Data Privacy in Japan

Japan’s Act on the Protection of Personal Information (APPI)

APPI regulates data privacy in Japan as well as activities of the Personal Information Protection Commission (PPC), a central agency that acts as a supervisory governmental organization on issues of privacy protection. APPI was initially enforced in 2003 and has since been amended twice—once in 2015 and the latest version went into effect in 2022. This recent amendment focuses on improving transparency between organizations that mine data and Japan’s citizens. APPI provisions dictate that the law be reviewed and updated every three years to accommodate the latest developments and maintain relevancy.

The 2022 update brought with it the establishment of the Personal Information Protection Commission (PPC), an independent agency that, among others, protects the rights and interests of individuals and promotes the proper and effective use of personal information. Japan also became the first country to earn an adequacy decision from the European Union, since APPI comes very close to their General Data Protection Regulation (GDPR). APPI levies ¥100 million (roughly $815,000 USD) in non-compliance penalties. Organizations and individuals found guilty can also face imprisonment of up to a year.

Key Principles of APPI

  • The APPI framework is similar to the EU’s GDPR as it has extraterritorial reach. It applies to companies and organizations located within the country as well as outside, that provide products and services to the citizens of Japan.
  • APPI applies to two kinds of protected data. Personal data refers to identification details such as biometrics, date of birth, etc. Special care-required data refers to data that could be used for discrimination and prejudice such as political and religious beliefs, medical history, and criminal records.
  • Similar to GDPR, APPI gives individuals the right to know why their data is being collected and how the organization intends to use it.
  • Individuals can opt-out or request deletion of their personal data.
  • Individuals can request their personal data in hard copy or electronic format, as well as rectify incorrect information.
  • APPI requires companies to use necessary safety and cybersecurity measures to protect data privacy in Japan.
  • The 2020 amendment requires that the Personal Information Protection Commission (PPC), as well as data subjects, must be notified in case of a data breach.
  • The 2020 amendment restricted use of the opt-out exception for third-party transfers. Companies can no longer transfer personal data collected by deceitful or improper means or continue to transfer personal information based on the previous opt-out exception. If a company wishes to continue transferring that data, it must obtain direct consent from the data subject.

The information on this page is provided for educational purposes only and should not be confused with or construed as Annex Cloud’s compliance capabilities or scope. Learn more about Annex Cloud’s enterprise-ready solution, including security, privacy and compliance.

Ready to get started?

Request a demo