Japan’s Act on the Protection of Personal Information (APPI)
What U.S. Businesses Need to Know
Introduction
Japan is one of the world’s largest digital economies, and its data protection framework carries real consequences for U.S. businesses that collect, process, or transfer personal information relating to individuals in Japan.
Japan’s Act on the Protection of Personal Information, known by its Japanese acronym APPI (個人情報の保護に関する法律), is the country’s primary framework governing the handling of personal information by private-sector businesses. First enacted in 2003 and substantially reformed in 2015, the APPI has continued to evolve in response to the demands of the digital economy. The most recent major overhaul took effect on April 1, 2022, introducing mandatory breach notification requirements, significantly strengthened individual rights, tighter rules around cross-border data transfers, and markedly increased penalties for non-compliance.
For U.S. businesses, the APPI presents a distinct and increasingly important compliance challenge. Unlike earlier iterations of the law, the current APPI expressly applies to foreign operators that handle the personal information of individuals in Japan in connection with the supply of goods or services to those individuals. This extraterritorial reach mirrors the approach taken by the European Union’s General Data Protection Regulation (GDPR) and means that U.S. companies with Japanese customers, users, or employees cannot simply assume the APPI does not apply to them because they lack a physical presence in Japan.
This article provides a practical overview of the APPI’s key provisions for U.S. businesses, covering scope and applicability, core compliance obligations, individual rights, cross-border transfer mechanisms, breach notification duties, and enforcement. It also sets out recommended steps for businesses seeking to assess and strengthen their APPI compliance posture.
Does the APPI Apply to Your Business?
One of the most significant developments in the 2020 amendments (effective April 2022) was the formal extension of the APPI’s extraterritorial reach. The amended Act’s provision on scope of application makes clear that foreign business operators handling the personal information of individuals in Japan in connection with supplying goods or services to persons in Japan are subject to the Act’s obligations in the same way as domestic operators. The Personal Information Protection Commission (PPC), Japan’s data protection authority, may require foreign operators to submit reports or undergo on-site inspections, may issue recommendations and orders to them, and may share information with overseas authorities in the event of non-compliance.
In practical terms, if your U.S. business operates an e-commerce website accessible to Japanese consumers, offers software-as-a-service products to Japanese businesses, runs targeted advertising campaigns toward residents of Japan, or maintains HR records for employees based in Japan, there is a strong basis for concluding that the APPI applies. The threshold does not require a formal legal entity, subsidiary, or representative in Japan. What matters is whether your activities are directed at individuals located in Japan and whether you handle their personal information in connection with those activities.
It is worth noting that the APPI applies to personal information about living individuals. Data relating to deceased persons generally falls outside the scope of the Act, although other legal obligations may apply. The APPI also exempts certain categories of operators from some (though not all) of its requirements, including government agencies and independent administrative agencies, which are covered by separate statutes. For most U.S. businesses, however, the private-sector provisions of the APPI are the relevant framework.
Understanding the APPI’s Key Definitions
The APPI operates through a layered definitional structure that determines which obligations apply to which types of data. Understanding these categories is essential to navigating compliance.
Personal Information
Personal information (個人情報) is defined broadly as information relating to a living individual that can identify the specific individual through descriptions contained in the information, including name, date of birth, or other particulars. This includes not only direct identifiers but also information that, when cross-referenced with other readily available data, would permit identification of a specific person. Photographs, video images, and voice recordings that allow identification of an individual also constitute personal information. The APPI separately defines Individual Identification Codes (個人識別符号), a category that encompasses biometric data such as fingerprints, facial recognition data, iris patterns, and DNA sequences, as well as government-issued identification numbers such as passport numbers and driver’s licence numbers. Crucially, Individual Identification Codes are treated as personal information in their own right, without the need to cross-reference other data.
Personal Data and Retained Personal Data
Personal data (個人データ) is personal information that forms part of a personal information database, meaning an aggregate of personal information systematically organized so that specific personal information can be retrieved by computer search, or in a physical file where entries are arranged in a searchable order. Most of the APPI’s core obligations attach to personal data rather than to personal information in an unstructured form. Retained personal data (保有個人データ) is a subset of personal data over which the business operator has the authority to respond to requests from individuals for disclosure, correction, deletion, and discontinuation of use. The 2020 amendments removed the previous six-month threshold, meaning that short-retention datasets now also qualify as retained personal data and are subject to individual rights.
Special Care-Required Personal Information
Special care-required personal information (要配慮個人情報) is a separately defined category of particularly sensitive data. It includes information about race, creed, social status, family origin, medical history, criminal record, status as a victim of a crime, physical or mental disability, the results of health examinations or medical consultations, a history of arrest or detention, and similar particulars. As discussed further below, the APPI imposes stricter acquisition and handling requirements on this category of data, and U.S. businesses operating in sectors such as healthcare, insurance, employment, or financial services should pay particular attention to how they handle it.
Core Compliance Obligations
Purpose Specification and Use Limitation
The APPI requires business operators to specify the purpose for which they use personal information as precisely as possible. This is not merely a notice requirement: operators are prohibited from handling personal information beyond the scope of the specified purpose without obtaining fresh consent from the individual. When acquiring personal information, operators must either publicly announce their purpose of use in advance or notify the individual of that purpose promptly after acquisition. If personal information is acquired in the course of a business succession (for example, through a merger or acquisition), the successor operator must promptly notify individuals or publicly announce the purpose of use if it differs from that originally specified.
Appropriate Acquisition
Personal information must not be acquired by wrongful means, including deception or other improper conduct. When acquiring special care-required personal information, prior explicit consent from the individual is required except in a limited set of statutory exceptions (such as legal obligations, emergencies involving risk to life, or academic research). U.S. businesses running data scraping operations, purchasing third-party marketing lists, or deploying cookies and tracking technologies in Japan should carefully review whether their data acquisition practices meet this standard.
Security Management Measures
Business operators must take necessary and appropriate measures to prevent the leakage, loss, or damage of personal data they handle. The APPI requires operators to establish internal rules, implement organizational measures (including the appointment of responsible persons), adopt technical security measures, and take steps to understand and improve the physical security environment. Operators must also exercise necessary and appropriate supervision over employees handling personal data and, when outsourcing personal data processing to third parties, must exercise the same level of supervision over those consignees. Importantly, a consignee that processes personal data on behalf of a principal is not treated as a third party for the purposes of the third-party provision rules discussed below, but the principal remains responsible for the consignee’s compliance. Given that U.S. businesses frequently use cloud service providers, payroll processors, customer relationship management platforms, and similar vendors, the outsourcing supervision requirement deserves careful attention when drafting vendor contracts.
Individual Rights Under the APPI
The APPI grants individuals a set of rights in respect of retained personal data that are enforceable against business operators. The 2020 amendments significantly expanded these rights, bringing them closer in scope to those found in the GDPR.
The right of disclosure allows individuals to request that operators disclose the retained personal data held about them. An operator must respond within a reasonable period and may charge a reasonable fee for the cost of responding. The right of correction, addition, and deletion allows individuals to request amendment of retained personal data that is factually inaccurate. The right to discontinue use or request erasure has been expanded: in addition to the original grounds of unlawful acquisition or use beyond the stated purpose, individuals can now request discontinuation or erasure where retention is no longer necessary given the original purpose, where a data breach has occurred affecting the individual’s data, or where the retention is otherwise likely to harm the individual’s rights or legitimate interests. The right to discontinue third-party provision permits individuals to opt out of the ongoing sharing of their data with third parties.
Operators must establish and publish procedures through which individuals can exercise these rights, and must respond to requests without undue delay. Refusing to act on a valid request requires a legally recognized ground. The widening of individual rights in the 2020 amendments means that U.S. businesses should review and update their data subject request handling procedures to ensure they are capable of responding to the full range of rights now available under the APPI.
Cross-Border Data Transfers: Sending Data to the United States
Cross-border data transfer is one of the most commercially significant and legally complex aspects of the APPI for U.S. businesses. Under the APPI, providing personal data to a third party located in a foreign country requires either consent-based authorization, reliance on an equivalency mechanism, or recognition of the destination country as having equivalent data protection standards. The United States is not on Japan’s whitelist of countries recognized as having equivalent protection, meaning that transfers of personal data from Japan to U.S.-based entities cannot rest on that ground alone.
Mechanism 1: Individual Consent with Required Disclosures
The most straightforward mechanism for international transfers is obtaining prior consent from the individual. However, consent for a cross-border transfer is subject to enhanced disclosure requirements introduced by the 2020 amendments. Before obtaining consent, the operator must inform the individual of the name of the destination country, the data protection legal framework of that country (or a statement that there is no equivalent framework), and the measures implemented by the third-party recipient to protect the personal data. This means that a U.S. company receiving personal data from a Japanese affiliate or partner must be prepared to provide the Japanese entity with accurate and up-to-date information about U.S. data protection laws and its own internal security practices, so that appropriate disclosures can be made to individuals.
Mechanism 2: Equivalent Protective Measures
Alternatively, a transfer can proceed without individual consent if the third-party recipient has implemented measures that are equivalent to the standards required under the APPI. In practice, this is most commonly achieved through contractual arrangements, such as data transfer agreements modelled on the standards in the PPC’s guidelines. The 2020 amendments impose ongoing obligations on the transferring operator: it must continuously confirm that the recipient continues to maintain the required measures and must be able to provide information to individuals about the third party and the measures in place upon request. If the recipient can no longer maintain equivalent measures, the operator must take necessary measures to protect the individual’s rights and interests, including, where necessary, ceasing the transfer. The PPC has issued guidance on what arrangements will be considered equivalent, and U.S. companies entering into such arrangements with Japanese partners or affiliates should review that guidance carefully when drafting contracts.
Intra-Group Rules and APEC CBPR Certification
The PPC rules spell out two ways a recipient can establish the ‘system conforming to APPI standards’ that Mechanism 2 requires. The first is an ‘appropriate and reasonable method’ that ensures APPI-equivalent handling by the recipient; this covers not only a bilateral data transfer agreement but also binding intra-group rules, such as a group-wide privacy policy, so that a multinational can cover transfers to its overseas affiliates under one framework. The second is certification under an international framework recognized by the PPC, in practice the APEC Cross-Border Privacy Rules (CBPR) system, which a U.S. recipient can obtain in its own right. Neither is a separate statutory mechanism: both are ways of satisfying Mechanism 2, so the transferring operator’s ongoing confirmation and information-provision duties described above still apply. Demonstrating that intra-group rules actually meet APPI standards is demanding, and in practice most U.S. recipients rely on consent or on a bilateral transfer agreement.
For most U.S. businesses receiving personal data from Japanese-based entities, the practical path forward involves either updating customer-facing privacy notices to incorporate the required consent disclosures, or entering into data transfer agreements with Japanese partners that provide for APPI-equivalent protections. U.S. businesses should also be aware that the APPI’s transfer restrictions apply to the Japanese-based transferor, but that the PPC’s extraterritorial powers mean that foreign recipients are increasingly within the enforcement perimeter.
Mandatory Breach Notification
Prior to April 2022, Japan’s data breach notification framework was advisory only, resting on PPC guidelines rather than the Act. The 2020 amendments made notification a binding legal requirement for every business operator subject to the Act, including overseas operators within its extraterritorial reach.
When a leakage, loss, or damage of personal data occurs (or is likely to have occurred) and falls within one of the reportable categories, the operator must make a preliminary report to the PPC promptly, which the PPC guidelines gloss as within roughly three to five days of becoming aware of the incident, and a final report within thirty days, or sixty days where the incident may have been caused by someone acting with an improper purpose (for example an external attacker or a malicious insider). The operator must also notify the affected individuals promptly in light of the circumstances; where individual notification is difficult, it must instead take alternative measures needed to protect their rights and interests, such as a public announcement and a contact point for inquiries.
The reportable categories are: incidents involving special care-required personal information; incidents likely to cause property damage through unauthorized use of the data, such as leakage of credit card numbers or login credentials; incidents that may have been carried out with an improper purpose, including cyberattacks and deliberate insider leaks; and incidents affecting more than one thousand individuals. The PPC has published detailed guidance on the content required in the preliminary and final reports, and operators should ensure their incident response plans are calibrated to meet both the content and the timing requirements.
For U.S. businesses, the APPI breach notification requirements add a further layer of complexity to multi-jurisdictional breach response. An incident involving the personal data of Japanese residents may simultaneously trigger notification obligations under applicable U.S. state laws, the APPI, and potentially the GDPR if European residents are also affected. Building APPI-specific notification workflows into your incident response plan in advance is far preferable to attempting to map obligations under pressure in the immediate aftermath of a breach.
Special Care-Required Personal Information
As noted above, the APPI treats a defined category of sensitive data with heightened protections. The acquisition of special care-required personal information requires the prior consent of the individual unless a statutory exception applies. The exceptions include cases required by law, emergencies involving risk to life, body, or property, and information that has already been made public by the individual, by a government body, or by another person designated in the PPC rules (such as a news organization); the mere fact that data is circulating publicly is not by itself enough. Business operators are also prohibited from providing special care-required personal information to third parties via the opt-out mechanism available for ordinary personal data; absent a statutory exception, consent is required for each provision.
U.S. businesses in the healthcare, life sciences, insurance, and human resources sectors are particularly likely to handle special care-required personal information in connection with their Japan-related activities. Employers processing disability or medical records of Japanese employees, insurers assessing claims involving medical history, and technology platforms handling mental or physical health data of Japanese users all need to ensure their consent and data handling practices align with APPI requirements for this sensitive category. The definition also encompasses certain categories that differ from those found in GDPR, most notably the inclusion of criminal records and victim-of-crime status.
Pseudonymized and Anonymized Information
The 2020 amendments introduced a new intermediate data category called pseudonymized information (仮名加工情報), sitting between ordinary personal data and fully anonymized information. Pseudonymized information is created by processing personal information according to PPC-prescribed standards, deleting or replacing names and other identifying descriptions, deleting Individual Identification Codes, and deleting descriptions whose misuse could cause property damage (such as card numbers), so that the result cannot identify a specific individual unless it is collated with separately held information. The operator may change the purpose of use of pseudonymized information without the individual’s consent (the changed purpose must still be disclosed), which gives real flexibility for internal analytics, and may entrust it to consignees. However, it cannot be provided to third parties as such, the operator must not attempt to re-identify the individual or use contact details in it to contact the individual, and the deleted information and processing method must be kept separately under security management measures. In return, the breach notification duty and the individual rights that attach to retained personal data (disclosure, correction, discontinuation of use) do not apply to pseudonymized information.
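The separation the paragraph describes, identifiers replaced and the re-linking material held apart, can be seen in the following added Python example. It is not code from the page’s source or from the PPC; the record layout, the field names, and the use of HMAC-SHA256 tokens with a separately stored key are assumptions, and it does not claim to satisfy the PPC’s processing standards. It contrasts a keyed token with an unkeyed hash of the same identifier, which is where pseudonymization projects most often go wrong:

```python
"""Pseudonymize a customer table so analytics can join on a stable token while
the secret needed to re-link tokens to people lives in a separate store.

Added example with assumed field names; the sample records are constructed.
"""
import hashlib
import hmac
import secrets

# Constructed sample data: fictitious customers, not real people.
RECORDS = [
    {"name": "Sato Hanako", "email": "hanako@example.jp", "passport_no": "TK1234567",
     "card_number": "4111111111111111", "prefecture": "Tokyo", "age_band": "30-39",
     "spend_jpy": 42000},
    {"name": "Suzuki Taro", "email": "taro@example.jp", "passport_no": "TK7654321",
     "card_number": "4222222222222222", "prefecture": "Osaka", "age_band": "40-49",
     "spend_jpy": 18000},
    {"name": "Sato Hanako", "email": "hanako@example.jp", "passport_no": "TK1234567",
     "card_number": "4111111111111111", "prefecture": "Tokyo", "age_band": "30-39",
     "spend_jpy": 9000},
]

# Assumed grouping of fields that must not survive pseudonymization.
DIRECT_IDENTIFIERS = ("name", "email")    # descriptions that identify the person
IDENTIFICATION_CODES = ("passport_no",)   # Individual Identification Codes
FINANCIAL_FIELDS = ("card_number",)       # misuse would risk property damage


def new_key() -> bytes:
    """The 'separately held additional information': store this key outside the
    analytics environment, under its own access control."""
    return secrets.token_bytes(32)


def token_for(identifier: str, key: bytes) -> str:
    """Keyed token for an identifier. Without the key, a token cannot be
    recomputed from a guessed identifier, so a name list does not re-link it."""
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:32]


def naive_token_for(identifier: str) -> str:
    """Unkeyed hash: looks pseudonymous, but anyone with a candidate list of
    identifiers can recompute it and re-link the data."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:32]


def pseudonymize(records, key: bytes):
    """Return new records with identifiers replaced by a keyed token and the
    identification-code and financial fields deleted outright."""
    drop = DIRECT_IDENTIFIERS + IDENTIFICATION_CODES + FINANCIAL_FIELDS
    out = []
    for rec in records:
        new = {k: v for k, v in rec.items() if k not in drop}
        # Same person -> same token, so rows can still be grouped per customer.
        new["pid"] = token_for(rec["email"].lower(), key)
        out.append(new)
    return out


def dictionary_attack(tokens, candidates, token_fn):
    """Attempt re-linking by recomputing tokens for a list of candidate
    identifiers. Returns {token: identifier} for every token recovered."""
    lookup = {token_fn(c): c for c in candidates}
    return {t: lookup[t] for t in tokens if t in lookup}


if __name__ == "__main__":
    key = new_key()
    pseudo = pseudonymize(RECORDS, key)
    emails = [r["email"] for r in RECORDS] + ["someone@example.jp"]
    keyed = {r["pid"] for r in pseudo}
    unkeyed = {naive_token_for(r["email"]) for r in RECORDS}
    print("unkeyed tokens recovered:", len(dictionary_attack(unkeyed, emails, naive_token_for)))
    print("keyed tokens recovered without key:",
          len(dictionary_attack(keyed, emails, lambda c: token_for(c, new_key()))))
    print("keyed tokens recovered with the held key:",
          len(dictionary_attack(keyed, emails, lambda c: token_for(c, key))))
```

The design point is that the token is only as separate as the key: if the key sits next to the pseudonymized table, the dataset is effectively ordinary personal data again, and the operational benefits described above depend on keeping it apart.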
Anonymized information (匿名加工情報) represents a more complete de-identification. When personal data is processed into anonymized information in accordance with PPC standards, it loses its character as personal data altogether and may be shared with third parties or used for secondary purposes. However, creating anonymized information requires adherence to strict technical and procedural standards set out by the PPC, and operators must publicly disclose the categories of information contained in the anonymized dataset and the means by which it will be provided when sharing it externally. The operator must also take steps to prevent re-identification.
For U.S. businesses engaged in data analytics, artificial intelligence development, or research activities using data derived from Japanese residents, these two categories offer potential pathways to using data more flexibly while reducing regulatory burden. However, the technical requirements for achieving genuine anonymization under APPI standards are demanding, and legal advice specific to the proposed data processing activity is advisable before relying on either category.
Enforcement, Penalties, and the Role of the PPC
The Personal Information Protection Commission is Japan’s independent data protection authority, established in its current form in 2016 following the consolidation of regulatory responsibilities previously spread across multiple sector-specific agencies. The PPC has broad powers to investigate potential violations, including the power to require operators to submit reports, the power to conduct on-site inspections of business premises, and the power to issue recommendations requiring operators to take corrective action. If an operator fails to comply with a PPC order following a recommendation, criminal penalties and fines may be imposed.
The 2020 amendments significantly increased the severity of financial penalties. Under the amended Act, a corporation that violates a PPC order faces a fine of up to one hundred million yen; before the amendments the fine for violating an order was capped at three hundred thousand yen for individuals and corporations alike. The introduction of a corporate fine track, distinct from the penalty imposed on the individual offender (up to one year’s imprisonment or a fine of up to one million yen for violating an order), marks a significant escalation of Japan’s data protection enforcement regime. The unauthorized provision or theft of a personal information database for improper gain is punishable by up to one year’s imprisonment or a fine of up to five hundred thousand yen for the individual, and a fine of up to one hundred million yen for the corporation. Failing to report, false reporting to the PPC, or refusing an inspection carries a fine of up to five hundred thousand yen.
The PPC has been increasingly active in issuing guidance directed at foreign operators, and has signalled that it regards cross-border enforcement cooperation as an important priority. While formal enforcement actions against overseas operators remain relatively rare, the combination of heightened penalties, enhanced PPC powers, and the APPI’s extraterritorial reach creates a meaningful compliance risk for U.S. businesses that do not take the Act seriously.
Practical Steps for U.S. Businesses
Achieving APPI compliance requires a structured, programmatic approach rather than a piecemeal response to individual requirements. The following steps provide a practical starting point for U.S. businesses assessing or strengthening their APPI posture.
- Conduct a data inventory. Map the personal information your business holds relating to individuals in Japan, including how it was acquired, on what legal basis, for what purpose, where it is stored, and with whom it is shared. This exercise forms the foundation of every other compliance effort.
- Review and update privacy notices. Ensure that any privacy policy or notice directed at Japanese residents accurately specifies your purposes of use, identifies cross-border transfer mechanisms and provides the disclosures required by the APPI, and describes how individuals may exercise their rights.
- Establish a lawful transfer mechanism. Since the United States is not on Japan’s adequacy whitelist, decide whether you will rely on enhanced individual consent with the required disclosures, or on contractual arrangements providing equivalent protection, for transfers of personal data out of Japan to your U.S. systems.
- Review vendor and outsourcing arrangements. Identify all consignees and third-party processors that handle personal data relating to Japanese individuals on your behalf, and confirm that your contracts with them include the supervision obligations required by the APPI.
- Implement or review security measures. Assess your technical, organizational, and physical security measures against APPI standards and address any gaps. Document your security framework so that you can demonstrate compliance to the PPC if required.
- Build breach response procedures. Update your incident response plan to include APPI-specific notification triggers, timelines, and content requirements. Identify who within your organization is responsible for making notifications to the PPC and to affected individuals.
- Implement individual rights request procedures. Establish clear, documented procedures for responding to requests for disclosure, correction, erasure, and opt-out of third-party provision from individuals in Japan, and train the relevant staff.
- Train staff and raise awareness. Ensure that employees who handle personal data relating to Japanese residents understand the obligations imposed by the APPI, including any sector-specific guidance issued by the PPC.
- Monitor PPC guidance and legislative developments. The APPI is a living framework. The PPC regularly issues guidelines, Q&As, and enforcement decisions. Monitor these developments and adjust your compliance programme accordingly.
Conclusion
Japan’s APPI is a mature, sophisticated, and increasingly rigorous data protection framework that demands serious attention from U.S. businesses with meaningful exposure to the Japanese market. The 2020 amendments have brought the APPI closer in structure and ambition to the GDPR, with extraterritorial reach, mandatory breach notification, enhanced individual rights, and substantially increased penalties all now firmly in place.
For U.S. businesses, the most commercially sensitive aspects of the APPI are likely to be the cross-border transfer requirements, which demand specific contractual or consent-based mechanisms for moving personal data from Japan to the United States, and the breach notification framework, which imposes short and enforceable timelines. These requirements must be built into standard operating procedures well in advance of any incident.
If your business has not yet undertaken a systematic APPI compliance review, doing so promptly is strongly advisable. The combination of enhanced enforcement powers, increased penalties, and growing international regulatory cooperation means that the cost of non-compliance is rising. Engaging experienced data protection counsel with expertise in both U.S. privacy law and the APPI will help ensure that your compliance programme is appropriately tailored to your business model and exposure profile.
