Overview of Japan’s Personal Information Protection Law

by: Kensho Onoda, Poom Kerdsang


Introduction

Japan’s Act on the Protection of Personal Information (“APPI”) is a comprehensive data protection framework designed to balance the protection of individual (data subject) rights while promoting the effective use of data. APPI imposes obligations such as specifying and notifying the purpose of use, prohibiting use beyond the specified purposes, implementing security safeguards, restricting the provision of personal information to third parties, and responding to requests from individuals.

While APPI shares similarities with other major data protection regimes, including the GDPR, it also incorporates several unique concepts, such as “Personal Related Information”, that require companies entering or operating in the Japanese market to adapt their compliance frameworks accordingly.


Act on Personal Information Protection

Japan’s Act on Personal Information Protection (APPI) was enacted in 2003 and fully implemented in 2005. Since then, it has undergone several major amendments to reflect the rapid advancement of digital technologies and maintain consistency with the evolving international standards. The 2022 and 2023 amendments significantly strengthened the framework by consolidating regulatory requirements across administrative agencies, local governments, and private sector companies.

A notable characteristic of APPI is its dual focus on protecting rights and interests of individuals while promoting the effective and beneficial use of personal information. Rather than imposing strict regulations alone, APPI is characterized by its balanced approach that takes into account both the need for privacy protection and the broader societal and economic value of data.


Definition of “Personal Information” under APPI

Under APPI, “personal information” refers to information that meets any of the following criteria:

1. Information that can identify a living individual

This refers to information about an individual that can identify a specific person through their name, date of birth, or other descriptive attributes. This includes information that can identify a specific individual on its own, as well as information that can identify a specific individual when easily cross-referenced with other information.

Caution is required when obtaining a customer’s email address. Email addresses are freely chosen by the individual and are therefore often assumed not to be personal information, but many of them incorporate a name or date of birth. Such addresses may qualify as personal information and must then be handled in accordance with APPI.


2. Information Containing Personal Identification Codes

Information such as fingerprint data, iris data, DNA sequences, driver’s license numbers, passport numbers, and My Number (individual identification number) also constitutes personal information because such identifiers inherently allow the individual to be distinguished.


3. Sensitive Personal Information

APPI designates a specific category called “special care-required personal information”, which generally corresponds to what other jurisdictions call sensitive personal data. It covers information relating to race, beliefs, criminal history, medical history, disability status, and other characteristics whose disclosure could cause unfair discrimination or disadvantage. In principle, obtaining this information requires the individual’s consent.

Many businesses operate health tech services that handle health or behavioral data, or platforms that require identity verification. When providing such services in Japan, it is therefore crucial to classify the data accurately from the outset.


What is “Information Related to Personal Information”?

Under APPI, not all data about an individual is classified as Personal Information. However, APPI also regulates a separate category called “Information Related to Personal Information.” This refers to information about a living individual that does not, by itself, identify the person and does not fall under Personal Information, Pseudonymized Personal Information, or Anonymized Personal Information.

Typical examples include website browsing logs, purchase history, location data, interest or preference indicators, and demographic information such as age or gender linked to an email address. Although this type of data cannot identify a specific individual on its own, it is treated as Information Related to Personal Information because it may become identifiable when combined with other data.

Where Information Related to Personal Information is provided to a third party who can reasonably be expected to identify the individual by combining it with other data it holds, the individual’s consent must have been obtained beforehand. That consent must cover the recipient receiving the Information Related to Personal Information from the Information Related to Personal Information Handling Business Operator and using it as Personal Information by which the individual can be identified.

Many businesses mistakenly assume that Information Related to Personal Information is freely usable because it is not Personal Information. However, APPI imposes obligations in situations where the information could effectively identify a person, and failure to understand this distinction is a common compliance pitfall for companies entering the Japanese market.


What is a “Business Handling Personal Information”?

Entities subject to regulation under APPI are referred to as “Businesses Handling Personal Information” (or “Business Operators Handling Personal Information”). A Business Operator Handling Personal Information is any person or organization that uses a personal information database, etc., for its business operations. A personal information database, etc., is a collection of information that is systematically organized so that specific personal information can be easily retrieved. Examples include customer lists, CRM systems, HR databases, and membership records (the personal information contained in such databases is referred to in APPI as “Personal Data”). Under this definition, nearly all types of organizations fall within the scope of APPI, including for-profit companies, NPOs, and sole proprietorships.

Furthermore, business operators located outside Japan are also subject to APPI if they handle information relating to individuals in Japan. Since mobile apps, online platforms, and SaaS solutions frequently collect personal information from users in Japan, the extraterritorial application of APPI must be considered even before entering the Japanese market.


What is the difference between “Personal Information” and “Personal Data”?

In the preceding section, the concept of “Personal Data” was introduced.

“Personal Data” is defined as personal information that constitutes a personal information database, etc. (Article 16, paragraph (3)). In other words, Personal Data can be understood as personal information that is managed and stored within a personal information database.

Under Japan’s APPI, restrictions on third-party provision apply not to personal information in general, but specifically to Personal Data.

Restrictions on third-party provision are limited to “Personal Data,” rather than extending to all “personal information,” in order to avoid unduly hindering the use of information. The scope of “personal information” is broad and includes, for example, oral communications and temporary handwritten notes. If restrictions on third-party provision applied to all such personal information, practical operations and everyday business activities would be excessively constrained.

Accordingly, by limiting regulatory restrictions to Personal Data (information that is systematically organized in a searchable form and therefore carries a higher risk of repeated use or widespread dissemination), APPI seeks to strike an appropriate balance between protecting individuals’ rights and interests and facilitating social and economic activities.


Key Obligations Imposed on Business Operators Handling Personal Information

Business Operators Handling Personal Information are broadly subject to the following five obligations:

1. Specifying and Notifying the Purpose of Use

Before collecting personal information, business operators must specify the purpose of use as specifically as possible and notify the individual of that purpose (Articles 17 and 21). The purpose must be described in terms that can be clearly understood from the description alone, such as “to ship products and to provide related after-sales service” or “to send promotional campaign notices and email newsletters.”


2. Prohibition of Use Beyond Specified Purposes

Personal information collected may only be used within the scope of the specified purpose notified to the individual (Article 18). If the intended use exceeds the originally specified purpose, the business operator must re-notify the individual and obtain consent before using the personal information for the new purposes.


3. Restrictions on Third-Party Provision

Providing Personal Data (personal information stored in databases) to a third party generally requires the individual’s prior consent (Article 27). However, there are certain exceptions where consent is not required, such as when required by law or when necessary to protect human life or property.

In practice, business operators frequently need to share Personal Data with contractors to carry out outsourced tasks, for example logistics providers or customer support vendors. Under APPI, provision of Personal Data to a contractor is not treated as a third-party provision when the provision is necessary to achieve the purpose of use for which the Personal Data was obtained (Article 27, Paragraph 5, Item 1). However, if a leak or other incident occurs at the contractor, the business operator may also bear responsibility for it. Establishing a robust system for supervising contractors is therefore crucial.


4. Security Management Measures of Business Operators Handling Personal Data

Where a business operator handles Personal Data, it must implement necessary and appropriate security measures to prevent leakage, loss, or damage (hereinafter “leakage, etc.”) of that Personal Data (Article 23). The measures must be proportionate to the scale and nature of the business, the circumstances in which Personal Data is handled (including the nature and volume of the data), and the risks arising from the media on which it is recorded, taking into account the extent to which the individual’s rights and interests would be infringed if the Personal Data were leaked, etc.


5. Responding to Disclosure Requests from Individuals

Individuals may request disclosure, correction, suspension of use, deletion, etc., of their retained Personal Data (Article 37). Business operators must establish systems to respond promptly to such requests.


Points to Note When Entering the Japanese Market

In response to the above regulations, businesses planning to operate in Japan must undertake the following practical measures during the initial stages:

・Developing and disclosing a privacy policy

・Establishing a personal information handling system (implementation of security management measures)

・Establishing contractual relationships with contractors

・Establishing a system to respond to requests from individuals

Summary

Japan’s Act on the Protection of Personal Information (APPI) features a unique, balanced institutional design that combines two objectives: protecting the rights and interests of individuals and promoting the utilization of data. Business Operators Handling Personal Information are subject to fundamental obligations, including specifying and notifying the purpose of use, prohibiting use beyond the specified purpose, implementing security management measures, restricting provision to third parties, and responding to requests from individuals. Properly fulfilling these obligations is central to compliance.

GVA Global Law Office can provide optimal advice tailored to your company’s specific circumstances. When considering entering the Japanese market, please consult with GVA Global Law Office.