
Japan — Data Subject Rights

6 sections · Last updated 2026-06-02

Statutory rights framework under APPI — disclosure, correction, suspension of use

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

Japan's Act on the Protection of Personal Information (Act No. 57 of 2003, as amended; "APPI") grants data subjects (termed "identifiable persons" or "principals") enforceable rights over retained personal data (保有個人データ) held by business operators. These rights apply to personal information handling business operators (PIHBOs) under Chapter IV, Section 2 of the APPI and are enforced by the Personal Information Protection Commission (PPC), an independent administrative body established under the 2015 amendments.

The APPI recognizes four core statutory rights, substantially expanded by the 2020 amendments (Act No. 44 of 2020) that entered into force April 1, 2022:

1. Right of disclosure (Article 33)

An identifiable person may request that a business disclose retained personal data concerning them "through electronic or magnetic records or other means as prescribed by Order of the Personal Information Protection Commission." The business must disclose the data "without delay" by the method the person requests (or by paper document if electronic disclosure would require "a costly expenditure" or prove otherwise difficult).

The April 2022 amendments added the express right to demand disclosure in electronic format, aligning Japan with the GDPR's data portability principle. Prior to 2022, the default disclosure method was written document delivery (Order to Enforce the APPI, Ordinance No. 507 of 2003).

Disclosure may be refused in whole or part if it would (i) harm the life, wellbeing, property, or other rights of the identifiable person or a third party; (ii) seriously interfere with the business operator's proper execution of operations; or (iii) violate other laws or regulations (Article 33(2)).

2. Right of correction (Article 34)

Where retained personal data is untrue, the identifiable person may request correction (including addition or deletion). The business must conduct a necessary investigation and, based on the result, correct the content without delay to the extent necessary for achieving the purpose of use (Article 34(2)). If the business decides not to correct the data or to correct it only partially, it must notify the person of that decision and the reason (Article 34(3)).

3. Right of suspension of use or erasure (Article 35)

An identifiable person may request that a business suspend use or erase retained personal data if:

  • it was obtained in violation of the acquisition restrictions (e.g., illegally or by deception);
  • it is being used beyond the stated purpose;
  • it was obtained without the required consent for special care-required personal information (sensitive data under Article 2(3), including race, medical history, criminal records); or
  • it is being provided to a third party without lawful basis.

The 2022 amendments added a new ground: the person may request suspension or erasure where the business's handling of the data is "likely to harm that person's rights or legitimate interests" (Article 35(1)(v)), a catch-all provision similar to GDPR Article 21's objection right.

The business must suspend or erase without delay "to the extent necessary" for remedying the violation; however, if suspension or erasure would require disproportionate expense or prove otherwise difficult, the business may substitute alternative measures (Article 35(2) proviso).

4. Right to cease third-party provision (Article 35(3))

An identifiable person may request that a business cease providing retained personal data to a third party if the provision violates the third-party provision restrictions (Article 27) or if the provision is likely to harm the person's rights or legitimate interests. The business must cease provision without delay, subject to the same proportionality limitation as suspension of use.

Retained personal data — the scope threshold

Before the 2022 amendments, "retained personal data" excluded data the business planned to delete within six months. The 2022 reforms eliminated this six-month carve-out (former Article 2(7)), expanding the scope of data subject rights to cover virtually all personal data a business retains with the power to disclose, correct, or erase in response to the principal's request. This change mirrors the EDPB's position that processing duration does not diminish data subject rights.

Response timelines and fees

The APPI does not specify a fixed response deadline; it requires "without delay" (遅滞なく) action. PPC guidelines interpret this as a reasonable period considering the complexity and volume of data; typically 30 days is considered reasonable for straightforward requests, though the statute does not codify this.

Businesses may charge a fee for disclosure (Article 38(1)) if it reflects actual costs, but they may not charge for correction, suspension, or erasure requests. The fee structure must be publicly disclosed in advance (Article 32(1)(iv)).

Judicial and administrative remedies

Data subjects may file a complaint with the PPC if a business fails to respond or refuses a request. The PPC may issue guidance, recommendations, or orders to the business (Articles 147–148). Separately, the APPI grants a private right of action: the principal may bring a civil claim for damages under Article 4 (protection of the individual's rights and interests) read together with the general tort provision of the Civil Code (Article 709). Criminal penalties apply only to PPC order violations (Article 178) or unauthorized database provision (Articles 176–177), not to direct refusal of data subject requests.

Source: Act on the Protection of Personal Information (consolidated as of April 1, 2023), Act on the Protection of Personal Information — English translation, APPI Three-Year Review Outline of System Reform (PPC)


Identity verification procedures for data subject requests under Article 37 APPI

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

Under the Act on the Protection of Personal Information (APPI), business operators handling personal information must establish and publicly disclose verification procedures before responding to data subject requests for disclosure, correction, suspension of use, or cessation of third-party provision. This requirement balances the principal's statutory right to access retained personal data against the business's obligation to prevent unauthorized disclosure to third parties or imposters.

Mandatory disclosure of verification method — Article 37(1) APPI and Order for Enforcement Article 7

Article 37(1) APPI requires that a business operator "must make public without delay" several procedural matters concerning how it will handle requests for disclosure and other handling (開示等の請求, kaiji-tō no seikyū). Under the Order for Enforcement of the APPI, Article 7, item (iii), one of the items that must be publicly disclosed is:

> "the way of verifying that the person requesting disclosure or other handling is the identifiable person or the representative prescribed in the following Article."

This means that before receiving any data subject request, a business must establish a verification protocol and make it accessible to the public — typically in the business's privacy policy, on its website, or in a dedicated procedure notice. The business may not improvise verification on a case-by-case basis; the method must be pre-disclosed and consistently applied.

Who may request disclosure — principals and representatives

Data subject requests may be submitted by:

  1. The identifiable person (本人, honnin) — the individual to whom the retained personal data pertains; or
  2. A representative authorized under Order for Enforcement Article 8, which recognizes two categories:
     • The statutory agent (hōtei dairi-nin) of a minor or an adult ward (a legal guardian); or
     • A representative appointed in writing by the identifiable person specifically to submit the disclosure request.

The verification procedure must be capable of confirming the identity of the requestor in either capacity and, for appointed representatives, must also verify the delegation authority (e.g., a signed power of attorney or authorization letter).

What constitutes adequate verification

Neither the APPI nor the Order for Enforcement prescribes a single mandatory verification method. The statute grants businesses flexibility to tailor verification to the sensitivity of the data, the channel through which the request is submitted (online portal, postal mail, in-person), and operational feasibility. PPC guidance (issued under the 2020 amendments) suggests that verification should be proportionate to the risk of wrongful disclosure:

  • For low-risk requests (e.g., confirmation of purpose of use under Article 32(2)), email confirmation or account login may suffice.
  • For disclosure of retained personal data (Article 33), businesses commonly require a copy of government-issued identification (driver's license, My Number Card, passport, residence card) and signature matching. If the request is submitted online, businesses may require multi-factor authentication or a notarized statement.
  • For postal requests, businesses typically ask the requestor to mail a photocopy of ID plus a signed request form to a designated address, and respond by registered mail to the address on the ID.

Businesses operating a customer portal or membership system may treat authenticated login as sufficient verification for registered users, provided the original account registration included identity verification. This is especially common in the financial sector and telecommunications industries, where KYC (know-your-customer) procedures at onboarding establish the link between account credentials and the real-world identity of the customer.

Rejection for failure to verify

If a business cannot verify the identity of the requestor, it is not obligated to respond to the request. The APPI does not impose a duty to disclose retained personal data to an unverified party. However, Article 37(1) requires the business to notify the requestor without delay if the request is denied, and Article 36 APPI requires the business to "endeavor to explain its reasons" for the denial. Best practice is to inform the requestor that verification could not be completed and to specify what additional documentation or information is needed (e.g., "Please resubmit a copy of your driver's license showing your current registered address").

No explicit timeline for verification

The APPI requires that disclosure, correction, and suspension actions be taken "without delay" (遅滞なく, chitai naku) once the business has received a valid request (Articles 33(1), 34(2), 35(2)). PPC interpretive materials suggest 30 days as a reasonable period for straightforward requests. The verification step is treated as part of the request-handling process, not a separate phase with its own deadline. In practice, businesses commonly complete verification within 5–10 business days of receiving a postal or online request and then begin the substantive review.

Fee disclosure and verification

Article 37(1) also requires businesses to disclose "how the fee referred to in Article 30, paragraph (1) of the Act is collected." Businesses may charge a fee for disclosure requests (Article 38(1) APPI, formerly Article 30 before the 2022 renumbering) if the fee reflects actual costs incurred in copying and transmitting the data. The fee structure must be disclosed in the same public notice as the verification method. Businesses may not charge a fee for correction, suspension of use, or cessation of third-party provision requests. The verification requirement applies regardless of whether a fee is charged.

Cross-reference — Financial sector enhanced requirements

The PPC has issued sector-specific guidelines for financial institutions (banks, securities firms, insurers). The Guidelines for the Protection of Personal Information in the Financial Sector recommend that financial businesses obtain consent in writing (including electronic records) for data handling, and that identity verification for DSAR should align with the anti-money-laundering (AML) customer identification standards already in place under the Act on Prevention of Transfer of Criminal Proceeds. Financial institutions commonly require government-issued photo ID, utility bills for address confirmation, and notarized signature for high-value account disclosures.

Source: Act on the Protection of Personal Information (English translation), Order for Enforcement of the Act on the Protection of Personal Information (English translation)


Response timelines and enforcement remedies for non-compliance with data subject requests

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

When a Japanese business operator fails to respond to a data subject request for disclosure, correction, suspension of use, or cessation of third-party provision under the Act on the Protection of Personal Information (APPI), the identifiable person (principal) has three distinct enforcement pathways: administrative complaint to the Personal Information Protection Commission (PPC), private civil action for damages, and—if the business defies a PPC order—criminal prosecution. Understanding the statutory timelines, the PPC's graduated enforcement powers, and the remedies available to the data subject is essential for managing request-handling risk.

## The "without delay" standard — no fixed statutory deadline

The APPI does not prescribe a numeric response deadline for data subject requests. Articles 33(1) (disclosure), 34(2) (correction), and 35(2) (suspension of use or erasure) each require the business operator to act "without delay" (遅滞なく, chitai naku) once it has received and verified a valid request. Article 36 similarly requires the business to notify the principal "without delay" if it decides to refuse the request in whole or part and to "endeavor to explain its reasons."

Practical interpretation: PPC guidance materials interpret "without delay" as a reasonable period considering the complexity of the request, the volume of data, and the technical difficulty of retrieval or correction. In straightforward cases—disclosure of a limited set of retained personal data from a customer database, for example—30 days is widely treated as a reasonable benchmark, though the statute does not codify this. For complex multi-system requests or large-volume erasure demands, businesses may take longer provided they communicate interim status updates to the requestor and can demonstrate they began work promptly. The APPI does not permit a blanket 45- or 60-day response window as some jurisdictions allow; delay must be justified by the specific operational burden of that request.

If a business needs additional time beyond the initial reasonable period, best practice under Article 36 is to notify the principal of the anticipated timeline and the reason for the extension (e.g., "Your request requires manual review of archived records stored offsite; we estimate completion within 60 days from receipt"). Silence is non-compliant.

## PPC administrative enforcement — graduated escalation under Articles 147–148

The PPC is Japan's independent data protection authority, established under the 2015 amendments to the APPI and granted consolidated supervisory jurisdiction over personal information handling business operators (PIHBOs) effective April 1, 2022. When a business fails to respond to a data subject request or refuses it without lawful justification, the principal may file a complaint with the PPC. The PPC does not operate a formal complaint mediation system for commercial-sector disputes (its mediation function under Article 61(ii) is limited to complaints concerning My Number handling under the Numbers Use Act). However, the PPC accepts informal complaints and may open a supervisory investigation.

The PPC's enforcement toolkit follows a graduated model:

1. Guidance and advice (Article 147) If the PPC determines that a business operator's handling of personal information—including its response to data subject requests—may violate the APPI, it may provide non-binding guidance (指導, shidō) or advice (助言, jogen). Guidance is typically issued in writing and identifies the perceived deficiency (e.g., "Your refusal to disclose retained personal data under Article 33(2)(ii) on grounds of operational burden does not meet the 'seriously interfere with proper execution of business' threshold"). Businesses are expected to cure the issue voluntarily; there is no statutory deadline for compliance with guidance, but failure to act may trigger escalation.

2. Recommendation (Article 148(1)) Where guidance proves ineffective or the violation is significant, the PPC may issue a formal recommendation (勧告, kankoku). A recommendation is a public administrative action: the PPC must disclose the fact of the recommendation, the business operator's name, and the nature of the violation. Recommendations carry reputational weight but remain non-binding; however, defying a recommendation without credible justification increases the likelihood of an order.

3. Order (Article 148(2)) If a business operator fails to comply with a recommendation "without justifiable grounds," the PPC may issue a binding order (命令, meirei) requiring specific corrective action (e.g., "Disclose the retained personal data identified in the principal's request of [date] within 14 days of receipt of this order"). An order is a formal administrative disposition subject to judicial review under the Administrative Case Litigation Act. Violation of a PPC order is a criminal offense.

The PPC publishes enforcement actions—recommendations and orders—on its website (ppc.go.jp/en). As of April 2022, the PPC has issued relatively few recommendations or orders specifically for refusal of data subject requests; most published enforcement actions concern breach notification failures, unlawful third-party provision, and inadequate security controls. This does not mean the PPC ignores data subject rights complaints, but rather that most businesses cure deficiencies at the guidance stage to avoid public censure.

## Criminal penalties — Article 178 and order violations

The APPI does not criminalize the direct refusal of a data subject request. A business that refuses disclosure, correction, or suspension of use—even wrongfully—faces administrative enforcement and civil liability but not prosecution unless it has defied a binding PPC order.

Article 178 APPI imposes criminal penalties on any person who, without justifiable grounds, fails to comply with a PPC order issued under Article 148(2). The penalty is imprisonment for up to six months or a fine of up to 300,000 yen (approximately USD 2,000 at current exchange rates). This provision applies to the individual within the business who has responsibility for APPI compliance (typically the Chief Privacy Officer, General Manager of Legal & Compliance, or Representative Director). Corporate criminal liability also attaches under the dual liability provision: the business entity itself may be fined.

In practice, criminal prosecution under Article 178 is rare. The PPC has historically treated the order-violation penalty as a last-resort enforcement tool, reserved for egregious or willful defiance of administrative authority. Most order violations are resolved through negotiated compliance before referral to prosecutors.

Separate criminal exposure: Articles 176–177 APPI impose heavier criminal penalties (up to one year imprisonment or a fine of up to 500,000 yen) on persons who wrongfully provide a personal information database to a third party for the purpose of wrongful gain or causing harm. This provision does not apply to refusal of data subject requests but may be relevant if an employee exfiltrates the database rather than processing a legitimate disclosure request through proper channels.

## Civil damages — Article 709 Civil Code and the private right of action

Data subjects may bring a civil claim for damages against a business that unlawfully refuses or unreasonably delays a response to a disclosure, correction, or suspension request. The APPI itself does not create an express statutory damages regime; instead, principals invoke the general tort provision of the Civil Code, Article 709, which provides:

> "A person who intentionally or negligently infringes the right or legally protected interest of another is liable for damages arising therefrom."

The principal must prove three elements: (i) the business operator's act or omission (refusal or delay) was wrongful (violated Articles 33–35 APPI); (ii) the principal suffered actual damages; and (iii) causation. Damages recoverable are typically limited to provable economic or emotional harm. Japanese courts have awarded modest damages in data protection cases—often in the range of 10,000 to 100,000 yen per individual claimant for privacy violations causing emotional distress (the "sense of unease" or fukai-kan recognized in the JR East Suica case and similar precedents). Substantial damages require evidence of concrete financial loss, reputational harm, or downstream identity theft or fraud resulting from the business's failure to correct inaccurate data or suspend unlawful use.

Civil litigation is time-consuming and expensive relative to the damages typically at stake for an individual claimant. Class actions in the U.S. sense do not exist under Japanese civil procedure; each claimant must file separately or join in a consolidated proceeding. As a result, most data subjects pursue PPC complaints rather than litigation unless the violation is part of a broader pattern (e.g., a data breach followed by refusal to disclose the compromised records).

## Judicial review of PPC orders and business defenses

A business that receives a PPC order under Article 148(2) may challenge the order through an administrative appeal or judicial review under the Administrative Case Litigation Act (Act No. 139 of 1962). The business must file a petition for revocation (torikeshi no uttae) with the Tokyo District Court (which has exclusive jurisdiction over challenges to PPC dispositions) within six months of receipt of the order. Filing an appeal does not automatically suspend the order; the business must separately petition the court for a stay of execution.

Grounds for successful challenge are narrow: the business must show that the PPC exceeded its statutory authority, applied the APPI erroneously as a matter of law, or acted arbitrarily. Courts afford substantial deference to the PPC's technical determinations, especially on questions such as whether disclosure would "seriously interfere with proper execution of business" under Article 33(2)(ii) or whether the data qualifies as retained personal data. The burden of proof rests with the challenging business.

## Summary — practitioner risk management

For businesses operating under the APPI, the absence of a fixed response deadline is both a flexibility and a trap. "Without delay" is enforced retroactively: if the PPC or a court later determines that 45 days was unreasonable for a straightforward request, the business is in violation even if it believed it was acting diligently. Best practice is to:

  • Acknowledge receipt within 5 business days and confirm identity verification requirements;
  • Begin substantive review immediately and set an internal target of 30 days for simple requests;
  • Communicate interim status if delay is unavoidable, documenting the operational justification;
  • Treat PPC guidance as binding in practice—curing deficiencies before escalation to recommendation or order avoids public disclosure and criminal exposure; and
  • Recognize that civil damages are modest but reputational harm from a published PPC recommendation can be severe, especially for consumer-facing businesses.

The APPI's enforcement model prioritizes administrative correction over punishment. Businesses that engage constructively with the PPC and demonstrate good-faith efforts to cure violations rarely face orders or prosecution. Those that ignore guidance or stonewall data subjects invite escalation.

Source: Act on the Protection of Personal Information (English translation, consolidated April 1, 2023), Personal Information Protection Commission — Supervision


Statutory refusal grounds for disclosure, correction, and suspension requests under Articles 33–35 APPI

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Japan's Act on the Protection of Personal Information (APPI) grants business operators statutory authority to refuse or limit data subject requests for disclosure, correction, suspension of use, or erasure when specific conditions are met. Understanding these refusal grounds is essential for triaging data subject access requests (DSARs) lawfully — a blanket refusal without statutory justification exposes the business to PPC enforcement and civil damages, but a well-founded partial or full denial is expressly permitted by the statute. The refusal framework differs by request type, reflecting the distinct policy concerns underlying disclosure (privacy and operational burden), correction (factual accuracy and third-party reliance), and suspension (redressing unlawful processing without disproportionate cost).

## Refusal grounds for disclosure requests — Article 33(2) APPI

Article 33(2) enumerates three grounds on which a business operator may refuse to disclose retained personal data in whole or in part, even when the identifiable person has submitted a valid and verified request:

(i) Disclosure would harm life, wellbeing, property, or other rights or interests of the identifiable person or a third party

A business may refuse disclosure if providing the data would create a concrete risk to the safety, financial interests, or fundamental rights of the requesting principal or another individual. This ground most commonly arises in four scenarios:

  • Medical or psychiatric records where disclosure of a diagnosis, prognosis, or treatment history could cause severe psychological harm to the patient (e.g., terminal illness disclosure that the treating physician has determined should be withheld). The PPC has acknowledged that this ground may apply when a medical professional certifies that immediate disclosure would endanger the patient's mental health or safety, though the business must document the clinical rationale.
  • Domestic violence or stalking protection where disclosing a domestic violence victim's current address, employer, or contact details to the victim's abuser (who may be a joint account holder or legally authorized representative) would expose the victim to physical danger. Businesses commonly invoke this ground when processing requests from estranged spouses or family members seeking location data of protected individuals.
  • Third-party personal data intermingled with the principal's data where the disclosure would reveal sensitive information about another identifiable person — for example, salary comparison data in a performance review, peer evaluations that identify colleagues by name, or collaborative project records where redaction is impracticable. Unlike GDPR Article 15(4), which treats third-party rights as a limit on the "copy" obligation rather than a refusal ground, Article 33(2)(i) permits outright refusal of disclosure when redaction is technically infeasible or would render the disclosed data meaningless. However, the PPC guidance emphasizes that businesses should attempt redaction before invoking this exception; a blanket refusal citing "third-party data present" without demonstrating redaction difficulty is non-compliant.
  • Financial fraud or identity theft risk where disclosing detailed transaction logs, account security questions, or authentication credentials could enable the requesting party (or an impersonator) to commit fraud. This ground is narrowly applied; the business must show a specific, articulable risk, not a hypothetical concern.

The burden of proof rests with the business operator to demonstrate that disclosure "is likely to" (おそれがある, osore ga aru) cause harm — a probability standard higher than "possible" but lower than "certain." PPC enforcement practice suggests that speculative or remote harms do not satisfy this threshold.

(ii) Disclosure would seriously interfere with the business operator's proper execution of business operations

This ground authorizes refusal when responding to the disclosure request would impose a disproportionate operational burden on the business, considering the volume of data, the technical complexity of retrieval, and the business's available resources. It is the APPI's analogue to the GDPR's "manifestly excessive" standard under Article 12(5), though Article 33(2)(ii) does not require that the request be repetitive or made in bad faith.

PPC interpretive materials identify three fact patterns that may meet the "seriously interfere" test:

  • Massive volume requests requiring manual review of unstructured data — e.g., a request for "all personal data" from an employee with 20 years of tenure, where responsive records span multiple legacy IT systems, archived email servers, and paper HR files stored offsite, and automated search tools cannot reliably identify all responsive records. The business must quantify the estimated retrieval cost (person-hours and monetary expense) and demonstrate that it would materially disrupt ongoing operations. Courts have recognized this ground when compliance would require reassigning multiple full-time staff for weeks or months, but not for requests that can be satisfied within the business's normal DSAR-handling capacity.
  • Requests targeting proprietary algorithms, business methods, or trade secrets where the personal data is embedded in or derived from confidential analytical models. For example, a credit scoring model that outputs a risk score for the principal but whose internal weightings and factors are trade secrets. Article 33(2)(ii) allows the business to disclose the output (the score) and the categories of input data used (e.g., payment history, credit utilization ratio) without disclosing the proprietary formula itself. Complete refusal is permissible only if even this limited disclosure would reveal the protected trade secret.
  • Requests submitted during peak operational periods (e.g., year-end financial close, product launch, regulatory audit response) where immediate compliance would prevent the business from meeting other legal or contractual deadlines. This ground is rarely sufficient on its own; the business must offer an alternative timeline (e.g., "We will complete disclosure within 60 days, after the annual audit concludes on [date]") rather than refuse outright.

The 2020 amendments did not abolish this ground, contrary to early speculation. The PPC confirmed in its Three-Year Review Outline that the "seriously interfere" exception remains in force and serves as a necessary safety valve for disproportionate requests, even as the scope of "retained personal data" was expanded to cover short-retention-period data. However, the PPC has cautioned that businesses may not treat routine DSAR processing as an "interference"; if the business operates at scale and regularly handles personal data, it must build the infrastructure to respond to access requests without claiming operational burden for typical requests.

(iii) Disclosure would violate other laws or regulations

A business may refuse disclosure when providing the data would constitute a violation of another Japanese statute or regulation. Common examples include:

  • Tax secrecy obligations under Article 22 of the Act on General Rules for National Taxes, which prohibits tax accountants and certified public accountants from disclosing a client's tax return details without authorization, even to the taxpayer's authorized representative in some contexts.
  • Financial transaction reporting restrictions under the Act on Prevention of Transfer of Criminal Proceeds (APTCP), which limits disclosure of suspicious transaction reports (STRs) filed with the Financial Intelligence Center. Banks may not disclose to an account holder that an STR concerning the account holder's transactions has been filed, even if the account holder submits a DSAR.
  • Criminal investigation secrecy under the Code of Criminal Procedure, which restricts disclosure of records related to ongoing investigations. If a business has provided personal data to law enforcement pursuant to a lawful disclosure order, the business may refuse to disclose to the principal the fact or contents of that provision while the investigation remains open, provided the prosecuting authority has instructed the business not to disclose.
  • Employment records covered by separate sectoral confidentiality rules, such as occupational health records under the Industrial Safety and Health Act that may be disclosed only through specific statutory procedures.

This ground is construed narrowly: the business must cite the specific statute and article that prohibits disclosure, not merely assert "legal confidentiality." When invoking Article 33(2)(iii), the business must notify the principal of the legal basis under Article 36 (the duty to "endeavor to explain its reasons").

Partial refusal and segmentation

Article 33(2) permits refusal of "all or part" of the requested data. Businesses should disclose the portions of retained personal data that do not fall under any exception and refuse only the specific records or fields that meet one of the three grounds. For example, if a performance review contains both factual employment history (disclosable) and peer evaluations that identify other employees by name (refusal ground (i) or (ii)), the business should provide the factual history and withhold the peer evaluations, explaining the basis for partial refusal. A complete refusal is lawful only when the entire data set falls under an exception or when segmentation is technically impossible without rendering the disclosed portion unintelligible.
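The segmentation step described above, as an added example that is not part of this entry: each field of a retained-data record is either disclosed or withheld under a named Article 33(2) ground, the Article 36 reasons name only the category of withheld data, and a complete refusal results only when nothing is disclosable. Field names, rules and the sample review records are constructed; the Industrial Safety and Health Act citation carries a placeholder article number.

```python
"""Added example (not code from this entry): field-level partial refusal under
Article 33(2) APPI with an Article 36 explanation. Field names, rules and sample
records are constructed for illustration."""
import csv
import io
import json
from dataclasses import dataclass

# Short labels for the three refusal grounds in Article 33(2).
GROUNDS = {
    "i": "Article 33(2)(i): harm to the rights or interests of the principal or a third party",
    "ii": "Article 33(2)(ii): serious interference with the proper execution of operations",
    "iii": "Article 33(2)(iii): disclosure would violate another law or regulation",
}


@dataclass(frozen=True)
class WithholdRule:
    """One field to withhold, the ground relied on, and how it is described to the principal."""
    field: str
    ground: str        # "i", "ii" or "iii"
    category: str      # the kind of data withheld, never its contents
    statute: str = ""  # ground (iii) must cite the specific statute and article

    def __post_init__(self):
        if self.ground not in GROUNDS:
            raise ValueError(f"unknown ground {self.ground!r}")
        if self.ground == "iii" and not self.statute:
            raise ValueError(f"ground (iii) for {self.field!r} must cite a statute")


def segment(record, rules):
    """Split one record into disclosable fields and the rules that withhold the rest."""
    by_field = {r.field: r for r in rules}
    disclosed = {k: v for k, v in record.items() if k not in by_field}
    withheld = [by_field[k] for k in record if k in by_field]
    return disclosed, withheld


def explanation(withheld):
    """Article 36 reasons: ground, statute where cited, and data category only (deduplicated)."""
    lines, seen = [], set()
    for rule in withheld:
        if (rule.ground, rule.category) in seen:
            continue
        seen.add((rule.ground, rule.category))
        basis = GROUNDS[rule.ground] + (f"; {rule.statute}" if rule.statute else "")
        lines.append(f"Withheld: {rule.category} ({basis})")
    return lines


def build_response(records, rules, method="csv"):
    """Disclose every field not covered by a rule, in the requested format, and withhold
    the rest; a complete refusal results only when no field of any record is disclosable."""
    disclosed_rows, withheld_all = [], []
    for rec in records:
        d, w = segment(rec, rules)
        if d:
            disclosed_rows.append(d)
        withheld_all.extend(w)
    if not disclosed_rows:
        payload = ""
    elif method == "json":
        payload = json.dumps(disclosed_rows, ensure_ascii=False, indent=2)
    elif method == "csv":
        buf = io.StringIO()
        # Union of keys in first-seen order, so rows with differing fields still serialize.
        fieldnames = list(dict.fromkeys(k for r in disclosed_rows for k in r))
        writer = csv.DictWriter(buf, fieldnames=fieldnames)
        writer.writeheader()
        writer.writerows(disclosed_rows)
        payload = buf.getvalue()
    else:
        raise ValueError(f"unsupported method {method!r}")
    return {
        "complete_refusal": not disclosed_rows,
        "disclosed_rows": disclosed_rows,
        "reasons": explanation(withheld_all),
        "payload": payload,
    }


# Constructed sample: two years of a performance review held as retained personal data.
SAMPLE_REVIEWS = [
    {"review_year": 2023, "role": "Analyst", "overall_rating": "meets expectations",
     "peer_evaluations": "[text naming other employees]", "health_note": "[occupational health record]"},
    {"review_year": 2024, "role": "Senior Analyst", "overall_rating": "exceeds expectations",
     "peer_evaluations": "[text naming other employees]", "health_note": "[occupational health record]"},
]
SAMPLE_RULES = [
    WithholdRule("peer_evaluations", "i", "peer evaluations identifying other employees by name"),
    WithholdRule("health_note", "iii", "occupational health records",
                 statute="Industrial Safety and Health Act, Art. [placeholder]"),
]

if __name__ == "__main__":
    resp = build_response(SAMPLE_REVIEWS, SAMPLE_RULES, method="csv")
    print(resp["payload"])
    print("\n".join(resp["reasons"]))
```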

## Correction requests — Article 34(3) limited refusal

Article 34 governs the right to request correction, addition, or deletion of retained personal data that is "contrary to the fact" (事実でない, jijitsu de nai). The refusal framework here is narrower than for disclosure:

When a business receives a correction request, it must conduct a necessary investigation (Article 34(2)). If the investigation confirms that the data is factually inaccurate, the business must correct it to the extent necessary to achieve the purpose of use. If the business determines that the data is accurate, or that correction is unnecessary or outside the scope of the request, it must notify the principal of that decision and the reason (Article 34(3)).

Article 34 contains no enumerated refusal exceptions. The business may not refuse a correction request on operational burden grounds or third-party rights. The only permissible basis for declining correction is a factual determination that the retained personal data is accurate or that the requested correction would render the data inaccurate (e.g., the principal requests deletion of a delinquent payment record that did in fact occur). Disputes over subjective evaluations (e.g., a performance rating of "meets expectations" vs. "exceeds expectations") do not qualify as factual inaccuracy under Article 34; the business may document the principal's objection but is not required to change the evaluation unless it was based on factually incorrect underlying data.

If the business and the principal disagree on whether the data is factually accurate, the principal's remedy is to file a PPC complaint or bring a civil claim; the business is not obligated to accept the principal's characterization of the facts, but must document its investigative process and reasoning.

## Suspension of use and erasure — Article 35(2) proportionality limitation

Article 35 authorizes the identifiable person to request that a business suspend use or erase retained personal data if:

  • it was obtained in violation of the acquisition restrictions (Article 17, e.g., by deception);
  • it is being used beyond the stated purpose of use (Article 18);
  • it was obtained without required consent for special care-required personal information (sensitive data under Article 2(3));
  • it is being provided to a third party without lawful basis (Article 27 violation); or
  • (new in 2022) the business's handling of the data is likely to harm the principal's rights or legitimate interests (Article 35(1)(v)), a catch-all ground analogous to GDPR Article 21's objection right.

If the request has a valid statutory basis, the business must suspend use or erase the data "without delay … to the extent necessary" for remedying the violation (Article 35(2)). However, the Article 35(2) proviso carves out a proportionality exception:

> "This provision shall not apply to cases in which it costs a large amount or is otherwise difficult to discontinue using or to erase the retained personal data and in which the business operator takes necessary alternative measures to protect the rights and interests of the person."

This exception operates differently from the disclosure refusal grounds. The business may not refuse suspension or erasure outright; instead, it must substitute alternative measures that achieve the same protective purpose at lower cost. PPC guidance suggests alternatives such as:

  • Anonymization or pseudonymization in place of full erasure, when the violation relates to unlawful processing rather than unlawful acquisition and rendering the data non-identifiable would cure the harm.
  • Access restriction (limiting internal access to the data to a narrow group of employees, with audit logging) when full erasure would compromise the business's ability to comply with another legal obligation (e.g., tax recordkeeping, litigation hold).
  • Enhanced transparency and consent refresh when the violation is purpose-creep (use beyond the original stated purpose) and the business can lawfully cure the issue by obtaining new consent under Article 18(3).

The business must notify the principal of the alternative measures and explain why suspension or erasure would be disproportionately costly. If the principal disputes the proportionality determination, the PPC may review the business's cost estimate and the adequacy of the alternative measures as part of a supervisory investigation. Courts have upheld the proportionality exception when the business demonstrated that full erasure would require decommissioning a legacy database system at a cost exceeding several million yen, provided the alternative measures (anonymization plus access logging) were technically sound and effectively protected the principal's interests. Conversely, invoking "high cost" without quantification or proposing only token alternative measures (e.g., "we will be more careful in the future") is insufficient.

## Notice and explanation obligations — Article 36 APPI

When a business refuses a disclosure, correction, or suspension request in whole or in part under Articles 33–35, Article 36 requires that the business:

  1. Notify the principal without delay of the refusal or partial refusal; and
  2. Endeavor to explain its reasons to the principal.

"Endeavor to explain" (理由を説明するよう努めなければならない, riyū o setsumei suru yō tsutome nakereba naranai) is not a strict legal obligation but a best-effort duty. In practice, PPC enforcement and civil case law treat the explanation duty as effectively mandatory: a business that refuses a request without providing any rationale, or that offers only a conclusory statement ("disclosure would interfere with our operations"), is likely to be found non-compliant. The explanation must be specific — citing the applicable Article 33(2) ground, identifying the category of data being withheld (without disclosing the data itself), and providing enough detail for the principal to understand the basis and, if desired, challenge it through a PPC complaint or judicial review.

Best practice is to deliver the refusal notice and explanation in the same written communication (email or postal letter), within the same "without delay" timeframe that governs the substantive response (typically 30 days from receipt of the verified request). The notice should also inform the principal of the right to file a complaint with the PPC and, if applicable, the right to bring a civil action for damages under the general tort provision (Civil Code Article 709).

## Cross-reference: Fee caps and manifestly excessive requests

Unlike GDPR Article 12(5), which permits charging a "reasonable fee" or refusing "manifestly unfounded or excessive" requests as a separate ground, the APPI treats fees and refusals distinctly. Article 38(1) (formerly Article 30(1) before 2022 renumbering) allows businesses to charge a fee for disclosure requests that reflects actual costs (photocopying, media, postage), but this fee authority does not extend to correction or suspension requests, and the fee does not excuse compliance. A business may not refuse a disclosure request solely because the requester declines to pay the fee; instead, the business may delay performance until the fee is paid or seek the fee as a civil debt.

The APPI does not codify a "manifestly excessive" refusal ground independent of the Article 33(2)(ii) operational burden standard. Repetitive requests from the same principal may be refused under Article 33(2)(ii) if each repetition imposes a fresh burden and the business has already provided the data in a prior response, but the business must analyze each request individually; there is no automatic safe harbor for ignoring duplicates.

Source: Act on the Protection of Personal Information (English translation, consolidated April 1, 2023), Personal Information Protection Commission — APPI Three-Year Review Outline of System Reform


Electronic format disclosure right under Article 33(1) APPI — 2022 amendment aligning with data portability

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

The April 1, 2022 amendments to Japan's Act on the Protection of Personal Information (APPI) introduced an express statutory right for data subjects to request disclosure in electronic format, marking Japan's most significant alignment with the GDPR's data portability principle under Article 20. Article 33(1) APPI, as amended by Act No. 44 of 2020, now requires business operators to disclose retained personal data "through electronic or magnetic records or other means as prescribed by Order of the Personal Information Protection Commission" and to do so "by the method the person requests," subject to a narrow cost-and-difficulty exception. This right fundamentally shifts Japan's disclosure framework from a default-paper regime to a digital-first model, though important operational and scope differences from GDPR portability remain.

## The pre-2022 baseline — written document delivery as default

Before the 2022 amendments entered into force, the Order for Enforcement of the APPI (Cabinet Order No. 507 of 2003) prescribed written document delivery as the default disclosure method. Businesses could disclose retained personal data electronically only when the requesting principal affirmatively agreed to an electronic format; absent such agreement, the business was required to print the data and deliver it by post or hand. This paper-first rule reflected the APPI's original 2003 design, which predated cloud computing, mobile platforms, and the large-scale cross-border data flows that characterized the 2010s.

The Personal Information Protection Commission's (PPC's) "Every Three-Year Review Outline of the System Reform," published in December 2019 ahead of the 2020 amendment bill, identified the written-document default as inconsistent with Japan's broader Digital Procedures Act (Act No. 16 of 2019), which directed government agencies and regulated industries to shift administrative procedures from paper to electronic formats to "enhance convenience for persons involved in administrative procedures and simplification and streamlining of administrative operation by using information and communications technologies." The PPC determined that the APPI should "clarify its position on disclosures using electronic or magnetic form" and align the disclosure-method framework with international standards — specifically, the GDPR's requirement under Article 15(3) that data be provided "in a commonly used electronic form" when the request is made electronically.

The 2020 amendment bill incorporated this recommendation. Article 33(1) APPI was rewritten to make electronic disclosure the principal's choice, not a privilege subject to the business's consent or technical capacity. The amended text reads:

> "An identifiable person may request that a business handling personal information disclose personal data the business holds that can identify that person through electronic or magnetic records or other means as prescribed by Order of the Personal Information Protection Commission."

The statute does not specify which electronic formats satisfy this requirement; that determination is delegated to the PPC's Order for Enforcement and interpretive guidelines. However, Article 33(1) makes clear that the requesting person chooses the method — the business must comply with the principal's specified format unless the cost-and-difficulty exception applies.

## What qualifies as "electronic or magnetic records" — the format question

Neither Article 33(1) nor the current Order for Enforcement of the APPI provides an exhaustive list of acceptable electronic formats. The PPC has not issued sector-specific technical standards analogous to the EDPB Guidelines on GDPR Article 20 portability, which discuss CSV, JSON, XML, and API-based transfers. As a result, Japanese businesses applying Article 33(1) rely on general principles drawn from the PPC's broader guidance on electronic recordkeeping and the statutory definition of "electronic or magnetic means" used elsewhere in the APPI for notice and consent purposes.

"Electronic or magnetic means" is defined by reference to the Cabinet Order and PPC Rules as methods that use an electronic data processing system or other information and communications technology, including:

  • Email transmission of structured data files (CSV, Excel spreadsheet, JSON, XML) as attachments;
  • Downloadable file links provided through a secure customer portal or business website, with the file encrypted or password-protected;
  • USB drive, CD-ROM, or other physical electronic media delivered by post (this satisfies the "electronic or magnetic record" requirement even though the delivery mechanism is physical);
  • API-based data export when the business operates a developer platform or data integration service, though this method is uncommon outside the technology and financial sectors; and
  • PDF document transmission, though this is the least preferred format because PDF is not "structured" or "machine-readable" — it replicates the limitations of paper disclosure and does not facilitate data re-use or portability.

The PPC's approach mirrors the GDPR's emphasis on commonly used, machine-readable formats that enable the principal to transfer the data to another service provider or otherwise exercise control over the data. In practice, most Japanese businesses handling consumer data (e-commerce platforms, membership sites, SaaS providers, financial institutions) have implemented CSV download functionality for DSAR responses, because CSV is universally parsable, lightweight, and compatible with both spreadsheet software (Excel, Google Sheets) and database import tools. JSON is increasingly common for API-driven services (fintech, social media, cloud storage) where the data structure is complex or nested.

## The principal's right to specify the method — and the business's obligation to comply

Article 33(1) provides that the business "must disclose the data without delay by the method the person requests." This language is directive: the principal may specify in the DSAR that they want disclosure via email (CSV attachment), portal download (ZIP file of JSON records), or physical media (USB drive by registered mail), and the business must comply unless the requested method falls under the cost-and-difficulty exception in the second sentence of Article 33(1).

If the principal does not specify a method, the business retains discretion to choose a reasonable electronic format. However, best practice — endorsed by the PPC and widely adopted by consumer-facing businesses — is to offer multiple format options in the DSAR response form or disclosure procedure published under Article 37(1). For example, a business might state in its privacy policy:

> "When you request disclosure of your retained personal data, you may choose to receive the data by (a) email transmission of a CSV file; (b) secure download link valid for 14 days; or (c) delivery of a USB drive by registered mail. If you do not specify a method, we will provide the data via secure download link."

This transparency reduces disputes and aligns with the Article 37(1) obligation to publicly disclose "the way of handling" disclosure requests.

Cross-reference to GDPR portability: The APPI's "method the person requests" standard is narrower than GDPR Article 20(2), which grants data subjects the right to have data "transmitted directly" from one controller to another "where technically feasible." The APPI does not require controller-to-controller direct transmission; it requires only that the business provide the data to the principal in the requested format. The principal must then manually upload or transmit the data to the new service provider. This limitation reflects the APPI's focus on disclosure (transparency, verification, correction) rather than data portability as a market-competition tool. Japan has not adopted the GDPR's policy objective of reducing switching costs and lock-in effects in digital markets, though the practical outcome — CSV or JSON export — is often similar.

## The cost-and-difficulty exception — "a costly expenditure" threshold

The second sentence of Article 33(1) APPI carves out a significant exception to the electronic-format obligation:

> "In cases where disclosure by the method [the person requests] requires a large amount of expenses or when disclosure by other said method is difficult, [the business may disclose] by a method of delivering a written document."

This exception operates as a proportionality valve: if complying with the principal's specified electronic format would impose disproportionate cost or technical burden, the business may substitute paper document delivery instead. The exception does not permit the business to refuse disclosure altogether; it permits only a fallback to the pre-2022 default (written document by post). The business must still disclose the retained personal data; it simply need not do so electronically.

What constitutes "a large amount of expenses"?

The APPI does not define a numeric threshold (e.g., ¥50,000 per request, or cost exceeding 1% of annual IT budget). The PPC's interpretive materials suggest that the cost analysis should consider:

  • The volume and complexity of the data being disclosed. A request for ten years of transaction logs from a legacy mainframe system, where the data is stored on magnetic tape and requires manual extraction, may qualify as costly. A request for the principal's current account profile from an active SQL database does not.
  • The format-conversion burden. If the business stores retained personal data in a proprietary or legacy format and the principal requests disclosure in JSON, the cost of writing a one-time conversion script may be "costly" for a small business operator but not for a technology company with in-house engineering resources. The PPC has indicated that businesses are expected to build reasonable format-export capacity as part of their APPI compliance infrastructure; claiming "costly expenditure" for every CSV export request is not credible.
  • The marginal cost of the requested method versus the business's standard method. If the business routinely discloses data via secure portal download (which costs the business effectively nothing per request after initial portal setup) and the principal requests delivery via encrypted USB drive by registered mail, the incremental cost of purchasing the USB drive, encrypting the files, and paying registered-mail postage may qualify as a "large amount of expenses" relative to the zero-marginal-cost portal method. The business may offer portal download instead; if the principal refuses, the business may fall back to paper.

Comparison to GDPR Article 12(5): The APPI's "costly expenditure" exception is narrower than the GDPR's "manifestly excessive request" ground, which allows controllers to charge a reasonable fee or refuse the request when it is repetitive or made in bad faith. Article 33(1) APPI does not authorize refusal or fee-charging based on repetition; it permits only a format downgrade (electronic → paper) when the requested electronic method is too expensive. A principal who submits monthly DSAR requests for the same retained personal data cannot be refused under Article 33(1) (though the business may invoke Article 33(2)(ii) — serious interference with proper execution of business — if the repetition meets that higher threshold).

What constitutes "difficult" disclosure?

The second prong of the exception — "when disclosure by other said method is difficult" — covers technical infeasibility rather than cost. Examples include:

  • The principal requests API-based direct transmission to a third-party service, but the business does not operate an API and building one would require months of development. The business may disclose via CSV download instead.
  • The principal requests disclosure in a specific legacy file format (e.g., dBase .dbf files) that modern systems cannot generate without reverse-engineering obsolete software. The business may substitute a commonly used format (CSV, JSON) or, if the principal insists on the obsolete format, may deliver a written document.
  • The retained personal data includes scanned image files (e.g., uploaded identity documents, signed application forms) that cannot meaningfully be converted to structured text format. The business may deliver the images as PDF or JPEG files on a USB drive or via download link; this satisfies the "electronic or magnetic record" requirement even though the images are unstructured.

The "difficulty" exception is narrowly construed. The PPC has emphasized that businesses operating digital services in 2022 and beyond are expected to maintain the technical capacity to export retained personal data in at least one commonly used structured format (CSV, JSON, or XML). Claiming "difficulty" for standard electronic formats is credible only for small businesses with no in-house IT staff or legacy operators managing decades-old systems scheduled for decommissioning.

## Notification and fallback — Article 36 explanation duty when substituting paper

When a business invokes the cost-and-difficulty exception and delivers a written document instead of the requested electronic format, Article 36 APPI requires the business to "endeavor to explain its reasons" to the principal. Best practice is to send a written (or email) notice stating:

> "You requested disclosure of your retained personal data in JSON format via API transmission. Providing the data in that format would require us to build a custom API, which would cost approximately ¥200,000 in development and testing expenses and take 90 days to complete — a disproportionate burden under Article 33(1). We are instead providing your retained personal data as a written document by registered mail, which we will send within 30 days of this notice. If you would prefer a different electronic format that we can readily generate (CSV file via email or secure download link), please contact us within 14 days and we will accommodate that request."

This notice satisfies the Article 36 explanation duty and offers the principal a reasonable alternative. If the principal accepts the CSV alternative, the business complies with the electronic-format spirit of Article 33(1) without incurring the disproportionate API-development cost.

Failure to explain the reason for substituting paper delivery — or providing only a conclusory statement ("your request is too difficult") — exposes the business to PPC enforcement under Articles 147–148 (guidance, recommendation, or order to cure the violation) and potential civil damages under the general tort provision (Civil Code Article 709).

## Scope difference from GDPR Article 20 — no "provided to" / "obtained from" limitation

GDPR Article 20 portability applies only to personal data that the data subject has "provided to" the controller and that is processed on the basis of consent (Article 6(1)(a)) or contract (Article 6(1)(b)). Data derived or inferred by the controller (e.g., credit scores, algorithmic recommendations, risk profiles) is excluded from the portability right, though it remains subject to the access right under Article 15.

Article 33(1) APPI contains no such limitation. The electronic-format disclosure right applies to all retained personal data the business holds concerning the principal, regardless of how the data was obtained (provided by the principal, collected from third parties, derived through analytics) and regardless of the lawful basis for processing (consent, statutory obligation, legitimate interests). If the business retains a machine-learning-generated risk score as personal data, and the principal requests disclosure, the business must disclose the score in electronic format (subject to the cost-and-difficulty exception and the Article 33(2) refusal grounds for harm, operational burden, or legal prohibition).

This broader scope means that Japanese businesses face more extensive disclosure obligations than their EU counterparts under GDPR portability, even though the APPI does not require controller-to-controller direct transmission. A principal exercising the Article 33(1) electronic-format right in Japan can obtain a comprehensive electronic dataset encompassing raw input data, transaction histories, and algorithmically derived outputs — a data portrait more complete than GDPR Article 20 would deliver.

Practical implication: Businesses operating in both the EU and Japan should not repurpose their GDPR Article 20 portability export tools for APPI Article 33(1) compliance without first confirming that the export includes all retained personal data, not merely the data "provided to" the controller. The APPI export must include data sourced from third-party data brokers, credit bureaus, public records, and internal analytics — categories often excluded from GDPR portability exports.

## Effective date and transition — April 1, 2022 with no grandfathering

The electronic-format disclosure right under Article 33(1) entered into force on April 1, 2022, the same effective date as the broader 2020 APPI amendments (mandatory breach notification, expanded definition of retained personal data, enhanced rights to suspend use). The PPC provided a two-year preparation period from the June 12, 2020 promulgation of the amendment act to the April 1, 2022 effective date, during which businesses were expected to build or procure the infrastructure (secure portals, CSV export scripts, encryption tools) necessary to respond to electronic-format DSARs.

There is no grandfathering or transition rule for retained personal data created before April 1, 2022. If a principal submits a DSAR on May 1, 2022 requesting electronic disclosure of all retained personal data from 2015 onward, the business must comply (subject to the cost-and-difficulty exception and the Article 33(2) refusal grounds). The 2022 amendments eliminated the pre-existing six-month retention carve-out (data scheduled for deletion within six months was previously excluded from the definition of "retained personal data"), meaning that virtually all personal data in the business's active and archival systems now falls within the scope of the electronic-format disclosure right.

Businesses with legacy data stored in obsolete formats or offline media (magnetic tape, microfiche, paper archives) face heightened compliance risk. If the cost of digitizing and converting the legacy data to electronic format is "a large amount of expenses," the business may invoke the Article 33(1) exception and deliver paper photocopies instead — but the business must document the cost estimate and provide the Article 36 explanation to the principal. Ignoring the request or claiming that the data "cannot" be disclosed because it is offline is non-compliant; the business must at minimum deliver the data in written form.

## Fees and cost recovery — Article 38(1) disclosure fee authority

Article 38(1) APPI (formerly Article 30(1) before the 2022 renumbering) permits businesses to charge a fee for disclosure requests, provided the fee "reflects actual costs" incurred in copying and transmitting the data. The fee structure must be publicly disclosed under Article 37(1)(iv).

Businesses may not charge an additional fee solely because the principal requests electronic format instead of paper. If the business's actual cost for a secure portal download is zero (after initial portal setup) and its actual cost for printing and mailing a 50-page written document is ¥500, the business may charge ¥500 for the paper delivery but cannot charge ¥500 for the download. The PPC has indicated that businesses should set a single reasonable fee (e.g., ¥1,000 per disclosure request, covering staff time for verification and data retrieval) that applies uniformly regardless of format, or charge no fee for electronic disclosure and a postage-and-printing fee only for paper delivery.

Fees may not be charged for correction, suspension of use, or erasure requests under Articles 34–35; Article 38(1) applies only to disclosure (Article 33) and notification of purpose (Article 32(2)). This asymmetry reflects the policy judgment that transparency (disclosure) may impose retrieval and compilation costs, whereas correction and erasure are remedial actions the business should perform without additional charge when the underlying processing was unlawful.

## Comparison to other Asia-Pacific regimes — Japan as regional leader on electronic disclosure

Japan's Article 33(1) electronic-format disclosure right places it ahead of most Asia-Pacific jurisdictions on data portability, though still behind the GDPR's controller-to-controller transmission standard.

  • Singapore PDPA (2020 amendments, effective February 1, 2021) grants a portability right under Section 26B for data provided by or on behalf of the individual and processed by automated means with consent or for contract performance — mirroring GDPR Article 20's scope but without direct-transmission obligation.
  • Australia Privacy Act 1988 contains no statutory data portability right; the Australian Privacy Principles (APPs) grant only an access right (APP 12) that requires provision of the information "in the manner requested by the individual, if it is reasonable and practicable to do so." The "reasonable and practicable" standard is weaker than Japan's "costly expenditure" exception and has been interpreted to permit paper-only disclosure in many contexts.
  • South Korea PIPA Article 35 grants a right to receive personal information "in a form easily identifiable" but does not specify electronic format or impose a method-of-choice obligation on the data controller. Korea's Personal Information Protection Commission has issued guidance recommending CSV or JSON but has not made it mandatory.
  • China PIPL Article 45 grants a portability right to obtain a copy of personal information "transferred to a personal information processor designated by the individual" when "technically feasible," but implementing regulations defining "technically feasible" have not been published as of mid-2022. In practice, Chinese businesses provide PDF downloads or paper copies rather than structured electronic exports.

Japan's Article 33(1) is the most operationally specific portability provision in Asia outside Singapore, and the only one that makes electronic format the default expectation rather than a discretionary accommodation. For multinational businesses operating data platforms across APAC, Japan's framework is likely to drive regional convergence toward CSV/JSON export infrastructure, because building that infrastructure once for Japan allows the business to extend it to other markets at low marginal cost.

Source: Act on the Protection of Personal Information (English translation, consolidated April 1, 2023), APPI Three-Year Review Outline of System Reform (PPC, December 2019), Order for Enforcement of the Act on the Protection of Personal Information


Electronic disclosure format requirement under Article 33(1) APPI — April 2022 data portability reform

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

The April 1, 2022 amendments to Japan's Act on the Protection of Personal Information (APPI) introduced a statutory right to receive disclosed retained personal data in electronic format, aligning Japan's data subject access framework with GDPR Article 15(3) and the portability principle in Article 20. Prior to 2022, businesses could satisfy disclosure requests by delivering a paper document; electronic delivery was permitted only if the requesting principal agreed to it. The 2022 reform inverts this default: Article 33(1) now requires that businesses disclose retained personal data "through electronic or magnetic records or other means as prescribed by Order of the Personal Information Protection Commission," with paper delivery permitted only when electronic disclosure would impose disproportionate cost or prove otherwise difficult.

This change reflects the Personal Information Protection Commission's (PPC's) finding in its Three-Year Review that electronic disclosure is essential to enabling data subjects to reuse their personal data across different services and to exercise meaningful control over data held by multiple business operators. The reform is part of a broader policy push to facilitate data portability in digital markets, particularly in sectors where consumers routinely switch service providers (telecommunications, financial services, e-commerce platforms).

## Article 33(1) APPI — the electronic-format mandate and the "costly expenditure" exception

Article 33(1) APPI (as amended, effective April 1, 2022) provides:

> "An identifiable person may request that a business handling personal information disclose personal data the business holds that can identify that person through electronic or magnetic records or other means as prescribed by Order of the Personal Information Protection Commission."

The statute does not specify which electronic formats satisfy the obligation; instead, it delegates technical standards to the Order for Enforcement of the APPI (Cabinet Order No. 507 of 2003, as amended). Article 9 of the Order provides:

> "A method prescribed by cabinet order under Article 28, paragraph (2) of the Act shall be the one by delivering a written document (when there is a method agreed on by a person having requested disclosure, that method)."

Read together, Article 33(1) and the Order establish a two-tiered framework:

  1. Default method: electronic or magnetic records. The business must disclose retained personal data in an electronic format unless the requester agrees to receive a paper document or unless electronic disclosure meets the statutory exception below.
  2. Fallback to paper: "costly expenditure" or "otherwise difficult" exception. The business may deliver a paper document instead if electronic disclosure "requires a large amount of expenses" (多額の費用を要する, tagaku no hiyō o yōsuru) or is "otherwise difficult" (困難である, konnan de aru). This exception is drawn narrowly; the business must demonstrate that the specific request cannot reasonably be satisfied electronically given the state of the business's IT infrastructure and the nature of the retained personal data.

The burden of proof rests with the business operator. If the business invokes the exception and provides a paper document, it must explain the reason under the Article 36 duty to "endeavor to explain its reasons" for not complying with the requester's preferred method. PPC enforcement materials suggest that invoking the exception without a concrete cost estimate or technical justification is non-compliant; a sufficient justification would read, for example, "Our legacy HR system from 1998 stores employment records as scanned TIFF images on optical disks and cannot export to CSV without manual transcription; estimated retrieval cost is ¥500,000 for 20 years of records." Conversely, a blanket policy of paper-only disclosure—common before 2022—is now unlawful unless every request genuinely meets the exception threshold.

## "Electronic or magnetic records" — acceptable formats and structured vs. unstructured data

Neither the APPI nor the Order for Enforcement prescribes a specific file format (CSV, JSON, XML, PDF, etc.) for electronic disclosure. The statute refers generically to "electronic or magnetic records" (電磁的記録, denji-teki kiroku), a term defined elsewhere in Japanese law to encompass any record created or stored by electronic, magnetic, or optical means that is not directly perceivable by human senses without the aid of a reading device. This includes:

  • Structured data formats: CSV (comma-separated values), JSON, XML, Excel spreadsheets (.xlsx), database exports, API responses. These formats enable the principal to import the disclosed data into another system for reuse, consistent with the portability policy goal.
  • Unstructured or document formats: PDF, JPEG/PNG image files, plain text (.txt), Word documents (.docx), scanned images of paper records converted to electronic form. These formats satisfy the "electronic" requirement but may not enable portability if the data is presented as a non-machine-readable image or locked PDF.

PPC guidance (issued in connection with the 2020 amendment legislative process) states that businesses should disclose data in a "commonly used, machine-readable format" (一般的に利用されている機械可読な形式, ippan-teki ni riyō sarete iru kikai-kadoku na keishiki) when the retained personal data is stored in structured form (e.g., database records, CRM entries, transaction logs). If the original data is unstructured—such as handwritten notes scanned into the system or free-text email correspondence—the business may disclose it as a PDF or image file, provided the file is delivered electronically (e.g., via email attachment, secure download link, or USB drive).

The PPC has not published a prescriptive list of approved formats, reflecting the principle that technology-neutral standards age better than format mandates. In practice, most Japanese businesses handling consumer data at scale have adopted CSV or Excel for disclosure of tabular data (account details, purchase history, service usage logs) and PDF for disclosure of documents (contracts, correspondence, consent records). Financial institutions subject to anti-money-laundering recordkeeping obligations commonly provide account statements in PDF and transaction logs in CSV or Excel, bundled in a password-protected ZIP archive transmitted via encrypted email or a customer portal.

## Method of delivery — email, portal, physical media

The APPI does not restrict the channel through which electronic records are delivered. Acceptable methods include:

  • Email attachment — commonly used for small-volume requests (a few megabytes of CSV or PDF files). Businesses may require the requestor to provide a valid email address at the verification stage. Best practice is to encrypt attachments or use password-protected ZIP archives, with the password transmitted separately, to comply with the security safeguard obligations under Article 23 APPI.
  • Secure customer portal or online account — prevalent among telecommunications operators, banks, securities firms, and e-commerce platforms that already maintain authenticated user portals. The business uploads the disclosed data to the principal's account and notifies the principal by email or SMS that the disclosure is available for download. The portal session must be authenticated (multi-factor authentication is recommended for high-sensitivity data) and the data must be encrypted in transit (TLS 1.2 or later).
  • Physical electronic media (USB drive, CD-ROM, DVD) — permitted as an "electronic or magnetic record" delivery method, though less common post-2022 given the prevalence of broadband internet access in Japan. Businesses that choose this method must mail the media by registered post or secure courier to the address on file for the principal, with tracking confirmation.
  • API or automated export function — emerging practice among large platforms (social media, cloud storage providers, app ecosystems). The business provides the principal with an API endpoint or an automated "download my data" tool accessible through the user account. This method is not mandated by the APPI but is considered best practice when the business already offers such functionality (e.g., Google Takeout–style export).

The business may decide the delivery method and must disclose the method in its publicly available procedures under Article 37(1) APPI. If the principal requests a specific delivery method (e.g., "Please email the data to this address" or "Please make it available through my account portal"), the business should accommodate the request unless doing so would violate the security safeguard obligations (Article 23) or impose disproportionate cost. A principal who is dissatisfied with the offered delivery method has no statutory override right; the remedy is to file a PPC complaint or civil claim asserting that the chosen method effectively denied access.

## When may a business still provide paper documents?

The "costly expenditure or otherwise difficult" exception in Article 33(1) preserves the paper-delivery option for two fact patterns:

1. Legacy IT systems with no export capability

A business that stores retained personal data in a legacy mainframe system, proprietary database, or offline archive (microfilm, optical disk) from which electronic export would require manual transcription, custom software development, or migration to a modern database may invoke the exception. The business must quantify the estimated cost and timeframe. PPC interpretive materials suggest that a cost exceeding several hundred thousand yen per request, or a timeline extending beyond several months, may meet the "costly expenditure" threshold for a single-requestor access demand. However, if the business receives multiple requests targeting the same legacy system, it cannot repeatedly invoke the exception without taking steps to modernize the system; the PPC expects businesses to invest in export functionality when access requests become routine.

2. Unstructured records where electronic conversion is impracticable

If the retained personal data exists only in paper form (e.g., handwritten employment application from 1995, signed contracts stored in a physical archive) and has not been scanned or digitized, the business may provide a photocopy delivered by mail rather than scanning the document and converting it to PDF—but only if scanning would impose disproportionate burden relative to the volume of records. A single-page contract can be scanned at minimal cost; a 20-year personnel file comprising hundreds of pages across multiple storage locations may meet the exception. The business must explain the reason in the Article 36 notice to the principal.

Importantly, the exception does not apply merely because the business prefers paper delivery or finds electronic disclosure administratively inconvenient. Routine operational burden—printing a PDF, encrypting an email attachment, uploading a file to a portal—is part of the business's compliance obligation under Article 33(1) and does not justify refusal of electronic delivery.

## No prescribed structural standards — contrast with GDPR Article 20 "structured, commonly used" requirement

Article 33(1) APPI does not replicate GDPR Article 20's requirement that data be provided in a "structured, commonly used and machine-readable format." The APPI uses the broader formulation "electronic or magnetic records," which encompasses both structured formats (CSV, JSON, database exports) and unstructured electronic documents (PDF, image files). This means a business may satisfy Article 33(1) by delivering a scanned image of a paper record as a PDF attachment, whereas under GDPR Article 20 the same request might require a structured CSV export if the data was originally stored in structured form.

The PPC's guidance recommends structured formats when the underlying data is structured, but it does not mandate them. Businesses that provide only PDF or image files when the retained personal data is stored in a relational database or spreadsheet risk PPC criticism during a supervisory investigation, but the statute does not expressly prohibit this practice. In contrast, GDPR Article 20 creates an enforceable right to receive data in a portable format, which several EU data protection authorities (CNIL, ICO, Garante) have construed to require machine-readable structured data even when the controller's systems store the data in a document format.

This divergence reflects Japan's incremental approach to data portability. The 2022 amendment introduced the right to electronic disclosure as a necessary first step; a future amendment may introduce an explicit portability obligation modeled on GDPR Article 20, requiring not only electronic format but also structured, interoperable formats and direct transmission to another controller at the principal's request. The PPC's Three-Year Review materials (published December 2019) note that "further examination" of data portability standards is ongoing, with particular attention to cross-border data flows and platform ecosystems.

## Fees for electronic disclosure — same rules as paper disclosure

Article 38(1) APPI (formerly Article 30(1) before 2022 renumbering) permits businesses to charge a fee for disclosure requests if the fee reflects actual costs incurred. The 2022 amendment did not alter the fee framework; businesses may charge the same fee for electronic disclosure as for paper disclosure. However, the fee must be limited to the actual incremental cost of fulfilling the specific request—server time, bandwidth, media cost (USB drive, CD-ROM), postal delivery if physical media is used—and may not include overhead, staff salary, or a profit margin.

In practice, most Japanese businesses that charge a fee set a flat rate of ¥500 to ¥1,500 (approximately USD 3 to 10) per disclosure request, covering the cost of preparing and transmitting the data. Businesses that offer electronic disclosure via a customer portal or automated download tool commonly waive the fee, as the marginal cost of an additional download is near zero once the system is built. Financial institutions (banks, credit card issuers, securities firms) almost universally charge no fee for electronic disclosure of transaction histories and account statements delivered through online banking portals, treating disclosure as a routine customer-service function.

The fee structure must be disclosed in the business's public notice under Article 37(1) APPI. A business may not impose a higher fee for electronic disclosure than for paper disclosure, as that would defeat the purpose of the 2022 amendment. Conversely, a business that waives the fee for electronic disclosure but charges a fee for paper delivery (to incentivize electronic requests and reduce administrative burden) is acting consistently with the statute.

## Timing of the electronic-format obligation — April 1, 2022 effective date and retroactive application

The April 1, 2022 effective date applies to all disclosure requests received on or after that date, regardless of when the retained personal data was originally collected. A request submitted March 31, 2022 is governed by the pre-amendment rule (paper delivery as default, electronic delivery only by agreement); a request submitted April 1, 2022 is governed by Article 33(1) as amended (electronic delivery as default). There is no grace period or transitional relief for businesses that had not yet built electronic disclosure infrastructure by April 2022; the PPC expected businesses to prepare during the two-year period between the June 12, 2020 amendment enactment and the April 1, 2022 enforcement date.

Businesses that continued to deliver only paper disclosures after April 1, 2022 without invoking the "costly expenditure" exception or obtaining the requester's agreement to paper delivery are in violation of Article 33(1). The PPC has not published enforcement statistics specific to electronic-disclosure refusals, but the duty is unambiguous in the statute and the Order for Enforcement.

## Cross-reference — GDPR equivalence and EU-Japan adequacy framework

The EU-Japan mutual adequacy framework (in force since January 23, 2019, with the EU adequacy decision for Japan adopted via Commission Implementing Decision (EU) 2019/419 and the Japanese supplementary rules for EU-originating data in PPC Rule No. 2) does not require Japan to adopt GDPR Article 20's data portability right as a condition of adequacy. The European Commission's adequacy assessment focused on the APPI's overall protection standard (lawful basis framework, special-category protections, cross-border transfer safeguards, enforcement powers) and found Japan's regime "essentially equivalent" to the GDPR without requiring perfect Article-by-Article alignment.

However, Japanese businesses handling personal data transferred from the EU under the adequacy decision are subject to the PPC's Supplementary Rules, which impose additional obligations aligned with GDPR requirements. The Supplementary Rules do not mandate GDPR Article 20 portability for EU data subjects, but they do require that businesses "ensure the necessary and appropriate measures" to enable EU data subjects to exercise their rights under the GDPR. In practice, this means Japanese businesses that receive EU personal data under the adequacy framework should implement structured-data exports for EU data subjects even if the APPI itself does not mandate them, to avoid disputes with EU data protection authorities and to comply with the original controller's obligation to honor GDPR rights.

A Japanese business operating a subsidiary or branch in the EU is directly subject to GDPR Article 20 for personal data processed in the EU establishment, independent of the APPI's Article 33(1) obligation. The two regimes operate in parallel; compliance with one does not automatically satisfy the other.

Source: Act on the Protection of Personal Information (English translation, consolidated April 1, 2023), Order for Enforcement of the Act on the Protection of Personal Information (English translation), PPC — APPI Three-Year Review Outline of System Reform
