Data Protection Law in Japan: tricky details
- 15.04.2026
- Data Privacy
Author: Kate Gudzenko,
CIPP/E, GDPR DPP, AI4DPO, Cyber in Privacy.
Like many tourists in recent years, we decided to pay attention to Japan, especially during cherry blossom season. And since we are privacy consultants, we are going to talk about Japan through the lens of personal data regulation.
At first glance, Japan’s framework might feel familiar: it contains principles you already know, consent as a legal basis, recognisable safeguards, breach notification obligations, broadly similar data subject rights and more. But if you take a closer look, those familiar outlines start to blur and give way to distinct regulatory features and nuances. That is because the Japanese regulatory regime is organised differently from the GDPR and other laws built on the legacy of Convention 108. It focuses on purpose rather than legal basis, sets specific rules for transfers of personal data, introduces the concept of “information related to personal information”, and relies heavily on reputational measures and criminal liability. As a result, privacy compliance for foreign companies operating in Japan may not be what it seems. In this article, we explain what it really looks like and what risks it creates for international business.
A quick overview of Japan’s data protection framework
Japan’s data protection law is centred on the Act on the Protection of Personal Information (APPI) (個人情報の保護に関する法律, Kojin Jōhō no Hogo ni Kansuru Hōritsu) and the enforcement practice of the Personal Information Protection Commission (PPC) (個人情報保護委員会, Kojin Jōhō Hogo Iinkai), Japan’s supervisory authority.
For businesses, APPI is not the only thing that matters. You also need to consider the My Number Act, which governs the “My Number” ID card held by every Japanese resident, including foreign residents with a residence status in Japan.
It is also important to follow PPC guidance, in particular the key General Guidelines, the Foreign Transfer Guidelines, and the PPC’s Q&A. While you can find APPI and some other laws in English, many guidelines and FAQ materials are available only in Japanese.
Scope of APPI
APPI states that its purpose is to protect individuals’ rights and interests while recognising the utility of personal information, and it explicitly references international harmonisation. The core principles are set out in Articles 17 to 23 (Chapter 4) of APPI.
The law applies to the processing of personal data relating to living individuals within Japan. Article 171 of APPI also extends the regime to controllers outside Japan where they provide services or supply goods to individuals in Japan.
APPI also regulates pseudonymised and anonymised data, as well as “information related to personal information”, which we mentioned at the start.
“Information related to personal information” (個人関連情報) refers to data that does not allow the sender on its own to identify an individual, but may become personal data in the hands of the recipient if the recipient has additional information. For example, a website may collect a cookie ID and browsing history but have no accounts and no ability to identify the user. For that website, the information might not be personal data. However, if an advertising platform receives the same data and matches it to user profiles in its own systems, it can identify the individual. At that point, the information becomes personal data for the recipient, and the transfer falls under APPI’s rules.
Sanctions for violating data protection law in Japan
APPI follows an escalating enforcement model. The PPC may first request reports or materials, then issue recommendations, and finally issue binding orders (Articles 146, 147 and 148 of APPI). For foreign controllers, Article 163 is also important: it provides a special procedure for overseas controllers or where the violator’s address is unknown.
Chapter 8 of APPI sets out both administrative penalties and criminal sanctions including imprisonment. Failure to comply with a PPC order may result in imprisonment for up to one year or a fine of up to one million yen (Article 178 of APPI). In addition, the company involved may face a fine of up to 100 million yen (Article 184 of APPI). In practice, that means personal liability can run in parallel with corporate fines, which is worth keeping in mind for anyone considering a privacy career in Japan.
Japan is also a jurisdiction where reputational consequences tend to carry significant weight. Organisations should build a robust PR and incident response playbook for breaches, fines and other negative privacy events and budget in advance for potential compensation to affected individuals.

The supervisory authority (Personal Information Protection Commission)
The PPC is the main regulator. It has powers to request reports and materials, conduct inspections (including on-site inspections) and issue advice, recommendations and orders. The PPC may also delegate certain powers to relevant ministries, which supports sector-specific regulation across industries.
Rights and obligations
Article 57 of APPI partly exempts certain actors, including the press, professional writers, academic institutions, religious organisations and political entities, within the scope of their respective activities.
For businesses, APPI compliance starts with defining the purposes of processing. The controller must specify purposes as precisely as possible, must not use data beyond those purposes without consent, must not use data in a way that could facilitate unlawful or improper conduct and must notify individuals or publicly disclose the purposes of use.
Unlike the European approach, APPI does not set out a classic list of legal bases. While it does, in fact, recognise many cases where personal data can be processed based on consent, statutory requirements or the public interest, the concept of legitimate interests is not part of the formal framework.
The next set of obligations relates to personal data management. Companies must maintain accuracy within the stated purposes, implement necessary and appropriate security measures, supervise employees and monitor contractors.
A separate block of obligations concerns transfers. Article 27 regulates transfers to third parties, Article 28 governs cross-border transfers, Articles 29 and 30 require verification and documentation for certain transfers, and Article 31 sets special rules for information related to personal information.
The breach response process in Japan also has its own specifics. Article 26 of APPI requires notification to the PPC and affected individuals in certain cases. The PPC explains on its official website that it expects an initial notice without delay, typically within 3 to 5 days, followed by a final notice within 30 days, or within 60 days in some situations.
Data subject rights under APPI focus on stored personal data. Articles 32 to 39 provide a right of access to mandatory information about stored personal data as well as rights to rectification, deletion, and (in certain cases) a right to request that transfers to third parties be stopped. APPI does not include a right to data portability, and it does not contain GDPR-style rules on automated decision making without human involvement.
3 key risks for foreign companies
1. Underestimating “information related to personal information”
In our opinion, the biggest risk is that data may not be personal data for the sender but becomes personal data for the recipient, and this is not always easy for companies to spot.
Article 31 of APPI permits such transfers only with the individual’s consent. If the transfer is cross-border, the sender must also provide advance information about the level of protection in the destination country along with details of the safeguards applied by the recipient.
The PPC notes that this often captures identifiers, browsing history and other data that, by default and in isolation, is not treated as personal data by the sender under Japanese law.
For example, a website may embed a video via a video hosting platform. The website tracks which videos a user watches but doesn’t have their login and can’t identify who watched what. It transfers viewing data to the hosting platform or a partner that does have user accounts and can link views to a specific person. In the partner’s hands, the information becomes personal data.
This is risky for foreign companies because information that internal compliance teams may classify as non-personal and low risk can become personal once it is shared with vendors, cloud providers or marketing platforms. To assess the risk, you need a clear understanding of how the vendor will process the data, which in turn requires careful vendor management.
2. Not paying enough attention to personal data transfers
A second risk is assuming that transfers are not a practical enforcement priority. Under APPI, any transfer of personal data, even between Japanese companies, generally requires consent or a statutory exception (Article 27 of APPI) such as:
🔹 outsourcing within the scope of the company’s stated purposes;
🔹 transfer of personal data in the context of M&A transactions;
🔹 joint use arrangements (similar to joint controllership) provided that the terms of the arrangement are disclosed to individuals.
APPI also includes an exception that allows organisations to avoid collecting consent on an ongoing basis: an opt-out model under Article 27(2). This model requires notification to the PPC and public disclosure of the scheme. In practice, it is associated with data brokerage concerns and therefore receives heightened scrutiny. For sensitive personal data and for certain other scenarios, this path is unavailable or significantly restricted, including in relation to information related to personal information.
Cross-border transfers must also satisfy Article 28 of APPI. Consent can be avoided if the data is transferred to an “adequate” jurisdiction, which Japan has so far recognised only for the UK and the EU.
If the destination country is not recognised as adequate, organisations can follow an approach that resembles the GDPR’s SCCs (Standard Contractual Clauses) and a TIA (Transfer Impact Assessment). In that case you need to:
1) confirm that the recipient applies safeguards equivalent to those required under APPI (like in TIA);
2) reflect those safeguards contractually (like in SCCs);
3) monitor compliance on an ongoing basis.
The PPC has already reviewed the legal frameworks of certain countries and published reports on its website. Where PPC materials exist, for example for Russia, certain US states, the UAE, Hong Kong, Canada etc., you may be able to rely on that analysis instead of doing a TIA from scratch. Where neither adequacy nor equivalent safeguards can be relied on, consent for the cross-border transfers will be required.
In other words, any transfer requires that you comply first with Article 27 and then, for cross-border transfers, with Article 28. And, as noted above, where the data may become personal data in the recipient’s hands, Article 31 must also be addressed.
3. Rolling out a global data privacy policy in Japan without adapting it
The third risk is documentation-related. APPI requires a stronger focus on purpose specification and a more granular description of the purposes of use.
The PPC’s Q&A explicitly states that purposes such as “service improvement” or “marketing purposes” might be too vague. The regulator recommends describing purposes as clearly as possible. For example, analysing browsing and purchase history may be necessary to display ads that better match an individual’s interests. Analysing behaviour across websites may be required to calculate a credit score and provide it to third parties such as banks.
That is why we recommend reviewing privacy policies and notices before launching products in Japan. Chances are, they will need to be revised.
Conclusion
For foreign companies, Japanese privacy compliance starts with these 3 questions:
🔹 Which data in your product could qualify as information related to personal information?
🔹 Who has access to the data within your group and among external vendors?
🔹 How specific are your stated purposes for processing personal data?
If you address these 3 points, most Japanese privacy-associated risks will become manageable. Read the law and guidelines carefully, tailor your policies and processes to the specifics of the regulation and don’t be afraid to engage with the regulator.