Japan’s principal data protection legislation is the Act on the Protection of Personal Information (APPI). It provides the basic principles for the government’s regulatory policies and authority, as well as the obligations of private business operators that handle personal information (handling operators).

Before April 2022, national administrative bodies were regulated by the Act on the Protection of Personal Information Held by Administrative Organs and the Act on the Protection of Personal Information Held by Independent Administrative Agencies, etc. However, thereafter, the obligations prescribed in these two laws were integrated into the APPI.

In addition, local government bodies are regulated under their own local regulations (jourei), but these vary between bodies. In April 2023, the APPI introduced nationwide principles for jourei and related implementation guidelines to homogenise the administration of national data protection regulations. Under this set of amendments, standard rules regarding personal information handled by local governments are uniformly stipulated in the APPI, while jourei can only stipulate local rules in very limited situations allowed under the law.

Where a personal information handling business operator located outside Japan handles personal information outside Japan relating to individuals located in Japan in connection with the provision of goods or services to those persons, such handling is subject to the extraterritorial application of the APPI (Article 171).

For example, where a personal information handling business operator located outside Japan processes personal data outside Japan relating to users located in Japan pursuant to an outsourcing arrangement with a local business operator for the development and operation of an application intended for users in Japan, such processing by the foreign operator is considered to be in connection with the provision of goods or services to persons located in Japan and therefore falls within the scope of the extraterritorial application of the APPI.

In addition, as a general rule, personal information handling business operators located in Japan that provide personal data to personal information handling business operators located outside Japan are required to obtain the prior consent of the data subjects to the effect that the provision of personal data to third parties located outside Japan is permitted (Article 28.1).

Handling operators not limited to critical infrastructure must take necessary and appropriate action for security control over the personal data they handle, including preventing the leakage, loss or damage of or to personal data (Article 23).

Another important law is the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures (the “My Number Act”), which stipulates special rules for what is known in Japan as the Number to Identify a Specific Individual in Administrative Procedures (“My Number”), a 12-digit individual number assigned to each resident of Japan.

In June 2023, the Telecommunications Business Act (TBA) introduced a regulation about sending cookies to external parties. It also imposed new obligations regarding user information on large telecommunications service providers (TSPs) that have either 5 million paid users or 10 million free users.

Furthermore, the Personal Information Protection Commission (PPC – the regulator primarily responsible for the APPI and the My Number Act) has published guidelines for handling personal information (the “PPC Guidelines”). For some industrial sectors, the ministries with jurisdiction over them have published data protection guidelines for those sectors. For example, the Financial Services Agency (FSA) and the PPC have jointly published data protection guidelines for the financial sector, and the Ministry of Internal Affairs and Communications (MIC) has issued data protection guidelines for telecommunications business operators.

The APPI follows the Organisation for Economic Co-operation and Development’s eight Privacy Principles. Japan has reached an agreement with both the EU and the UK to certify each other’s country or territory as an “adequate” country for Japan’s and the EU/UK’s data protection purposes; this decision was renewed in March and April 2023. However, this does not mean that the APPI is identical to Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR).

Japanese data protection law is, nonetheless, closer to the EU omnibus model than the US sectoral/subnational approach in the sense that Japan has a comprehensive data protection law: the APPI.

Draft Policy Outlining Reforms

On 9 January 2026, a draft policy outlining institutional reforms was released. The draft identifies four overarching themes:

• promotion of appropriate data utilisation;
• regulation appropriately tailored to risk;
• prevention of improper use and other misconduct; and
• measures to ensure the effectiveness of regulatory compliance.

The specific policy proposals under each theme are as follows.

Promotion of appropriate data utilisation

• With respect to the provision of personal data to third parties and the acquisition of publicly available sensitive personal information, consent of the data subject will not be required where such data is used solely for the creation of statistical information or similar purposes.
• Regarding regulations on use beyond the specified purpose, acquisition of sensitive personal information, and provision to third parties:
1. consent of the data subject will not be required where, in light of the circumstances of acquisition, it is clear that the handling does not run counter to the data subject’s intent and does not harm the rights or interests of the data subject;
2. the requirement that obtaining consent be difficult will be relaxed for cases where personal data is handled for the protection of life, body or property, or for the improvement of public health; and
3. it will be expressly clarified that institutions or organisations whose purpose is the provision of medical care are included within the scope of “academic research institutions” eligible for the academic research exception.

Regulation appropriately tailored to risk

• Where the data subject is under 16 years of age, it will be explicitly stipulated that consent acquisition, notifications and similar procedures shall be directed to the legal guardian of the data subject. In addition, the requirements for requests to suspend the use of retained personal data relating to such minors will be relaxed, and a duty provision will be introduced requiring that the handling of minors’ personal information give priority to the best interests of the minor.
• With respect to facial feature data and similar information:
1. obligations will be imposed to publish certain matters relating to its handling;
2. the requirements for requests for suspension of use will be relaxed; and
3. provision to third parties based on the opt-out scheme will be prohibited.
• For businesses entrusted with data processing and similar services, the obligations concerning the appropriate handling of entrusted personal data will be reviewed.
• In the event of a data breach or similar incident, where there is little risk of harm to the rights or interests of the data subject, the obligation to notify the data subject will be relaxed.

Prevention of improper use and other misconduct

• With respect to information that does not constitute personal information but enables targeted approaches to specific individuals, improper use and unlawful acquisition of such information will be prohibited.
• For systems that permit provision of personal data to third parties without consent subject to certain conditions (opt-out schemes), obligations will be imposed to verify the identity of the recipient and the purpose of use.

Measures to ensure the effectiveness of regulatory compliance

• The requirements for issuing orders will be reviewed to enable more prompt correction of violations. In addition, recommendations or orders may be issued requiring measures necessary to protect the rights or interests of data subjects, such as notification to or public disclosure for affected individuals regarding the facts of the violation.
• A statutory basis will be established for requesting third parties who assist or facilitate violations to take necessary measures to cease such violations.
• With respect to penalties for the unlawful provision of personal information databases, acts of provision carried out for the purpose of causing harm will also be subject to punishment, and statutory penalties will be increased. In addition, penalties will be introduced for acts of unlawfully acquiring personal information through fraud or similar means.
• In order to effectively deter egregious violations involving the handling of large volumes of personal information driven by economic incentives, administrative fines will be introduced whereby, in cases of serious violations that infringe upon the rights or interests of individuals, payment of surcharges equivalent to the economic benefits obtained through the violation may be ordered.

Handling Operator Duties

The obligations of handling operators under the APPI are as follows.

• They must specify and make known to data subjects the purpose of collecting their personal information (Articles 17 and 21).
• When a handling operator changes the purpose of use beyond what can be reasonably recognised as having relevance to the original purpose of use, the data subjects’ consent is required (Articles 17.2 and 18.1). Exceptions to this consent requirement include instances when the use of information is required by law or is necessary to perform governmental duties, to protect the life, body or property of a person, or to improve public health (Article 18.3). Handling operators must not utilise personal information in a way that possibly foments or prompts unlawful or unfair acts (Article 19).
• When a handling operator obtains personal information of a person directly from documents (including electronic records) provided by that person, it must explicitly inform that person of the purpose of use in advance (Article 21.2).
• They must establish appropriate safeguards to protect personal data (Article 23).
• They must report data breach incidents to the PPC and notify affected data subjects in cases where their rights or interests are likely to be infringed (Article 26).
• They may not transfer personal data to another entity without the opt-in consent of the data subjects, unless they meet the requirements of any of the exceptions provided by the APPI (Article 27.1). These exceptions include instances where a transfer is required by law or is necessary to perform governmental duties to protect the life, body or property of a person or to improve public health or is necessary for academic or research purposes (Article 27.1(i)–(vii)). Other major exceptions include cases of entrustment of the handling of personal data to another entity, joint use of personal data with another entity, business succession resulting from a merger or other legal reasons (Article 27.5), or the filing of a notification of opt-out consent with the PPC (Article 27.2).
• They may not transfer personal data to countries that do not have sufficient data protection safeguards without the data subjects’ consent (Article 28).
• They must keep records of the provision of personal data to third parties (Article 29).
• Upon receiving personal data from other handling operators, they must confirm the providing handling operator’s compliance with applicable regulations regarding the provision of personal data and keep a record of the confirmation process (Article 30).
• They must handle pseudonymously and anonymously processed information in certain ways (Articles 41 to 46).

Entrustment

Under Article 27.5(i) of the APPI, if a handling operator entrusts all or part of the handling of personal data it acquires to an individual or another entity, that individual or entity will not be considered a third party under Article 27.1. For example, if a handling operator uses third-party vendors of handling operator services and shares personal data with those vendors for them to use on the handling operator’s behalf and not for their own use, that transfer will be deemed an “entrustment” and is not subject to data transfer restrictions.

When a handling operator “entrusts” personal data, it must exercise appropriate supervision as necessary over the entrusted person to ensure security control over the entrusted personal data (Article 25).

Joint Use

Handling operators may share and jointly use personal data with specific individuals or entities as long as the handling operator notifies the data subjects or makes the following information accessible to them (Article 27.5(iii)) before any information sharing or joint use:

• the fact that personal data will be used jointly with specific individuals or entities;
• the personal data to be used jointly;
• who the joint users are;
• the purpose of the joint use; and
• the name of the individual or entity responsible for managing the personal data (the address of the responsible individual or entity and, if it is a corporate body, the name of its representative are also required).

After this information is published or the data subjects are notified of the same, the identified joint users will not be deemed third parties within the context of Article 27 and, therefore, the handling operator and the identified joint users may share and jointly use specific items of personal data as if they were a single entity.

Business Succession

Handling operators may transfer personal data to third parties without the opt-in consent of data subjects if the transfer accompanies a business succession caused by a merger or for other legal reason (Article 27.5(ii)).

Filing of Notification of Opt-Out Consent

Under Article 27.2 of the APPI, handling operators may provide personal data (excluding special-care-required personal information and personal data acquired by improper means or provided by another handling operator pursuant to the opt-out mechanism) to third parties without the opt-in consent of data subjects if the following conditions are met:

• they agree to stop providing personal data to the third party upon the data subjects’ demand;
• they notify the data subjects in advance of certain events outlined in Article 27.2 or make such notification of events readily accessible to the data subjects; and
• they submit a notification of certain matters to the PPC.

Please note that, in practice, the PPC does not readily accept the foregoing opt-out notification unless it is not practical to seek the data subjects’ consent and it is difficult to use the other exceptions.

Data Protection Officers

The APPI has no provision mandating the appointment of privacy or data protection officers; however, handling operators must take necessary and proper measures to prevent the leakage, loss or damage of or to personal data and to implement other security controls. Under the PPC Guidelines, those measures should include the following:

• organisational security measures, such as establishing rules for handling personal data and clarifying who is responsible for supervising such handling;
• HR security measures, including educating/training employees;
• physical security measures, including controlling the areas where personal data is handled, such as servers and offices;
• technical security measures, including controlling access to personal data; and
• understanding of the external environment – this security measure, introduced in the amendments to the guidelines, requires handling operators that process personal data in foreign countries to understand the foreign country’s legal system for personal information protection and, taking that legal system into consideration, to take necessary and appropriate measures to ensure the security of personal data.

Effective since April 2024, the PPC Guidelines also require handling operators to take security control over personal information that is collected and expected to be treated as personal data to prevent cyber-attackers from intercepting it on the operators’ behalf.

The PPC Guidelines indicate the appointment of a person to be in charge of the handling of personal data as an example of a proper and necessary measure. However, although handling operators are expected to adopt the measures described in the PPC Guidelines, any failure to adopt such measures is not a direct breach of the APPI.

Under the TBA, large TSPs are required to appoint a chief manager responsible for handling user information.

Privacy By Design/Default and Privacy Impact Analyses (PIAs)

The APPI does not mandate obligations regarding PIAs. However, the PPC has issued a report titled “Promoting the implementation of PIAs – Significance of PIAs and points to keep in mind in the implementation process”, which business operators are encouraged to follow voluntarily. The APPI does not refer to the concepts of privacy by design or default, but PPC guidelines on accredited personal information protection organisations recommend that these organisations promote privacy by design.

Internal or External Privacy Policy

The PPC Guidelines recommend releasing a privacy policy or statement.

Article 32.1 of the APPI requires handling operators to make the following information regarding retained personal data available to data subjects:

• the name of the handling operator, an address for the individual or entity responsible and, if it is a corporate body, the name of its representative;
• the purposes of use of retained personal data;
• the procedures for responding to requests from data subjects to disclose, correct, suspend the use of or erase retained personal data;
• contact information for accepting complaints regarding the processing of retained personal data; and
• security measures being implemented by the handling operator.

Most handling operators typically comply by using internal and external privacy policies.

The PPC Guidelines also recommend stating the following in a handling operator’s basic policies as part of the implementation of security control measures regarding personal data:

• the name of the handling operator;
• compliance with relevant laws, regulations and guidelines;
• an explanation of security control measures regarding personal data; and
• contact details for complaints and questions.

Most handling operators typically comply by using internal and external privacy policies.

The PPC Guidelines also recommend being transparent in disclosing the entrustment of work involving personal data (eg, disclosing whether entrustment has been made and what kind of work has been entrusted).

Data Subjects’ Rights

Data subjects may request handling operators to disclose their retained personal data and the record of its provision to third parties. Handling operators must comply with these requests unless there is a possibility that the disclosure could harm the data subject’s or a third party’s life, body, property or other rights or interests, or that it could seriously interfere with the handling operator’s business (Article 33).

Data subjects may also request handling operators to correct, add or delete retained personal data. The handling operator must investigate without delay and, based on the results of the investigation, comply with these requests to the extent necessary to achieve the purposes of use of the retained personal data (Article 34).

Furthermore, data subjects may request that handling operators discontinue the use of or erase retained personal data and stop providing retained personal data to third parties if:

• the data was or is being acquired, processed or provided to a third party in violation of the APPI;
• the retention of retained personal data has become unnecessary;
• a data breach has occurred regarding the retained personal data; or
• there is a possibility that the handling of the retained personal data would harm the rights or legitimate interests of the data subjects.

However, this obligation will not apply if it will be too costly or difficult to discontinue the use of or erase the retained personal data and the handling operator takes necessary alternative measures to protect the rights and interests of the data subjects (Article 35).

“Special care-required personal information” refers to personal information that requires special care in its handling so as not to cause unfair discrimination, prejudice or other disadvantages to the individual, including information relating to a person’s race, creed, social status, medical history, criminal record, or the fact of having been a victim of a crime.

The acquisition of special care-required personal information and the provision of such information to third parties require the prior consent of the data subject, and an opt-out mechanism is not available.

Where a leakage or other incident involving personal data containing sensitive personal information has occurred, or where there is a risk of such an incident occurring, the personal information handling business operator is required to report the incident to the PPC and notify the data subject.

APPI

The APPI recognises the concept of anonymously processed information, which is defined as information obtained by processing personal information such that ordinary people cannot identify a specific data subject using the processed information or restore any personal information from the processed information (Article 2.6). This framework intends to promote the use of anonymously processed information by clarifying the rules and was expected to lead to the use of big data, innovations and new businesses. Handling operators can provide anonymously processed information to third parties without the consent of the data subjects, provided that the handling operator:

• produces the anonymously processed information in compliance with the standards set forth in the PPC Ordinance (Article 43.1);
• takes measures for security control in compliance with the standards set forth in the PPC Ordinance to prevent leakage (Article 43.2);
• discloses information that will be included in the anonymously processed information pursuant to the PPC Ordinance (Article 43.3);
• when it provides anonymously processed information to third parties, discloses information that will be included in the anonymously processed information and the medium to be used to deliver the information in compliance with the PPC Ordinance, and explicitly informs the third-party recipients that the disclosed information is anonymously processed information (Article 43.4);
• does not do anything to identify the individual (Article 43.5); and
• takes measures to secure the safe control of, and address complaints regarding, the handling of anonymously processed information and to publicly announce such measures (Article 43.6).

According to the PPC Guidelines, statistical information, meaning information that can be obtained by extracting data concerning a common element from information taken from several people and tallying them up by category, is not anonymously processed information because statistical information is not information regarding an individual and, thus, is not covered by any regulations under the APPI.

The 2020 amendment of the APPI introduced the concept of pseudonymously processed information. This is information that is processed so that it cannot be used to identify a specific individual without collation with other information (Article 2.5). Pseudonymously processed information is exempted from certain regulations under the APPI, such as restrictions on changing the purpose of use and the obligation to comply with the data subject’s rights, and report/notification obligations in the case of a data breach (Article 43).

Next-Generation Medical Infrastructure Act

In May 2023, the Next-Generation Medical Infrastructure Act was promulgated as a special act under the APPI, with the aim of promoting the use of anonymised individual medical information – such as health check-up results and medical records – for research and development in the medical field. The law establishes a new system for creating and using “pseudonymously processed medical information”.

“Pseudonymously processed medical information” refers to information that has been processed so that an individual cannot be identified unless it is collated with other information. While it requires the removal of identifiers such as names and IDs from personal information, it does not require the removal of distinctive values or names of rare diseases.

The Next-Generation Medical Infrastructure Act is broadly composed of the following three elements.

Certification of businesses creating pseudonymously processed medical information

The government certifies businesses that receive medical information from medical institutions based on notification to the individuals concerned, and that create and provide pseudonymously processed medical information (“certified pseudonymously processed medical information creation businesses”).

Certification of users of pseudonymously processed medical information

Certified pseudonymously processed medical information creation businesses may provide pseudonymously processed medical information only to users certified by the government in accordance with standards such as security management (“certified pseudonymously processed medical information user businesses”).

Certified pseudonymously processed medical information user businesses are prohibited from re-identifying the information and from providing it to third parties. However, exceptions are permitted, such as submission to the Pharmaceuticals and Medical Devices Agency (PMDA), an incorporated administrative agency that conducts pharmaceutical approval reviews, and joint use among certified pseudonymously processed medical information user businesses.

Use of pseudonymously processed medical information to support pharmaceutical approval

For the purpose of applying for pharmaceutical approval, certified pseudonymously processed medical information user businesses are permitted to provide pseudonymously processed medical information to the PMDA and other relevant bodies.

Legal problems concerning AI have been the subject of intense discussion of late, including matters such as liability for the actions of AI and ownership of rights regarding AI-created content.

On 1 September 2025, the AI Act took effect, which addresses risks associated with AI while promoting innovation. It provides for the establishment of an AI Strategy Headquarters, headed by the Prime Minister and composed of other ministers, and sets forth the basic policies for measures to be implemented by the government to promote research, development and utilisation of AI. The law also defines fundamental measures relating to AI. The AI Act expresses the government’s overall stance on AI-related matters and does not contain specific compliance obligations, requirements or penalty provisions.

The PPC published an announcement in June 2023 stating its interpretation of the APPI in the context of generative AI and requesting generative AI service providers and users to comply with the law. MIC and the Ministry of Economy, Trade and Industry (METI) published their AI Business Guidelines for AI developers, service providers and users in April 2024. These guidelines include cautions and points to note regarding privacy and data protection.

The Institute for Information and Communications Policy (IICP) and MIC have jointly published the Draft AI R&D Guidelines for International Discussions, which explain the R&D and nine other principles for research into and development of AI. These are tentative guidelines for further international discussion. MIC also published the Guidelines for AI Utilisation in August 2019, which summarise the issues that users (including service providers) are expected to pay attention to in their utilisation phase of AI in the form of “principles” and provide explanations based on the principle of a human-centred AI society. Some other AI-related associations have also published similar principles or guidelines for research into and development of artificial intelligence.

There are no regulations specific to AI data, but please note that general regulations are applicable. For example, if AI data includes personal information, the APPI applies to the processing of that data.

According to the guidelines issued by the PPC, where a business operator handling personal information becomes aware of an actual or suspected data breach, it is required to take necessary measures with respect to the following matters, depending on the nature and circumstances of the incident.

• Internal reporting and prevention of further damage – The business operator must promptly report the incident to a person in a position of responsibility within the organisation and take necessary measures to prevent the damage caused by the leakage from spreading beyond what existed when the incident was discovered.
• Investigation of the facts and identification of the cause – The business operator must take necessary measures to investigate the facts surrounding the leakage and to identify its cause.
• Identification of the scope of impact – The business operator must take necessary measures to identify the scope of impact of the leakage.
• Consideration and implementation of measures to prevent recurrence – The business operator must take necessary measures to consider and implement measures to prevent recurrence of the leakage.

Further, business operators handling personal information must report to the PPC when they become aware of a data breach in any of the following circumstances (Article 26.1):

• where actual or suspected leakage involves personal data containing sensitive personal information (see 1.3 Special Categories of Personal Data);
• where actual or suspected leakage involves personal data that is likely to result in financial harm if improperly used;
• where actual or suspected leakage results from an act directed at the business operator that is suspected to have been carried out for an unlawful purpose; or
• where actual or suspected leakage involves personal data relating to more than 1,000 data subjects.

The matters that must be reported to the PPC are as follows:

(i) overview of the incident, including the date of occurrence, date of discovery, description of the incident, person who discovered it, the applicable reporting category, the existence of an outsourcing relationship (including the identity of the principal and contractor, if any), and the course of events;

(ii) items, media and types of personal data involved in the actual or suspected leakage;

(iii) number of data subjects whose personal data was involved;

(iv) cause of the leakage and the responsible party;

(v) existence and details of secondary damage, or the risk thereof;

(vi) status of responses to the data subjects;

(vii) status of public disclosure of the fact of the leakage;

(viii) measures taken to prevent recurrence; and

(ix) any other relevant information.

Business operators handling personal information are required to submit a preliminary report within three to five days after becoming aware of the above matters, and to file a final report within 30 days. However, in cases where actual or suspected leakage results from an act directed at the business operator that is suspected to have been carried out for an unlawful purpose, the final report must be submitted within 60 days. If it is difficult for the business operator to report all of the required items in the final report, it is allowed to report only identified items at that point and to supplement the remaining items as they are identified.

Business operators handling personal information must notify the data subjects of data breaches upon becoming aware of them with respect to items (i), (ii), (iv), (v) and (ix) above (Article 26.2 of the APPI).

According to the guidelines issued by the PPC, where a data breach has occurred, it is desirable to promptly disclose information concerning the facts of the incident and the measures taken to prevent recurrence.

The PPC is tasked with enforcing and implementing the APPI, and has the following powers:

• to require handling operators to report or submit materials regarding their handling of personal information; and to enter handling operators’ offices or other locations to investigate, make enquiries and view records or other documents (Article 146);
• to provide guidance or advice to handling operators (Article 147);
• to recommend that handling operators cease any violations of the APPI and take other necessary measures to correct the violations (Article 148.1);
• to order handling operators to take necessary measures to implement the PPC’s recommendations mentioned above and rectify certain violations of the APPI (Articles 148.2 and 148.3); and
• to publicly announce any handling operators’ violations of orders issued by the PPC pursuant to Articles 148.2 and 148.3 (Article 148.4).

The PPC initiates investigations based on information obtained not only from reports submitted by business operators but also through requests for reports and on-site inspections. The PPC makes available on its website detailed guidelines concerning the APPI, which are commonly relied upon in interpreting the law, including the obligations imposed on business operators.

For some sectors, other government authorities also enforce the APPI – for example, the FSA is the relevant authority for banks, whereas MIC is the appropriate authority for TSPs. There are no regulators specifically overseeing AI data.

The PPC does not have the authority to conduct criminal investigations, and the APPI explicitly stipulates that the commission’s power to conduct on-site inspections does not include criminal investigations (Article 146.3).

It is important to note that the APPI imposes no administrative fines. Criminal sanctions may only be imposed if a handling operator:

• refuses to co-operate with or makes any false report in response to an investigation by the PPC (Article 178);
• provides a personal information database to unauthorised persons or misuses the database for unlawful gains (Article 180); or
• violates any order given by the PPC as part of an administrative sanction (Article 181).

The PPC empowers private organisations called accredited personal information protection organisations (nintei kojin jouhou hogo dantai) to handle and promote the protection of the personal information held by handling operators. These accredited organisations process complaints against handling operators or provide information on them to ensure the reliability of the businesses of those handling operators, and promote the protection of personal information. They also establish their own rules, with which their members must comply.

The PPC finds potential violations of the APPI through data breach reports submitted by handling operators, telephone consultations made through their business support desk, and media coverage. Please see 1.7 Regulators for details.

The PPC has the power to enforce administrative sanctions, but the APPI does not provide for administrative fines; please see 1.7 Regulators for details. Introduction of administrative fines is under discussion; please refer to 1.1 Overview of Data and Privacy-Related Laws for more details. The PPC provides guidance or advice and does not take further action in most cases, although it does take strong action such as issuing orders in serious cases.

In June 2024, it was discovered that insurance agents handling products from multiple non-life insurance companies had, without obtaining the consent of policyholders, provided personal data of insurance policyholders (including names, policy numbers, premiums, and the names of the insurers with which contracts were concluded) to other non-life insurance companies. In addition, employees seconded from non-life insurance companies to insurance agents were found to have, without authorisation from the host insurance agent and without the consent of the data subjects, transmitted personal data (including names, policy numbers, premiums, insurer names and policy periods) by email or other means to their insurance companies.

Following an investigation by the FSA, a business improvement order was issued on 24 March 2025. The PPC also issued administrative guidance on 30 April 2025. The authorities pointed out that the sharing of personal information among companies for the purpose of acquiring insurance contracts had become a common practice, and that there was a lack of organisation-wide awareness regarding the proper management of personal information. The case underscores the importance of prioritising legal compliance over business convenience or industry customs and maintaining a strong compliance-oriented mindset throughout the organisation.

Data subjects may go to court to seek compensation for damages or distress caused by breaches of data protection. There are two major types of legal causes.

• First, Japanese courts recognise the right to privacy, which is the right of persons not to have their private lives disclosed except for legitimate reasons. Breaching the right to privacy constitutes tort under Article 709 of the Civil Code.
• Second, if a business promises to keep personal data confidential in an agreement (such as terms of use) but then compromises the data, the legal cause of breach of contract may also be available.

In October 2017, the Supreme Court rendered a decision granting a claim for damages for the infringement of privacy in a case where a company providing correspondence education services for children was sued for damages in tort. The case arose from a personal data breach caused by a former employee of a subcontractor responsible for the development and operation of the company’s systems, who unlawfully removed a large volume of personal information relating to the company’s customers from its database.

The Court held that even if there had been no allegation or proof that the plaintiffs had been harmed beyond mere discomfort or anxiety – such as being subjected to nuisance conduct or financial loss – as a result of the data breach, it was nevertheless necessary, in so far as the leakage resulted in an infringement of privacy, to examine whether the plaintiffs had suffered mental distress from the invasion of privacy itself, as well as the existence and extent of such distress.

The Act on Special Measures Concerning Civil Court Proceedings for the Collective Redress for Property Damage Incurred by Consumers allows for class actions to be filed by consumers. Please note that claims allowed under the law are limited to property damage and emotional distress within the scope of the class action itself if the distress is caused along with property damage or by intentional conduct.

As a practical matter, multiple data subjects may select the same lawyer to represent them, and that lawyer can file a single lawsuit on their behalf, which is similar to a class action. There is no difference in the standards for court acceptance or the duration of proceedings compared with ordinary cases of a similar scale.

Internet of Things (IoT) Services

Legal problems regarding the IoT and ubiquitous sensors have been the subject of intense discussion of late, but no specific laws or regulations are currently targeting either issue. However, MIC has published guidelines regarding comprehensive measures for IoT security (July 2016).

The Information-technology Promotion Agency introduced a security requirement compliance evaluation and labelling system for security features of IoT products (JC-STAR) in March 2025.

Big Data

As for big data analytics, data sharing will typically happen between companies subject to contracts between those companies. METI has published guidelines on contracts regarding sharing (big) data between companies. Big data may contain special care-required personal information, such as medical histories. Regarding regulation of special care-required personal information, see 1.3 Special Categories of Personal Data.

Personal data that has been processed so as to render specific individuals unidentifiable does not constitute personal information under the APPI and may therefore be provided to third parties subject to certain conditions without consent.

See 3.1 Objectives and Scope of Data Regulation.

See 3.1 Objectives and Scope of Data Regulation.

See 1.7 Regulators and 1.9 Enforcement Trends.

The use of cookies, web beacons and other tracking technology is not directly regulated under the APPI. Information collected by cookies or web beacons is not automatically deemed to be personal information, but it will be if the handling operator can easily collate information collected by cookies or web beacons with the names of individuals (for example, when an internet-based company can identify the cookie IDs of customers when logged in to its website).

In this regard, the transfer of personal data to third parties – whether the data is personal data or not – is determined based on the circumstances surrounding the transferor, not the transferee. In brief, if the data is not personal data in the hands of the transferor, regulations regarding the transfer of personal data to third parties are not applicable.

In the past, some schemes emerged whereby data management platforms provided non-personal information such as user data collected by cookies (eg, user browsing histories, interests, preferences) to third parties, with the knowledge that the data will be personal data in the hands of the recipient. The PPC was concerned by the expansion of this kind of data-sharing without the involvement of (control by) the data subjects.

As a result, the concept of personally referable information was introduced in April 2022, defined as a collective set of information comprising information relating to living individuals that does not fall under personal information or pseudonymously or anonymously processed information but that has been systematically organised to be searchable using a computer for specific personally referable or similar information prescribed by cabinet order. The APPI regulates the provision of personally referable information if the provider assumes that recipients will acquire a database of the provided personally referable information as personal data. In such cases, the transferor must confirm that the transferee has obtained the data subjects’ consent to transfer their data as personal data.

Please also refer to 4.2 Personalised Advertising and Other Online Marketing Practices for the TBA regulation for technology to send information to external parties.

Behavioural advertising is not directly regulated under the APPI, but any personal information collected to provide such advertising is subject to the law. For example, the APPI has regulations for certain cookies, web beacons and other tracking technology underlying behavioural or targeted advertising. Please see 4.1 Use of Cookies. It is good practice to have a cookie policy and to offer an opt-out from using cookies (especially for behavioural advertising). The Japan Interactive Advertising Association’s guidelines are useful for gaining an understanding of good practices in Japan.

Effective since June 2023, the TBA imposed new obligations on TSPs, which have a non-trivial impact on users’ interests. More specifically, a TSP is an entity that provides:

• any services of intermediating telecommunication of others, such as email or direct messaging services;
• social media services, bulletin board systems, movie sharing services, online shopping malls, live streaming services, online games, online education or the like;
• online search engines; or
• various information, such as news, weather, movies and maps, to unspecified people.

When a TSP makes users send their information (typically including cookies) to an external party, the TSP is required to make a notification or public announcement, obtain opt-in consent or provide an opt-out mechanism with respect to certain information, including the content of the information, the name of the recipient party and the recipient’s purpose of use of the information.

The Ministry of Health, Labour and Welfare (MHLW) has issued a notice regarding the handling of health information of employees by employers, including a condition that the employer shall not handle such information beyond the scope necessary to secure its employees’ health.

Furthermore, to prevent discrimination, the Employment Security Act has special restrictions on obtaining information about job applicants during their recruitment.

The employer has the right to monitor workplace communications in relation to work and to use cybersecurity tools, insider threat detection and prevention programmes, and digital loss prevention technologies, but privacy issues may arise regarding private communications and other privacy matters at the workplace. Thus, employers are recommended to establish internal rules prohibiting the use of company PCs and email addresses for private use, and to disclose the possibility of monitoring those devices and data, including emails.

In principle, there is no special role for labour organisations or works councils regarding employment-related data privacy, but there is a general requirement for employers to obtain the opinion of the employee representative in establishing work rules.

The APPI has some special rules for data processing in relation to M&A. Where personal information is provided in connection with a business succession, it is not necessary to obtain the data subject’s consent. See“Business Succession”under 1.2 Rights and Obligations.

Handling operators are required to specify the purpose of use when acquiring personal information (Article 27(a)) and to notify the data subject of or publicly announce such purpose (Article 27(5)(ii)). The operator may use personal information only to the extent necessary to achieve the specified purpose of use.

Where the target company and the buyer are integrated through a business succession, the personal information acquired prior to the integration is considered to have been obtained for different purposes based on the respective pre-integration privacy policies or similar documents of the target company and the buyer. Accordingly, such personal information may not be used, after the integration, for purposes that were not originally contemplated. Nor is it permissible to use personal information previously held for services newly created as a result of the business integration.

In such cases, the personal information handling business operator must either obtain the data subject’s consent to change the purpose of use, or clearly classify and manage personal information by distinguishing between information acquired prior to and after the integration.

There are special restrictions on the transfer of personal data to foreign countries. In principle, the APPI requires the transferor to obtain the prior consent of individuals whose personal data will be transferred to third parties located in foreign countries (Article 28). Thus, overseas transfer restrictions will apply if a foreign company transfers user data to another company outside Japan. However, if it does so to a company in Japan, overseas transfer restrictions will not apply. These restrictions apply even in cases of entrustment and joint use, which are exceptions to local third-party data transfer restrictions.

Data subjects’ consent to overseas data transfers is not necessary only if either of the following applies:

• the PPC designates the foreign country as a country with a data protection regime with a level of protection equivalent to that of Japan (only member countries of the EEA and the UK have been designated to date); or
• the third-party recipient has an equivalent system of data protection that meets the standards prescribed by the PPC Ordinance – ie, either of the following:
1. there is assurance, by appropriate and reasonable methodologies, that the recipient will treat the disclosed personal data in accordance with the spirit of the requirements for handling personal data under the APPI; or
2. the recipient has been certified under an international arrangement recognised by the PPC regarding its system of handling personal data.

Implementation of the PPC Ordinance is provided for in the PPC Guidelines, under which the “appropriate and reasonable methodologies” referred to above include agreements between the data importer and exporter, or intergroup privacy rules, which ensure that the data importer will treat the disclosed personal data in accordance with the spirit of the APPI. With respect to recognised international arrangements, the PPC Guidelines have identified the APEC Cross-Border Privacy Rules (CBPR) as a recognised international framework for the handling of personal information.

Please also refer to 5.5 Recent Developments for additional obligations effective since April 2022.

Overseas data transfer restrictions do not require government notification or approval.

There are no data localisation requirements under the APPI.

There are no blocking statutes under Japanese law.

Effective since April 2022, international data transfers are permitted only when additional requirements are met. First, when handling operators transfer personal data to foreign countries based on the aforementioned consent mechanism, they will be required to provide data subjects with certain information, as specified by the amended ordinance issued by the PPC (the “Amended PPC Ordinance”) (Article 28.2). According to the PPC Ordinance, the foreign country’s name, information about its personal information protection system and the measures to be taken by the recipient party to protect personal information are required to be provided to the data subjects.

Second, when handling operators transfer personal data relying on the recipient’s equivalent system of data protection, they will be required to take the necessary steps to ensure that the overseas recipient continuously takes equivalent measures and to provide data subjects with certain information about the measures to be taken upon request under the Amended PPC Ordinance (Article 28.3). In this regard, according to the PPC Ordinance, one of two assurance measures is to periodically confirm the implementation status of the equivalent measures taken by the recipient and the presence or absence of systems in the foreign country that might affect the implementation of the equivalent measures. The other measure is to take necessary and appropriate measures if the recipient party’s implementation of the equivalent measures is interfered with in some way, and to suspend the provision of personal data if it becomes difficult to ensure the continuous implementation of the equivalent measures.

The PPC Ordinance also states that the following information must be provided to data subjects upon request:

• the recipient party’s equivalent system of data protection;
• an outline of the equivalent measures taken by the recipient;
• the frequency and method of confirmation of the status of the equivalent measures and of the system in the foreign country that might affect the implementation of the measures;
• the name of the foreign country;
• the presence or absence of systems in that foreign country that might affect the implementation of the equivalent measures;
• the presence or absence of any impediments to the implementation of the equivalent measures; and
• an outline of the measures to be taken in response to such impediments.

As a result, data transfers to countries where proper government access is not implemented can be difficult. An example of this difficulty is the international data transfer regulations under the GDPR raised by the Schrems II case.