Japan APPI: Personal Information Protection Compliance

Complete guide to Japan's Act on Protection of Personal Information (APPI) 2022 amendments covering obligations, data subject rights, cross-border transfers, and PPC enforcement.

ECOSIRE Research and Development Team
March 19, 2026 · 12 min read · 2.6k words

Part of our Compliance & Regulation series



Japan's Act on the Protection of Personal Information (APPI — 個人情報の保護に関する法律) is one of Asia's most comprehensive data protection frameworks. Significantly amended by the 2020 amendment act (in force since April 1, 2022) and subject to a statutory review every three years, APPI has progressively converged with global data protection standards while retaining uniquely Japanese regulatory approaches.

The amendments in force since April 2022 introduced a broader right to request suspension of use and deletion, mandatory disclosure of information before consent-based cross-border transfers, rules for pseudonymously processed information, mandatory breach reporting, and enhanced enforcement with corporate fines of up to ¥100 million (about $660,000 USD) for violating a PPC order. Japan's Personal Information Protection Commission (PPC) has become increasingly active, issuing guidance, conducting investigations, and taking enforcement action against major domestic and foreign businesses.

Key Takeaways

  • APPI applies to business operators handling personal information in Japan; extraterritorial application covers overseas operators collecting data of persons in Japan
  • Personal information handling rules cover collection, use, third-party provision, and security management
  • Special care-required personal information (sensitive data) requires explicit prior consent for collection
  • Cross-border transfers are restricted: provision to a third party overseas is permitted only with the individual's informed consent, to a country designated as having an equivalent protection system, or to a recipient that has established equivalent measures
  • New 2022 provisions: right to request deletion/suspension, mandatory opt-out notification for third-party provision by opt-out, pseudonymous processing rules
  • The PPC has broad investigation powers and can issue business suspension orders
  • Japan and the EU have mutual adequacy decisions — APPI-compliant entities can transfer to/from the EU under streamlined rules
  • APPI undergoes mandatory review every three years — next review cycle will further align with global standards

APPI Framework and Scope

Territorial Application

APPI applies to:

  • Business operators in Japan handling personal information
  • Overseas operators handling personal information of persons in Japan in connection with supplying goods or services to them (extraterritorial application, introduced by the 2015 amendment and strengthened by the amendments in force since April 2022 so that PPC reporting requests, inspections and orders, not only guidance, reach overseas operators)

The extraterritorial application is significant: overseas companies with Japanese users are now directly subject to APPI without having a Japanese legal entity. The PPC can issue orders to overseas operators and provide information to foreign authorities.

Who is a "Personal Information Handling Business Operator"?

Any person who uses a database of personal information for business purposes. Previously, operators handling data of fewer than 5,000 individuals were exempt — the 2015 amendment eliminated this small-operator exemption. All businesses using personal information databases for commercial purposes are now covered.

Key categories:

  • Personal information (個人情報): Information about a living individual that can identify them by name, date of birth, or other description; includes unique identifiers (My Number, passport number, driver's licence number, biometric data)
  • Personal data (個人データ): Personal information comprising a database
  • Retained personal data (保有個人データ): Personal data over which the operator has authority to disclose, correct, add to, delete, stop use, eliminate, or stop third-party provision

Core APPI Obligations

Specification of Purposes of Use

Article 17 requires business operators to specify the purposes of use of personal information as specifically as possible, and Article 21 requires the operator to notify the individual of, or publicly announce, that purpose promptly after acquisition unless it was announced in advance. In practice the purpose must be:

  • Published in advance (typically in the privacy policy)
  • Or notified to the individual, or publicly announced, promptly after acquisition
  • Or, where personal information is acquired directly from the individual in writing (including web forms), stated clearly before it is acquired

Purpose limitation: Personal information must not be used beyond the specified purposes without the individual's consent.

Collection Restrictions

Personal information must be collected through fair and proper means. Specific restrictions:

  • Cannot acquire personal information by deception or other improper means
  • For direct written collection, state the purpose of use clearly on the form
  • Use within the specified purpose; change of purpose requires notification or consent

Special care-required personal information (要配慮個人情報): Collection requires the individual's prior consent (Article 20(2)), subject to narrow exceptions such as a legal requirement or information the individual has made public. The categories are:

  • Race
  • Creed (religion or beliefs)
  • Social status (formal status distinctions that could lead to discrimination)
  • Medical history
  • Criminal record
  • Status as a victim of a crime
  • By cabinet order: physical or mental disability, results of medical examinations (including genetic tests), medical care or treatment received, being a suspect or defendant in criminal proceedings, and being subject to juvenile protection proceedings

Security Management Measures

Article 23 requires business operators to take necessary and appropriate measures for the secure management of personal data to prevent leakage, loss, or damage. PPC guidelines specify, in addition to a basic policy and internal handling rules, the following categories of measures:

  1. Organisational measures: assigning a responsible person; defining handling rules and reporting lines; keeping track of handling status; procedures for responding to leakage and reviewing controls
  2. Personnel measures: training employees; confidentiality obligations in employment agreements
  3. Physical measures: controlling entry to areas where personal data is handled; managing devices and media; preventing theft or loss; deleting data securely when equipment is disposed of
  4. Technical measures: access control; authentication of users; protection against malware and unauthorised access from outside; monitoring of information systems
  5. Understanding the external environment: where personal data is handled in a foreign country, knowing that country's personal information protection system and taking it into account in the measures above

Restriction on Third-Party Provision

Article 27 restricts provision of personal data to third parties without the individual's prior consent. Exceptions:

  • Required by law
  • Protection of human life, body, or property where consent cannot be obtained
  • Improving public health where consent cannot be obtained
  • Cooperating with national or local government entities
  • Opt-out basis: third-party provision without consent is permitted if the operator files the required notification with the PPC, publishes the matters prescribed by PPC rules, and gives individuals the opportunity to opt out. Opt-out is not available for special care-required personal information, for data acquired by improper means, or for data the operator itself received under an opt-out

Third-party provision to overseas entities: Subject to additional requirements (see Cross-Border Transfers section).


Individual Rights

The 2022 amendments significantly expanded individual rights:

All requests concerning retained personal data must be answered without delay; APPI sets no fixed calendar-day period (see below):

  • Disclosure (Article 33): disclosure of retained personal data, including the records of third-party provision the operator keeps; since April 2022 the individual may ask for disclosure by electronic means
  • Correction (Article 34): correction, addition, or deletion of content that is inaccurate
  • Suspension of use (Article 35): stop using the data where it is used beyond the purpose of use, was acquired improperly, is no longer needed, was the subject of a reportable leak, or where its handling is likely to harm the individual's rights or legitimate interests
  • Erasure (Article 35): delete the data on the same grounds, where suspension alone would not resolve the problem
  • Suspension of third-party provision (Article 35): stop provision to third parties where it lacks a lawful basis or on the harm grounds above
  • Disclosure of third-party provision records (Article 33): disclosure of the provision and receipt records kept under Articles 29 and 30

Complaint handling: Business operators must endeavour to appropriately and promptly handle complaints about personal information handling. Third-party dispute resolution bodies certified by the PPC can provide alternative resolution.

Response requirements: APPI does not set a calendar-day response period (GDPR's one month is the usual comparison). Operators must respond without delay, may prescribe a reasonable method for receiving requests (Article 37) and charge a fee for disclosure (Article 38), and, where they refuse a request in whole or in part, must notify the individual without delay and endeavour to explain the reason (Article 36).


Cross-Border Data Transfers

Article 28 restricts provision of personal data to a third party located in a foreign country. Such a provision requires one of:

  1. Individual consent: prior consent to provision to a third party in a foreign country, given after the operator has provided the information listed below
  2. Country with an equivalent system: the recipient is in a country designated by PPC rules as having a personal information protection system equivalent to Japan's (currently the EU member states and the United Kingdom)
  3. Recipient with an equivalent system: the overseas recipient has established a system meeting the standards in PPC rules, typically documented through a contract or binding corporate rules. Since April 2022 the providing operator must also confirm periodically that the recipient continues to implement those measures and must provide information about them to the individual on request

Required information disclosure for consent: For consent-based transfers, the operator must in advance provide to the individual:

  • Name of the foreign country
  • The personal information protection system in that country
  • The measures taken by the third party for handling personal information

The PPC country information page provides reference information on protection systems in other countries.

Japan-EU Adequacy: Japan and the EU have mutual adequacy arrangements — Japan has an adequacy decision from the EU Commission, and Japan recognises EU member states as having equivalent protection. This simplifies Japan↔EU data flows significantly.

Opt-out and pseudonymous data: The opt-out procedure under Article 27 does not satisfy Article 28, so an overseas provision always needs one of the three bases above. Pseudonymously processed information cannot be provided to any third party, domestic or overseas, except through entrustment, business succession, or joint use.


Pseudonymous Processing Information (仮名加工情報)

The amendments in force since April 2022 introduced pseudonymously processed information (仮名加工情報), a category between personal data and anonymously processed information. Requirements:

Creation: Process personal information in line with PPC rules: delete or replace names and other descriptions that identify the individual, delete individual identification codes (My Number, biometric templates and the like), and delete descriptions that could cause property damage if misused (for example credit card numbers). The result must not identify the individual unless collated with other information, such as the replacement key or the original data.

Uses: Pseudonymously processed information can be used for internal analysis and research without individual consent, and its purpose of use may be changed without consent; while it remains pseudonymised it is also outside the breach reporting duty and the individual rights requests that apply to retained personal data.

Restrictions:

  • Cannot be provided to third parties (except through entrustment, business succession, or joint use)
  • Cannot be collated with other information to identify the individual
  • Contact information it contains cannot be used to contact the individual

Security: Must be managed as safely as personal data.


Anonymously Processed Information (匿名加工情報)

Data processed so that a specific individual cannot be identified and the original personal information cannot be restored. Requirements:

  • Follow the PPC-specified processing standards (irreversible processing: delete or replace names and individual identification codes, delete linkage information such as IDs that connect back to the source data, process or delete exceptional values that would single out an individual, and generalise fine-grained attributes)
  • Publish the categories of information contained in the anonymised data you create
  • Can be provided to third parties, provided the categories of information and the method of provision are published and the recipient is told that it is anonymously processed information
  • Recipients cannot attempt to re-identify the individuals, and the creator must not collate the data with other information for that purpose
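The following is an added example, not code from this page or from any PPC guidance, showing the two processing techniques described in the pseudonymous and anonymous processing sections on a constructed set of four fictitious records. Pseudonymisation replaces name, date of birth and address with a keyed HMAC token and deletes the card number (a description that could cause property damage if misused, so it is deleted rather than tokenised); the key is the "other information" that would allow re-identification and must be stored under separate access control. Anonymisation generalises quasi-identifiers (age to a ten-year band, postcode to a three-digit region), suppresses combinations that appear fewer than k times, and carries no pseudonym or other linkage into the output. The field names, the reference year and k=2 are assumptions of the example; whether a given output meets the PPC processing standards is a judgement against the guidelines, not something the code decides.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, List

# Constructed sample records (fictitious people). The field names are an
# assumption of this example, not a schema from APPI or the PPC guidelines.
RECORDS: List[Dict[str, str]] = [
    {"name": "Sato Hanako", "dob": "1985-04-12", "address": "Tokyo, Minato-ku 1-2-3",
     "postcode": "105-0011", "card_number": "4111111111111111", "diagnosis": "asthma"},
    {"name": "Suzuki Taro", "dob": "1979-11-30", "address": "Osaka, Kita-ku 4-5-6",
     "postcode": "530-0001", "card_number": "5500000000000004", "diagnosis": "none"},
    {"name": "Tanaka Yui", "dob": "1986-07-01", "address": "Tokyo, Minato-ku 7-8-9",
     "postcode": "105-0012", "card_number": "340000000000009", "diagnosis": "asthma"},
    {"name": "Kobayashi Ken", "dob": "1952-02-14", "address": "Sapporo, Chuo-ku 1-1-1",
     "postcode": "060-0001", "card_number": "6011000000000004", "diagnosis": "diabetes"},
]

DIRECT_IDENTIFIERS = ("name", "dob", "address")
# Descriptions that could cause property damage if misused (card numbers) are
# deleted outright when creating pseudonymised data, never tokenised.
HIGH_RISK_FIELDS = ("card_number",)


def pseudonymise(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace direct identifiers with a keyed HMAC token; drop high-risk fields.

    The token is deterministic for a given key, so one person's records stay
    linkable for analysis, but re-identification requires the key, which must
    live in a separate, access-controlled store (KMS/HSM), not beside the data.
    """
    out = []
    for rec in records:
        material = "|".join(rec[f] for f in DIRECT_IDENTIFIERS).encode("utf-8")
        token = hmac.new(key, material, hashlib.sha256).hexdigest()[:16]
        pseudo = {k: v for k, v in rec.items()
                  if k not in DIRECT_IDENTIFIERS and k not in HIGH_RISK_FIELDS}
        pseudo["pseudonym"] = token
        out.append(pseudo)
    return out


def age_band(dob: str, reference_year: int = 2026) -> str:
    """Generalise a date of birth to a ten-year age band (reference year is assumed)."""
    age = reference_year - int(dob[:4])
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymise(records: List[Dict[str, str]], k: int = 2) -> List[Dict[str, str]]:
    """Generalise quasi-identifiers and suppress groups smaller than k.

    Works from the original records, not from the pseudonymised ones, and emits
    no pseudonym or record index, so there is no linkage information to delete.
    """
    generalised = [
        {"age_band": age_band(rec["dob"]),
         "region": rec["postcode"][:3],   # first three digits of a Japanese postcode
         "diagnosis": rec["diagnosis"]}
        for rec in records
    ]
    # Exceptional values: any (age band, region) seen fewer than k times would
    # single out an individual, so those rows are suppressed entirely.
    counts = Counter((r["age_band"], r["region"]) for r in generalised)
    return [r for r in generalised if counts[(r["age_band"], r["region"])] >= k]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: generated and held in a KMS/HSM
    for row in pseudonymise(RECORDS, key):
        print("pseudonymised:", row)
    for row in anonymise(RECORDS, k=2):
        print("anonymised:", row)
```

On the constructed data the anonymised output keeps only the two Minato-ku records in the 40-49 band and suppresses the Osaka record and the 74-year-old Sapporo record, which shows why small datasets anonymise poorly. HMAC output is pseudonymised, not anonymised: anyone holding the key can recompute the tokens, so key custody is the control that makes the pseudonymous category meaningful. For real datasets, k-anonymity alone is weak against attribute inference (all kept rows share "asthma" here), and a proper anonymisation review would also consider l-diversity or differential privacy.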

Breach Notification (2022 Amendment)

The 2022 amendments made breach notification mandatory (previously strongly recommended). Requirements:

Notification to PPC (Article 26): Required when a leakage, loss, or damage of personal data has occurred, or is likely to have occurred, in one of four situations defined by PPC rules:

  • It involves special care-required personal information
  • It is likely to cause property damage through unauthorised use (for example credit card or bank account details)
  • It was, or is likely to have been, caused by an act with an improper purpose, which covers external attacks (unauthorised access, ransomware, malware) as well as malicious insiders
  • It affects more than 1,000 individuals

Under the PPC guidelines, data that was protected by appropriate encryption or an equivalent measure, so that the party who obtained it cannot read it, is not treated as a reportable leakage; a documented encryption-at-rest and key-management posture is therefore worth establishing before an incident, not during one. An operator that merely holds the data under entrustment can satisfy its duty by notifying the entrusting operator.

Timeline:

  • Preliminary report: promptly, which the PPC guidelines read as within about 3 to 5 days of becoming aware
  • Full report: within 30 days (60 days where the cause was, or is likely to have been, an act with an improper purpose)

Individual notification: Required for the same qualifying events; affected individuals must be notified without delay. Where individual notification is difficult, the operator must instead take alternative measures to protect their interests, such as a public announcement and a contact point for enquiries.

Notification content (to PPC and individuals):

  • Overview of the incident
  • Types and number of affected data subjects and personal data
  • Causes and circumstances
  • Whether there is risk of secondary damage
  • Measures taken and planned

PPC Enforcement and Penalties

The Personal Information Protection Commission (PPC) (個人情報保護委員会) is Japan's independent data protection authority. Established in 2016, the PPC has broad supervisory powers.

Administrative powers:

  • Reports/investigation requests from business operators (Article 146)
  • On-site inspections
  • Guidance and advice (Article 147)
  • Recommendations (Article 148)
  • Orders (Article 148(2)) — business operators must comply
  • Publication of non-compliance (Article 148(3))

Penalties:

  • Violation of a PPC order: imprisonment up to 1 year or a fine up to ¥1 million for the individual; corporate fine up to ¥100 million
  • Providing or misappropriating a personal information database for illicit gain (including by a former employee): imprisonment up to 1 year or a fine up to ¥500,000; corporate fine up to ¥100 million
  • Failure to report, false report, or refusal or obstruction of an on-site inspection: fine up to ¥500,000

The PPC has been increasingly active — recent actions include investigations into major Japanese companies, guidance on overseas business operator obligations, and cooperation with foreign DPAs.


APPI Compliance Checklist

  • APPI applicability confirmed (Japanese operations or overseas operator with Japanese users)
  • Privacy Policy published specifying all purposes of use
  • Collection purpose specified clearly at every collection point
  • Special care-required personal information identified — prior explicit consent obtained
  • Security management measures implemented (organisational, personnel, physical, technical)
  • Third-party provision assessment: consent or exception documented for each sharing
  • Opt-out notification filed with PPC if using opt-out basis for third-party provision
  • Cross-border transfer mechanism determined (consent with disclosure, or equivalent protection)
  • Records of third-party provision maintained (for disclosure requests)
  • Individual rights response procedures documented (disclosure, correction, suspension, erasure)
  • Complaint handling mechanism established
  • Breach notification procedure documented (preliminary report in about 3–5 days, full report within 30 days, 60 days for improper-purpose cases), including the criteria for deciding whether an incident is reportable
  • Pseudonymous/anonymous processing procedures established if used
  • Employee training on APPI obligations completed
  • Overseas operators: procedures in place to respond to PPC reporting requests, inspections, and orders, which reach overseas operators directly

Frequently Asked Questions

Does APPI apply to my overseas company with Japanese users?

Yes. APPI applies to overseas businesses that handle personal information of persons in Japan in connection with supplying goods or services to them. This includes any overseas website, app, or service collecting data from users in Japan. Extraterritorial application has existed since 2017, but until the amendments in force since April 2022 the PPC could only give guidance to overseas operators; it can now issue reporting requests and orders to them, publish non-compliance, and share information with foreign authorities under mutual assistance arrangements.

What is "special care-required personal information" and why does it matter?

Special care-required personal information (要配慮個人情報) is APPI's equivalent of sensitive data — information whose collection could lead to unjust discrimination or prejudice. It includes race, creed, social status, medical history, criminal record, disability status, and status as a crime victim. The key obligation: you must obtain prior explicit consent before collecting any of these categories, even if you would otherwise have grounds to collect them. Implied consent, opt-out basis, and other lower consent standards do not apply to special care-required information.

How do Japan-EU data flows work under the mutual adequacy arrangement?

Japan and the EU established mutual adequacy in 2019 — a unique bilateral arrangement. The European Commission adopted an adequacy decision for Japan, and Japan amended APPI to include EU personal data within its existing framework (with supplementary rules). This means: EU→Japan transfers are permitted without additional mechanisms (under the EC adequacy decision); Japan→EU transfers are permitted as Japan treats EU countries as equivalent protection destinations. Both directions still require compliance with all APPI obligations (for Japan→EU) and all EU GDPR obligations (for EU→Japan). The supplementary rules for EU personal data in Japan include additional protections matching GDPR requirements.

What records does APPI require for third-party provision?

APPI requires business operators to create records when providing personal data to third parties (Article 29) and when receiving personal data from third parties (Article 30). Records of provision must include the date of provision, the name and other particulars of the third party, the name or other identifier of the individual, and the categories of personal data provided; records of receipt additionally cover the provider's particulars and how it acquired the data. Records must be retained for 3 years in general, or 1 year where the record is a contract or similar document delivered to the individual. Individuals can request disclosure of these third-party provision records.

When is a DPIA or privacy impact assessment required under APPI?

APPI does not specifically mandate Data Protection Impact Assessments (DPIAs) as EU GDPR does. However, the PPC has issued guidelines encouraging voluntary PIAs for high-risk processing activities, particularly: new systems or services involving large-scale personal data collection, cross-border transfer projects, new uses of sensitive data, and profiling or automated decision-making. Conducting PIAs is considered best practice by the PPC and signals organisational accountability. For businesses subject to both APPI and GDPR, GDPR's mandatory DPIA requirements will apply to EU-related processing activities.


Next Steps

Japan's APPI continues to evolve through its mandatory three-year review cycle — the 2025 review is expected to further align APPI with international standards. Building a compliance programme that is responsive to ongoing updates, while satisfying current obligations, requires both technical expertise and legal awareness.

ECOSIRE's team helps businesses with Japan market entry and expansion implement APPI-compliant data practices, privacy policies for Japanese users, and cross-border data transfer mechanisms.

Get started: ECOSIRE Services

Disclaimer: This guide is for informational purposes only and does not constitute legal advice. APPI is subject to regular review and amendment. Consult qualified Japanese legal counsel for advice specific to your organisation.


Written by

ECOSIRE Research and Development Team

Building enterprise-grade digital products at ECOSIRE. Sharing insights on Odoo integrations, e-commerce automation, and AI-powered business solutions.
