Support Centre



Law: The Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2020) ('APPI')

Regulator: The Personal Information Protection Commission ('PPC')

Summary: General data protection in Japan is governed by the APPI, while the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure ('My Number Act') regulates the use of certain individual social security codes (known as 'My Numbers'). Importantly, amendments to the APPI entered into effect on 1 April 2022, and introduces new obligations associated with data subject rights, breach notification, data transfers, and the processing of pseudonymised data, among other things. In addition, guidelines issued by the PPC, as well as other ministries, set out and clarify data protection requirements.

Furthermore, Japan is a participant of the Asia-Pacific Economic Cooperation Cross Border Privacy Rules system ('APEC CBPR') and has been recognised by the European Commission as providing an adequate level of personal data protection.


A new concept called 'personally referable information' was introduced into Japanese privacy law by the Act on Protection of Personal Information (Act No. 57 of 2003 as amended in 2015) ('APPI') and came into effect from April 2022. But what is it? Kensaku Takase and Yuki Kondo, from Baker McKenzie, provide clarity on what 'personally referable information' is and what it means for companies.

In this report, OneTrust DataGuidance provides a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2020) (APPI).

The report examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the APPI and the Regulations with the  GDPR.

You can access the latest version of the report here.

The recent Amendments to the Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2015) ('APPI'), which were introduced in 2020 ('the 2020 Amendments'), came into force on 1 April 2022. The 2020 Amendments introduce a new concept of 'pseudonymization' to Japanese privacy law and rules on how such information should be handled. Kensaku Takase and Hayato Higa, from Baker McKenzie's Tokyo IP Tech practice group, outline how pseudonymized information can be utilized under the APPI and the rules businesses need to be aware of in order to remain compliant with the amendments.

The processing of children's personal data, from collection to destruction, generally carries with it special considerations. Indeed, the level of protection afforded to children is often higher, due to in part their capacity to understand the consequences of providing their information and the potential risks associated with their use or misuse. In part one of this series, OneTrust DataGuidance considers the rules in the APAC region which govern children's personal data, featuring perspectives from Australia, China, India, and Japan.

For insight into handling children's personal data in New Zealand, the Philippines, and Singapore, please see part two here.

Forthcoming changes to the Act on the Protection of Personal Information ('APPI') have necessitated changes to the accompanying guidance issued by Japan's Personal Information Protection Commission ('PPC'). Hiroyuki Masuda, Lawyer at One Asia Lawyers, discusses some of the most important changes made in this regard.

Diversity and inclusion programmes are becoming increasingly popular across the globe due to a growth in awareness and a demand for organisations to support values, such as equity and inclusion. While actively engaging in diversity and inclusion initiatives may help organisations to better understand, manage, and develop the business, it is not always clear what data can, and cannot, be included in diversity monitoring surveys or what the rules are for such data collection.

The legal requirements surrounding information relating to an individual's race, gender, ethnicity, sexuality, and health differ from country to country, with some classifying such data as 'sensitive data', while others view it under the umbrella of 'personal information'.

OneTrust DataGuidance Research has consulted with a number of legal experts operating within the Asia Pacific region in order to uncover the requirements for the collection and use of employee data for diversity and inclusion surveys. The countries covered in this Insight article include Australia, China, Singapore, Japan, Hong Kong, and India.