Japan’s approach to privacy did not emerge from a fear of technology. It grew from a belief that personal data has real value and should be used with care. Enacted in 2003, the Act on the Protection of Personal Information sits at the centre of this idea. The Japan APPI respects consumer rights while also supporting innovation and encouraging proper data handling, which in turn drives new services, new industries, and a better quality of life for the public.
To bring all of this together, the law sets clear principles, assigns duties across government and industry, and creates a dedicated authority to oversee how organisations manage personal information in a rapidly expanding data environment.
What is the Japan APPI?
The Act on the Protection of Personal Information, commonly called the Japan APPI, is Japan’s main privacy law. It applies to Japanese organisations and foreign companies offering goods or services to people in Japan.
The APPI sets the rules for how businesses collect, use, share, and protect personal information. It has similarities with both the GDPR and certain US state privacy laws.
Under the APPI, personal information must be handled with a clear purpose, proper consent (where necessary), and strong security measures. Chapter 4 of the Act sets out the obligations of businesses. The law has been amended multiple times since its enactment, with major amendments in 2015 and 2020.
Businesses must notify individuals about how their data will be used, take steps to prevent leaks, and report serious incidents. The law also regulates cross-border transfers and gives individuals rights such as access, correction, and the ability to request deletion.
APPI enforcement is carried out by the Personal Information Protection Commission, an independent regulator with powers to investigate, issue orders, and enforce compliance.
Who does the Japan APPI apply to?
Japan’s privacy obligations apply to any organisation that handles personal information about people in Japan. It does not matter where the organisation is based or how big it is. If it collects, stores or uses information that can identify a person in Japan, it must follow the APPI.
This could include:
- Japanese companies in any industry
- Foreign companies that offer goods or services to people in Japan
In short, the APPI applies to almost anyone handling personal information connected to individuals in Japan, whether the organisation operates inside Japan or from abroad.
The law exempts certain processing activities, including processing for household or personal purposes and the handling of anonymised information.
What is personal information under the Japan APPI?
Personal information (PI) refers to any information about a living individual that allows that person to be identified, either directly or indirectly.
It covers familiar details such as a person’s:
- Name
- Date of birth
- Address
- Phone number
- Any other identifier recorded in written, audio, visual, electronic or magnetic form
Even if a single piece of data cannot identify someone on its own, it qualifies as personal information if it can be easily combined with other data to pinpoint an individual.
The APPI extends the definition of PI to also cover individual identification codes. These codes are set by Cabinet Order and may include biometric identifiers, such as data derived from physical characteristics used for computer-based recognition, or unique numbers and symbols assigned to individuals for services, transactions or membership records.
Consent requirements under APPI
The Japanese privacy law generally does not require businesses to obtain consent for processing personal data. However, you must clearly inform users why you are collecting their data and offer opt-out options.
Consent is only mandatory for:
- processing of sensitive personal data
- third-party data sharing
- cross-border data transfers, unless one of the other permitted transfer conditions is satisfied
Each of the above may be subject to certain exemptions.
Websites using third-party cookies must therefore notify users about the purpose of the cookies and obtain consent.
What are the business obligations under the Japan APPI?
Specified purpose of collection
Businesses must clearly define why they are collecting personal information and limit their use of that data to the stated purpose. The purpose must be as specific as possible and communicated to individuals. If it changes, the new purpose must remain closely connected to the original one.
Do not use personal information for any additional purpose without the individual’s prior consent. The same rule applies when a company acquires data through a merger or business transfer: the information may only be used for the original purpose unless consent is obtained.
This principle ensures that personal information is collected transparently and handled within clear boundaries.
Prohibition of inappropriate use
Businesses must never use personal information in a way that could encourage or support behaviour that is unlawful or unjust.
This includes any data handling that might:
- enable fraud
- assist discrimination
- support harassment
- facilitate harmful or unethical activities
Proper acquisition
Businesses must collect personal information fairly, honestly and transparently. This means they cannot obtain data through:
- tricking individuals
- misrepresentation
- secretly collecting information without a legal basis
- other improper or unethical means
Sensitive data use
Obtain prior consent before processing special care-required personal information, such as race, medical history, criminal record, and similar categories.
However, consent is not necessary where the processing is required by law, is in the public interest, or protects a vital interest.
Information requirements
Under the APPI, businesses must be transparent about why they collect personal information. When they collect data, they must notify individuals of the purpose or make it publicly available, unless it has already been clearly disclosed.
If the information is collected directly through a written document or contract, the business must explain the purpose before collecting it.
If the purpose later changes, individuals must be notified, or the change must be publicly announced.
Notification is not required when it could:
- endanger someone’s rights, safety or property
- harm the business’s legitimate interests
- interfere with government duties
- or when the purpose is already obvious from the context
Data accuracy
Businesses should correct any inaccuracies in, and remove any outdated information from, their databases.
Security
Implement security safeguards to protect the personal information of individuals. Organisations are also required to supervise employees or any other party handling personal data to ensure the secure use of data.
Breach notification
Notify the PPC of any breach that could harm the rights and interests of individuals. This includes the loss or leak of sensitive information and leaks affecting more than 1,000 individuals, among other cases.
Third-party data sharing
The APPI allows third-party data sharing with the consent of the individual, as well as under a special opt-out scheme.
When sharing data with a third party, the affected individual should be informed of the following:
- that the purpose of collection includes third-party sharing
- what data will be shared
- how it will be shared
- their opt-out rights
To ensure compliance, display a detailed privacy policy conspicuously, obtain consent for third-party sharing (including cookies), and offer opt-out choices.
Cross-border transfers
Sending personal data outside Japan requires one of the following:
- the individual’s explicit consent, given after being informed about the foreign country’s data protection system
- the receiving organisation implementing APPI-equivalent protections
- transfer to a country approved by the PPC as having adequate protections
Businesses must also monitor foreign recipients to ensure ongoing compliance.
Record-keeping requirements
When providing personal data to, or receiving personal data from, a third party, businesses must record the date, the identity of the recipient or provider, the purpose, and the circumstances of the transfer.
These records support accountability and make data flows traceable.
Responding to data subject rights
Individuals have the right to:
- access their data
- request corrections
- request deletion
- stop the use of their data
- stop third-party sharing
Businesses must respond promptly and explain the reasons for any refusal.
Who enforces Japan APPI?
The Personal Information Protection Commission (PPC) is the authority responsible for enforcing the Japan APPI. It is an independent regulatory body that oversees compliance and issues guidelines and orders for privacy violations in the country.
The following penalties can be imposed:
- Failure to submit reports or submitting false information: fine of up to JPY 500,000.
- Failure to comply with a PPC order:
  - up to 1 year imprisonment, or
  - a fine of up to JPY 1,000,000;
  - if the violator is a company, a fine of up to JPY 100,000,000.
- Unauthorised disclosure of personal information for personal or third-party gain:
  - up to 1 year imprisonment, or
  - a fine of up to JPY 500,000;
  - if the disclosing party is a company, a fine of up to JPY 100,000,000.
Differences between the GDPR and the APPI (Infographic)
FAQ on Japan APPI
Japan’s APPI is the primary data protection law regulating how businesses collect, use, store, and share the personal information of individuals in Japan. It applies to both domestic and foreign businesses that handle the data of people in Japan.
Individuals can request disclosure, correction, deletion, suspension of use, and the cessation of third-party transfers of their personal information.
Under Japanese law, cookies are not automatically treated as personally referable information under the APPI.
While consent is not required for the mere collection or internal use of cookies, obligations arise when cookies are shared with third parties. If the recipient is expected to combine cookie data with other information to identify an individual, the business must confirm that user consent has been obtained.
Cookies are also regulated under the Telecommunications Business Act through the External Data Transmission Rule, which took effect in June 2023. Certain online services must notify users, publicly disclose the transmission, obtain consent, or provide an opt-out option when transmitting cookie data to third parties.
In short, Japan regulates cookies through transparency and control rather than blanket consent requirements, with stricter rules applying when cookies enable personal identification or third-party data sharing.