Japan · Reviewed April 2026

What Is the Act on the Protection of Personal Information?

The Act on the Protection of Personal Information (APPI, Law No. 57 of 2003) is Japan's national data protection law. Originally enacted in 2003, it was comprehensively amended effective April 2022 to strengthen data subject rights, introduce mandatory data breach notifications, create cross-border data transfer rules, and establish significant penalties. APPI is enforced by the Personal Information Protection Commission (PPC), an independent agency established by the 2015 amendments, which centralized previously sectoral enforcement.

Japan and the EU recognized each other's data protection regimes as adequate in January 2019 (Japan being the first country to receive a full EU adequacy decision post-GDPR), facilitating bilateral data flows without additional safeguards.

The 2022 amendments introduced: mandatory breach notification to the PPC and affected individuals for certain breaches (72 hours for initial notice, 30 days for detailed); data subjects' rights to request cessation of use, deletion, or cessation of third-party provision; a new 'pseudonymized information' category with lighter obligations; and expanded cross-border transfer requirements.

At a glance

Full name: Act on the Protection of Personal Information
Short code: APPI
Jurisdiction: Japan
Enacted: 2003
Last major update: Major amendment April 2022; triennial review ongoing (2025 amendments proposed)
Regulator: Personal Information Protection Commission (PPC)
Private right of action: Limited

Scope — who APPI covers

'Business operators handling personal information' — any entity (with certain government exceptions) that uses a personal information database for business. The small-business exemption that previously applied to operators handling data of 5,000 or fewer individuals was removed in 2015.

Protected data

Personal information: information about a living individual identifiable by name, date of birth, or other description, plus information that can be collated with other information to identify a specific individual. 'Special care-required personal information' (race, creed, social status, medical history, criminal record, experience of harm from crime) requires opt-in consent.

Data subject rights

Right of disclosure — request the business operator disclose what personal information is held

Right of correction, addition, or deletion of incorrect personal information

Right to request cessation of use or deletion when handling has been unlawful (2022 amendment expanded this)

Right to request cessation of third-party provision

Right to request disclosure of provision records (who the data was shared with)

Right to receive data in a digital format for portability-type use cases (not a formal portability right)

Right to file a complaint with the PPC

Notable features

APPI's distinctive features include the 'opt-out' provision for third-party data sales (Article 27(2)) — a legacy provision that allows certain data sales without consent if the operator provides notice to the PPC and data subjects can opt out. This differs markedly from GDPR's consent-based framework. Japan also has a unique 'pseudonymized information' category (2022 amendment) that allows limited processing without individual consent for research and product development. EU-Japan mutual adequacy is the first such mutual recognition post-GDPR.

Enforcement & penalties

Regulator: Personal Information Protection Commission (PPC)

Penalties: 2022 amendments significantly raised corporate penalties: up to ¥100 million (approximately USD 670,000) for providing personal information databases for unlawful commercial purposes. Individuals face up to ¥1 million and one year imprisonment for similar violations, or up to ¥500,000 for failing to comply with PPC orders. The PPC can also issue orders with public disclosure — a significant reputational sanction in Japan.

Private right of action: APPI does not create a specific statutory private right of action with set damages, but individuals can bring tort claims under the Civil Code for harm arising from APPI violations — courts have consistently recognized privacy-rights torts. Class actions are unusual in Japan but collective consumer redress is available via qualified consumer organizations.

Relevance to data brokers

Japanese data brokers (known as 'meibo-gyosha', or list brokers) have operated under APPI's opt-out provision (Article 27(2)) for decades, though the 2022 amendments added notification requirements. Foreign data brokers handling data of Japanese residents face APPI obligations — particularly the PPC's cross-border transfer rules, which require the recipient to provide equivalent protection. PPC enforcement has been notably active on cross-border transfers and breach handling since 2022.

FAQ

Is there an adequacy decision between the EU and Japan?

Yes — the EU and Japan mutually recognized each other's data protection as 'adequate' in January 2019. This allows personal data to flow between the EU and Japan without the additional safeguards normally required under GDPR Article 46. Japan was the first country to receive mutual adequacy with the EU.

How do I file a complaint under APPI?

Complaints can be submitted to the PPC Call Center via ppc.go.jp/en/aboutus/submissions_inquiries/. Most individuals are encouraged to first approach the business operator's personal information complaint desk. Local consumer centers (shouhi seikatsu senta) also handle privacy inquiries.

What is the 'opt-out' provision in APPI?

Article 27(2) allows business operators to provide personal information to third parties without obtaining consent, if they (1) notify the PPC, (2) notify data subjects or make the notice readily available, and (3) stop providing the information of any data subject who opts out. This is narrower than it once was — 2022 amendments excluded certain sensitive data and tightened notification requirements.
