The Act on the Protection of Personal Information (個人情報の保護に関する法律, commonly abbreviated APPI) is Japan's primary statute governing the collection, use, and management of personal data. Originally enacted in 2003, the Act was overhauled by amendments that took effect in April 2022, significantly expanding obligations for businesses and rights for individuals. Any company that handles personal information about individuals in Japan — including foreign companies providing goods or services to Japan — needs to understand what the APPI requires.
Key Definitions
The APPI builds its framework on a set of defined terms that are worth understanding before examining the obligations they trigger.
Personal Information (個人情報)
"Personal information" means information about a living individual that can identify that person — either directly from the information itself (such as a name or photograph), or by easy cross-reference with other information. The Act also includes "individual identification codes" (個人識別符号) in the definition: passport numbers, driver's licence numbers, My Number, fingerprints, facial recognition data, and similar identifiers each constitute personal information on their own.
The definition covers only living individuals. Deceased persons' data is not personal information under the APPI, although separate legal and ethical considerations may still apply.
Personal Data and Retained Personal Data
A personal information handling business operator typically manages large volumes of personal information in structured databases. Information forming part of such a database is called "personal data" (個人データ), and the subset over which the operator has authority to disclose, correct, or erase — and which is held for more than six months — is called "retained personal data" (保有個人データ). Individual rights under the Act attach primarily to retained personal data.
Special Care-Required Personal Information (要配慮個人情報)
A protected category of personal information includes data that could cause discrimination or other harm if disclosed without consent: race, creed, social status, medical history, criminal records, records of being a crime victim, disability status, and diagnosis results, among others. Acquiring special care-required personal information requires the individual's prior explicit consent, with limited exceptions (medical necessity, legal proceedings, etc.).
Who Must Comply
The APPI applies broadly to any business or individual that handles a personal information database in the course of business.
Personal Information Handling Business Operators (個人情報取扱事業者)
The term covers every commercial entity — corporations, sole traders, non-profit organisations — that systematically manages personal information as part of its operations. There is no minimum scale threshold: the 5,000-record floor that existed before the 2015 amendment has been removed. A small online retailer with a customer mailing list of fifty people is technically subject to the Act.
Central and local government bodies are covered by a parallel public-sector framework, largely unified with the private-sector rules by the 2021 amendment.
Overseas Businesses (外国事業者)
The 2022 reform clarified the extraterritorial reach of the APPI. Overseas businesses that provide goods or services to individuals in Japan and handle their personal information are subject to the Act's obligations. The Personal Information Protection Commission (PPC) can issue recommendations and orders against such businesses, and can request information from them through international cooperation channels.
Core Obligations
Business operators subject to the APPI must observe the following categories of obligation. Failure to comply can result in PPC recommendations, orders, and — for deliberate violations or obstruction of inspections — criminal penalties.
Specifying and Notifying the Purpose of Use
When acquiring personal information, operators must specify the purpose for which it will be used and communicate that purpose to the individual, either by direct notification or by publicly announcing it in advance. Personal information must not be used for purposes beyond what was notified without obtaining new consent, except in limited circumstances.
Security Management Measures (安全管理措置)
Operators must take necessary and appropriate measures — organisational, human, physical, and technical — to prevent leakage, loss, or damage to the personal data they hold. They must also supervise employees and any subcontractors who handle personal data on their behalf.
Third-Party Provision (第三者提供)
Personal data generally may not be passed to third parties without the individual's prior consent. The Act provides specific exceptions for legal obligations, emergencies involving life or health, academic research, and similar situations. Operators may also use an "opt-out" mechanism for providing data to third parties without individual consent, provided they file a record with the PPC and make it publicly available — but this mechanism is not available for special care-required personal information.
Cross-Border Data Transfers (外国にある第三者への提供)
Providing personal data to a third party located outside Japan requires one of the following: (1) the destination country is recognised by the PPC as providing an adequate level of protection; (2) the recipient has in place measures equivalent to the APPI standards; or (3) the individual has given informed consent after being told about the recipient country's data protection environment. Following the 2022 reform, operators must provide individuals, upon request, with information about the protective measures in place at the overseas recipient.
Individual Rights
The APPI grants individuals the following rights with respect to retained personal data held by an operator, enforceable by making a request to the operator.
| Right | Scope |
|---|---|
| Disclosure | Request to be told what retained personal data is held, and on what basis |
| Correction / Addition / Deletion | Request to correct inaccurate data, add missing data, or delete erroneous data |
| Cessation of Use / Erasure | Request to stop use or delete data obtained in violation of the Act, or used beyond the stated purpose |
| Cessation of Third-Party Provision | Request to stop provision of data to third parties in violation of the Act |
Operators must respond to these requests within a reasonable period. They may charge a fee for disclosure requests within limits set by PPC rules.
The 2022 Reform: What Changed
The amendments that took effect on 1 April 2022 represented the most significant overhaul of the APPI since its enactment. The changes reflected both the growth of digital business and the need to align Japan's framework more closely with international standards such as the EU's GDPR.
The major changes include the following. First, mandatory breach notification: when a leak, loss, or unauthorised access involving personal data meets criteria specified by PPC rules (such as leakage of special care-required personal information, or data affecting 1,000 or more individuals), operators must report to the PPC and notify affected individuals within the timeframes prescribed by those rules. Previously, reporting was voluntary.
Second, tightened cross-border transfer rules: operators must now provide individuals with information about overseas recipients' protective measures on request, and must confirm that recipients continue to maintain equivalent measures throughout the relationship.
Third, expanded opt-out obligations: records of opt-out third-party provision must be filed with the PPC, and the PPC publishes them publicly. Certain types of data — those originally obtained via opt-out from another operator — are excluded from the opt-out mechanism entirely.
Fourth, new data categories: "pseudonymously processed information" (仮名加工情報) was introduced as a category that allows de-identified data to be used internally for analysis and research without individual consent, subject to strict handling restrictions and a prohibition on re-identification.
Fifth, significantly raised penalties: the maximum corporate fine for violations was increased to ¥100 million (from ¥50 million), and the fine for provision of data to a foreign government without lawful basis was set at ¥1 million for individuals.
Enforcement: The Personal Information Protection Commission (PPC)
The Personal Information Protection Commission (個人情報保護委員会) is the independent supervisory authority for the APPI. The PPC issues guidance and recommendations, conducts inspections, and can issue binding orders against operators who fail to comply. It also manages the registration and publication of opt-out records, the designation of adequate foreign jurisdictions, and international cooperation with foreign data protection authorities.
The PPC publishes guidance documents and FAQs on its official website, including materials in English, which are the authoritative reference for interpreting the Act's requirements.