Introduction

In Japan, the Act on the Protection of Personal Information (APPI)1 plays a central role in data protection legislation. There are currently not many specific regulations on industrial and other data.

Originally, Japan's approach to personal data focused mainly on stimulating industry through the use of data rather than on protecting the privacy of individuals, and the original APPI, adopted in 2003, did not ensure thorough protection of privacy. A business operator handling personal information could therefore do a great deal without the consent of the individual (referred to as the ‘data subject’ in this chapter, although the APPI itself does not use that term, since it distinguishes between personal information and personal data as described below). In particular, business operators faced no restrictions at all on the cross-border transfer of personal data when outsourcing their work to overseas operators.

Subsequently, the General Data Protection Regulation (GDPR)2 was adopted and enforced in the EU, and the Japanese government aimed to promote the circulation of personal data between the EU and Japan by obtaining an adequacy decision from the European Commission (the EU Commission) as an adequate country in terms of the level of protection of personal data under Article 45 of the GDPR (Adequacy Decision). To this end, complementary rules have been developed to bridge the gap between the APPI and the GDPR, as well as amendments to the APPI. The current APPI, which has been repeatedly amended, incorporates many of the regulations contained in the GDPR.

The Japanese government’s idea of stimulating industry through data utilisation is evident from Article 1 of the current APPI, which has not changed significantly since the APPI was enacted. This trend can also be seen in AI technology, which may explain why AI regulation is less advanced than in other countries.

This chapter will focus mainly on regulations relating to the protection of personal data, with references to other regulations where necessary.

Year in review

The APPI was enacted in 2003 and was amended in 2015, 2020 and 2021, and the 2020 Amendment Act (fully enforced in April 2022) stipulates that it must be reviewed every three years after coming into force (Article 10 of the supplementary provisions of the APPI). The Personal Information Protection Commission (PPC) has been studying the triennial review, and on 5 March 2025 published ‘Considerations on Institutional Issues of the Act on the Protection of Personal Information’. For specific details of the summary of the ‘Considerations on Institutional Issues of the Act on the Protection of Personal Information’, see ‘Study for the review of the APPI’ in ‘Outlook and conclusions’ below.

Regulatory framework

Privacy and data protection laws and standards

To embody the APPI, there are Cabinet Orders to Enforce the APPI and Enforcement Rules for the APPI.3 General guidelines for compliance with them are the Guidelines on the Act on the Protection of Personal Information (General Rules) (General Guidelines) issued by the PPC.4

Business operators handling personal information that are obliged to comply with the APPI are defined as those who use personal information databases or equivalent for business purposes (hereinafter, such business operators, together with business operators handling anonymised information, business operators handling pseudonymised information and business operators handling person-related information, are referred to collectively and individually as ‘business operators’). Since the term only covers persons in private business, the national government, local governments, independent administrative institutions and local independent administrative institutions are excluded (Article 16 (2) of the APPI).

What is unique about the APPI is that it does not apply merely to those who handle personal information, but rather to those who use personal information databases or equivalent for business purposes. The term ‘personal information databases or equivalent’ mainly refers to collections of information containing personal information that are systematically structured so that specific personal information can be retrieved by using a computer. For example, it includes email address books in which email addresses and names are stored in combination with email software, and business card information that is entered and organised by using spreadsheet software. In contrast, this does not include business cards cluttered in an office desk drawer or emails containing personal information, nor information that is recorded on CCTV or other media.

Along with this, the APPI distinguishes between personal data and personal information, limiting the scope of the regulation.

Personal information is defined in the APPI as information that (1) relates to a living individual, (2) can identify a specific individual by name, date of birth or other description contained in this information (including (3) information that can be easily matched with other information and thereby identify a specific individual) or (4) contains a personal identification code (Article 2 (1) of the APPI). Personal identification codes are, for example, codes that are converted from somebody's features for electronic processing, such as facial recognition data, fingerprint recognition data, iris, voice print, walking pattern, finger veins, palm print, or codes assigned to each user in service or documents, such as passport number, basic pension number, driving licence number, resident registration code, MyNumber5 and insurer number.

Personal data, on the other hand, refers to personal information constituting personal information databases or equivalent (Article 16 (3) of the APPI). The obligations of business operators under the APPI relating to personal data are therefore limited to this scope.

The APPI also defines a category of personal information requiring special consideration (‘sensitive information’). This includes race, creed, social status, medical history, criminal history and the fact that the person has suffered harm as a result of a crime (Article 2 (3) of the APPI). Credit card information, however, is not sensitive information, even though it may require more care than other personal information when handled, because the definition of sensitive information was established to prevent individuals from being disadvantaged by discrimination or prejudice caused by such information.

The APPI has also added provisions on anonymised information and pseudonymised information through amendments.

Anonymised information means information relating to an individual obtained by processing personal information in such a way that a specific individual cannot be identified and the personal information cannot be restored (Article 2 (6) of the APPI). In contrast, pseudonymised information is information relating to an individual obtained by processing personal information in such a way that the individual cannot be identified unless it is cross-checked with other information (Article 2 (5) of the APPI).

In general, in other countries’ legislation, anonymised data that cannot be restored falls outside personal data protection legislation, but under the APPI it remains subject to regulation. It should therefore be noted that certain obligations are imposed not only in respect of pseudonymised information, but also on business operators handling anonymised information, as discussed below.

Failure to comply with the obligations set out in the APPI may result in the PPC requesting reports, conducting on-site inspections, providing guidance, advice or admonishment, or issuing orders (Articles 146–148 of the APPI). If an order from the PPC is violated, the offender is subject to imprisonment for up to one year or a fine of up to ¥1 million in the case of an individual, and, under the dual penalty provisions, a fine of up to ¥100 million in the case of a legal entity that is the business operator. In addition, if a false report is made to the PPC, the offender and the legal entity are each subject to penalties of up to ¥500,000 (Articles 178, 182-1 and 184 of the APPI).

General obligations of business operators

The main obligations that business operators have with regard to personal information and personal data are as provided below.

Obligations in relation to personal information

The APPI states that personal information must not be acquired through deception or other wrongful means (Article 20 (1) APPI).

In addition, in handling personal information, the purpose of use must be specified to the extent possible (Article 17 (1) of the APPI). Furthermore, in principle, the purpose of use must be notified to data subjects or made public (Article 21 (1) of the APPI). For this reason, it is common for business operators to set out the purpose of use in their privacy policy and to make it publicly available on their websites. On the other hand, when a business operator acquires personal information directly from a data subject in writing (including electronic records), the business operator must, in principle, clearly indicate the purpose of use to the data subject in advance (Article 21 (2) of the APPI).

In this way, the handling of personal information is restricted and the data subject is protected by requiring the business operator to inform the data subject about how their personal information will be handled. Therefore, if the purpose of use is changed beyond the extent that is reasonably deemed to be relevant to the purpose of use or if personal information is handled beyond the extent necessary to achieve the specified purpose of use, the consent of the data subject is required because this is beyond the scope of the purpose of use initially notified to the data subject by the business operator (Articles 17 (2) and 18 (1) of the APPI).

Under the APPI, it is not necessary to obtain the consent of the data subject for the acquisition of their personal data because, as stated above, the APPI stipulates that the purpose of use must be specified, the data subject must be informed and the personal information must be handled only to the extent necessary to achieve the purpose of use. Unlike the GDPR and similar laws, the APPI does not include an overarching concept of ‘legitimate interest’ as one of the legal bases for handling personal information. Therefore, each purpose of use needs to be specified.

In principle, it is necessary to obtain the consent of the data subject in advance when acquiring sensitive information (Article 20 (2) of the APPI).

Obligations in relation to personal data

Business operators must take necessary and appropriate measures for safety management to ensure that no leakage, loss or damage of personal data (data breach) occurs (Article 23 of the APPI). For specific examples of necessary and appropriate measures for safety management, see ‘Company policies and practices’ and for information on personal data breaches, see ‘Cybersecurity and data breaches’.

In allowing employees to handle personal data, business operators must carry out necessary and appropriate supervision of such employees (Article 24 of the APPI). If the handling of personal data is outsourced in whole or in part, business operators must carry out necessary and appropriate supervision of the outsourcee (Article 25 of the APPI).

As a general rule, the prior consent of the data subject is required when personal data is provided to third parties other than the data subject. However, there are exceptional cases where business operators can provide personal data to third parties without the consent of the data subject (Article 27 (1) and (5) of the APPI).

This includes cases where it is required by law, where it is necessary for the protection of the life, body or property of a person, or where it is necessary to improve public health or promote the sound development of children and it is difficult to obtain the consent of the data subject (Article 27 (1) of the APPI).

Where personal data relating to business is provided as a result of merger, spin-off or business transfer, the party to whom the data is provided does not constitute a third party (Article 27 (5)(ii) of the APPI). In this case, it is therefore not necessary to obtain consent from the data subject. However, even after the succession of the business, the personal data must be used within the scope of the purpose of use before the personal data was provided as a result of the succession of the business.6

If personal data is provided to an outsourcee as a result of the business operator’s outsourcing of all or part of the work relating to the handling of personal data, within the scope necessary to achieve the purpose of use, such outsourcee is not considered a third party (Article 27 (5)(i) of the APPI). Therefore, in such a case, it is generally not necessary for the outsourcee to obtain consent from the data subject, because the outsourcee can only handle the personal data within the scope of the business operator’s purpose of use.

Personal data may also be provided to joint users without the consent of the data subject, provided that the items of personal data to be jointly used, the scope of the joint users, the joint users’ purpose of use and the person responsible for the management of the jointly used data are notified to the data subject in advance or made readily available to the data subject.

In other words, the APPI divides personal data sharing into outsourcing and joint use.

Obligations in relation to pseudonymised information

Business operators that have created pseudonymised information may provide it to third parties only where permitted by law (Article 41 (6) of the APPI). However, they may provide pseudonymised information through outsourcing, business succession or joint use (Articles 41 (6) and 27 (5) of the APPI).

Business operators must publish the purpose of use of pseudonymised information and handle it within the scope of that purpose (Article 41 (3) and (4) of the APPI). However, because pseudonymised information does not identify a specific individual so long as it is not matched with other information, it will not be used in connection with any individual and the risk of infringing individual rights and interests is quite low. Business operators may therefore change the purpose of use without the consent of the data subject (Article 41 (9) of the APPI).7 This allows personal data to be used for various analyses within a business.8

Pseudonymised information is not subject to leakage reporting, requests for disclosure from the data subject, or requests for correction, suspension of use or suspension of provision to third parties (Article 41 (9) of the APPI).

Obligations in relation to anonymised information

The business operators creating anonymised information must appropriately process the information so that it will not be used to identify specific individuals or to restore the personal information that was used to create such information (Article 43 (1) of the APPI).

Business operators that create anonymised information must take (1) security control measures to prevent leaks of information, including of the methods used to process the anonymised information, and (2) measures to ensure the proper handling of anonymised information, and must publish such measures (Article 43 (2) and 43 (6) of the APPI).

The business operators who have created anonymised information must, without delay after the creation of the anonymised information, make public the items of information relating to individuals contained in such anonymised information by using their websites or other means (Article 43 (3) of the APPI). In addition, when providing anonymised information to a third party, the business operator must make public beforehand the items contained in the anonymised information provided to the third party and the method of how the anonymised information was provided (Articles 43 (4) and 44 of the APPI).

When handling anonymised information, the business operators are not allowed to match anonymised information they have created or received with other information to identify the individual from whom the information was created, or to obtain information on the method of processing the anonymised information they have received, to identify the individual.

Data subject rights

The data subject may request the business operator for the disclosure (including the right to data portability), correction, addition, deletion and disclosure of records of such data subject’s personal data provided to third parties which are in the business operator’s possession.

Furthermore, if their personal data has been illegally handled or illegally obtained, the data subject may request the cessation of use, erasure or cessation of provision to third parties of their personal data. When these requests are made, the business operator must respond without delay (Articles 33–35 of the APPI).

Specific regulatory areas

Specific regulations relating to personal data mainly include the following:

Financial area

The Guidelines on the Protection of Personal Information in the Financial Sector9 (the Financial Guidelines) issued by the PPC and the Financial Services Agency are based on the General Guidelines and specifically set out the ‘exceptional measures’ that should be taken to protect personal information in the financial sector.

Under the Financial Guidelines, the business operators in the financial area generally may not acquire, use or provide to any third parties any sensitive information as defined in Article 2 (3) of the APPI or any other information relating to trade union membership, family origin, legal domicile, healthcare, and sex life that does not fall under sensitive information.

In addition, Article 27 of the APPI stipulates that, in principle, personal data may not be provided to any third parties without the data subject's prior consent. At the same time, the Financial Guidelines generally require such consent to be given in writing. The Financial Guidelines more specifically state that consent must be obtained after making the data subject aware of the recipient, the purpose of use and the items of personal data to be provided.

Medical area

The Guidance for the Appropriate Handling of Personal Information by Medical and Nursing Care-Related Businesses (the Medical Guidelines)10 issued by the PPC and the Ministry of Health, Labour and Welfare is based on the General Guidelines and provides specific points of concern and examples to support the activities of business operators, such as hospitals, clinics, pharmacies and providers of in-home services stipulated in the Long-Term Care Insurance Act,11 to ensure the proper handling of personal information.

The Medical Guidelines prohibit the acquisition of personal information by illicit means and state that, in principle, past medical history and other information necessary for medical treatment and other purposes should be obtained directly from the data subject or a person who has obtained consent from the data subject, to the extent that it is genuinely necessary.

Telecommunication area

The Act on the Appropriate Transmission of Specified Electronic Mail (Act No. 26 of 2002) provides that in principle, email sent for advertising purposes ('advertising mail') must not be sent to persons other than those who requested such advertising mail or who agreed to receive such advertising mail in advance. Even where consent has been given to the transmission of advertising mail, further transmission is prohibited if the sender receives a notification of refusal.

Technological innovation12

Cookie regulation

Cookie data itself is not personal data because cookie data itself normally does not store names or other information that can identify individuals. However, suppose a specific individual can be identified by easy reference to other information such as using cookie IDs. In that case, the cookie data together with the relevant information as a whole constitute personal information. Thus, cookie data is usually considered to be ‘person-related information’.

Where a business operator plans to provide all or part of a person-related information database to a third party and it is assumed that the recipient will acquire such person-related information as personal information, the business operator providing the person-related information must not do so without the prior consent of the data subject of the person-related information (Article 31 (1) of the APPI). For example, Article 31 (1) of the APPI applies when a business operator provides a platformer with cookie data and IDs on the assumption that the recipient platformer will use the cookie data as personal information by matching it with the personal information and IDs it already holds. In such a case, the business operator must obtain prior consent from the data subject of the cookie data for the provision of the cookie data.

Facial recognition

Camera images or facial feature data obtained from them, which can be used to identify specific individuals using a camera system with facial identification, fall under the category of personal information and are therefore covered by the APPI.

When using camera images or facial feature data as a database, business operators must specify the purpose of use to the extent possible and use the data within the scope of that purpose. In addition, business operators must not acquire personal information by wrongful means and must ensure that data subjects can easily become aware that their personal information is being acquired by the camera, for example by displaying a ‘camera in operation’ notice.

Business operators must take necessary and appropriate measures for the prevention of leakage of such personal data and other security management, taking into account their nature (in particular, the fact that facial feature data is highly immutable and enables the tracking of individual behaviour).

Behaviour-based advertising and profiling

The APPI contains no specific provisions on ‘profiling’. However, the APPI applies when information such as a person’s behaviour and interests is processed together with personal information or otherwise becomes personal information. The purpose for which the results of the analysis are used must be specified, and the purpose of use should state that such analysis and processing are carried out. Specifically, the purpose of use must include the analysis processing itself when, for example, website browsing history or purchase history is analysed to deliver advertisements tailored to the person’s interests or preferences, or when behavioural history is analysed to calculate a credit score that is provided to a third party.

International data transfer and data localisation

International data transfer

The APPI states that, in principle, prior consent of the data subject must be obtained for the international transfer of personal data to third parties outside Japan (Article 28 of the APPI). However, if the recipient ensures the same protection as in Japan, the consent of the data subject is not required.

This may include cases where the recipient’s jurisdiction has a protection system equivalent to that of Japan and where it is certain that the recipient will perform its obligations under the APPI.

The recipient’s jurisdiction having a protection system equivalent to that of Japan means the country or region where the recipient is located has a personal data protection system that is at the same level as that of Japan in protecting the rights and interests of individuals. Currently, the EU and the UK are designated as such jurisdictions by the PPC.

Since Japan has obtained the Adequacy Decision under Article 45 of the GDPR from the EU and the UK, personal data can be transferred between the EU, the UK and Japan without requiring the consent of the data subject or taking other individual measures.

In addition, a case where it is certain that a recipient will perform its obligations under the APPI is a case where the recipient has the necessary system in place to continuously take the measures required by the APPI. Specifically, the ‘appropriate and reasonable methods’ that ensure the implementation of the measures by the recipient are as set out below.

The ‘appropriate and reasonable methods’ include the execution of a contract for the protection of personal data with the recipient or the establishment of common rules within a group of companies including transferring parties.

With regard to contracts between transferring parties, there are no standard contractual clauses in Japan, and many business operators make use of GDPR-compliant Standard Contractual Clauses (SCCs) issued by the EU Commission. As for intra-group rules, binding corporate rules (BCRs) can be considered, but unlike the BCRs under the GDPR, no specific procedures such as notification to or approval by the authorities are required in Japan.

The ‘appropriate and reasonable methods’ also include the case where the recipient of personal data is accredited under an international framework, such as being a business certified under APEC's Cross-Border Privacy Rules (CBPR). If the provider of personal data has obtained this certification and outsources the handling of personal data to an outsourcee outside Japan, the ‘appropriate and reasonable methods’ also include the case where such provider is also obliged to follow the relevant rules.

The APPI does not require procedures such as prior notification to, approval from or assessment by government authorities for international transfers and therefore, international transfers of personal data are possible to recipients outside Japan without going through such procedures, provided that the above requirements are met.

However, the APPI states that, to obtain consent from the data subject, the data subject must be informed how their personal data will be protected by the recipient and what risks are involved. For this reason, when seeking the consent of the data subject to transfer their personal data to a recipient outside Japan, the APPI requires business operators to provide the data subject with information that assists their decision, such as the protection system of the country where the recipient is located or the measures taken by the recipient to protect the data.

With regard to the protection system of the recipient’s country, the PPC has a webpage outlining the protection systems of the main countries, which are generally used by business operators intending to transfer personal data abroad.13

As mentioned above, under the APPI, data obtained through cookies and other similar technologies are not subject to the regulations on international transfers because they are generally not treated as personal data.

For example, even if the data obtained by Google Analytics is transferred outside Japan, no consent or other measures are required from the data subject. The Schrems II decision of the European Court of Justice,14 which concerned the effectiveness of the Privacy Shield between the EU and the US, had an impact on the use of Google Analytics in the EU, but not on the use of Google Analytics in Japan. Furthermore, although the US has not been designated by the PPC as a country with a protection system equivalent to that of Japan, many businesses in Japan use Google Analytics.

International outsourcing

Although the APPI generally requires the consent of the data subject when personal data is provided to a third party, outsourcing of handling of personal data does not constitute the provision of personal data to a third party. International outsourcing is, therefore, regulated only from the aspect of the international transfer of personal data.

Data localisation

As mentioned above, personal data can be transferred outside Japan if certain requirements set out in the APPI are met, and there are no strict data localisation restrictions.

However, with regard to specific data in the medical area, it is generally prohibited to take such data out of Japan. Namely, the Safety Management Guideline for Information System/Service Provider Handling Medical Information, issued by the Ministry of Internal Affairs and Communications, the Ministry of Economy, Trade and Industry and the Ministry of Health, Labour and Welfare, prescribes safety management, crisis management and the allocation of responsibilities between medical institutions and the service providers that provide services to them, such as applications and platforms.15 These guidelines state that medical information and medical information systems, including medical records that are legally required to be created and stored, must be within the scope of enforcement of Japanese law. On this point, the Ministry of Health, Labour and Welfare has clarified its position that it does not prohibit the transfer of medical information to foreign countries in all cases, but will allow such transfers if appropriate mechanisms are in place to ensure compliance with Japanese law. For example, in the event of an incident, overseas recipients must be ready to provide the necessary data (e.g., log data) in response to an investigation by the Japanese regulatory authorities.

Company policies and practices

In the General Guidelines, the PPC provides examples of the specific safety management measures to be taken by business operators and the methods for putting them into practice. The table below provides an overview of them. For the ‘Examples of methods’, however, some of the contents in the guidelines mentioned above are extracted and summarised.

Details of security control measures to be taken are given as numbered headings; the examples of methods are listed beneath each measure (‘--’ indicates that no example is given).

1. Formulation of basic policy
   --

2. Development of internal regulations
   Develop rules for the handling of personal data.

3. Organisational measures
   (1) Organisational structure
       Establish a person responsible for the handling of personal data and clarify their responsibilities.
       Establish a reporting and communication system to those responsible for use when an employee becomes aware of a fact or other violation of the law or internal regulations relating to the handling of personal data.
   (2) Operation in accordance with the internal regulations on the handling of personal data
       Enable the verification of the handling of personal data through the maintenance of records and the preparation of work diaries relating to the handling of personal data.
   (3) Development of means of checking the status of the handling of personal data
       Clarify in advance the types and names of personal information databases or equivalent, so that the status of personal data handling can be ascertained.
   (4) Establishment of a system to deal with a data breach incident
       Establish a system for investigating the facts, determining the causes and reporting to the PPC and other relevant authorities in the event of a data breach incident.
   (5) Monitoring the handling situation and reviewing safety management measures
       Carry out regular inspections of the status of the handling of personal data.

4. Personnel measures
   Employee training
       Conduct regular training for employees.
       Incorporate matters relating to the confidentiality of personal data in employment regulations.

5. Physical measures
   (1) Control of areas where personal data is handled
       Control access to the room and restrict the equipment brought into the room.
       Prevent unauthorised persons from viewing personal data by installing partitions.
   (2) Prevention of theft of equipment and electronic media
       Store electronic media or documents on which personal data are recorded in a lockable cabinet or similar.
   (3) Prevention of leakage and other problems when carrying electronic media
       Encrypt and password-protect the personal data and store it on electronic media.
   (4) Deletion of personal data and disposal of equipment and electronic media
       Adopt deletion measures that cannot be easily reversed when deleting personal data in information systems, computers and other equipment.
       Use dedicated data deletion software or adopt measures such as physical destruction when disposing of equipment and electronic media on which personal data is recorded.

6. Technical measures
   (1) Access control
       Limit the number of employees who can use information systems that handle personal information databases or equivalent through access rights (i.e., the use of IDs).
   (2) Identification and authentication of persons with access
       Identify and authenticate employees using the information system by means of user IDs, passwords, magnetic and IC cards, etc.
   (3) Prevention of unauthorised external access
       Install firewalls or other means at the connection points between the information system and the external network to block unauthorised access.
   (4) Prevention of leakage and other problems associated with the use of information systems
       Ensure safety when designing information systems and review them on an ongoing basis.
       Encrypt the route or content of communications containing personal data.
       Set a password on the file when sending files containing personal data by email.

7. Understanding the external environment
   If a business operator handles personal data in a foreign country, it must take the necessary and appropriate measures for the security management of personal data, after understanding the personal data protection system in such foreign country.
   --

Public and private enforcement

Personal Information Protection Commission

In Japan, the PPC has been established to ensure the proper handling of personal information while taking into account its usefulness (Article 1 of the APPI). The PPC is an independent third-party organisation established in the Cabinet Office in January 2016 (Article 130 of the APPI).16

The PPC is primarily responsible for (1) formulating and promoting basic policies for the protection of personal information, (2) supervising and monitoring the handling of personal information by business operators and mediating where necessary in response to complaints, (3) publicising and raising awareness of personal information protection, and (4) international cooperation (Article 132 of the APPI).

The PPC has also established and published guidelines and Q&As containing interpretations of the APPI and case studies. In addition, from time to time, the PPC also issues alerts when there are matters that need to be taken into account when handling personal information protection.

As mentioned above, the PPC is an independent third-party organisation, but it also acts in concert with relevant ministries and agencies as necessary. For example, if leakage of personal information stored in electronic files has occurred or is feared to have occurred, the PPC cooperates with cybersecurity-relevant ministries and organisations, including the National Centre of Incident Readiness and Strategy for Cybersecurity, to investigate the facts and cause.17

As mentioned above, the PPC also supervises business operators and other operators. In supervising business operators, the PPC has the power to perform the following acts:

  1. collection of reports, requests for submission of documents, and onsite inspections (Article 146 (1) of the APPI);
  2. guidance and advice (Article 147 of the APPI);
  3. admonishment of cessation or other corrective measures for violation of obligations under the APPI (Article 148 (1) of the APPI);
  4. order to take such measures if the recipient of the admonishment referred to in item 3 above fails to take the admonished measures without justifiable reasons (Article 148 (2) of the APPI); and
  5. emergency order to cease and desist or take other measures to correct the violation if the act is in breach of an obligation under the APPI and infringes serious rights and interests of an individual (Article 148 (3) of the APPI).

Significant recent alerts and supervision by the PPC

Alert on the use of generative AI services18

In light of the provision of generative AI services, on 2 June 2023, the PPC alerted business operators, administrative bodies and general users on the handling of personal information when using generative AI services.

The PPC required service providers of generative AI services to first confirm that the input of prompts containing personal information into the generative AI service is limited to the scope necessary to achieve the identified purposes of use of such personal information. The PPC also required the service providers, when entering prompts containing personal data into generative AI services without obtaining the prior consent of the data subject, to sufficiently confirm, among other things, that such personal data will not be used for machine learning.

At the same time, a detailed alert was also issued to OpenAI, LLC, and OpenAI OpCo, LLC, the providers of ChatGPT, regarding not obtaining sensitive information of users and non-users, and notifying or making public in the Japanese language the purpose of use of personal information of these individuals.19

Alert on the use of DeepSeek20

On 3 February 2025 (updated 5 March 2025), the PPC pointed out that the generative AI service newly developed and provided by DeepSeek21 differs from other services provided in Japan, and issued a warning regarding its use after providing information on the following points.

  1. Data, including personal information acquired by DeepSeek in connection with the use of its service, will be stored on servers located in the People's Republic of China.
  2. The laws of the People's Republic of China will apply to such data.

Charge by the PPC with the relevant investigating authorities

This is a case in which a business operator continuously posted the personal information of a number of bankrupt persons on its website. On 20 July 2022, the PPC admonished the business operator to immediately cease posting such personal information on the website: because there was a risk of inducing discrimination on the basis of personality and property, the posting constituted inappropriate use in violation of Article 19 of the APPI.22 However, the business operator failed to comply with the admonishment without justifiable reasons, and therefore the PPC issued an order against the business operator on 2 November 2022 to immediately stop posting personal information on the said website.23 Furthermore, because the business operator failed to comply with the order without justifiable reasons, the PPC filed a complaint with the relevant investigative authorities on 11 January 2023, and the business operator became subject to the penalties under the APPI.24

Private lawsuit

Requests for deletion of search results

In the case in question, a petitioner of provisional injunction requested the search engine operator, Google Inc to remove from the search results items containing the URLs of websites where articles containing a fact relating to his privacy, namely an arrest record relating to child prostitution, were published.

On 31 January 2017, the Supreme Court did not allow the removal of these items, but stated, for the first time, the requirements for the court to grant the deletion request.25 In doing so, the Supreme Court indicated that, in addition to life, body and honour, the right to demand an injunction is recognised for privacy.

Specifically, if, after weighing the legal interests of the individual in not having such privacy-related facts made public against the various circumstances relating to the reason for the business operator providing the URLs in the search results, it is clear that the legal interests of the individual prevail, the individual may request the business operator to remove the URLs from the search results. The factors to consider here include the nature and content of the fact in question, the extent to which the fact in question is communicated through the provision of the URLs and the degree of concrete damage suffered by the individual, the individual’s social status and influence, the purpose and significance of the articles in which the fact concerning privacy is described, the social situation at the time when the articles were published, and any subsequent changes in society.

On 24 June 2022, the Supreme Court rendered its decision by using the above requirements.

In the case in question, a plaintiff in civil litigation requested that Twitter, Inc delete a tweet with a link to a news article about the facts that he had been arrested for allegedly breaking into the changing room of a women’s bathhouse in a Japanese inn. The plaintiff argued that his interest in not having the privacy-related facts published unnecessarily had been infringed. The Supreme Court ordered the deletion of the tweet. The Supreme Court stated that the legal interest of the arrested person in not having the facts of the offence made public and the legal interest of Twitter, Inc in continuing to publish the targeted tweets were to be weighed against each other to determine whether the deletion was necessary.26

However, Japanese courts generally have not often ruled in favour of removing articles and other items.

Cases claiming damages for the leakage of personal data

As for claims for damages relating to the leakage of personal information, there is a case in which an employee of a subcontractor of a group company of the service provider, which developed and operated a system for a client engaged in the distance learning business, acquired and then sold the personal information of the client’s customers. The customers who suffered damage from the information leakage claimed damages against the client and (or) the service provider. In this case, several lawsuits filed by different plaintiffs were pending. In the judgments of the courts that approved the claims, the amount of damages was set at between ¥2,000 and ¥3,300 per person.27

In addition, court decisions that have recognised compensation for the leakage of personal information include the Osaka High Court’s judgment of 25 December 2001, which set the amount of compensation to an individual for the unauthorised leakage of basic resident register data at ¥10,000,28 and the Osaka High Court’s judgment of 21 June 2007, which set the amount of compensation to an individual for the external leakage of personal information via internet connection services at ¥5,000 per individual.29

Thus, in Japan, although the amount of compensation for a single victim tends not to be very high in cases where personal information has been leaked, the total amount is expected to be somewhat high due to the large number of victims when personal information leakage becomes an issue.

Cybersecurity and data breaches

Cybersecurity legislation

In Japan, the Basic Act on Cybersecurity (Act No. 104 of 2014) has been enacted with regard to cybersecurity. Its content merely defines the basic principles of cybersecurity and stipulates the responsibility of the country to formulate cybersecurity strategies and other basic matters. Specific measures are set out in individual laws, including the Telecommunications Business Act (Act No. 86 of 1984), the Wire Telecommunications Act (Act. No. 96 of 1953), the Radio Act (Act No. 131 of 1950), the Act on the Appropriate Transmission of Specified Electronic Mail (Act No. 26 of 2002), the Act on the Prohibition of Unauthorised Computer Access (Act No. 128 of 1999) and the Copyright Act (Act No. 48 of 1970).

The PPC provides examples of detailed methods for the security management of personal data in its General Guidelines, as explained in ‘Company policies and practices’ above.

Personal data breach

The 2020 Amendment Act of the APPI requires reporting to the PPC and notification to the data subject in data breach cases that are highly likely to harm the rights and interests of individuals.

A personal data breach is a situation involving a security breach of personal data, such as a leakage. Typical examples of leakage include misdelivery of documents, misdirected emails, making personal data available on the internet, theft of media and theft through unauthorised access. Data breaches that are not leakage, but are data breaches, include accidental disposal and loss. One of the notable forms of data breach in Japan is the leakage of personal data through paper. The cases that must be reported to the PPC are data breaches (1) that involve sensitive information, (2) that may cause property damage to the data subject due to unauthorised use, (3) that may have been committed for unauthorised purposes, or (4) that affect more than 1,000 data subjects, even if it cannot be confirmed that the breach has occurred.

Of these four cases, with regard to (3) data breaches that may have been committed for unauthorised purposes, the 2023 amendment to the Enforcement Rules for the APPI (enforced on 1 April 2024) stipulates that even if the subject of the breach is personal information, and not ‘personal data’ constituting a personal information database or equivalent at the time of the breach, it may still be considered a personal data breach if the business operator has acquired or intends to acquire such personal information with the intention of handling it as personal data. For example, even where personal information entered by users into an input form on an e-commerce site operator’s server is leaked through web skimming before it is stored, it will be subject to the reporting obligation.

Matters to be reported in the report should include (1) an overview of the data breach, (2) the items of personal data involved in the data breach, (3) the number of data subjects, (4) the cause, whether there is secondary damage or the threat of secondary damage and the nature thereof, (5) the response to the data subjects, (6) the status of public disclosure (and if not, the reasons), (7) measures to prevent recurrence, and (8) other matters that may be of interest (including the occurrence of a data breach in another country or reporting to the supervisory authority of another country).

In principle, reports to the PPC should be made twice, once as a preliminary report and once as a final report.

The preliminary report must be made within three to five days after becoming aware of the data breach. It is not necessary to state at the time of the preliminary report any matters that are unknown or unaddressed. On the other hand, the final report must be submitted within 30 days (or within 60 days if the data breach was committed for unauthorised purposes) after becoming aware of the data breach and must include all matters. This deadline is very strict and failure to meet it may result in guidance, admonishment or order from the PPC.

As a general rule, data breaches that are required to be reported to the PPC must be notified to the affected data subject.
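The reporting rules summarised above (the four reporting grounds, the 1,000-data-subject threshold, the three-to-five-day preliminary report and the 30- or 60-day final report counted from awareness) can be encoded as a small incident-triage helper. The following is an added example, not part of the chapter or of any PPC publication; the `BreachFacts` structure, function names and sample cases are constructed, and the encoding follows the chapter's summary rather than the text of the Enforcement Rules.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed encoding of the reporting criteria as summarised in the chapter.
AFFECTED_THRESHOLD = 1000              # ground (4): "more than 1,000 data subjects"
PRELIMINARY_WINDOW_DAYS = (3, 5)       # preliminary report: 3 to 5 days after awareness
FINAL_DEADLINE_DAYS = 30               # final report: 30 days after awareness
FINAL_DEADLINE_DAYS_UNAUTHORISED = 60  # 60 days if committed for unauthorised purposes


@dataclass
class BreachFacts:
    """Facts known at triage time (hypothetical structure, not a PPC form)."""
    description: str
    involves_sensitive_info: bool         # ground (1)
    risk_of_property_damage: bool         # ground (2): unauthorised use could cause loss
    possibly_unauthorised_purpose: bool   # ground (3): intrusion, web skimming, insider theft
    affected_count: int                   # ground (4); an estimate is enough, since a
                                          # breach that "may have" occurred still counts
    became_aware_on: date


def reporting_grounds(f: BreachFacts) -> list[str]:
    """Return the reporting grounds (1)-(4) triggered by the facts; empty if none."""
    grounds = []
    if f.involves_sensitive_info:
        grounds.append("(1) sensitive information involved")
    if f.risk_of_property_damage:
        grounds.append("(2) risk of property damage through unauthorised use")
    if f.possibly_unauthorised_purpose:
        grounds.append("(3) possibly committed for unauthorised purposes")
    if f.affected_count > AFFECTED_THRESHOLD:
        grounds.append("(4) more than 1,000 data subjects affected")
    return grounds


def reporting_deadlines(f: BreachFacts) -> dict:
    """Preliminary-report window and final-report due date, counted from awareness."""
    aware = f.became_aware_on
    final_days = (FINAL_DEADLINE_DAYS_UNAUTHORISED if f.possibly_unauthorised_purpose
                  else FINAL_DEADLINE_DAYS)
    return {
        "preliminary_report_from": aware + timedelta(days=PRELIMINARY_WINDOW_DAYS[0]),
        "preliminary_report_by": aware + timedelta(days=PRELIMINARY_WINDOW_DAYS[1]),
        "final_report_by": aware + timedelta(days=final_days),
    }


def assess(f: BreachFacts, today: Optional[date] = None) -> dict:
    """Triage verdict: report to the PPC or not, on which grounds, by when,
    and (if today is given) whether the final-report deadline has already passed.
    Data-subject notification follows the same trigger as the PPC report."""
    grounds = reporting_grounds(f)
    result = {"description": f.description, "report_to_ppc": bool(grounds),
              "grounds": grounds, "notify_data_subjects": bool(grounds)}
    if grounds:
        deadlines = reporting_deadlines(f)
        result.update(deadlines)
        if today is not None:
            result["final_report_overdue"] = today > deadlines["final_report_by"]
    return result


# Constructed sample cases (dates and counts are invented for illustration).
SAMPLE_CASES = [
    BreachFacts("Web skimming on checkout form; data never stored as personal data",
                False, False, True, 250, date(2024, 5, 1)),
    BreachFacts("Single misdirected e-mail containing one customer's address",
                False, False, False, 1, date(2024, 5, 1)),
    BreachFacts("Box of paper application forms lost in transit",
                False, False, False, 1500, date(2024, 5, 1)),
]

if __name__ == "__main__":
    for case in SAMPLE_CASES:
        print(assess(case, today=date(2024, 5, 10)))
```

The first sample case is the web-skimming situation described above: the count is far below the threshold and no sensitive data is involved, yet ground (3) alone makes it reportable and extends the final report to 60 days.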

In addition to the above, as mentioned in ‘Specific regulatory areas’ in the ‘Regulatory framework’ section above, special guidelines have been formulated for specific areas, such as financial and medical. In such special guidelines, reference is made to the content of reports on personal data breaches tailored to the specifics of such area, as well as the supervisory body responsible for overseeing the reporting.

Business operators in the financial area must report data breaches to the Commissioner of the Financial Services Agency and, in some cases, to the head of the local government, and the cases they are required to report are broader than those for general business operators.

In the medical area, the Ministry of Health, Labour and Welfare has issued a notification, ‘Strengthening Cybersecurity Measures in Medical Institutions’, alerting medical institutions (including hospitals, clinics and pharmacies) to take measures such as checking the security management systems of relevant parties including the supply chain, risk reduction measures, early detection and incident response.

Special considerations

The Unfair Competition Prevention Act (Act No. 47 of 1993) protects ‘limited provision data’ together with trade secrets. Under Japanese law, ownership rights are granted only to tangible objects and except in special cases such as database protection, there was no legal system to protect the data itself. Therefore, the amendment of the Unfair Competition Prevention Act in 2018 established provisions on limited provision data as a mechanism to protect socially useful data and its accumulation from unauthorised acquisition, use and disclosure, to promote the creation, collection, accumulation and utilisation of data leading to the spread of IoT and AI technologies.

Limited provision data refers to technical or business information that is stored and managed in substantial quantities by electromagnetic means as information to be provided to specific persons in the course of business. This makes data that does not fall under the category of trade secrets eligible for protection. However, to be protected as limited provision data, a substantial amount of data must be stored. This ‘substantial amount’ is determined by taking into account the added value created by the accumulation of data, the potential for utilisation, the transaction price, and the effort, time and cost spent on collection and analysis.

Like trade secrets, unauthorised acquisition of limited provision data, use of the data for unauthorised purposes or use of the data with the knowledge that it has been illegally acquired or disclosed is prohibited as an act of unfair competition, and penalties of unfair competition are applicable. However, there is no mechanism for reporting to supervisory authorities.

Outlook and conclusions

GDPR

On 23 January 2019, the EU Commission and the PPC certified each other as having adequate systems for protecting personal data, but this certification must be reviewed regularly. Therefore, the EU Commission and the PPC conducted a joint review, and on 22 March 2023 the PPC decided to continue the designation of the EU (EEA) and the UK as jurisdictions having a protection system equivalent to that of Japan pursuant to Article 28 of the APPI. The EU Commission also decided on 3 April 2023 to continue the Adequacy Decision under Article 45 of the GDPR.

In the future, the EU Commission and the PPC will consider the possibility of extending the scope of the adequacy decision for Japan, in light of the APPI’s extension of protection to the academic research sector and the public sector.

CBPR of APEC

Japan was approved to participate in the APEC CBPR system in 2014. The Japan Institute for Promotion of Digital Economy and Community was accredited as an accountability agent in January 2016 and certified for the first time in December 2016. As of January 2024, there are four operators in Japan with CBPR certification.

The PPC is actively engaged in raising awareness and promoting participation in the CBPR by organising workshops inside and outside Japan.

Study for the review of the APPI

The PPC published the ‘Considerations on Institutional Issues of the Act on the Protection of Personal Information’ on 5 March 2025.30 In summary, the study covers the following main issues.

Overall, it puts emphasis on the perspective of protecting individual rights and interests. From this perspective, it first reviews the requirements of the APPI. Specifically, it discusses relaxing the requirements for obtaining consent from data subjects and the obligation to notify data subjects when doing so would not harm the data subjects' rights and interests; conversely, it also discusses setting an age limit for protection in order to protect the rights and interests of children.

In addition, with the diversification of the ways in which personal data is handled, it discusses the appropriate risk-based regulations. These include (1) the obligations tailored to the actual circumstances of outsourcing, (2) the introduction of regulations corresponding to the potential infringement of data subjects’ rights and interests with regard to person-related information, including cookie IDs, which are subject to limited regulations in Japan, and (3) the strengthening of regulations on the handling of facial feature data that may be acquired without the data subjects being aware of it.

The study also discusses strengthening the authority of the PPC to make regulations effective, expanding the scope of criminal penalties, introducing a monetary penalty system, introducing a class action system similar to consumer protection, and simplifying the reporting of data breach.

Conclusion

In conclusion, Japan is committed to developing new laws and regulations and amending existing laws and regulations so that its laws and regulations will be consistent with the laws and regulations of other countries, with its current focus on personal data protection. Therefore, it is expected that Japan will continue to develop new laws and regulations and amend its existing laws and regulations on personal data protection, including the APPI, on an ongoing basis.

Footnotes

  1. Act No. 57 of 2003.
  2. General Data Protection Regulation (Regulation (EU) 2016/679).
  3. Cabinet Order to Enforce the Act on the Protection of Personal Information (Cabinet Order No. 507 of 10 December 2003), and the Enforcement Rules for the Act on the Protection of Personal Information (Rules of the Personal Information Protection Commission No. 3 of 5 October 2016).
  4. Issued in November 2016, last amended in December 2023, https://www.ppc.go.jp/files/pdf/240401_guidelines01.pdf.
  5. MyNumber is a number issued by the Japanese government to efficiently manage information in the areas of social security, tax, and disaster countermeasures, and to verify that information on individuals held by multiple agencies is that of the same person.
  6. 3-6-3, Guidelines on the Act on the Protection of Personal Information (General Rules).
  7. Q21, Shojihomu ‘One Question and Answer: Amendment of Act on the Protection of Personal Information in 2020’, Kiyoshi Sawaki.
  8. Q6, id.
  9. Issued in March 2024, https://www.ppc.go.jp/files/pdf/240312_kinyubunya_GL.pdf.
  10. Issued on 14 April 2017, last amended in March 2024, https://www.ppc.go.jp/files/pdf/01_iryoukaigo_guidance6.pdf.
  11. Act No. 123 of 1997.
  12. For more information, please see Q&As on ‘Guidelines on the Act on the Protection of Personal Information’, https://www.ppc.go.jp/files/pdf/2403_APPI_QA.pdf.
  13. The PPC Webpage, https://www.ppc.go.jp/enforcement/infoprovision/laws/.
  14. Data Protection Commissioner v. Facebook Ireland Ltd, Maximillian Schrems, CJEU, 16 July 2020.
  15. Issued in August 2020, last amended in July 2023, https://www.meti.go.jp/policy/mono_info_service/healthcare/01gl_20230707.pdf.
  16. Act No. 65 Extra Edition of 9 September 2015.
  17. Personal Information Protection Commission, ‘Strengthening Cooperation between the Personal Data Protection Commission and Cyber Security Relevant Ministries and Organisations - Organisation of Cooperation Mechanisms and Conclusion of Memorandum of Understanding’ (15 March 2023), https://www.ppc.go.jp/files/pdf/230315_renkei.pdf.
  18. Personal Information Protection Commission, ‘Alert on the use of generated AI services’ (2 June 2023), https://www.ppc.go.jp/files/pdf/230602_alert_generative_AI_service.pdf.
  19. For a summary of the alert, see Personal Data Protection Commission, ‘Summary of the Alert to OpenAI’ (2 June 2023), https://www.ppc.go.jp/files/pdf/230602_alert_AI_utilize.pdf.
  20. Personal Information Protection Commission, ‘Information on DeepSeek’ (5 March 2025), https://www.ppc.go.jp/news/careful_information/250203_alert_deepseek/.
  21. Hangzhou DeepSeek Artificial Intelligence Co, Ltd, Beijing DeepSeek Artificial Intelligence Co, Ltd and their affiliated companies.
  22. Administrative Action by the PPC (20 July 2022), https://www.ppc.go.jp/files/pdf/220720_houdou.pdf.
  23. Administrative Action by the PPC (2 November 2022), https://www.ppc.go.jp/files/pdf/221102_houdou.pdf.
  24. Administrative Action by the PPC (11 January 2023), https://www.ppc.go.jp/files/pdf/230111_houdou.pdf.
  25. John Doe v. Google, Inc, Supreme Court Civil Casebook, Vol. 71, No. 1, p. 63.
  26. John Doe v. Twitter, Inc, Supreme Court Civil Casebook, Vol. 76, No. 5, p. 1170, Hanrei Times Vol. 1507 (2023), p. 51.
  27. This includes Benesse Co v. Synform Co, Tokyo District Court, 27 December 2008 (Hanrei Times No. 1460, p. 209), Tokyo High Court, 27 June 2019, https://www.courts.go.jp/app/files/hanrei_jp/945/089945_hanrei.pdf, Tokyo High Court, 27 June 2019 (Hanrei Jiho No. 2440, p. 39), and Tokyo District Court, 6 September 2019 (Hanrei Hisho L07430189, D1-Law 28273526).
  28. Uji Citizens et al. v. Uji City, Kyoto, Hanrei Chiho Jichi No. 265, p. 11.
  29. Class action lawsuits against Softbank BB Co and Yahoo Japan Co, Hanrei Hisho L06221131, D1-Law 28145194.
  30. Personal Information Protection Commission, ‘Considerations on Institutional Issues of the Act on the Protection of Personal Information’, https://www.ppc.go.jp/files/pdf/seidotekikadainitaisurukangaekatanitsuite_250305.pdf.