Law: The Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2020) ('APPI')
Regulator: The Personal Information Protection Commission ('PPC')
Summary: General data protection in Japan is governed by the APPI, while the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure ('My Number Act') regulates the use of certain individual social security codes (known as 'My Numbers'). Importantly, amendments to the APPI entered into effect on 1 April 2022, and introduces new obligations associated with data subject rights, breach notification, data transfers, and the processing of pseudonymised data, among other things. In addition, guidelines issued by the PPC, as well as other ministries, set out and clarify data protection requirements.
Furthermore, Japan is a participant of the Asia-Pacific Economic Cooperation Cross Border Privacy Rules system ('APEC CBPR') and has been recognised by the European Commission as providing an adequate level of personal data protection.