APPI (Japan)

The Act on the Protection of Personal Information is Japan's comprehensive privacy law. The 2022 amendments strengthened cross-border transfer rules and data subject rights, aligning more closely with GDPR.

APPI overview

The Act on the Protection of Personal Information (Act No. 57 of 2003, substantially amended in 2015, 2020, and 2022) is Japan's comprehensive privacy law. It is enforced by the Personal Information Protection Commission (PPC), which is also Japan's designated authority for the EU adequacy decision. Japan was granted EU adequacy in 2019, with mutual adequacy from Japan to the EU — a meaningful procurement advantage for EU-Japan data flows.

Key APPI requirements

APPI defines personal information broadly (any information identifying a living individual) and adds the category of "special care-required personal information" (race, creed, social status, medical history, criminal record, etc.), which requires explicit consent. The 2022 amendments introduced expanded data subject rights (request for use cessation, disclosure of usage records), a 3-day breach notification SLA for major incidents, and required appointment of a representative in Japan by foreign businesses handling Japanese personal data.

AI vendor considerations

For AI vendors targeting Japanese customers: APPI's cross-border transfer rules require either consent, transfer to an "adequately protected" country (EU is recognized; the U.S. requires supplementary measures), or specified standards equivalent to APPI. Pseudonymously processed information (kamei kako joho) was introduced in 2020 and is a useful category for model training when consent is impractical. The PPC has issued specific guidance on AI and APPI (most recently 2024), and enforcement is increasingly active in the AI domain.