
APPI (Act on Protection of Personal Information)

Japan's highest-level personal information protection law, substantially revised in 2022 following GDPR implementation.

Created: March 1, 2025 Updated: April 2, 2026

What is APPI (Act on Protection of Personal Information)?

APPI is Japan’s highest-level personal information protection law. Enacted in 2005 and substantially revised in 2022, it reflects the global impact of GDPR. All Japanese companies and foreign companies handling Japanese user data must comply.

In a nutshell: Japan’s GDPR equivalent. Personal information is a fundamental right; companies can’t arbitrarily collect or use it.

Key points:

  • What it does: Defines rules for personal information processing within Japan
  • Why it matters: Protects privacy as a fundamental right in the digital era
  • Who must comply: All Japanese companies and foreign companies processing Japanese personal information (no employee size exemptions)

Why it matters

For nearly two decades, APPI was perceived as “relatively lenient regulation.” While GDPR imposed “4% of revenue in fines,” Japan’s APPI had lower penalties, raising enforcement questions.

However, 2022 amendments changed everything. Penalties increased substantially, whistleblower systems were introduced, and privacy policy disclosure obligations became stricter. Additionally, “personal-related information”—data not directly identifying individuals but linkable to them—gained protection status. This closer international alignment suggests Japan will further tighten regulations toward GDPR standards.

Scope

APPI applies to organizations meeting these conditions:

All companies, sole proprietors, and organizations with Japanese operations. The 2022 amendment eliminated employee-count exemptions, meaning even sole proprietors handling personal information must comply.

Additionally, foreign companies processing Japanese residents’ personal information must comply. For example, a Singapore company collecting Japanese user emails must follow APPI.

A critical addition is “personal-related information”: data that does not directly identify an individual (user IDs, device IDs) but that can be combined with other information to identify them now gains protection status.

Key requirements

Post-2022 amendments, main requirements are:

Consent is foundational. Personal information collection requires explicit consent. Unlike GDPR’s individual consent requirement, APPI sometimes permits “comprehensive consent.”

Transparency and accountability. Organizations must explain personal information use in understandable language. Privacy policies must be written for general audiences.

Security safeguards. Proper security (encryption, access restrictions) protects against unauthorized access.

Data deletion. When users request “delete my information,” companies must comply—with legal retention exceptions.

Transparency policies. Organizations must publicly disclose personal information handling.

Violations

Violations carry these penalties:

Criminal penalties: Unauthorized use or leaks carry sentences up to 1 year imprisonment or ¥1,000,000 fines (severe cases: 2 years/¥2,000,000).

Administrative guidance: The Personal Information Protection Commission may issue guidance; non-compliance triggers further fines.

Reputation damage: News of a data breach destroys customer trust and business opportunities.

Frequently asked questions

Q: Must 5-employee companies comply with APPI?

A: Yes. The 2022 amendment eliminated employee-count exemptions. Even sole proprietors handling customer or employee information must comply.

Q: How does APPI differ from GDPR?

A: Scope differs: APPI covers Japan, GDPR covers EU. APPI permits “comprehensive consent” in some cases; GDPR always requires “explicit consent.” GDPR penalties are stricter. However, when both apply (Japanese company handling EU user data), GDPR’s stricter requirements control.

Q: Is purchased email list marketing APPI-compliant?

A: It depends on how the list was collected. If the original data was collected with explicit opt-in consent and the data subjects did not decline third-party transfer, receiving the list is permitted. The safest approach is to obtain fresh consent before the purchase.
