Japan Act on the Protection of Personal Information (APPI)

Japan has its own data protection law which is usually referred to as the Act on the Protection of Personal Information, or APPI. Any party dealing with the personal information of a Japanese citizen is bound by the terms of the APPI.

This article covers the major components of the APPI, including what this law is, what personal information is, the obligations of the personal information handling operator, the penalty for violating this Act, and more.

What is the Japan Act on the Protection of Personal Information (APPI)?

First passed in 2005 and enforced by the Personal Information Protection Commission (PPC), this act is meant to ensure proper handling and use of the personal information of Japanese citizens.

Businesses and organizations operating in or outside Japan and dealing with personal information belonging to a Japanese national must fully comply with the APPI.

A few changes granting more rights to customers have been made to the original version of the act, which is in line with new trends in privacy law.

Who Does the Japan Act on the Protection of Personal Information (APPI) Apply to?

If your business handles Japanese citizens' personal information, you'll need to comply with the APPI. This is true whether your company operates from within Japan or offers goods and services to Japanese citizens from outside of Japan.

What is Personal Information as Defined by the APPI?

Personal information in the APPI means any information relating to an individual. This includes information such as names, dates of birth, physical addresses, and personal identification codes.

This information could be in various forms. For instance, it can be written down, recorded, or stored in the form of voice or in a document.

What Information is Protected Under the Japan Act on the Protection of Personal Information (APPI)?

The APPI covers two categories of personal data: personal information, and special care-required personal information.

Personal information is generally information that can be used to identify an individual, like a name, email address, passport number, and others.

On the other hand, special care-required personal information relates to an individual's race, social status, medical history, criminal records, creed, or other information that can lead to discrimination against the owner. Businesses must seek the consent of the owner before using such information.

The APPI is not very strict on anonymized information, as it can't be used to identify the owner. However, businesses must notify third parties that the information is anonymized when sharing it with them.

Obligations of Data Handlers Under the Japan Act on the Protection of Personal Information (APPI)

The APPI states the obligations you, as a personal information handler (business), have towards the consumers, who, in this case, own the information. Here's an overview of these obligations.


You must use legal means to acquire users' personal information and shouldn't rely on deceit to get information about individuals. If the personal data is special care-required, a business must obtain a principal's consent before getting this information.


The APPI requires that a business notify an individual of the purpose for collecting their personal information. Simply put, the business should disclose the utilization purpose clearly, providing as much detail as possible.

If the utilization purpose is altered along the way, the business needs to inform the individual(s) about the changes.

A business is exempted from notifying individuals about how it intends to use their personal information under the following circumstances:

  • If there's an urgent need to protect human life or prevent the destruction of wealth
  • In case specific laws and regulations don't deem it necessary to reveal the purpose
  • When a business needs to cooperate with a law enforcement agency or the government


You must ensure that all personal information you obtain from an individual is accurate. Strive to keep your records up to date at all times and put in place ways to identify inaccurate information.

Security Control

It's your duty to protect users' personal information. You must therefore put in place all necessary measures to prevent loss, leakage, or even destruction of the information you handle. Encrypt and anonymize user data whenever it's required.


Supervise employees, trustees, and any other parties you allow to handle customer information. It's up to you to check and direct the way entrusted persons handle personal information. Supervision is essential in ensuring the security of user data.

Third-Party Provision

Notify your customers before you share their personal data with third parties. However, you can provide personal information to a third party if it is required by law or if the intention is to save life or prevent the destruction of fortune.


Delete an individual's personal information when you don't need it anymore or when the purpose of utilization expires.


An individual may demand to know the personal information related to them that a business holds. You must disclose all retained personal data pertaining to a customer if the owner makes such a request.


Customers are free to ask for a correction of their data if they feel that the information you hold about them is incorrect or requires additional details. You must make these changes when your customers request them.

Overseas Transfer

If your business needs to transfer user data to a party in a foreign country, proceed after seeking additional consent from the users.

Rights of Data Owners

The APPI allows individuals to request that businesses disclose the purpose of collecting their personal information and how they can make changes to their data (if necessary). Data subjects also have a right to request that businesses delete their personal information.

Customers who request disclosure of their personal information can get it in hard or soft copy.

If you fail to answer any of these requests, an individual can sue you within two weeks.

Information a Business Must Include in Its Policy Under APPI

An operator needs to create a policy for the sake of security control. These are the details you should include in the document:

  • The business operator's name
  • A statement affirming your commitment to implementing all measures necessary to secure personal user data
  • Another statement with a message that your business is APPI compliant in all its dealings
  • Contact information individuals can use whenever they have complaints or concerns

Reporting Duties

The APPI requires you to report any breach of user data. It applies in the following circumstances:

  • A violation of users' personal information
  • Instances when user data is stolen
  • A breach that would result in economic sabotage, for example, if an individual's credit card credentials land in illegal hands

Penalties for Noncompliance

Businesses that fail to comply with the APPI are punished in various ways. Noncompliant parties may be required to pay fines ranging from 1,000,00 to 100,000,000 Yen. The PPC could punish the offender further by publicizing their names to warn others against dealing with them.

The Bottom Line

It's advisable that you understand the APPI if your business deals with or plans to work with individuals of Japanese origin.

Ensure you follow lawful means while obtaining user data, and let your users know what you intend to do with their information. Once you have acquired the data, protect it by keeping it safe from destruction or unauthorized hands. Revise the data from time to time, update it and add any extra details.

After you attain your purpose with the information, or when you simply don't need the data anymore, delete it from your systems.

Noncompliance not only leads to disciplinary action but may also jeopardize the success of your business.