Japan — Breach Notification

Japan's Act on the Protection of Personal Information (APPI, Act No. 57 of 2003, as amended by Act No. 37 of 2021) imposes mandatory breach notification obligations on personal information handling business operators (個人情報取扱事業者) when a breach meets specified statutory thresholds. Article 26 of the APPI, which became effective April 1, 2022, requires dual reporting: to the Personal Information Protection Commission (PPC, the national supervisory authority) and to affected data subjects.

## Who is obligated

Any business handling personal information in Japan falls within scope. The APPI defines a personal information handling business operator as an entity that uses a personal information database in its business. There is no small-enterprise exemption; even businesses processing personal data of a small number of individuals must comply if a breach meets the Article 26(1) notification triggers. Foreign operators offering goods or services to individuals in Japan are subject to extraterritorial application under Article 171 of the APPI.

## Triggering events — Article 26(1)

Article 26(1) requires notification to the PPC when a leak, loss, or damage of personal data occurs (or is suspected) and the breach falls within one of four statutory categories prescribed by Order of the Personal Information Protection Commission:

1. Sensitive personal information (要配慮個人情報) — Breach involving special care-required personal information as defined in Article 2(3) of the APPI, including data concerning race, creed, social status, medical history, criminal record, or the fact of being a victim of a crime.

1. Property damage risk — Breach of personal data that, if misused, may cause property damage to data subjects (e.g., leaked credit card numbers or financial account credentials).

1. Improper use or cyberattack — Breach resulting from, or suspected to result from, an intentional wrongful act, including unauthorized access, ransomware attacks, and other malicious conduct.

1. Volume threshold — Breach (actual or suspected) involving the personal data of 1,000 or more individuals.

A breach that meets any one of these triggers activates both the PPC reporting duty under Article 26(1) and, subject to limited exceptions, the data-subject notification duty under Article 26(2).

## PPC reporting deadlines and stages

Article 26(1) and the PPC enforcement rules establish a two-stage reporting process:

• Preliminary report: Business operators must submit a preliminary report to the PPC promptly after becoming aware of the breach or potential breach. PPC Guidelines clarify that "promptly" generally means within three to five business days of recognition.

• Final report: A detailed final report is due 30 days from the date the business operator became aware of the breach. If the breach was, or is likely to have been, committed for an improper purpose (e.g., a cyberattack under trigger category 3 above), the final report deadline extends to 60 days.

The PPC Enforcement Rules (Rules of the Personal Information Protection Commission No. 3 of 2016, as amended) prescribe nine mandatory items for the final report. If certain items cannot yet be ascertained despite reasonable efforts by the deadline, the business operator may submit an interim final report disclosing known items and supplement the report as additional facts are confirmed.

## Notification to data subjects — Article 26(2)

Article 26(2) requires business operators to notify affected data subjects promptly when a breach meeting the Article 26(1) triggers occurs. The APPI does not prescribe a numeric deadline (e.g., "within 72 hours"), but PPC guidance emphasizes that notification should occur without undue delay and as soon as the operator has sufficient information to inform individuals of the nature and scope of the breach and any protective measures they should take.

Notification to data subjects may be excused when the breach presents negligible risk to individuals' rights and interests. The PPC is considering regulatory amendments to formalize carve-outs for low-risk incidents, such as breaches involving only internal management IDs that cannot be correlated with identifying information by an unauthorized recipient.

## Processor obligations

When a processor (outsourcee handling personal data on behalf of a controller/outsourcer) experiences a breach meeting the Article 26(1) triggers, the processor must notify the controller of the breach. If the processor notifies the controller in the manner prescribed by PPC Order, the processor's direct obligation to report to the PPC and to data subjects is deemed satisfied; the controller bears primary responsibility for onward reporting. This avoids duplicative filings but does not relieve the processor of the duty to inform the controller immediately.

## Supervisory authority

The Personal Information Protection Commission (個人情報保護委員会) is the independent administrative commission with jurisdiction over APPI enforcement. The PPC accepts breach reports through its online portal and issues guidance, recommendations, and orders under Articles 146–147 and 150 of the APPI. Non-compliance with Article 26 reporting obligations can trigger administrative orders, public naming, and referral for criminal penalties.

Source: Act on the Protection of Personal Information (consolidated as of April 1, 2023), Articles 2, 26, 146–147, 150, 171; Personal Information Protection Commission enforcement materials

Japan's Act on the Protection of Personal Information (APPI) and the Personal Information Protection Commission (PPC) enforcement rules prescribe specific disclosure items for both the final breach report to the PPC and the notification to affected data subjects. These content requirements ensure that business operators provide sufficient detail for the PPC to assess the incident and that data subjects can take protective measures.

## PPC final report — nine mandatory items

The PPC Enforcement Rules (Rules of the Personal Information Protection Commission No. 3 of 2016, as amended) require the final breach report submitted to the PPC under Article 26(1) of the APPI to contain nine items. If a business operator cannot ascertain one or more items despite reasonable efforts by the final-report deadline (30 or 60 days, depending on the nature of the breach), the operator may submit an interim final report disclosing the known items and supplement the report as additional facts become available.

The nine mandatory items prescribed by the PPC Enforcement Rules address the following categories:

1. Overview of the breach — a factual description of the leak, loss, or damage that occurred (or is suspected to have occurred), including the date and time of discovery and, if known, the date and time the breach occurred.

1. Categories and volume of personal data involved — the types of personal data affected (e.g., names, contact information, financial account numbers, sensitive personal information under Article 2(3) of the APPI) and the number of affected data subjects. When the precise count is unknown at the time of the final report, a reasonable estimate with supporting explanation is acceptable.

1. Cause of the breach — the identified or suspected cause, such as unauthorized external access (cyberattack, ransomware), employee error, accidental disclosure, physical theft, or system failure.

1. Status of secondary damage — whether unauthorized use or further dissemination of the breached personal data has been confirmed, suspected, or ruled out. For example, whether stolen credentials have been used for fraudulent transactions or whether the data has appeared on public file-sharing sites.

1. Response measures taken — the steps the business operator has taken immediately following discovery to contain the breach, prevent further loss, and mitigate harm to data subjects. This includes technical remediation (e.g., closing the vulnerability, revoking compromised credentials) and organizational measures (e.g., establishing an internal incident response team, engaging forensic experts).

1. Measures to prevent recurrence — the controls and process changes the business operator has implemented or will implement to prevent similar breaches in the future, such as enhanced access controls, staff training, system monitoring, or third-party security audits.

1. Scope of notification to data subjects — the number of data subjects notified, the method of notification (direct contact, public announcement, or a combination), and any difficulties encountered in notifying individuals directly.

1. Consultation and cooperation with external parties — whether the business operator has reported the incident to other authorities (e.g., sectoral regulators, law enforcement), engaged external counsel or forensic investigators, or coordinated with affected third parties.

1. Other relevant matters — any additional information material to the PPC's assessment of the breach and the business operator's response.

The PPC has not published an official English-language consolidated list enumerating all nine items by number in a single statute or rule document. The items above are reconstructed from PPC guidance, APPI commentary, and secondary legal sources citing the Enforcement Rules. Business operators should consult the Japanese-language Enforcement Rules or seek advice from counsel familiar with PPC practice when preparing final reports.

## Data-subject notification — five required items

Article 26(2) of the APPI requires business operators to notify affected data subjects promptly when a breach meeting the Article 26(1) triggers occurs. The PPC Enforcement Rules and APPI commentary indicate that data-subject notification must include a subset of the items disclosed in the PPC final report—specifically, the items that enable individuals to understand the nature and scope of the breach and take protective measures.

According to authoritative APPI commentary, data subjects must be notified of the following five items, corresponding to items (i), (ii), (iv), (v), and (ix) of the nine-item PPC final report:

• Overview of the breach (item i) — what happened, when the breach was discovered, and what type of incident occurred.

• Categories and volume of personal data involved (item ii) — which data elements were compromised and how many individuals are affected (or an estimate if the precise count is unknown).

• Status of secondary damage (item iv) — whether unauthorized use or further dissemination has been confirmed or suspected, and whether individuals face immediate risks such as identity theft or financial fraud.

• Response measures taken (item v) — the steps the business operator has taken to contain the breach and protect the personal data, including technical fixes and organizational changes.

• Other relevant matters (item ix) — contact information for the business operator's breach response team or customer service line, resources available to assist affected individuals (such as credit monitoring if financial data was breached), and any recommended protective actions (e.g., changing passwords, monitoring account statements).

When direct notification to individual data subjects is impractical—for example, because contact information for a large number of affected individuals is unavailable or the breach itself involved destruction of contact records—the business operator may satisfy the Article 26(2) notification duty by making a public announcement in a manner reasonably calculated to inform affected individuals. The PPC Guidelines recommend posting a detailed notice on the business operator's website and, when appropriate, publishing a notice in a major national or regional newspaper. The public notice should include the same five items listed above and establish a dedicated inquiry contact point (phone line, email address, or web form) for affected individuals to obtain further information.

## Preliminary report content

The preliminary report submitted to the PPC promptly (generally within three to five business days) after recognition of the breach need only provide a concise summary of the known facts at that time: that a breach has occurred or is suspected, the general category of personal data involved, and the approximate number of affected individuals. The PPC understands that many details will remain under investigation at the preliminary-report stage. The purpose of the preliminary report is to alert the PPC to the incident and initiate supervisory engagement; the detailed factual and remedial analysis is reserved for the final report.

## Format and submission

The PPC accepts breach reports through its online portal. The portal provides structured forms corresponding to the preliminary and final report requirements. Business operators that cannot access the online portal (for example, due to system outages caused by the breach itself) may submit reports by email or, in exceptional cases, by postal mail to the PPC's Tokyo headquarters. The PPC has indicated that reports should be in Japanese; foreign operators without Japanese-language capacity should engage local counsel to prepare and submit the reports.

Source: Act on the Protection of Personal Information (consolidated as of April 1, 2023), Article 26; Personal Information Protection Commission enforcement materials

Japan's Act on the Protection of Personal Information (APPI) establishes both administrative and criminal penalties for violations of the Article 26 breach notification obligations. The Personal Information Protection Commission (PPC) has supervisory powers to investigate breaches, issue recommendations and orders, and refer serious violations for criminal prosecution. Unlike the European Union's GDPR, the APPI does not currently impose administrative fines or civil monetary penalties for breach notification violations—the enforcement regime relies on criminal sanctions for failure to comply with PPC orders.

## Administrative enforcement powers — Articles 146–148

The PPC's administrative enforcement authority under the APPI includes the following statutory powers:

Requests for reports (Article 146): The PPC may require business operators to submit reports on their handling of personal data and compliance with Article 26 notification obligations.

On-site inspections (Article 146): The PPC may conduct on-site inspections of business facilities, systems, and records to verify compliance with the APPI.

Guidance and advice (Article 147): The PPC may issue administrative guidance and recommendations to business operators to correct violations or improve data-protection practices.

Recommendations (Article 147): When a business operator's conduct violates the APPI or poses a risk to data subjects' rights and interests, the PPC may issue a formal written recommendation specifying the violation and the corrective measures required.

Orders (Article 147, Article 148): If a business operator fails to comply with a recommendation, or if the PPC determines that an order is necessary to protect data subjects' rights and interests, the PPC may issue a legally binding order to cease the violation, take remedial action, or implement specified data-protection measures. Failure to comply with a PPC order triggers criminal penalties under Article 178 of the APPI.

The APPI does not prescribe a mandatory sequence of enforcement steps. The PPC has discretion under Articles 146–148 to issue guidance, recommendations, or orders as it determines appropriate based on the nature and severity of the violation and the business operator's cooperation.

## Criminal penalties for non-compliance — Articles 178–180, 184

The APPI imposes criminal penalties for failure to comply with PPC orders and for obstructing PPC investigations. These criminal sanctions apply to both individuals (directors, officers, and employees) and corporate entities.

Article 178 — Failure to comply with a PPC order

Article 178 of the APPI provides that any person who fails to comply with an order issued by the PPC under Article 148 is subject to:

• Imprisonment for a term not exceeding one year, or
• A fine not exceeding ¥1,000,000 (approximately USD 6,700 at 2026 exchange rates).

Article 178 applies when a business operator has received a formal PPC order under Article 148 and failed to comply. It does not apply directly to the initial failure to report a breach under Article 26 in the absence of a PPC order. The PPC must first issue an order (which may follow guidance or a recommendation, or may be issued directly), and non-compliance with that order triggers criminal liability under Article 178.

Article 184 — Corporate criminal fines

Article 184(1) of the APPI imposes vicarious corporate liability when an individual representing a business operator (a director, officer, or employee acting in the course of the business operator's operations) commits a violation under Article 178. Under Article 184(1), the business operator itself (the corporate entity) is subject to a criminal fine not exceeding ¥100,000,000 (approximately USD 670,000). The individual violator may also be prosecuted under Article 178 concurrently; the corporate fine under Article 184 is in addition to individual criminal penalties.

Articles 179 and 180 — Obstruction of PPC investigations

Article 179 of the APPI provides that any person who:

• Fails to submit a report requested by the PPC under Article 146,
• Submits a false report to the PPC,
• Refuses a PPC on-site inspection under Article 146, or
• Interferes with or obstructs a PPC inspection

is subject to a criminal fine not exceeding ¥500,000 (approximately USD 3,300). This penalty applies regardless of whether the PPC has issued an order. For example, if a business operator submits a false breach report under Article 26(1)—by knowingly understating the number of affected individuals or concealing the fact that the breach resulted from a cyberattack—the operator and the responsible individual may be prosecuted under Article 179.

Article 180 extends vicarious corporate liability to Article 179 violations: the corporate entity is subject to a criminal fine not exceeding ¥500,000 in addition to any individual penalty.

## No administrative fines under current law

The APPI does not authorize the PPC to impose administrative fines or civil monetary penalties for violations of Article 26 or other APPI provisions. All financial sanctions under the current statute are criminal fines imposed by prosecutors and courts, not administrative penalties assessed by the PPC. This distinguishes the APPI enforcement regime from the GDPR's two-tier administrative fine structure (up to €20 million or 4% of global annual turnover under Article 83(5) GDPR for the most serious violations) and the California CCPA's statutory damages and civil penalties.

The PPC's enforcement authority is limited to the powers enumerated in Articles 146–148: requests for reports, on-site inspections, guidance and advice, recommendations, and orders. When a business operator does not comply with a PPC order, the PPC refers the matter to prosecutors for criminal investigation under Articles 178 and 184.

## Proposed administrative surcharge under 2026 amendments

On April 7, 2026, the Japanese Cabinet approved a bill to amend the APPI and submitted it to the Diet. The bill includes a provision to introduce an administrative surcharge for certain serious violations. Under proposed Article 148-3, when a business operator commits one of the specified violations listed in Article 148-3 and the violation results in infringement of data subjects' rights or interests, the PPC may order the business operator to pay an administrative surcharge equivalent to the economic benefit derived from the violation. The surcharge would apply to a limited set of violations, including unlawful provision of personal information to third parties in violation of Article 27(1) and providing personal information to third parties while recognizing that the recipient is likely to use it for illegal acts or unjust discriminatory treatment.

The proposed amendment does not list failure to report a breach under Article 26 as a violation subject to the administrative surcharge. If the bill is enacted as proposed, breach notification failures would continue to be subject to PPC orders and, in cases of non-compliance with orders, criminal penalties under Articles 178 and 184. The proposed surcharge targets serious substantive misuse of personal data, not procedural reporting violations.

The Diet is expected to deliberate the bill during 2026. If enacted, the administrative-surcharge provisions are expected to take effect in 2027, though the implementation timeline has not been finalized as of June 1, 2026.

## Criminal prosecutions and enforcement

Criminal penalties under Articles 178, 179, and 184 are enforced by Japanese prosecutors, not by the PPC. The PPC refers violations to prosecutors for investigation and potential indictment. The APPI does not establish mandatory referral thresholds; the PPC exercises discretion in deciding when to refer a matter for criminal prosecution.

Source: Act on the Protection of Personal Information, Act No. 57 of 2003 (consolidated as of April 1, 2023), Articles 146–148, 178–180, 184; Personal Information Protection Commission — Laws and Policies

Japan's Act on the Protection of Personal Information (APPI) does not impose a statutory obligation on business operators to maintain internal records or logs of personal data breaches, including breaches that do not meet the Article 26(1) reporting thresholds. This contrasts sharply with the European Union's General Data Protection Regulation (GDPR), which requires controllers under Article 33(5) GDPR to document all personal data breaches (whether notifiable to a supervisory authority or not) to enable the supervisory authority to verify compliance with the notification obligation.

## APPI Article 26 — notification but not recordkeeping

Article 26 of the APPI establishes the breach notification obligation to the Personal Information Protection Commission (PPC) and to affected data subjects when a breach meets one of the four statutory triggers: (1) sensitive personal information (要配慮個人情報) under Article 2(3); (2) personal data that may cause property damage if misused; (3) breaches resulting from intentional wrongful acts or cyberattacks; or (4) breaches involving 1,000 or more individuals.

Article 26 does not, however, mandate that business operators keep internal records of breaches that fall below these thresholds or that do not meet the notification triggers. A business operator that experiences a breach of personal data affecting fewer than 1,000 individuals, not involving sensitive information or property-damage risk, and not resulting from a cyberattack, is not required under Article 26 to report the incident to the PPC or to maintain a record of the incident for future reference.

The APPI Enforcement Rules (Rules of the Personal Information Protection Commission No. 3 of 2016, as amended) prescribe detailed recordkeeping obligations for third-party provision of personal data under Articles 29–30 of the APPI (formerly Articles 25–26 in pre-2022 numbering). Business operators must create and maintain records when providing personal data to third parties or receiving personal data from third parties, and these records must be kept for a retention period prescribed by PPC rules (generally three years from the last provision). These recordkeeping obligations under Articles 29–30, however, apply only to the ordinary course third-party provision compliance regime and do not extend to breaches as defined in Article 26(1).

## PPC investigation authority and de facto expectation

Although the APPI does not impose a statutory duty to maintain breach records, the PPC has supervisory and investigative powers under Article 146 of the APPI to require business operators to submit reports and to conduct on-site inspections of business facilities, systems, and records to verify compliance with the APPI. Under Article 146, the PPC may require a business operator to report on its handling of personal data, including past breaches, as part of an investigation or compliance review.

As a practical matter, business operators that cannot produce contemporaneous records of past breach incidents when the PPC exercises its Article 146 authority may face scrutiny regarding whether the operator has implemented appropriate safety management measures under Article 23 of the APPI. Article 23 requires business operators to take necessary and appropriate measures for the security control of personal data to prevent leak, loss, or damage. A business operator that experiences repeated breaches but has maintained no internal documentation of those incidents, the root causes, or the remedial steps taken may be unable to demonstrate to the PPC that it has implemented or improved its safety management measures in response to previous incidents.

The PPC's Guidelines for the Act on the Protection of Personal Information (個人情報の保護に関する法律についてのガイドライン, General Rules volume, published by the PPC) do not prescribe a specific breach-recordkeeping obligation, but the guidelines emphasize that business operators should conduct internal investigations when a breach or suspected breach occurs and should implement corrective measures based on the findings. Maintaining records of such investigations is implicit in the PPC's expectation that business operators will be able to explain their breach response and demonstrate accountability when the PPC conducts oversight activities.

## GDPR Article 33(5) documentation requirement — a comparative reference

The GDPR imposes an explicit breach-documentation duty. Article 33(5) GDPR provides that the controller "shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken." This documentation requirement applies to all personal data breaches, including those that the controller determines are unlikely to result in a risk to the rights and freedoms of natural persons and therefore do not require notification to a supervisory authority under Article 33(1) GDPR.

The European Data Protection Board (EDPB) Guidelines 9/2022 on personal data breach notification (formerly WP29 Guidelines WP250 rev.01, adopted by the EDPB) clarify that the Article 33(5) documentation obligation enables the supervisory authority to verify whether the controller has correctly assessed which breaches are notifiable. The PPC has published a Japanese translation of the EDPB Guidelines 9/2022 on its website as a reference for Japanese business operators handling EU personal data, acknowledging the GDPR's more extensive breach-recordkeeping framework.

Japanese business operators subject to both the APPI and the GDPR (for example, operators offering goods or services to individuals in the European Union or monitoring EU data subjects) must comply with the GDPR Article 33(5) documentation requirement for breaches involving EU personal data, even though the APPI imposes no parallel obligation for breaches of Japan-resident personal data. Such operators often implement a unified breach log covering all personal data breaches to satisfy the GDPR requirement and to maintain a consistent incident-response practice across jurisdictions.

## Best practice and industry standards

Although not statutorily mandated under the APPI, maintaining an internal breach log is widely recognized as a best practice in Japan's privacy-compliance community. Industry standards such as the JIS Q 15001 (PrivacyMark certification standard administered by the Japan Institute for Promotion of Digital Economy and Community, JIPDEC) and the ISO/IEC 27001 information security management system standard recommend that organizations document all security incidents, including personal data breaches, to support continuous improvement of information security controls.

The Japan Federation of Bar Associations (日本弁護士連合会, JFBA) and privacy-practitioner associations have published guidance recommending that business operators establish incident logs that record the date of discovery, the scope of personal data involved, the cause or suspected cause of the breach, the immediate containment measures taken, and the results of any internal investigation. Such logs enable operators to track breach trends, identify systemic vulnerabilities, and demonstrate diligence when the PPC or another authority requests information under Article 146.

Business operators that voluntarily maintain breach logs should ensure that the logs are secured and access-controlled to prevent unauthorized disclosure, as the logs themselves may contain details about vulnerabilities and affected individuals. The retention period for breach logs is a matter of internal policy; many operators retain breach logs for three to five years in alignment with the three-year retention period prescribed for third-party provision records under the APPI Enforcement Rules, though no statutory requirement mandates a specific retention period for breach logs.

## Summary

The APPI Article 26 requires business operators to report breaches meeting specified triggers to the PPC and to notify affected data subjects, but it does not require business operators to maintain internal records of all breaches, including non-reportable incidents. This distinguishes the APPI from the GDPR, which mandates comprehensive breach documentation under Article 33(5). Japanese business operators are nonetheless well-advised to maintain internal breach logs as a best practice to support PPC investigations under Article 146, to demonstrate continuous improvement of safety management measures under Article 23, and to satisfy industry certification standards. Operators subject to both the APPI and the GDPR must maintain breach records for EU personal data breaches in compliance with GDPR Article 33(5), and many adopt a unified breach-logging practice for all jurisdictions.

Source: Act on the Protection of Personal Information (consolidated as of April 1, 2023), Articles 23, 26, 29–30, 146; Enforcement Rules for the Act on the Protection of Personal Information, Articles 12–18; Personal Information Protection Commission — Laws and Policies

Japan's Act on the Protection of Personal Information (APPI) establishes the breach notification obligation in Article 26(1) by reference to three threshold events: "leak, loss, or damage" (漏えい、滅失又は毀損) of personal data. A business operator must report to the Personal Information Protection Commission (PPC) and notify affected data subjects when a leak, loss, or damage (1) has occurred or is suspected to have occurred and (2) falls within one of the four statutory notification triggers prescribed by PPC Order (sensitive personal information, property-damage risk, improper use or cyberattack, or 1,000+ individuals).

The APPI does not define these three threshold terms in Article 26 or elsewhere in the statute. The PPC has not published comprehensive English-language interpretive guidance elaborating the boundaries of "leak," "loss," and "damage" under the APPI. The following interpretation derives from the statutory language, the structure of the APPI's security-control obligations under Article 23, and authoritative APPI commentary by Japanese privacy practitioners.

## "Leak" (漏えい)

"Leak" refers to unauthorized disclosure of or access to personal data by a person who is not authorized to receive or access the data. This includes:

• External unauthorized access: Cyberattacks, hacking, ransomware, or other intrusion by external threat actors that result in access to or exfiltration of personal data.
• Accidental external disclosure: Sending personal data to the wrong recipient by email, posting personal data on a publicly accessible website or cloud storage location due to misconfiguration, or physically mailing documents to the wrong address.
• Internal unauthorized access: Access by employees or other insiders who do not have authorization under the business operator's access-control policies to view or handle the personal data in question. For example, if an employee in the marketing department accesses customer health records stored in a separate database to which the employee has no business need or authorization, this may constitute a "leak" even though the employee is an insider.

A "leak" occurs when personal data is disclosed to or accessed by a person (internal or external) who is not authorized to receive or view it under the business operator's security-control measures. Unauthorized access without confirmed exfiltration can constitute a reportable leak if one of the four Article 26(1) triggers applies. For instance, if system logs show that an unauthorized external actor accessed a database containing 1,000+ individuals' personal data, but forensic analysis has not yet confirmed whether the data was copied or exfiltrated, the business operator must file a preliminary breach report to the PPC within three to five business days based on the suspected leak, because the volume trigger (1,000+ individuals) is met.

## "Loss" (滅失)

"Loss" means that personal data no longer exists in a form accessible to the business operator, or that the business operator has lost control over or possession of the personal data. Loss includes:

• Permanent deletion or destruction: Data deleted from systems or physically destroyed (e.g., paper records shredded or incinerated) such that the business operator can no longer retrieve the data, even from backups.
• Loss of access due to encryption or system failure: For example, if a ransomware attack encrypts personal data and the business operator cannot decrypt the data because the decryption key is held by the attacker or has been lost, this is a "loss" even if the encrypted data files remain on the business operator's servers.
• Physical loss: Theft or misplacement of electronic media (laptops, USB drives, backup tapes) or paper documents containing personal data, such that the business operator no longer has the data in its possession.

The PPC has clarified in the context of ransomware attacks that encryption of personal data by ransomware constitutes both unauthorized access (a "leak") and, if the business operator cannot restore access from a backup, a loss of availability. If the business operator can restore the encrypted data from a secure backup without paying the ransom, the incident may be characterized as a leak (unauthorized access) rather than a permanent loss, but the Article 26(1) reporting obligation may still apply under the "improper use or cyberattack" trigger.

## "Damage" (毀損)

"Damage" refers to alteration, corruption, or incompleteness of personal data such that the data is no longer accurate, intact, or usable in its original form. Damage includes:

• Unauthorized alteration: Modification of personal data by an unauthorized party (e.g., an attacker changing customer account balances, contact information, or transaction records in a database).
• Data corruption: Technical failure, malware, or user error that corrupts data files, rendering the personal data unreadable or unreliable (e.g., database corruption following a power failure or disk error).
• Partial deletion: Deletion of fields or records within a personal data set such that the remaining data is incomplete. For example, if an attacker deletes the "date of birth" field for all records in a customer database, the personal data has been damaged even if names and addresses remain intact.

Damage is distinct from loss: damaged personal data still exists but is no longer in its original, accurate, or complete form. If the damage affects sensitive personal information, creates property-damage risk, results from a cyberattack, or affects 1,000+ individuals, the Article 26(1) notification triggers apply.

## "Suspected" leak, loss, or damage

Article 26(1) applies not only when a leak, loss, or damage has been confirmed, but also when such an event is "suspected" (おそれ). A business operator that becomes aware of facts suggesting that a breach may have occurred—for example, a security alert indicating possible unauthorized access, missing backup tapes, or user reports of suspicious account activity—must conduct an immediate investigation. If the preliminary investigation suggests that a leak, loss, or damage meeting one of the four triggers may have occurred, the business operator must file a preliminary report to the PPC within three to five business days, even if the full scope and impact of the incident are not yet confirmed. The PPC does not require absolute certainty before a preliminary report is due; reasonable suspicion based on available evidence is sufficient.

The business operator's final report, due 30 or 60 days after recognition of the breach, should include the results of the completed investigation and state whether the suspected leak, loss, or damage was confirmed or ruled out. If the investigation concludes that no reportable breach occurred (for example, the suspected unauthorized access was a false positive generated by a misconfigured intrusion-detection system), the business operator should update the PPC in the final report.

## Summary

Under the APPI Article 26(1), a business operator must report a breach to the PPC when (1) a leak (unauthorized disclosure or access), loss (destruction or loss of possession/control), or damage (alteration, corruption, or incompleteness) of personal data has occurred or is suspected, and (2) the breach meets one of the four statutory triggers. The PPC has not published detailed English-language guidance defining these three threshold terms; the definitions above reflect the statutory language and authoritative APPI commentary. When in doubt about whether an incident constitutes a leak, loss, or damage, business operators should consult with Japanese privacy counsel and, if a reporting trigger is met, file a preliminary report to the PPC promptly to preserve compliance with the Article 26(1) timeline.

Source: Act on the Protection of Personal Information (consolidated as of April 1, 2023), Articles 23, 26; Personal Information Protection Commission enforcement materials

Japan's Act on the Protection of Personal Information (APPI) Article 26, effective April 1, 2022, requires business operators to report breaches to the Personal Information Protection Commission (PPC) and notify affected data subjects when a leak, loss, or damage of personal data occurs and meets one of four statutory triggers. Widely cited commentary and PPC guidance materials describe a "necessary measures" exemption under which notification may not be required when robust technical safeguards—principally encryption—render the breach low-risk. This section reviews that exemption as understood in practice, notes a proposed 2026 legislative amendment introducing an additional low-risk carve-out, and distinguishes the exemptions from categorical exclusions for pseudonymized and anonymized data.

## Encryption exemption — "necessary measures" as described in commentary

Privacy practitioners and PPC guidance materials consistently describe an exemption from Article 26 notification obligations when a business operator has taken "necessary measures to prevent harm to the rights and interests of data subjects." The exemption is most commonly invoked when personal data was encrypted using a robust algorithm (e.g., AES-256) and the encryption key was not compromised in the breach. Under this interpretation, a breach involving encrypted personal data does not trigger the Article 26(1) PPC reporting or Article 26(2) data-subject notification obligations when the encryption renders the data unintelligible to unauthorized parties and the key management practices ensure the key was not accessible to the unauthorized recipient.

The exemption does not apply if the encryption key or security credentials were also compromised. If an attacker obtains both the encrypted database and the decryption key—because the key was stored on the same stolen device or the attacker infiltrated the key-management system—the necessary-measures threshold is not met and the business operator must report the breach as required by Article 26.

Unable to confirm the precise citation to the PPC Order, Enforcement Rules, or official guideline provision establishing the encryption exemption from primary sources as of 2026-06-02. The description above reflects the consensus interpretation in Japanese privacy-compliance practice and is consistent with PPC guidance materials referenced by practitioners, but the author has not verified the specific regulatory or statutory text specifying the exemption criteria. Business operators considering reliance on the exemption should consult PPC guidance directly or seek advice from counsel familiar with PPC enforcement practice.

## Proposed 2026 low-risk exemption — pending Diet deliberation

On April 7, 2026, the Japanese Cabinet approved a bill to amend the APPI and submitted it to the Diet. The bill proposes a risk-based exemption from the data-subject notification obligation under Article 26(2) for breaches presenting a "low risk of harming the rights and interests of the individual." Under the proposed amendment, business operators would be exempt from directly notifying affected individuals if PPC regulations (to be issued after enactment) designate the breach as low-risk and the business operator implements necessary alternative measures to protect data subjects, such as posting a public announcement.

The PPC reporting obligation under Article 26(1) would continue to apply even for low-risk breaches under the proposed amendment. The exemption applies only to data-subject notification, not to preliminary and final reports to the PPC.

The Diet is expected to deliberate the bill during 2026. If enacted, the PPC will issue implementing regulations defining which categories of breaches qualify as low-risk for purposes of the data-subject notification exemption. The regulations are expected to take effect in 2027 or 2028, though the implementation timeline has not been finalized as of June 2026.

## Categorical exemptions for pseudonymized and anonymized information

The APPI establishes categorical exemptions from Article 26 for breaches of pseudonymously processed information (PPI) under Article 41 and anonymized personal information (API) under Article 43. Article 41 provides that business operators handling PPI are exempt from the Article 26 breach notification obligations. PPI is defined in Article 2(5) as personal information processed so that it cannot be used to identify a specific individual without collation with other information. Article 43 similarly exempts API from the Article 26 notification obligations. API is defined in Article 2(6) as information processed from personal information so that a specific individual cannot be identified and the original personal information cannot be restored.

If the breached data qualifies as PPI or API at the time of the breach, Article 26 does not apply regardless of the number of affected individuals, the sensitivity of the underlying data, or the nature of the breach (cyberattack, accidental disclosure, etc.). These categorical exemptions are express statutory exclusions and do not require a case-by-case risk assessment.

The encryption / necessary-measures exemption described above, by contrast, applies to personal data (個人データ) that remains fully identifiable but is protected by technical safeguards such that the breach does not pose a risk warranting notification. Business operators analyzing whether a breach is notifiable must first determine whether the breached data is personal data, PPI, or API under Articles 2(1), 2(5), and 2(6), and then—if it is personal data—whether an exemption (encryption or, if enacted, the proposed low-risk carve-out) applies.

## Analytic comparison — GDPR Article 34(3)(a) encryption exemption

The encryption exemption described in Japanese privacy-compliance practice parallels the European Union GDPR Article 34(3)(a), which provides that notification to data subjects is not required when the controller has applied "appropriate technical and organisational protection measures" rendering the data unintelligible to unauthorized persons—specifically, encryption. Under both the APPI as interpreted in practice and the GDPR, robust encryption with the key not compromised serves as a mitigating factor that can eliminate the data-subject notification obligation.

A key difference in the GDPR framework: the encryption exemption under Article 34(3)(a) applies only to data-subject notification. The controller must still report the breach to the supervisory authority under Article 33 within 72 hours. The APPI necessary-measures exemption, as described in PPC guidance and Japanese commentary, applies to both the PPC reporting obligation and the data-subject notification obligation—when the threshold is met, neither the preliminary/final PPC report nor the data-subject notification is required. This broader exemption reflects the APPI's focus on harm to data subjects as the trigger for notification, rather than the occurrence of a breach per se.

Source: Act on the Protection of Personal Information (consolidated as of April 1, 2023), Articles 2, 26, 41, 43