Japan’s data protection law, the Act on the Protection of Personal Information (APPI), might be nearly 20 years old now, but its most recent amendments came into effect in April this year. Lawyers discuss how their clients are keeping up with the latest spate of changes.

The latest round of amendments to Japan’s APPI, which was drafted in 2020 following a public consultation, has been generally well received. The amendments bring the APPI into even closer alignment with the European Union’s General Data Protection Regulation (GDPR) by expanding the scope of Japanese data subjects’ rights, making data breach notifications mandatory, and limiting the range of personal information that can be provided to third parties. A data subject is any natural person who can be identified, directly or indirectly, via an identifier such as a name, ID number or location data.

More than four months since the amended APPI took effect, companies appear to be meeting the purely domestic requirements, says Yuko Kawai, partner of Nishimura & Asahi. “Most of our clients have timely and appropriately updated their privacy policies and internal rules, as well as security control measures aiming to comply with the amended APPI. However, there are some challenges.”

The challenges stem from the fact that the amended APPI is considerably complicated when it comes to international data transfer, and companies are still scrambling to meet those requirements, according to Ryuichi Nozaki, senior partner of Atsumi & Sakai. “Typically, such clients include those who conduct online business globally, like airlines, tourism booking companies, online retailers and platform service providers,” he adds.

Different protection measures are needed, based on location and scenario, says Nozaki. “For example, you must explain regulatory differences between the destination countries and Japan and ask each data subject whether they would allow the transfer of their personal data there or not. Or, in a scenario like outsourcing data processing and/or storage, you must take appropriate security measures before transferring the data,” he explains.

Kawai points out another problem, namely keeping abreast of the changing rules in each jurisdiction where APPI is not equivalent to local regulations. “It is not a simple process to fill the gap.”


Probably the two jurisdictions that Japanese clients need to keep in mind when it comes to data transfer issues are the U.S. and China. “In the U.S., some states have made their own data protection laws and regulations. Aside from these moves, a federal data protection bill is under discussion. With assistance from local attorneys, we advise on cases involving each of these state regulations as well as sector-specific regulations (e.g., the financial and medical institutions, facial recognition technology users etc.),” Kawai says.

Nozaki agrees that the U.S. isn’t easy. “There is additional complication because data privacy laws and regulations vary from state to state,” he notes. “The Japanese government has been trying to help by publishing guidelines for each state, but it has taken a long time and is far behind. The government has not yet prepared guidelines even for Texas despite its importance in information technologies.”

In the case of China, the Personal Information Protection Law is in place, and Measures on Security Assessment of Cross-Border Data Transfer will take effect on Sept. 1. In the meantime, other regulations are undergoing public consultation.

However, compliance with China is not as difficult as one might think. “It’s true that we should continue to keep abreast of China’s evolving regulations, but so far the Japanese government has closely studied those regulations and published useful guidelines for compliance,” says Nozaki.


Data protection and compliance will be an important issue for companies to tackle for years to come, say both Kawai and Nozaki. It is not only because of the mandatory review and updates of APPI that the law requires every three years, but also because of rising concerns over, and changing regulations on, data protection across the world, they add.

Another important factor likely to sustain demand is businesses’ rising need for a more holistic approach to data.

“Handling personal data appropriately is not just compliance with hard laws. You should clearly explain to your customers and other data subjects how you handle their personal data. Such efforts would lead to enhancing company reputation and vice versa,” notes Kawai.

Also important is the global trend of keeping up with the GDPR, says Nozaki. “Globally speaking, international companies tend to tackle the GDPR first as it is the strictest regime, then add necessary measures to comply with laws and regulations in the other countries and areas they operate. This has made steps for compliance easier for them. However, the approach of Japanese companies is reversed as they are often too busy with APPI compliance to study GDPR. Given the fact that global laws and regulations continue evolving based on the stricter GDPR, Japanese companies are likely to keep facing bigger challenges than their global rivals to keep up with trends in data security, etc. Our firm helps not only with the APPI but also GDPR,” he adds.




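Four months after April 1, the date the APPI took effect, companies have been able to deal adequately with data handling that is completed within Japan, says Yuko Kawai, a partner at Nishimura & Asahi. “Most of our clients have updated their privacy policies, internal rules and security control systems in a timely and appropriate manner and are working to comply with the amended APPI. However, there are also challenges.”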



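Another challenge is that, when transferring personal data across borders, companies need to continuously study each country’s data protection regime and take appropriate measures to prevent data leaks and security breaches. Where the regulations of the destination differ from those of the APPI, “it is not easy to fill this gap,” Kawai says.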











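“Globally, international companies tend to tackle the GDPR, the strictest regime, first, and then take additional measures to comply with the laws and regulations of each country and region in which they operate. This makes compliance easier. By comparison, the approach of Japanese companies is the reverse. Japanese companies are in many cases busy with APPI compliance and have no room to study the GDPR. In light of the fact that laws and regulations around the world continue to evolve based on the stricter GDPR, Japanese companies are likely to keep facing bigger challenges than their overseas competitors. We would like to advise not only on the APPI but also on compliance with the GDPR,” says Nozaki.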

