Ushijima Partners
What law(s) specifically govern personal data / information?
The Act on the Protection of Personal Information (APPI) (Act No. 57 of 2003) is Japan’s principal data protection legislation, applicable to both public and private sectors.
Sectoral guidelines are jointly issued by the Personal Information Protection Commission (PPC) and relevant ministries, including:
- Telecommunications: Ministry of Internal Affairs and Communications (MIC)
- Financial: Financial Services Agency
- Healthcare: Ministry of Health, Labour and Welfare
- Genetic Information: Ministry of Economy, Trade and Industry
What are the key data protection principles in this jurisdiction?
Lawfulness and Fairness
- Personal information must be collected and handled lawfully and fairly, without deception or other improper means.
Purpose Limitation
- The purpose of use must be specified as clearly as possible at the time of collection, and personal information must not be used beyond that scope without the individual’s consent or as otherwise permitted by law.
Data Minimisation
- Only the minimum necessary personal information should be collected to achieve the specified purpose of use.
Accuracy and Currency
- Personal data must be kept accurate and up to date to the extent necessary for achieving the purpose of use.
Security Safeguards
- Necessary and appropriate measures must be taken to prevent unauthorised access, loss, destruction, falsification, or leakage of personal data.
Accountability and Transparency
- Business operators must make certain information publicly available, including their name, purpose of use, and procedures for data subject requests, and must respond appropriately to such requests.
What is the supervisory authority / regulator in charge of data protection?
The Personal Information Protection Commission (PPC)
Is there a requirement to register with a supervisory authority / regulator?
No.
Is there a requirement to notify the supervisory authority / regulator?
When providing personal data to a third party, the “opt-out” mechanism is recognised as one of the exceptions that allows such provision without obtaining the individual’s consent. However, to rely on the opt-out mechanism, it is necessary to submit a prior notification to the PPC specifying the matters prescribed by law.
Is it possible to register with / notify the supervisory authority / regulator online?
Yes, the PPC provides online submission portals for notifications and reports.
What are the key data subject rights under the data protection laws of this jurisdiction?
Right to be Informed / Right to Disclosure
- Individuals may request disclosure of the purposes for which their personal data is used, as well as disclosure of retained personal data held by the business operator.
Right to Correction, Addition, or Deletion
- If the retained personal data is incorrect, incomplete, or outdated, individuals may request its correction, addition, or deletion.
Right to Cessation of Use / Erasure
- Individuals may request cessation of use or erasure of their personal data if it has been handled beyond the stated purpose of use, obtained by improper means, or used/retained in violation of the APPI.
Right to Stop Third-Party Provision
- Individuals may request that the business operator stop providing their personal data to third parties, including cessation of provision under the opt-out mechanism.
Right to Be Informed of Third-Party Provision
- Individuals may request information about the third parties to whom their personal data has been provided.
Right to Lodge a Complaint
- Individuals may lodge complaints with the Personal Information Protection Commission (PPC) regarding the handling of their personal data.
Is there a requirement to appoint a data protection officer (or equivalent)?
Not mandatory, but recommended. Under Japan’s Act on the Protection of Personal Information (APPI), there is no statutory requirement to appoint a “Data Protection Officer” (DPO) in the same sense as under the EU GDPR. However, the APPI requires business operators handling personal information to take necessary and appropriate measures to ensure proper management of personal data, which includes appointing a person responsible for the handling of personal data within the organisation.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Under Japan’s Act on the Protection of Personal Information (APPI), there is no general statutory requirement to conduct a Data Protection Impact Assessment (DPIA) equivalent to the GDPR. However, certain industries (e.g., telecommunications, finance, healthcare) are subject to sectoral guidelines jointly issued by the Personal Information Protection Commission (PPC) and relevant ministries, which may recommend or effectively require risk assessments for high-risk processing.
Does this jurisdiction have any specific data breach notification requirements?
Notification is required when a breach, loss, or unauthorised disclosure of personal data involves any of the following:
- Sensitive (special-care required) personal information — e.g., health, criminal history.
- Risk of wrongful use — where the data may be used for fraud, identity theft, etc.
- Large-scale breaches — affecting personal data of more than 1,000 individuals.
- Other cases prescribed by PPC regulations — serious incidents specified in guidelines.
Timing and process
Two-stage reporting:
- Preliminary (prompt) report — generally within 3–5 days of becoming aware of the incident.
- Final report — after investigation is complete, covering cause, scope, and remedial measures.
Individual notification:
- Must be made promptly unless it would be difficult to do so (in which case public announcement is required).
What restrictions apply to the international transfer of personal data / information?
Under Japan’s Act on the Protection of Personal Information (APPI), the international transfer of personal data to a third party located in a foreign country is generally prohibited unless one of the following conditions is met:
Adequacy
- The recipient is located in a country designated by the Personal Information Protection Commission (PPC) as having a data protection system equivalent to Japan’s. As of now, the EU/EEA and the UK are on this adequacy list.
Data Subject Consent
- The individual has given prior consent to the transfer after being informed of the destination country and the data protection system in place there.
Appropriate Safeguards
- The recipient has established a system to continuously ensure protection of personal data equivalent to APPI standards, typically through contractual clauses or binding corporate rules, and the Japanese business operator has confirmed and documented such measures.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes. The APPI applies to foreign entities that process personal data of individuals in Japan in connection with offering goods or services.
What rules specifically deal with marketing?
Under Japan’s Act on the Protection of Personal Information (APPI) and other sectoral laws, marketing activities are regulated mainly through rules on the collection, use, and provision of personal data, as well as anti-spam provisions.
Direct marketing using personal data (APPI)
- Purpose specification — Personal data must be collected and used within the specified purpose of use disclosed to the individual at or before collection. Using data for marketing requires that “marketing” be included in the stated purpose.
- Third-party provision — Providing personal data to another entity for its marketing purposes generally requires the individual’s prior consent, unless an exception (e.g., opt-out with PPC notification) applies.
- Data subject rights — Individuals can request cessation of use or provision of their personal data for marketing purposes.
Email and SMS marketing (Act on Regulation of Transmission of Specified Electronic Mail – “Anti-Spam Law”)
- Opt-in requirement — Commercial email generally may not be sent without the prior consent of the recipient (opt-in rule).
- Sender identification — Messages must clearly identify the sender and provide a functional unsubscribe mechanism.
- Prohibition of deceptive practices — False sender information or misleading subject lines are prohibited.
Telemarketing (Act on Specified Commercial Transactions)
- Requires disclosure of certain information (e.g., identity of seller, purpose of call) and prohibits misleading representations or aggressive solicitation.
Do different rules apply to business-to-business and business-to-consumer marketing?
Under Japan’s laws, there is no broad distinction between business-to-business (B2B) and business-to-consumer (B2C) marketing in the APPI itself — the Act applies to the handling of any “personal information,” which means information about an identified or identifiable living individual.
Other laws with practical differences
- Anti-Spam Law (Specified Electronic Mail Act) — Does not distinguish between B2B and B2C; the opt-in rule applies to commercial email regardless of whether the recipient is an individual consumer or a company employee.
- Act on Specified Commercial Transactions — Primarily regulates certain B2C marketing and solicitation activities, such as door-to-door sales, mail-order sales, and telemarketing.
What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
Please see “What rules specifically deal with marketing?”
What rules specifically deal with cookies?
Cookies as “Personal Information”
- A cookie ID or similar identifier is not personal information by itself unless it can be easily matched with other data to identify a specific individual.
- If the cookie data can be linked to an identifiable person (e.g., by combining with membership registration information), it is treated as “personal information” and all APPI obligations apply (purpose limitation, consent for certain uses, security measures, etc.).
Provision of “Personally Referable Information” to a Third Party (2022 APPI amendment)
- Even if a cookie ID is not personal information, from April 2022, when a business operator provides such identifiers to a third party and the recipient is expected to acquire them as personal information (e.g., by linking with other datasets), the transfer is subject to prior consent from the individual.
- This rule effectively captures certain adtech data-sharing scenarios (e.g., cross-site targeted advertising).
Telecommunications Business Act – Rules on Cookies and Similar Technologies
- Businesses that transmit cookies or similar tracking technologies to a user’s device in connection with telecommunications services must inform users of the purposes of such transmissions, the types of information collected, and the recipients, or otherwise obtain user consent. This obligation applies regardless of whether the information constitutes “personal information” under the APPI.
Sectoral self-regulation
- The Japan Interactive Advertising Association (JIAA) has issued guidelines for online behavioral advertising, requiring notice and opt-out options for tracking-based ads.
- Major ad networks operating in Japan follow these guidelines in addition to complying with the requirements of the APPI and other relevant laws.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
Under Japan’s Act on the Protection of Personal Information (APPI) and related marketing laws, consequences of non-compliance include administrative orders, criminal penalties, and reputational sanctions.
Administrative measures (APPI)
- Recommendations and Orders — The Personal Information Protection Commission (PPC) may issue recommendations to remedy violations.
- If not complied with, the PPC can issue legally binding orders.
- Orders can apply to both domestic and foreign entities subject to APPI’s extra-territorial scope.
Criminal penalties (APPI) — Representative Examples
- Failure to comply with a PPC order:
  - Imprisonment of up to 1 year or fine up to JPY 1 million for responsible individuals.
  - Corporate fine up to JPY 100 million for the organisation.
- Unlawful provision/use of a personal information database for gain:
  - Imprisonment of up to 1 year or fine up to JPY 500,000 for responsible individuals.
  - Corporate fine up to JPY 100 million for the organisation.
- Failure to report/false reports/inspection obstruction:
Civil liability
- Individuals whose rights are infringed may claim damages under the Civil Code (tort liability) or seek injunctive relief.
Consequences under marketing laws
- Anti-Spam Law (Specified Electronic Mail Act):
  - Violations (e.g., sending without consent, false headers) can lead to PPC-equivalent administrative orders from the MIC (Ministry of Internal Affairs and Communications) and fines.
- Act on Specified Commercial Transactions:
  - Violations in telemarketing (e.g., failure to provide required disclosures, misleading statements, undue pressure) or in advertising (e.g., false or exaggerated representations) can result in administrative measures by the Consumer Affairs Agency, including instructions and legally binding orders such as suspension of part or all of business operations. Criminal penalties or fines may be imposed for certain violations specified in the ASCT.
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?
Under Japan’s Act on the Protection of Personal Information (APPI), multinational organisations without a physical presence in Japan should be aware of the following key factors when processing personal data of individuals located in Japan:
Extra-territorial scope
- The APPI applies to foreign entities that handle personal information of individuals in Japan in connection with providing goods or services to them, regardless of where the processing takes place.
Same obligations as domestic operators
- Foreign organisations in scope must comply with the full APPI regime, including purpose specification, security measures, restrictions on third-party provision, data subject rights, breach notification, and cross-border transfer rules.
Cross-border transfer restrictions
- Transfers to third parties outside Japan require adequacy, consent, or appropriate safeguards.
Breach notification requirements
- Certain personal data breaches must be reported promptly to the Personal Information Protection Commission (PPC) and to affected individuals, even if the breach occurs overseas.
No statutory local representative requirement
- Unlike the GDPR, there is no legal obligation to appoint a Japan-based representative, but appointing a contact point in Japan is recommended for PPC communications and incident response.
Enforcement risk
- The PPC may issue recommendations and legally binding orders to foreign entities. Non-compliance can result in public disclosure of the violation, criminal fines, and reputational harm.
What upcoming data protection developments should multinational organisations be aware of?
Upcoming APPI Amendments (Review Cycle in 2025)
Japan’s Act on the Protection of Personal Information (APPI) undergoes a mandatory review every three years. The next round of amendments is expected in 2025, as indicated in the PPC’s Interim Summary released in June 2024.
Key proposals currently under consideration include:
- Monetary penalties: Introduction of administrative fines alongside existing criminal penalties (e.g., damages or injunctions), enhancing enforcement tools
- Expanded rights and protections:
  - Stronger rights to suspend use or delete sensitive personal data, especially biometric data and minors’ data—even absent misuse
  - Possible exemptions for consent for certain socially beneficial uses, potentially including research, public health, and AI-driven statistical purposes, aimed at promoting innovation while balancing privacy
- Compliance incentives:
  - Reduced reporting obligations, including a potential framework under which preliminary reporting to the PPC could be waived in certain cases if the organisation’s breach-handling systems and procedures have been verified by a third party, such as a Certified Personal Information Protection Organization (e.g., JIPDEC).