Regulation

What is APPI (Act on the Protection of Personal Information)?

The APPI is Japan's primary data protection law that regulates the handling of personal information by business operators, with 2022 amendments strengthening individual rights and cross-border transfer rules.

The Act on the Protection of Personal Information (APPI) is Japan's principal data protection law, originally enacted in 2003 and significantly amended in 2017 and again in 2022. The APPI applies to business operators handling personal information and establishes rules for the collection, use, storage, and transfer of personal data. The 2022 amendments expanded individual rights, tightened rules on cross-border data transfers, and introduced mandatory breach notification requirements.

The APPI distinguishes between personal information, personal data (personal information constituting a database), and retained personal data (personal data that a business operator has the authority to disclose, correct, or delete). It requires business operators to specify the purpose of use, to not use personal information beyond what is necessary for that purpose, and to take security control measures. Sensitive personal information, known as "special care-required personal information," receives heightened protection and generally requires consent for acquisition.

The Personal Information Protection Commission (PPC) serves as the independent supervisory authority. Penalties for violations include criminal sanctions for certain offenses and administrative orders. The 2022 amendments raised maximum penalties significantly and introduced a requirement for foreign business operators to appoint a domestic representative. IQWorks helps organizations comply with APPI through DiscoverIQ for data inventory and ClassifyIQ for identifying special care-required personal information.
