Act on the Protection of Personal Information (Japan)
Japan's APPI governs how businesses handle personal information, overseen by the independent PPC. Reforms in 2017 and 2022 broadened scope, strengthened individual rights, and added mandatory breach reporting and tighter cross-border transfer rules.
The Act on the Protection of Personal Information (APPI) is Japan's principal data protection law. It was first enacted in 2003 and substantially amended over the years. A major reform took effect on May 30, 2017, and a further amendment took effect on April 1, 2022, strengthening individual rights, breach reporting, and rules on cross-border transfers. The law is administered by the Personal Information Protection Commission (PPC), an independent authority. Japan and the EU have mutual adequacy recognition, which supports data flows between them.
The APPI applies to personal information handling business operators and emphasizes purpose specification, proper acquisition, and controls on third-party provision of personal data.
Who It Applies To
The APPI applies to personal information handling business operators that use a database of personal information for business, regardless of size. Following the 2017 reform, the previous small-business exemption was removed, so the law reaches almost all businesses. It has extraterritorial effect: foreign operators that handle the personal information of individuals in Japan in connection with supplying goods or services are covered.
Key Requirements
Operators must specify the purpose of use as clearly as possible and not use data beyond that purpose without consent. They must acquire data properly and, for sensitive personal information such as race, creed, medical history, and criminal record, generally obtain prior consent. Individuals have rights to disclosure, correction, suspension of use, and deletion, which the 2022 amendment strengthened. Provision of personal data to third parties generally requires consent, with an opt-out scheme available subject to notification to the PPC. Since 2022, operators must report serious data breaches to the PPC and notify affected individuals. Cross-border transfers require consent, transfer to a country with recognized adequacy, or a recipient that maintains equivalent standards, along with information to the data subject.
Penalties for Non-Compliance
The PPC can issue guidance, recommendations, and orders. Violating a PPC order can lead to imprisonment or fines, and corporate fines were increased by the 2020 amendment to up to JPY 100 million for certain violations. The PPC can also publicize non-compliance.
How to Comply
Specify and document the purpose of use and acquire data properly. Obtain prior consent for sensitive personal information. Build processes for disclosure, correction, and suspension requests. Manage third-party provision with consent or a compliant opt-out scheme. Establish breach reporting to the PPC and individual notification. Review cross-border transfers and apply consent or equivalent-standard safeguards with required disclosures.