Launch Q3 2026
BearGuard®
BearGuard®
Governance & AI Guardrails
DE EN
🔒 International Privacy

APPI – Act on the Protection of Personal Information (Japan)

Japan's APPI has protected personal data since 2003 and was reformed in 2022. The PPC supervises compliance with extraterritorial reach.

LinkedIn X WhatsApp

Summary

The Act on the Protection of Personal Information (APPI) is Japan's comprehensive data protection law. Enacted in 2003 and amended significantly multiple times, the current version following the 2020 reform (effective April 2022) is considered one of Asia's most modern data protection frameworks.

  • Supervisory authority: Personal Information Protection Commission (PPC).
  • Extraterritorial scope: Applies to foreign businesses processing personal data of Japanese users.
  • Special categories: Sensitive information (race, creed, health, criminal records) subject to heightened requirements.
  • Data breach notification: Mandatory reporting to PPC and data subjects since 2022.

History

Japan enacted the APPI in 2003 as one of the first comprehensive data protection laws in Asia. The law entered fully into force in 2005. In subsequent years it was criticized as insufficiently flexible and poorly harmonized with international standards.

A first major reform occurred in 2015 (effective 2017), creating the PPC as an independent supervisory authority and introducing the concept of anonymously processed information (tokumei-ka-jōhō). A further comprehensive reform followed in 2020 (effective April 2022): it introduced breach notification obligations, extraterritorial scope, expanded data subject rights (restriction of use, portability), and stricter sanctions. Japan received an EU adequacy decision in 2019, facilitating mutual data flows with Europe.

The third mandatory three-year review commenced in 2024. The PPC published an Interim Summary in June 2024 and "Next Steps" in January 2025, proposing introduction of administrative fines (kacho-kin), enhanced protections for biometric and children's data, AI training data exemptions, and streamlined breach reporting. A reform bill is expected in 2025, with implementation anticipated in 2026–2027.

Scope

The APPI applies to businesses and organizations (private and public bodies) that use personal information in their business activities. Since the 2020 reform, the law also applies to foreign businesses processing personal data of individuals in Japan. Exempt parties include:

  • Individuals (for personal/household purposes)
  • Print media/journalism
  • Religious organizations (for religious activities)
  • Political parties (for political activities)
  • Academic research institutions (with limitations)

The law distinguishes between personal information, specially protected personal information (sensitive data), and anonymously processed information.

Key Requirements

  • Purpose specification: The purpose of use must be specified as precisely as possible.
  • Purpose limitation: Use only for the specified purpose; changes require notification or consent.
  • Data security: Appropriate security measures to protect personal data.
  • Disclosure restrictions: Third-party provision only with consent or under statutory exceptions.
  • Third-country transfers: Only to countries with adequate protection levels or under contractual guarantees.
  • Right of access: Data subjects may request disclosure and usage history.
  • Right to correct: Correction of inaccurate data.
  • Right to restrict use: Restriction of use for unlawful processing.
  • Data breach notification: Mandatory reporting to PPC and affected individuals within statutory timeframes.
  • Sensitive data: Separate consent required for collection and use of specially protected personal information.
  • Sanctions: Fines up to JPY 100 million for corporations; JPY 1,000,000 for individuals; criminal sanctions (imprisonment up to 1 year) possible.

Corrections & Errata

2026-QA-014 Correction 28 February 2026
Quality Audit: APPI – Act on the Protection of Personal Information (Japan)

1 correction:
- Incorrect maximum individual fine (500,000 JPY instead of 1,000,000 JPY)
3 clarifications.

Full details on the errata page →

Content last reviewed: 23 February 2026. Found an error or need an update? [email protected]