The amendments to Japan’s Act on the Protection of Personal Information went into effect on May 30, 2017. The amendments provide clarity on what types of personal information will be regulated and steps operators need to take to be in compliance.

The Act, Generally

Formulated “to protect an individual’s right and interests while considering the utility of personal information,” the Act (1) sets forth the overall vision and policy regarding the proper handling and protection of personal information, (2) clarifies the responsibilities and obligations of the central and local governments in the protection of personal information, and (3) ensures that the proper application of personal information contributes to the creation of new industries, the realization of a vibrant economic society, and an enriched quality of life for the people of Japan.

Recent Amendments

The 2015 amendments  provide a clearer definition of what constitutes “personal information,” which it now defines as information relating to a living individual that contains:

(i) a name, date of birth, or other similar description that has been stated, recorded, or otherwise expressed using voice, movement or other methods in a document, drawing or electromagnetic record (including those which can be readily collated with other information and thereby identify a specific individual); or

(ii) an individual identification code.

Article 2(1).  The amendments introduce and define “special care-required personal information” as “personal information comprising a principal’s race, creed, social status, medical history, criminal record, fact of having suffered damage by a crime, or other descriptions etc. prescribed by cabinet order as those of which the handling requires special care so as not to cause unfair discrimination, prejudice or other disadvantages to the principal.” Article 2(3).

The amendments also lay out the obligations of a “personal information handling business operator,” which they define as “a person providing a personal information database for use in business” that is not a central government organization, a local government, an incorporated administrative agency, or a local incorporated administrative agency. Article 2(5)  A personal information handling business operator must explicitly specify the purpose of utilizing the personal information and it cannot handle personal information beyond this purpose without obtaining advance consent from the data principal. Article 15, 16.

The amendments establish the Personal Information Protection Commission (PIPC), which now serves as the central supervising and enforcement authority for the Act.  Prior to the creation of the PIPC, this oversight was performed by government ministers for each industry sector.

The amendments also introduce new measures relating to cross-border transfers of personal information.  In most instances, a personal information handling business operator should not provide personal data to a third party in a foreign country without obtaining the data principal’s consent in advance.  Article 24.  The operator must also maintain a record of information relating to third-party transfers, including the name of the third party, date of transfer, a description of the information, and other matters prescribed by the PIPC.  Article 25.


The amendments provide greater clarity about what types of personal information are subject to regulatory oversight, how and by whom that oversight will be performed, how companies should handle cross-border transfers, and what steps data operators should take to comply.

As with other privacy protection regulations, there is a wide range of penalties for non-compliance with the Act, which include monetary fines, imprisonment, and imprisonment with labor.  Companies that handle personal information in Japan may need to adjust their internal privacy and data protection policies and contractual agreements with foreign entities, including technology or outsourcing vendors, affiliate companies and foreign governments.  The amendments do not provide a grace period for compliance, so these companies should move to ensure compliance with haste.