Japan

The PPC is an independent authority with oversight, guidance, and enforcement powers. Active in issuing guidelines and promoting international cooperation.

Consent required for use beyond specified purposes and for third-party provision. Opt-out mechanism available for some third-party sharing with prior notification to PPC.

Rights to disclosure, correction, cessation of use, cessation of third-party provision. 2020 amendments expanded to include digital data and pseudonymised information.

Consent or equivalent protection in recipient country. Mutual adequacy with EU. PPC guidelines specify acceptable transfer mechanisms.

Mandatory reporting to PPC and notification to individuals for breaches likely to harm rights. Introduced in 2020 amendments.

No mandatory DPO. However, business operators handling personal information of 5,000+ individuals have enhanced obligations.

No specific age-based provisions in APPI. "Special care-required personal information" includes some categories relevant to children. Industry guidelines apply.

Individual: up to 1 year imprisonment or JPY 500K fine. Corporate: up to JPY 100 million. PPC can issue orders and recommendations.

Sector-specific guidelines for finance, healthcare, telecom, and employment. My Number Act governs Japan's national ID system data.

2020 amendments introduced "individually referable information" covering cookies when combined with other data. Cookie consent requirements strengthened.

No specific AI legislation. Social Principles of Human-Centric AI (2019) provide voluntary framework. PPC guidance on AI and personal data.

No general data localisation requirement. Cross-border transfer rules apply but do not mandate local storage.

No direct equivalent. All business operators handling personal information are subject to APPI obligations.

APPI Chapter V governs government agency processing. Separate Act on Protection of Personal Information Held by Administrative Organs was merged into APPI in 2022.