In today’s global operations arena, the importance of data privacy and protection has never been more critical. Japan, like many other countries, has recognised the need to safeguard personal information and has enacted the Act on the Protection of Personal Information (APPI). But does Japan’s data privacy law apply to you? Let’s dive into the critical aspects of navigating Japan’s APPI data privacy law and understand how it may affect your business, whether based in Japan or abroad.


Who Does the APPI Apply to?


If your business is based in Japan and handles the personal data of Japanese data subjects, compliance with the APPI is mandatory. However, foreign organizations can also fall under the APPI’s jurisdiction if they meet the following criteria:

  1. Personal Scope: The APPI applies if your business handles Japanese data subjects’ personal information, regardless of location.
  2. Territorial Scope: If you collect personal data for the purpose of providing products or services and handle such data subjects’ personal information abroad, you will be subject to APPI requirements.
  3. Material Scope: The APPI covers various aspects of personal data handling, including collection, retention, use, transfer, and other related activities.


Compliance Requirements


Complying with the APPI requires a thorough understanding of its provisions. Here are some of the essential compliance requirements:

  1. Purpose of Use: Before handling personal data, you must specify a purpose for its use and inform data subjects of this purpose. Any changes to the purpose require consent.
  2. Legal Bases: You must identify a legal basis for collecting and handling personal data, which can include consent, contract, legal obligation, public interest, or the interest of the data subject.
  3. Sensitive Data: Sensitive data, such as race, religion, and medical records, requires prior consent for handling.
  4. Minimization: Personal information should only be used to the extent necessary to achieve the specified purpose.
  5. Data Deletion: Personal information should be deleted when no longer needed for the specified purpose.
  6. Data Accuracy: Implement measures to ensure that personal information is accurate and up-to-date.
  7. Security: Implement appropriate security measures to prevent unauthorized access and use of personal information, including physical security measures.
  8. Illegal Activities: Avoid involvement in the processing of personal data for illegal purposes.
  9. Employee Controls: Exercise necessary controls over employees to ensure proper handling of personal data, including access controls and security training.
  10. Data Transfers: Generally, obtain consent from data subjects before transferring personal data to third parties or overseas recipients.
  11. Data Breaches: In the event of a data breach, promptly inform the Japan Data Protection Authority (PPC) and the affected data subjects.


Legal Bases for Processing of Personal Data


When collecting or processing non-sensitive personal data, the following legal bases may apply:

  • Providing appropriate notice or making it available to the data subject.
  • Obtaining consent from the data subject for the identified purposes.
  • Necessity to perform a contract with the data subject.
  • Necessity to comply with a legal obligation.
  • Necessity to protect vital interests.
  • Necessity for public interest.
  • Necessity to fulfill legitimate interests, provided the data subject’s privacy interests are not overridden, and the data subject has not objected.


Consent for Cookies in Japan


The APPI doesn’t specify rules for cookies, as cookies are generally not considered personal information. However, consent may be required when transferring cookies to third-party recipients that can identify individuals. These are categorized as “person-related information,” and consent from data subjects may be necessary.


Penalties for Non-Compliance


Non-compliance with the APPI can result in various penalties imposed by the Personal Information Protection Commission (PPC). These penalties include requiring reports, on-site inspections, orders to remedy violations, fines, and imprisonment for responsible individuals in severe cases.

Unauthorized Disclosure of Personal Information:

  • In case of an unauthorized disclosure of personal information, whether for the benefit of the disclosing party or any third party, the penalties can be severe. Those responsible for such unauthorized disclosures, whether individuals or entities, may face imprisonment for up to one year or a fine of up to JPY 500,000.
  • If an entity is involved in the unauthorized disclosure, the penalties extend to the relevant officers, representatives, or managers responsible for the disclosure, and the entity itself may incur fines of up to JPY 100,000,000.

In conclusion, understanding and complying with Japan’s data privacy law, the APPI, is essential for businesses operating in Japan or handling the personal data of Japanese data subjects. Ignoring these regulations can lead to severe penalties, making it imperative for organizations to prioritize data privacy and protection in today’s digital age.

Formiti Global Privacy Services are helping our clients around the globe to ensure their data processing remains compliant with all global privacy laws.