APPI
Act on the Protection of Personal Information
Japan's primary data protection law governing the handling of personal information by businesses and public entities, most recently amended in 2022.
Overview
Japan's Act on the Protection of Personal Information (APPI) was first enacted in 2003 and has been substantially revised twice — in 2017 and 2022 — to address evolving digital risks and bring Japan's framework closer to international standards, particularly GDPR. The 2022 amendments introduced mandatory breach reporting, strengthened rights for data subjects, added requirements around pseudonymous information, and imposed new obligations for transferring data overseas with adequate protection confirmation.
Before the 2017 amendments, the APPI applied only to business operators handling personal information databases of 5,000 or more records on any single day in the preceding six months; the 2017 amendments removed this threshold, so the law now applies to all business operators regardless of scale. The Personal Information Protection Commission (PPC), established as an independent body in 2016, issues guidelines, conducts investigations, and since 2022 can issue binding orders and impose criminal penalties.
Japan's APPI is notable for its concept of 'pseudonymously processed information' — data processed to the extent that an individual cannot be identified without cross-referencing with other information — which allows for more flexible secondary use within an organisation while still requiring registration and opt-out opportunities. The law also covers 'anonymously processed information' with lighter obligations.
Scope & Applicability
APPI applies to business operators (both domestic and foreign) handling personal information databases. The 2022 amendments strengthened the extraterritorial reach: foreign business operators that provide goods or services to Japan and handle the personal information of individuals in Japan are subject to PPC guidance requests. Personal information includes any information that can identify a living individual, including name, date of birth, and combinations of descriptors. 'Specially Sensitive Personal Information' (race, creed, social status, medical history, criminal records, sexual orientation) requires explicit consent.
Key Principles
1. Purpose Specification — the purpose of use must be specified to the extent practicable and notified or publicly announced at collection
2. Use Limitation — personal information may not be handled beyond the scope of the specified purpose without prior consent
3. Appropriate Acquisition — personal information must be acquired by lawful and fair means
4. Accuracy — personal information must be kept accurate and up to date to the extent necessary for the purpose
5. Security Management — necessary and appropriate measures must be taken to prevent leakage, loss, or damage
6. Supervision of Employees and Subcontractors — appropriate supervision of employees and third parties entrusted with personal information is required
7. Third-Party Provision Limitation — personal information must not be provided to third parties without prior consent, unless an opt-out notification has been filed with the PPC
Data Subject Rights
Individuals can request disclosure of retained personal data, including the purposes of use. The business operator must respond promptly.
Individuals can request correction, addition, or deletion of retained personal data if it is factually inaccurate.
Following 2022 amendments, individuals can request suspension of use or erasure if the data is not being handled within the scope of the purpose, was acquired illegally, or is no longer necessary.
Individuals can request suspension of provision of their data to third parties if it is being provided without consent or through an invalid opt-out procedure.
Individuals can opt out of having their personal information provided to third parties by notifying the business operator, which must then file an opt-out notification with the PPC.
Following 2022 amendments, business operators must make efforts to explain the reasons for refusing a data subject request.
Business Obligations
Specify Purpose of Use
The purpose for which personal information is used must be specified to the extent practicable and notified or publicly announced at or before collection.
Implement Security Management Measures
Necessary and appropriate security management measures — including organisational, personnel, physical, and technical measures — must be implemented and documented.
Mandatory Breach Reporting
Since 2022, business operators must report to the PPC and notify affected individuals within 30 days (or 60 days for certain incidents) when a breach occurs. Reporting is mandatory, not discretionary.
Third-Party Provision Controls
Prior consent is required before providing personal information to third parties. Opt-out procedures are permitted for certain data sharing, but require PPC notification and cannot be used for sensitive data.
Overseas Transfer Confirmation
When transferring personal information overseas, business operators must either obtain consent (after disclosing the adequacy status of the destination country) or ensure the recipient maintains protection equivalent to APPI.
Records of Third-Party Provision and Receipt
Records of personal information provided to and received from third parties must be maintained as prescribed by PPC rules.
Cross-Border Transfer Rules
Transferring personal information overseas without consent requires the recipient to be in a country with an adequacy decision from the PPC (currently only the EU and UK have such decisions) or to have equivalent protection measures in place. When seeking consent for overseas transfer, the operator must inform the individual of the destination country's personal information protection system. The PPC issues country-specific information on the personal information protection systems of major countries to assist with this disclosure. Following 2022 amendments, operators must conduct ongoing monitoring to ensure recipients maintain adequate protection.
Breach Notification Requirements
- Report to the PPC within 30 days of becoming aware of the breach (within 60 days for unauthorised access-related incidents involving sensitive data or large numbers of individuals).
- Personal Information Protection Commission (PPC) — reports are submitted via the PPC's online notification system.
- Affected individuals must be notified promptly once the breach is confirmed; the notification must include the type of data involved, the timing, and the measures taken.
How TruePrivacy Helps
Purpose-built tools for every APPI obligation.
Structured incident response workflows assess breach severity, generate PPC notification reports in the required format, and track the 30/60-day reporting deadlines.
Automated records of personal information provided to and received from third parties, with opt-out notification tracking and PPC filing support.
Country adequacy status dashboards and consent templates that include required disclosures about destination country protection systems for APPI-compliant overseas transfers.
A centralised register of all data processing purposes with automated alerts when processing approaches or exceeds the stated purpose boundaries.
TruePrivacy collects and organises evidence of security management measures across all four categories — organisational, personnel, physical, and technical — for PPC audit readiness.
Ready to achieve APPI compliance?
TruePrivacy automates your compliance workflows so your team can focus on what matters.