between AI innovation and risk, while managing an ever-growing pool of AI-related issues

AI remains a top concern for regulators worldwide. Commissioner Dufresne stated that ensuring the protection of privacy in the context of emerging and changing technology is a key priority for the OPC. “Certainly, generative AI and other emerging technologies like quantum computing and neurorights are changing the landscape,” he said. “We need to use innovation to protect data.”

He emphasized the importance of leveraging technology to protect privacy, noting that AI can be used as a tool against threats like deepfakes. The OPC is also looking to work with cross-regulatory partners to address issues such as synthetic media. “We’re looking to work with cross-regulatory partners in identifying specific areas and seeing what are the common areas or perhaps different areas of privacy and competition with a specific topic like synthetic media,” he explained.

California’s CPPA has also been at the forefront of rule-making and enforcement actions pertaining to AI and automated decision-making challenges. In this regard, Director Soltani observed that “there is no AI without PI (personal information).” The CPPA has thus had to develop deep expertise in AI while acting as California’s privacy regulator. Besides focusing on rule-making, the CPPA has been conducting enforcement sweeps in various sectors, starting with the connected vehicle sector. 

The task of applying data protection laws to AI and issuing relevant industry guidance is also one that Thailand’s PDPC is working on. Chairman Thienchai noted that the PDPC had “established a working group study” on how AI is impacting the protection mechanism under Thailand’s Personal Data Protection Act, with results expected in the first quarter of 2025. Thailand’s PDPC is also working to issue guidelines on the intersection of AI and the PDPA. The guidelines could state, for instance, that in using personal data to train AI systems, developers have to do so on an anonymised basis. 

Regulators continue to work on implementing updates to data protection laws to deal with new and emerging challenges

A third theme that emerged from the panel discussion was how regulators were planning to continue working on updates to their data protection laws – and implementing them – in 2025.

For California’s CPPA, Director Soltani highlighted that his agency was deeply engaged in rule-making, especially in these areas: (a) cybersecurity, where companies in California will be required to perform and submit cybersecurity assessments to the CPPA; (b) data protection impact assessments or risk assessments, where companies will be required to perform such assessments including where they deploy AI tools; and (c) automated decision-making technologies and AI. Director Soltani also highlighted the ongoing work of implementing aspects of the California Consumer Privacy Act (CCPA). For instance, with the CPPA’s Data Broker Registry, the CPPA is working on setting up a one-stop shop by January 2026, where Californians will “have the ability to go to one place and request that all of their data be deleted from all of these companies.”

For Malaysia, Commissioner Nazri provided an update on recent amendments to Malaysia’s Personal Data Protection Act (PDPA) that were passed in late-2024. “The amendment was presented to our national parliament in July this year and was officially approved on July 31,” he noted. Commissioner Nazri noted several key changes to the PDPA, including:

• A requirement to appoint a Data Protection Officer (DPO);

• A mandatory data breach notification system;

• Introducing responsibilities for data processors;

• Introducing data portability rights;

• Revising conditions for cross-border data transfers; and

• Increasing penalties for non-compliance. 

Commissioner Nazri also noted that the PDPD would be issuing 19 new documents in tranches throughout 2025. Specifically, these were nine pieces of subsidiary legislation, two circulars (or Commissioner’s Orders), seven guidelines, and one standard. Commissioner Nazri further shared that work was ongoing to re-formulate the PDPD into an independent Commissioner’s Office. 

For Thailand, while Thailand had passed its PDPA in 2021, Chairman Thienchai noted that Thailand’s PDPA contained a review requirement to update the law if necessary. Chairman Thienchai thus noted that the PDPC would be working in 2025 to introduce a proposal to amend the PDPA “to catch up with the global community.” Further, Chairman Thienchai acknowledged challenges with data breaches, especially in the public sector, and emphasized the need for coordination among agencies. “We have to coordinate with other agencies to improve the enforcement mechanism in the PDPA,” he said.

Finally, the PDPC is prioritizing cross-border data transfers. “We issued some subordinate laws related to cross-border transfers and we adopted ASEAN Model Contractual Clauses (MCCs) and also EU Standard Contractual Clauses (SCCs) in our subordinate laws,” Chairman Thienchai explained, concluding with an update that his office is “promoting ASEAN MCCs with the Thai Chamber of Commerce.”

Conclusion

The second edition of the Japan Privacy Symposium showcased the shared challenges and priorities among global data protection authorities. From AI governance to cross-regulatory collaboration and legal reforms, the Symposium highlighted the need for continued dialogue, cooperation, and information-sharing. 

Following the Symposium, FPF was also honored and privileged to have been invited to participate in speaking opportunities during the closed and public sessions of APPA 62. In particular, Gabriela moderated a session on AI governance and regulation, while Josh spoke on a panel on balancing innovation and data protection.

FPF remains committed to facilitating these important conversations and advancing the discourse on privacy and emerging technologies globally.