Japan's APPI Explained: A Compliance Guide for Foreign Companies (2026)

Part of our guide to Japan’s cybersecurity laws. For the full regulatory map — the authorities, the guidelines, and how everything connects — start with Japan’s Cybersecurity Laws & Guidelines: What Foreign Companies Must Know.

The Act on the Protection of Personal Information (APPI / 個人情報保護法) is the law foreign companies collide with first when they touch the Japanese market. If your team already runs a GDPR program, the fastest way to get oriented is this: APPI is, roughly, Japan’s GDPR — a comprehensive personal-data law, a single supervisory authority, and real cross-border restrictions — but several of the details that matter operationally are different. Copying your GDPR controls over wholesale will leave specific, identifiable gaps.

I work in information security inside a Japanese enterprise and hold CISSP and CCSP; I am also a Registered Information Security Specialist (情報処理安全確保支援士) in Japan. This is the APPI walkthrough I give foreign colleagues before they assume “we’re GDPR-compliant, so we’re fine.”

What is the APPI?

The APPI is Japan’s principal data-protection statute, enforced by the Personal Information Protection Commission (PPC / 個人情報保護委員会) — an independent authority broadly analogous to an EU data protection authority. It governs how “personal information handling business operators” collect, use, store, and transfer personal data.

The PPC is active: in FY2024 (April 2024–March 2025) it required reports or materials from operators in 67 cases and issued guidance or advice in 395 cases (ICLG, Data Protection 2025–2026 — Japan). This is not a dormant law on the books.

Does APPI apply to your company?

This is the question I am asked most, and for many foreign companies the answer is yes — even with no office, entity, or server in Japan.

APPI applies extraterritorially. A foreign business that handles the personal information of individuals located in Japan in connection with supplying goods or services to those individuals is in scope. The PPC can require reports from, and issue orders to, overseas operators (ICLG).

So a US SaaS vendor with Japanese users, or an EU retailer shipping to Japan, cannot treat APPI as someone else’s problem. The practical test is not “do we have a Japanese entity?” but “do we handle data about people in Japan as part of selling to them?”

APPI vs GDPR: the differences that actually bite

Most of your GDPR muscle memory transfers. These are the gaps that don’t:

Supervisory authority
  • APPI (Japan): PPC
  • GDPR (EU): national DPAs

Lawful basis
  • APPI (Japan): no GDPR-style “six bases”; consent-centric, with defined exceptions
  • GDPR (EU): six lawful bases, including legitimate interest

Sensitive data
  • APPI (Japan): “special care-required personal information” (要配慮個人情報), covering race, creed, medical or criminal history, etc.; prior consent required (TermsFeed)
  • GDPR (EU): “special categories” under Art. 9

DPO
  • APPI (Japan): no mandatory DPO; must designate a person responsible for data management (TermsFeed)
  • GDPR (EU): mandatory DPO for certain processing

Maximum corporate penalty
  • APPI (Japan): up to ¥100 million (Endpoint Protector)
  • GDPR (EU): up to €20M or 4% of global turnover

Enforcement style
  • APPI (Japan): penalties typically follow non-compliance with a PPC order, not the breach itself
  • GDPR (EU): direct administrative fines

The headline I want foreign executives to internalize: APPI’s maximum corporate penalty (¥100 million) is far smaller than GDPR’s revenue-based exposure — but the reputational and operational cost of a PPC order, plus the breach-notification mechanics below, make “we’ll just risk it” a poor strategy.

The concept of “special care-required” information is the gap I see missed most. Categories that you might process under GDPR’s legitimate-interest basis can require prior, explicit consent under APPI.

Cross-border transfer under APPI

If you move personal data out of Japan — to a parent company, a cloud region, or an offshore support team — APPI restricts it. Broadly, you need one of:

  1. the individual’s consent to the cross-border transfer;
  2. a recipient in a country deemed to have an adequate protection level, or one that has built a compliant system meeting Japanese standards; or
  3. a recognized framework such as Global CBPR.

Each route has trade-offs against the SCCs and adequacy decisions you already use for GDPR. The CBPR route in particular is one Japan actively backs.

→ Read the full guide: Global CBPR Certification — Process, Cost & Cross-Border Transfer

Breach notification: the deadlines that surprise people

Since the amended APPI, breach notification is mandatory, and the timing is tighter than many GDPR-trained teams expect. Reporting to the PPC is generally triggered when a breach (or suspected breach) involves special care-required information, a risk of property damage, improper use such as a cyberattack, or more than 1,000 affected individuals (IAPP).

When triggered, there are two clocks:

  1. a preliminary report to the PPC promptly after you become aware of the breach (in practice about 3 to 5 days); and
  2. a final report within 30 days, extended to 60 days where the breach was likely caused by an improper purpose such as a cyberattack.

From inside an incident, the preliminary clock is the dangerous one. You will not have root cause in three days — the law does not require it. It requires you to report promptly anyway. The failure mode I have watched teams fall into is treating the preliminary report as something to perfect rather than something to file. Build the reporting path, the decision tree, and the owner before you need them. This is a design problem, not a heroics problem.

Penalties & enforcement

Following the 2020 amendment, individuals violating the APPI may face fines up to ¥1 million and imprisonment up to one year, while non-compliant businesses may face fines up to ¥100 million (Endpoint Protector). Crucially, penalties typically attach when an operator fails to comply with a PPC order to correct its practices, rather than to the underlying breach in isolation.

That enforcement structure rewards engagement: an operator that responds to PPC guidance and remediates is in a very different position from one that ignores an order.

A starting APPI compliance checklist

Not legal advice — a practitioner’s first pass:

The bottom line

APPI is not harder than GDPR — it is differently shaped. Your existing program is most of the way there; the work is finding the Japan-specific gaps (special care-required data, the breach clocks, the transfer basis) and closing those, rather than assuming either “GDPR covers us” or “we have to start over.” Neither is true.

For where APPI sits among Japan’s other authorities and laws, return to the pillar guide.

FAQ

Is APPI basically the same as GDPR?

Conceptually similar — comprehensive scope, one authority, and cross-border limits — but different on lawful basis (consent-centric), no mandatory DPO, a much lower maximum corporate penalty (up to 100 million yen), and an enforcement model where penalties typically follow non-compliance with a PPC order.

Does APPI require a Data Protection Officer?

No. APPI does not mandate a GDPR-style DPO, but you must designate a person responsible for the proper handling of personal data.

What is special care-required personal information under APPI?

It is APPI's sensitive-data category (要配慮個人情報), covering race, creed, social status, medical history, and criminal record, and it generally requires prior consent to handle.

What are the APPI breach-notification deadlines?

When triggered, a preliminary report to the PPC promptly (in practice about 3 to 5 days) and a final report within 30 days, extended to 60 days for breaches likely caused by an improper purpose such as a cyberattack.

What is the maximum fine under APPI?

Currently up to 100 million yen for businesses, with penalties typically applied after non-compliance with a PPC order.

About the authors

Sekiko Jo

CISSP, CCSP

CISSP and CCSP-certified security specialist focused on cloud threat modeling and security governance. A Registered Information Security Specialist (情報処理安全確保支援士) in Japan, she writes from hands-on incident-response experience inside a Japanese enterprise.

Hiroto Yuki

CISSP, CCSP

CISSP and CCSP-certified. Writes from red-team and SOC operational experience about defenses that actually hold up.