Act on the Protection of Personal Information (APPI)
The APPI is Japan's principal data protection law, originally enacted in 2003 and significantly amended over time, with the most recent major amendment effective 1 April 2022. It is enforced by the Personal Information Protection Commission (PPC) and governs how businesses handle personal information, including sensitive data and cross-border transfers.
Who it applies to
The APPI applies to personal information handling business operators, meaning businesses that handle personal information in the course of their operations. This includes foreign operators that handle the personal information of individuals in Japan in connection with supplying goods or services.
Identity requirements
- Specify and notify or publicly announce the purpose of using personal information and use it within that purpose
- Obtain prior consent before acquiring sensitive personal information (special care-required personal information)
- Obtain consent and meet transfer conditions before providing personal data to third parties, including cross-border transfers
- Take necessary and appropriate security control measures to protect personal data
- Honor individuals' rights to disclosure, correction and cessation of use of their retained personal data
- Report leaks of personal data to the PPC and notify affected individuals where required
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Customer identity & consent (CIAM) | Purpose specification and consent rules shape how identity and personal data are collected and used in customer systems. |
| Data residency & cross-border transfer | Transfers of personal data abroad require consent or equivalent safeguards and added transparency to data subjects. |
| Breach notification | Leaks of personal data must be reported to the PPC and affected individuals where prescribed thresholds are met. |
| Audit, logging & accountability | Operators must implement security control measures and remain accountable for personal data handling. |
Penalties
The PPC can issue guidance, recommendations and corrective orders; violating an order can lead to criminal penalties, including imprisonment or fines, with higher fines for corporations.
APPI: frequently asked questions
- Who enforces the APPI?
  - The Personal Information Protection Commission (PPC), an independent central authority, supervises and enforces the APPI, including inspections, recommendations and corrective orders.
- Does the APPI apply to companies outside Japan?
  - Yes. Foreign business operators that handle the personal information of individuals in Japan in connection with supplying goods or services are subject to the APPI.
- Is breach reporting required under the APPI?
  - Yes. Since the amendments effective April 2022, operators must report qualifying leaks of personal data to the PPC and notify affected individuals.