Security + privacy regulations in Japan
APPI (Act on the Protection of Personal Information, 2003; amended 2015, 2020, and 2022) is Japan's primary privacy law. It has been progressively tightened, most notably by the 2020 amendments, which added breach-notification obligations, introduced the concept of pseudonymized data, and strengthened data-subject rights. The 2022 amendments focused on cross-border transfer rules and sensitive categories.

PPC (Personal Information Protection Commission) is the unified national regulator. This is notable because, under the earlier APPI, enforcement was split among the ministries responsible for each sector. PPC has been steadily more active; enforcement is typically collaborative first rather than punitive, with fines reserved for serious non-compliance.

Japan-EU mutual adequacy (2019, renewed 2023) is one of the most important cross-border arrangements for any global SaaS. Data flows between Japan and the EU without Standard Contractual Clauses in either direction. This makes data flows for Japan-headquartered or Japan-hosted SaaS less friction-heavy than US-EU data flows.

My Number Act has specific, strict rules for Japan's individual ID number (similar in sensitivity to US Social Security Numbers). If you process My Number data, treat it as a separate compliance vertical with its own consent, retention, and deletion rules.
Key laws + frameworks
- APPI: Act on the Protection of Personal Information. Japan's general privacy law.
- My Number Act: Specific rules for Japan's individual ID number. Treat as a sensitive category.
- Telecommunications Business Act: Applies to communications-adjacent services, including some SaaS.
- Antimonopoly Act data-related guidance: Japan Fair Trade Commission guidance on data as a competition concern.

- Regulator: Personal Information Protection Commission (PPC).
- Breach notification: To the PPC and affected individuals under specified conditions (scale, sensitive data categories, risk of harm). Timelines are 'promptly', without a fixed hour count.
- Cross-border transfers: EU adequacy (both directions) removes most EU-Japan friction. Japan participates in APEC CBPR. Otherwise, specific consent or a contractual agreement is required.
Priority stack for Japan-facing SaaS:
(1) APPI-compliant Privacy Policy in Japanese (required; English is not sufficient for Japanese data subjects).
(2) Consent mechanisms meeting APPI specificity.
(3) Japan-EU adequacy makes data flows to/from the EU straightforward if you're already GDPR-compliant.
(4) My Number-specific compliance, only if you actually handle My Number data.