Key Data & Cybersecurity Laws
How are data and cybersecurity laws/regulations implemented?

Last review date: 17 January 2025

☒ omnibus – all personal data

There is no sector-specific law. However, there are some guidelines for specific sectors, including those in the financial, medical and telecommunications sectors.

What are the key cybersecurity laws and regulations?

Last review date: 17 January 2025

  • The Basic Act on Cybersecurity
  • Telecommunications Business Act
  • Act on Prohibition of Unauthorized Computer Access

What are the key laws and regulations relating to non-personal data?

Last review date: 17 January 2025

There are no specific laws or regulations governing the collection, processing, transfer and other activities related to non-personal data in Japan.

Are new or material changes to those key data and cybersecurity laws anticipated in the near future?

Last review date: 17 January 2025

Yes.

The APPI was amended in 2020, and the amendments (as well as relevant ordinances and guidelines) became effective on 1 April 2022. The APPI was further amended in 2021 to consolidate three existing data privacy laws applicable to private entities and governmental bodies into one single law. The existing obligations under the APPI did not change based on the 2021 amendment.

The 2023 amendments to the APPI will slightly expand the scope of personal data subject to security measures and to the reporting obligation for personal data breaches. Specifically, the scope of security measures now includes personal information that is about to be obtained by a business operator. In addition, breach reporting requirements have been expanded to cover personal data that is about to be obtained by a business operator. In practice, this means that a business operator must implement appropriate security measures to ensure that online forms where data subjects enter their personal information are secure and not vulnerable to cyberattacks. If the online forms are compromised, the business operator must notify the authority even if, technically speaking, the stolen data has not yet actually been collected by the business operator.

In addition, the PPC has started its three-year review process as mandated by a clause in the 2020 amendments to the APPI. This clause requires the Japanese government to review the enforcement of the APPI every three years after its implementation and to make necessary reforms. The details of the expected amendments following the three-year review have yet to be published. We anticipate that a public consultation will be conducted once the details of the amendments are finalized.