Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E

REGULATION · NATIONAL · IN FORCE SINCE 2003

Act on the Protection of Personal Information



Scope and territorial reach

Scope

Japan’s Act on the Protection of Personal Information (個人情報の保護に関する法律) is the national privacy law administered by the Personal Information Protection Commission (PPC). It applies to any “Personal Information Handling Business Operator” — effectively any business handling identifiable data of natural persons in Japan, with extraterritorial reach for foreign operators offering goods or services to Japanese residents.

The current text reflects the 2022 amendments — the most significant rewrite since the law’s 2003 introduction. EU adequacy is mutual since January 2019, meaning EU↔Japan transfers do not need additional safeguards.

APPI requires explicit consent (Art 18) for: (a) using personal information beyond the originally disclosed purpose, (b) providing personal information to third parties, (c) cross-border transfers (Art 24-2), and (d) handling sensitive data — race, creed, criminal record, medical history (Art 17-2).

For analytics tracking, the PPC has issued non-binding guidance recommending banner-style notices, but APPI does not have an explicit cookie-banner mandate equivalent to ePrivacy Art 5(3). In practice, opt-in consent is the safe default for cross-border transfers via Google Analytics and similar tools.

Data subject rights

  • Disclosure (Art 28) — copy of data + processing purposes. No fixed response window — “without delay”.
  • Correction, deletion, suspension (Art 29-30) — exercisable on the same “without delay” timetable.
  • Cease use of personal information (Art 30, 2022 expansion) — broader than GDPR’s restriction right; can be invoked for any unfair processing.

Cross-border transfers

APPI Art 24 restricts transfers to jurisdictions outside Japan unless: (a) the recipient is in an adequacy-listed country (currently the EEA + UK), (b) the recipient has implemented “appropriate measures” equivalent to APPI, or (c) the data subject has consented after being told the destination country.

The 2022 amendments require disclosure of the destination country at the time of consent — not just generic “we may transfer abroad”. This is stricter than the equivalent GDPR Art 49(1)(a) consent path.

Breach notification

Mandatory since the 2022 amendments. Two thresholds:

  1. Promptly to the PPC upon discovering a covered breach (sensitive data, financial data, ≥1000 records affected, or breach for unlawful purpose).
  2. Promptly to affected individuals — except where contacting them is difficult and alternative public notice is given.

“Promptly” is interpreted as within roughly 3-5 days for the initial notification, with a final report within 30-60 days.

Enforcement

The 2022 amendments raised maximum corporate fines to ¥100 million (~€600k) or 1% of relevant turnover. Pre-2022 caps were ¥500k — a meaningful escalation. The PPC has historically focused on guidance over fines, but recent administrative orders against major retailers and platform operators signal a more enforcement-forward stance.

Notable: the LINE incident (2021) — Korean affiliate access exposure — triggered PPC administrative guidance and accelerated the 2022 amendment passage.

Key references

  • PPC official guidance (Japanese): ppc.go.jp
  • EU adequacy decision (2019): European Commission
  • 2022 amendments overview: PPC Bulletin No. 21


Seven principles (Article 5)

The constitutional backbone — every processing activity must satisfy all seven simultaneously.

  1. Lawfulness of acquisition (Art 17)
     Personal information must be acquired by proper means: no deception, fraud, or covert collection.

  2. Purpose specification (Art 17)
     Specify the purpose of use as clearly as possible before or at the time of acquisition.

  3. Use restriction (Art 18)
     Do not use personal information beyond the specified purpose without the consent of the data subject.

  4. Accuracy (Art 22)
     Keep personal data accurate and up to date within the scope necessary to achieve the purpose of use.

  5. Security control (Art 23–25)
     Take necessary and appropriate measures to safeguard personal data, including supervision of employees and processors.

  6. Transparency (Art 21, 32)
     Notify or publicly announce the purpose of use; make matters concerning retained personal data accessible to data subjects.

  7. Accountability (Art 40)
     Endeavor to handle complaints appropriately and respond to PPC reports/inspections; document handling procedures.

  8. Cease-use enforcement, 2022 (Art 35)
     The 2022 amendment broadened data subjects' right to demand cessation of use beyond the original GDPR-equivalent grounds, including risk of rights infringement.

Six lawful bases (Article 6)

You must identify and document one before processing — and consent isn't always the right one.

  • Art 18(1): Consent of the data subject
    Default basis; required to use data beyond the specified purpose or to share with third parties.
    Common for: marketing analytics, third-party transfers, sensitive data

  • Art 18(3)(i): Based on laws and regulations
    Processing required by Japanese law (tax, AML, employment).
    Common for: statutory record-keeping, AML/KYC

  • Art 18(3)(ii): Protection of life, body, or property
    Necessary to protect human life or property when consent is hard to obtain.
    Common for: medical emergencies, disaster response

  • Art 18(3)(iii): Improvement of public health
    Especially necessary for public health or the sound development of children, and consent is hard to obtain.
    Common for: public-health research, child welfare

  • Art 18(3)(iv): Cooperation with public bodies
    Cooperation with national or local government performing statutory duties, where seeking consent might impede the duty.
    Common for: census, statistical surveys, government inquiries

  • Art 18(3)(v–vii): Academic research purpose
    Personal data handled by academic institutions for research, where the purpose is academic in nature.
    Common for: university research, peer-reviewed studies

Eight data-subject rights (Articles 12–22)

What individuals can demand from you, with the response window and scope.

Each entry gives the right, the article, the response window, and the scope.

  • Notification of purpose of use (Art 32). Response: at collection. Scope: right to know the purpose of use of one's retained personal data; it must be publicly announced or disclosed on request.
  • Right to disclosure (Art 33). Response: at collection. Scope: right to receive a copy of retained personal data, including in electronic form (added 2022). Response 'without delay'.
  • Right to correction / addition / deletion (Art 34). Response: at collection. Scope: right to correct, add, or delete inaccurate retained data; response 'without delay'.
  • Right to cease use / erasure (Art 35). Response: at collection. Scope: broadened by the 2022 amendment to cover cessation when data is no longer needed, after a breach affecting the subject, or when there is a risk of rights/legitimate-interest infringement (broader than GDPR Art 17).
  • Third-party transfer log access (Art 26, 30). Response: at collection. Scope: right to access records of third-party provision (sender/recipient logs); controllers must keep such logs.
  • Right to lodge a complaint (Art 40). Response: at collection. Scope: right to file a complaint with the controller, a certified accreditation body, or directly with the PPC.

National addons


Each entry gives the country, the national act, whether it is stricter than the GDPR baseline, and a note.

  • 🇯🇵 Japan (JP): APPI (個人情報の保護に関する法律). Stricter. Primary regulator: PPC. EU adequacy mutual since Jan 2019; renewed scope under the 2022 amendments. Three-yearly amendment cycle; next review expected 2025.
  • 🇰🇷 South Korea (KR): PIPA (Personal Information Protection Act). Stricter. PIPC regulator. EU adequacy decision Dec 2021. PIPA is generally stricter than APPI on consent and child data; the major 2023 amendment introduced GDPR-style automated-decision rights.
  • 🇸🇬 Singapore (SG): PDPA (Personal Data Protection Act 2012). Aligned. PDPC regulator. APAC peer with a consent + notification model; the 2020 amendments added mandatory breach notification for ≥500 individuals or significant harm.
  • 🇦🇺 Australia (AU): Privacy Act 1988 + APPs. Aligned. OAIC regulator. The 2022 amendment raised maximum fines to AUD 50M / 30% adjusted turnover. Extensive 2024 reform pending (statutory tort, children's code).
  • 🇹🇼 Taiwan (TW): PDPA (個人資料保護法). Aligned. Long-standing law (1995/2010); a new dedicated PDPC regulator was established Aug 2025. Generally less prescriptive than APPI on cross-border transfers but stricter on penalties for sensitive-data misuse.
  • 🇭🇰 Hong Kong (HK): PDPO (Personal Data (Privacy) Ordinance). Aligned. PCPD regulator. Cross-border transfer §33 not yet in force after 30 years; doxxing offence added 2021.

Common questions

Does APPI apply to my non-Japanese website?
Yes if you handle personal information of people in Japan in the course of supplying goods or services to them — APPI's extraterritorial scope was clarified in the 2020 amendments (effective Apr 2022). PPC may directly issue orders to overseas operators; non-compliance triggers public naming and the same fine cap as domestic operators.
Is there mutual EU↔Japan adequacy?
Yes — the European Commission adequacy decision (23 Jan 2019) and Japan's reciprocal designation under APPI Art 28 created the world's largest mutual adequacy zone. Renewed and confirmed under the 2022 amendment review; covers transfers in both directions for commercial sectors. Public-sector data is partly excluded.
When must I notify PPC of a breach?
Mandatory under 2022 amendments (Art 26). Triggers: (1) leakage of special-care-required information, (2) leakage that may cause property damage by malicious purpose (e.g. credit-card data), (3) leakage by unauthorized purpose (insider/hack), or (4) leakage involving more than 1,000 individuals. Preliminary report 'promptly' (3–5 days in PPC practice); final report within 30 days (60 for unauthorized-purpose cases). Data subjects must also be notified.
What's the maximum APPI fine?
Under the 2022 amendments, corporate fines were raised dramatically: up to ¥100 million (≈€600,000) per offence for the most serious violations (illegal provision, ignoring PPC orders). Individual penalties up to ¥1 million / 1 year imprisonment. The cap is small versus GDPR's €20M/4%, but PPC also wields administrative orders and public naming, which can be commercially severe (LINE/LY case 2024).
Do I need to designate a Chief Privacy Officer?
APPI does not legally require a CPO/DPO equivalent, but PPC guidelines strongly recommend one for all controllers handling personal data and effectively expect one for medium-and-large businesses. Many Japanese companies appoint a 個人情報保護管理者 (personal information protection manager) as part of organisational security measures under Art 23.
How are cross-border transfers regulated?
Art 28 requires one of: (1) transfer to a country with PPC-recognised adequacy (currently EEA + UK), (2) consent of the data subject after disclosing recipient country and protection regime details, or (3) the recipient implementing equivalent protections via contract or binding scheme (APEC CBPR is recognised). 2022 amendments added mandatory disclosure of recipient-country regime details to data subjects.
What counts as 'special-care-required personal information' (要配慮個人情報)?
APPI Art 2(3) defines a category broader than GDPR special-category data: race, creed, social status, medical history, criminal record, history of being a crime victim, and other items prescribed by cabinet order (e.g. genetic data, disability info). Acquisition requires prior consent (Art 20(2)); session-replay tools risk capturing this inadvertently.
What's the M&A asset-transfer rule?
Art 27(5)(ii) — transferring personal data as part of a business succession (M&A, demerger, asset sale) is not 'third-party provision' and does not require fresh consent, provided purpose of use does not materially change. If the acquirer wants to use the data for new purposes, fresh consent or amended notification is required.
How fast must I respond to a disclosure or correction request?
APPI uses 'without delay' (遅滞なく) rather than a fixed clock. PPC guidance interprets this as approximately 2 weeks for simple requests; complex requests may take longer with interim communication. The 2022 amendments added the requirement to provide retained data in electronic form on request.
How does APPI interact with sectoral laws?
Specific sectors layer additional rules: telecom (Telecommunications Business Act), financial services (FSA guidelines on customer data), medical (Next-Generation Medical Infrastructure Act), and government bodies (separate Act on the Protection of Personal Information Held by Administrative Organs, harmonised into APPI in the 2021 amendment). Sectoral guidance generally supplements rather than replaces APPI.