# Personal Information Protection Commission enforcement powers and statutory penalties
The Personal Information Protection Commission (PPC) serves as Japan's independent data-protection authority, holding broad administrative and investigative powers under the Act on the Protection of Personal Information (APPI), Act No. 57 of 2003 as amended. Established in its current form through the 2015 APPI amendments (effective 2017), the PPC oversees compliance by both domestic and foreign business operators handling personal information of individuals in Japan, under Article 171 extraterritorial authority.
## PPC administrative powers
The PPC may:
- Investigate business operators, including on-site inspections and document requests;
- Issue recommendations for corrective action when violations are suspected;
- Issue orders requiring specific measures to protect data-subject rights and interests, including cessation of unlawful processing, notification to affected individuals, or public disclosure of the violation;
- Request reports from businesses handling personal information; and
- Coordinate with foreign data-protection authorities under bilateral cooperation frameworks (including the UK, EU, and Canada as of the PPC's 2025 Global Strategy).
The PPC does not require a formal determination of harm before exercising these powers; administrative guidance may be issued proactively when the PPC identifies handling practices that pose risk to individual rights.
## Criminal penalties for violations
The APPI imposes criminal penalties for certain violations, enforceable through prosecution in Japanese courts. The 2020 Amendment (effective April 2022) substantially increased these penalties:
- Violation of a PPC order (Article 145): Imprisonment with labor for not more than one year or a fine of not more than ¥1 million (previously six months / ¥300,000).
- False submission of reports or refusal to cooperate with PPC investigations: Fine of not more than ¥500,000.
- Improper provision of personal-information databases (database theft or provision to third parties for wrongful gain, with intent to cause harm): Imprisonment with labor for not more than one year or a fine of not more than ¥500,000, introduced by the 2020 Amendment to address data-breach monetization and insider misuse.
- Fraudulent or improper acquisition of personal information: Similar penalties introduced in 2020 for acquisition through deception or other improper means.
These penalties apply to both natural persons (employees, officers) and—where the statute provides—to the business operator as a legal entity under dual-liability provisions typical of Japanese administrative penal law.
## Proposed administrative monetary penalties (2026 Amendment)
On April 7, 2026, the Japanese Cabinet approved a bill to amend the APPI, submitted to the Diet for enactment. A key enforcement reform is the introduction of administrative monetary penalties (surcharges) that the PPC may impose directly, without requiring criminal prosecution. The proposed surcharges are calibrated to the pecuniary benefit obtained through serious violations involving large-scale, economically motivated mishandling of personal information, aligning Japan's enforcement toolkit more closely with the GDPR administrative-fine regime. The bill also expands the PPC's order-making authority to enable more flexible and prompt remediation, and permits the PPC to request third parties involved in a violation (such as processors or advertising-technology intermediaries) to take necessary corrective measures. Enactment timing and effective dates remain subject to Diet approval as of May 2026.
## Enforcement posture
The PPC has historically favored a cooperative enforcement model, issuing administrative guidance and recommendations before escalating to formal orders or criminal referrals. Public enforcement actions remain relatively infrequent compared to European supervisory authorities, though the PPC has increased its use of publicized guidance documents and industry-specific compliance frameworks. The introduction of administrative surcharges in the 2026 Amendment signals a shift toward more assertive deterrence of serious violations, particularly those involving cross-border data flows, sensitive personal information, and children's data.
- Source: Act on the Protection of Personal Information, Act No. 57 of 2003, Chapters VI–VIII
- Source: Personal Information Protection Commission, The Amendment Bill of the Act on the Protection of Personal Information (2020)
- Source: Personal Information Protection Commission, Ensuring the Effective Enforcement of Compliance Obligations — Outline of the System Reform Policy under the Triennial Review of the APPI (January 2026)
# Private right of action and civil damages under tort law
The Act on the Protection of Personal Information (APPI) does not grant a statutory private right of action for violations of its provisions. Instead, individuals whose personal information has been mishandled may seek compensation for damages through tort claims under Article 709 of the Civil Code (Act No. 89 of 1896), which provides that "a person who has intentionally or negligently infringed any right or legally protected interest of another is liable to compensate any damages resulting therefrom."
## Privacy rights recognized through case law
Japanese courts have developed a common-law right to privacy — defined as the right of individuals not to have their private lives disclosed without legitimate reason — through judicial decisions. Breaching this judicially-recognized privacy right constitutes a tort under Article 709 of the Civil Code. In a landmark October 2017 decision, the Supreme Court of Japan held that breaches of the right to privacy may give rise to claims for compensation for emotional distress caused by the leakage of personal information, including names, birthdates, addresses, and telephone numbers. The Osaka High Court awarded JPY 1,000 to the claimant on 20 November 2019 in that case.
This tort framework operates independently of the APPI's administrative-enforcement provisions. A plaintiff must prove:
- the defendant's intentional or negligent conduct;
- infringement of the plaintiff's privacy right or other legally protected interest; and
- damages resulting from the infringement.
## Breach-of-contract claims
In addition to tort liability, a breach-of-contract cause of action may be available when a business operator has promised to keep personal data confidential in a contract (such as terms of use, service agreements, or a privacy policy) and subsequently compromises the data. Contract claims do not require proof of negligence where the promise is express, but the plaintiff must be in privity of contract with the defendant. Non-contractual parties (such as third-party data subjects whose information was acquired indirectly) must proceed under tort law.
## Employer vicarious liability
Under Article 715 of the Civil Code, a business operator may be held vicariously liable as an employer for torts committed by its employees during the course of their duties, including unauthorized disclosure, theft, or sale of customer data by an employee. Both the employee and the employer may be jointly and severally liable for resulting damages.
## Damages awards in data-breach cases
Japanese courts have historically awarded modest damages in privacy-violation cases. In the well-known Benesse data-breach litigation involving the theft and sale of approximately 29 million customer records by a subsidiary employee, the courts found both Benesse Corporation and its subsidiary liable for damages of JPY 3,300 (approximately EUR 27) plus 5% late charges per annum per affected individual. This reflects the Japanese judiciary's practice of balancing compensatory goals against concerns about excessive damages awards, and its consideration of post-incident remedial measures taken by the defendant.
## Consumer collective-action mechanism (limited scope)
A procedural statute, the Act on Special Measures Concerning Civil Court Proceedings for Collective Redress for Property Damage Incurred by Consumers (Act No. 96 of 2013), permits certified consumer organizations to bring collective-redress actions on behalf of consumers for property damages arising from consumer contracts and torts under the Civil Code. Article 3 of that statute allows tort-based damage claims (limited to claims arising under Civil Code provisions), but historically the statute excluded emotional-distress-only damages.
The scope of the collective-redress statute was broadened in October 2023 to cover emotional damages as well, potentially making it more useful for data-breach cases. However, as of June 2026, there have been no reported successful uses of this mechanism for APPI-related privacy breaches. The Personal Information Protection Commission's January 2026 policy outline proposed introducing a specialized collective injunction and redress scheme specifically for APPI breaches, but that proposal awaits Diet action.
## Comparison to GDPR and CCPA private-action regimes
The Japanese civil-damages framework differs materially from GDPR Article 82, which grants an explicit statutory right to compensation for material or non-material damage caused by a GDPR infringement without requiring proof of fault. It also differs from the California Consumer Privacy Act § 1798.150, which grants a statutory private right of action for data breaches involving specific categories of unencrypted personal information, with statutory damages of $100–$750 per consumer per incident. Japanese plaintiffs must satisfy traditional tort or contract elements, and damages awards tend to be significantly lower than those in US or EU privacy litigation.
- Source: Civil Code (Act No. 89 of 1896), Article 709
- Source: Act on the Protection of Personal Information, Act No. 57 of 2003
- Source: Act on Special Measures Concerning Civil Court Proceedings for Collective Redress for Property Damage Incurred by Consumers, Act No. 96 of 2013
# PPC enforcement posture: cooperative model and quarterly supervision reporting
The Personal Information Protection Commission (PPC) has historically adopted a cooperative enforcement posture, relying on administrative guidance and recommendations to achieve compliance rather than escalating immediately to formal orders or criminal referrals. Under Articles 147 and 148 of the Act on the Protection of Personal Information (APPI), the PPC exercises a tiered enforcement ladder: it issues non-binding guidance (Article 147) for less serious violations; recommendations (Article 148, paragraph 1) when individual rights and interests require protection; and binding orders (Article 148, paragraph 2) only when a business operator fails to comply with a recommendation without legitimate grounds and the violation imminently threatens serious harm to individual rights.
Formal orders under Article 148(2) remain extremely rare in practice. The PPC's primary enforcement tools are administrative guidance and public disclosure of company names in serious cases, leveraging reputational risk as a deterrent in Japan's trust-sensitive business culture. Criminal penalties for violation of PPC orders (imprisonment up to one year or fine up to ¥1 million under Article 178; corporate fines up to ¥100 million under Article 184) are available but seldom enforced; the PPC has not publicly reported criminal referrals as a routine enforcement mechanism.
## Quarterly supervision reporting (2024 reform)
Beginning in August 2024, the PPC launched a quarterly transparency initiative to provide more granular disclosure of its supervisory activities. The PPC now publishes, every quarter:
- "Overview of the Exercise of Monitoring and Supervisory Authority" (監視・監督権限の行使状況の概要), detailing the number and nature of guidance, recommendations, and orders issued, broken down by violation type and industry sector; and
- "Handling Status of Breach Notifications" (漏えい等報告の処理状況), summarizing the volume and causes of data-breach reports received under the APPI's mandatory breach-notification regime.
These quarterly reports replaced the PPC's prior practice of publishing only aggregate annual statistics and selective press releases for high-profile cases. The initiative aims to inform the public and enable business operators to benchmark their security practices against enforcement trends.
FY 2024 Q1 (April–June 2024) data, published August 28, 2024, illustrate the PPC's supervisory workload:
- The PPC issued 67 requests for reports or materials from handling operators;
- Unauthorized access (including ransomware, VPN vulnerabilities, and credential theft) was the leading cause of reported breaches, accounting for approximately 30% of the 3,599 breach reports received in FY 2024 Q2 (July–September 2024); and
- Common security-control deficiencies identified by the PPC included failure to patch disclosed VPN or application vulnerabilities, weak or easily guessable passwords, and database-access misconfigurations.
## Enforcement priorities and publicized actions
The PPC's recent enforcement actions, as disclosed in quarterly reports and press releases, reveal three priority areas:
- Security measures for large-scale personal-data handling. The PPC has emphasized the need for "necessary and appropriate" organizational and technical safeguards under Article 23 of the APPI, particularly for operators managing high volumes of personal data. Quarterly reports since August 2024 have specifically called out failures to patch known vulnerabilities, inadequate access controls, and weak authentication as recurring deficiencies.
- Oversight of outsourced data processors. Multiple publicized enforcement actions in 2024 involved breakdowns in controller oversight of processors or sub-processors. In February 2024, the PPC issued administrative guidance to NTT DOCOMO and NTT Nexia after temporary employees of NTT Nexia (NTT DOCOMO's outsourcee for customer-information management) improperly appropriated approximately 5.96 million customer records. The PPC identified inadequate organizational security-control measures and directed both companies to implement recurrence-prevention measures.
In January and September 2024, the PPC issued recommendations and guidance to NTT Marketing Act ProCX and its sub-processor NTT Business Solutions following the illegal exfiltration of approximately 9.28 million customer and resident records over a ten-year period by an employee of the sub-processor. The PPC's detailed press releases criticized both companies for failing to detect the long-running exfiltration and for conducting an inadequate internal investigation that misled a client company. The PPC required public reporting of corrective measures and ongoing implementation status.
- Cross-border and high-profile operators. In March 2024, the PPC issued administrative guidance to LINE Yahoo Corporation following a large-scale data breach involving unauthorized access from South Korea. The action underscored the PPC's extraterritorial reach under Article 171 of the APPI and its willingness to publicly name major technology platforms.
## Public disclosure as enforcement mechanism
The PPC's practice of publicly disclosing company names, violation details, and required corrective measures serves as a central enforcement lever. Press releases on ppc.go.jp include the operator's corporate name, the nature of the security or oversight failure, the number of affected individuals, and—where applicable—the text of formal recommendations or guidance. The reputational impact of public disclosure often exceeds the direct legal consequences of guidance or recommendations, particularly for consumer-facing brands.
The quarterly reporting regime and increased case-specific disclosures since 2024 signal a shift toward greater transparency in PPC enforcement, aligning with the proposed introduction of administrative monetary penalties in the 2026 APPI Amendment and with a broader movement toward more assertive regulatory deterrence.
- Source: Personal Information Protection Commission, Overview of Quarterly Publication of Monitoring and Supervisory Authority Exercise Status and Breach Notification Handling Status (August 28, 2024)
- Source: Personal Information Protection Commission, Monitoring and Supervisory Activities
- Source: Act on the Protection of Personal Information, Articles 147–148
- Source: Personal Information Protection Commission, Administrative Action Regarding NTT DOCOMO and NTT Nexia (February 15, 2024)
- Source: Personal Information Protection Commission, Administrative Action Regarding NTT Marketing Act ProCX and NTT Business Solutions (September 11, 2024)
# Corporate officer and director personal liability for APPI violations
Corporate officers and directors of Japanese business entities face multiple, overlapping layers of personal liability for data-protection violations under the Act on the Protection of Personal Information (APPI) and the Companies Act (Act No. 86 of 2005). These liability streams operate concurrently and independently: criminal liability for direct violations, dual-liability corporate fines, internal duty-of-care liability to the company, and third-party tort liability.
## Dual-liability provisions: Article 184 APPI corporate fines
Article 184 of the APPI imposes corporate fines on the business entity itself when an officer, employee, or agent of the entity commits certain APPI violations. Under Japan's dual-liability framework, both the individual offender and the corporation may be punished for the same act. Article 184 provides for a corporate fine of up to ¥100 million when a representative, agent, or employee violates Article 178 of the APPI (criminal penalties for violation of a PPC order, improper provision of personal-information databases, or fraudulent acquisition of personal information).
This corporate fine is imposed in addition to the individual criminal penalty. For example, if a corporate officer violates a PPC order under Article 145 and is sentenced to imprisonment with labor for up to one year or a fine of up to ¥1 million under Article 178, the business entity itself may be fined up to ¥100 million under Article 184. The dual-liability provision applies regardless of whether the corporation benefited from the violation; it is a strict-liability mechanism designed to incentivize corporate compliance systems.
The ¥100 million corporate fine cap was introduced in the 2020 APPI Amendment (effective April 2022) to align Japan's enforcement posture with international norms and to impose meaningful financial deterrence on large-scale data handlers. Prior to 2020, corporate fines for APPI violations were capped at lower levels insufficient to deter economically motivated breaches.
## Director duty-of-care liability: Companies Act Article 423
In addition to APPI-specific penalties, corporate directors owe a statutory duty of care and loyalty to the company under Article 423 of the Companies Act. A director who breaches this duty—whether through negligence or intentional misconduct—is liable to the company for resulting damages. Where a director's failure to implement adequate data-protection measures, to supervise employees handling personal information, or to respond appropriately to a data breach causes the company to suffer losses (such as PPC fines, remediation costs, reputational harm, or settlement payments to affected individuals), the director may be held personally liable to the company under Article 423.
This internal liability is civil and compensatory, not criminal. The company (or, derivatively, its shareholders under Article 847 of the Companies Act) may bring an action against the director to recover damages. The business judgment rule and other corporate-governance doctrines apply, and courts will assess whether the director's conduct fell below the standard of care expected of a reasonably prudent director in comparable circumstances. Proof of negligence or gross negligence is required; strict liability does not apply.
Japanese courts have applied Article 423 in data-breach contexts where directors failed to ensure compliance with statutory security obligations under the APPI (e.g., the "necessary and appropriate" security measures required by Article 23 of the APPI) or failed to respond diligently to breach-notification obligations, resulting in increased regulatory or civil exposure for the company.
## Third-party liability: Companies Act Article 429
Article 429 of the Companies Act extends director liability beyond the company itself to third parties. A director who negligently or willfully breaches duties and causes harm to a third party is jointly and severally liable for damages to that third party. In the APPI context, this provision may enable data subjects whose personal information was mishandled to bring tort claims directly against corporate officers, in addition to or instead of suing the company.
Article 429 liability requires proof that the director acted with gross negligence or intent in the performance (or non-performance) of duties, and that the third party suffered harm as a direct result. Japanese courts have historically applied Article 429 narrowly, requiring a showing that the director's conduct was more egregious than ordinary negligence. In practice, third-party claims against directors for data breaches have been rare in Japan compared to claims against the company itself under Civil Code Article 709, but the availability of Article 429 liability increases personal exposure for officers in cases involving systemic control failures, cover-ups, or deliberate disregard of known risks.
## Interplay with criminal penalties under APPI Article 178
The personal-liability mechanisms described above operate in addition to the criminal penalties imposed directly on officers under Article 178 of the APPI. An officer who personally violates a PPC order, improperly provides a personal-information database for wrongful gain, or fraudulently acquires personal information may be criminally prosecuted under Article 178 and sentenced to imprisonment or a fine. That criminal conviction does not shield the officer from concurrent civil liability under the Companies Act (Articles 423 or 429), nor does it prevent the imposition of a corporate fine on the business entity under Article 184.
## Practical risk allocation and indemnification
Many Japanese corporations maintain directors' and officers' (D&O) liability insurance to cover personal liability under Articles 423 and 429 of the Companies Act, but such policies typically exclude coverage for criminal fines and for conduct involving intentional misconduct or gross negligence. The ¥100 million corporate fine under Article 184 is borne by the corporation itself and is not indemnifiable to individual officers. Corporate indemnification agreements authorized under Article 430-2 of the Companies Act may cover directors' legal defense costs and certain civil damages, but cannot cover criminal penalties or conduct that violates public policy.
As a result, corporate officers bear personal financial and reputational risk for APPI violations even when acting within the scope of their duties. The PPC's January 2026 policy outline signaling the introduction of administrative monetary penalties (surcharges) in the 2026 Amendment underscores the trend toward heightened personal and corporate accountability for data-protection failures in Japan.
- Source: Act on the Protection of Personal Information, Articles 178 and 184
- Source: Companies Act, Articles 423 and 429
- Source: Personal Information Protection Commission, Ensuring the Effective Enforcement of Compliance Obligations — Outline of the System Reform Policy (January 2026)
# Cross-border enforcement cooperation: extraterritorial jurisdiction, bilateral memoranda, and multilateral networks
The Personal Information Protection Commission (PPC) exercises extraterritorial jurisdiction over foreign business operators that handle personal information of individuals in Japan, and participates in multiple bilateral and multilateral enforcement-cooperation frameworks to address the cross-border dimension of data protection. These mechanisms enable the PPC to investigate foreign operators, coordinate enforcement actions with peer authorities, and share intelligence on violations involving multinational data flows.
## Extraterritorial application under Article 171
Article 171 of the Act on the Protection of Personal Information (APPI) extends the PPC's authority to foreign business operators — defined as entities that are not domiciled or have no offices in Japan but handle personal information of individuals located in Japan. A foreign operator that meets the definition of a "business operator handling personal information" under Article 2 of the APPI (handling a database of more than 5,000 individuals' personal information in the preceding six months) is subject to the same obligations as domestic operators, including:
- Security-safeguard requirements (Article 23);
- Cross-border transfer restrictions (Article 28);
- Breach-notification duties (Article 26); and
- Compliance with PPC requests for reports, on-site inspections, recommendations, and orders (Articles 147–148).
The PPC may issue recommendations and orders to foreign operators under Article 148, enforceable through criminal penalties for non-compliance (imprisonment up to one year or fines up to ¥1 million under Article 178). In practice, the PPC's exercise of Article 171 authority has focused on major technology platforms and cross-border data processors that maintain significant Japanese user bases. The March 2024 administrative guidance to LINE Yahoo Corporation following a large-scale breach involving unauthorized access from South Korea is a prominent example of the PPC's willingness to publicly name and sanction foreign-controlled operators.
Article 171 does not require a foreign operator to have physical presence, employees, or servers in Japan; the triggering factor is the handling of personal information of individuals in Japan, interpreted broadly to include processing of data collected from Japan-based users through online services, mobile applications, or IoT devices. However, the PPC has not publicly articulated a numerical threshold (such as GDPR's "not occasional" standard or CCPA's 50,000-consumer threshold) for when foreign operators' activities become subject to extraterritorial enforcement.
## Bilateral memoranda of cooperation (MOC)
The PPC has concluded bilateral Memoranda of Cooperation (MOC) with data-protection authorities in like-minded jurisdictions to facilitate case-specific enforcement assistance, including:
- United Kingdom: MOC signed with the Information Commissioner's Office (ICO) in October 2023. This was the PPC's first formal bilateral enforcement-cooperation agreement and serves as the template for subsequent MOCs. The MOC provides for exchange of information on enforcement matters, mutual assistance in investigations, and coordination of remedial measures when the same violation affects both jurisdictions.
- Canada: MOC signed with the Privacy Commissioner of Canada in April 2025. The framework mirrors the UK MOC structure, enabling cross-border investigative cooperation and information-sharing on entities handling personal data in both Japan and Canada (relevant for multinational technology companies and cloud-service providers operating in North America and Asia-Pacific).
The PPC's Global Strategy 2025 (published March 26, 2025) identifies expansion of the MOC network as a core enforcement priority, with plans to conclude additional bilateral agreements with jurisdictions sharing "fundamental values with Japan" (language the PPC uses to signal liberal-democratic data-protection regimes, likely including Australia, Singapore, South Korea, and the European Union member states beyond the existing EU–Japan adequacy framework). The 2025 Global Strategy explicitly states that the PPC will pursue MOCs to "ensure necessary support is obtained when needed for individual enforcement cases."
The MOCs do not create binding legal obligations or mandatory information-sharing; rather, they establish voluntary cooperation frameworks and designate contact points for ad-hoc enforcement assistance. Both the UK and Canada MOCs are published on ppc.go.jp and are structured as political commitments rather than treaties requiring Diet ratification.
## EU and UK adequacy frameworks as enforcement bridges
Japan's mutual adequacy arrangements with the European Union (effective January 23, 2019) and the United Kingdom (grandfathered under the EU arrangement and maintained post-Brexit) operate primarily as cross-border transfer mechanisms but also function as enforcement-cooperation scaffolds. Under the EU–Japan adequacy arrangement, the PPC and the European Commission (and, by extension, the European Data Protection Board and national supervisory authorities in EU member states) committed to ongoing dialogue on enforcement priorities and to cooperate on investigations involving EU–Japan data flows.
The Supplementary Rules issued by the PPC in January 2019 to accompany the EU adequacy designation impose additional safeguards on personal data transferred from the EU to Japan, including requirements to notify the PPC of breaches involving EU-origin data and to cooperate with EU supervisory authorities in joint investigations. The PPC and the European Commission conducted the first triennial review of the mutual adequacy arrangement in June 2023, reaffirming the framework's continued validity and identifying no material gaps requiring remediation.
## Multilateral enforcement networks
The PPC participates in three multilateral privacy-enforcement networks that facilitate information exchange and coordinated enforcement:
1. Global Privacy Enforcement Network (GPEN). The PPC is a member of GPEN, an informal network of data-protection authorities established in 2010 under OECD auspices. GPEN facilitates information-sharing on cross-border privacy complaints and coordinates annual enforcement "sweeps" targeting common violations (mobile-app privacy practices, dark patterns, children's data). GPEN does not maintain a formal legal framework; cooperation is voluntary and case-specific, typically through designated contact points at member authorities.
2. G7 Data Protection and Privacy Authorities Roundtable. Japan hosted the 2nd G7 DPA Roundtable in June 2023 in Tokyo, producing a joint Action Plan that called on G7 authorities (including Japan, Canada, France, Germany, Italy, the UK, and the European Commission) to enhance bilateral and multilateral enforcement cooperation. The Action Plan specifically endorsed development of a G7 Request for Information (RFI) format for cross-border investigative assistance and encouraged G7 authorities to conclude bilateral MOCs and incorporate the RFI format into GPEN's enforcement-cooperation handbook. The PPC's subsequent MOCs with the UK and Canada implement this G7 commitment.
3. Asia-Pacific Privacy Authorities (APPA) Forum and APEC Cross-Border Privacy Rules (CBPR) System. The PPC participates in the APPA Forum (formerly APPA) and serves as an Accountability Agent for Japan under the APEC CBPR System, a voluntary certification framework for cross-border data transfers within the Asia-Pacific region. The PPC's Global Strategy 2025 identifies promoting the Global CBPR System (the rebranded and expanded version launched in 2023) as a key priority. The CBPR enforcement-cooperation mechanism relies on designated Accountability Agents (private-sector certification bodies) rather than direct authority-to-authority coordination, making it structurally distinct from GPEN and the G7 framework.
## Practical enforcement cooperation: the NTT cases
The PPC's 2024 enforcement actions against NTT DOCOMO, NTT Nexia, NTT Marketing Act ProCX, and NTT Business Solutions involved domestic operators and domestic processors but illustrate the PPC's approach to supply-chain enforcement cooperation. In both cases — involving 5.96 million and 9.28 million customer records, respectively — the PPC coordinated with sectoral regulators (the Ministry of Internal Affairs and Communications for telecommunications operators) and imposed public reporting requirements that required the operators to disclose corrective measures to affected corporate clients and consumers. While these cases did not involve foreign authorities, they demonstrate the PPC's willingness to use public disclosure, corrective-action mandates, and ongoing supervision as enforcement tools in complex supply-chain violations.
For true cross-border cases, the PPC's March 2024 action against LINE Yahoo Corporation (following unauthorized access from South Korea) exemplifies the practical exercise of Article 171 extraterritorial authority combined with bilateral enforcement dialogue. Although the PPC has not published details of coordination with South Korean authorities (the Personal Information Protection Commission of Korea), the rapid issuance of public guidance and the company's swift remediation suggest behind-the-scenes cooperation facilitated by the APPA Forum and possible ad-hoc information exchange.
## Gap: no published enforcement-cooperation statistics
As of June 2026, the PPC has not published statistics on the number of cross-border enforcement-assistance requests sent or received, the number of joint investigations conducted under the bilateral MOCs, or the frequency of GPEN case referrals. This contrasts with the European Commission's annual adequacy-review reports (which disclose the volume of mutual legal assistance requests under EU adequacy arrangements) and the EDPB's enforcement-action database. The PPC's quarterly supervision reports (launched in August 2024) focus on domestic guidance, recommendations, and breach-notification statistics but do not yet include a cross-border enforcement module.
- Source: Act on the Protection of Personal Information, Act No. 57 of 2003, Article 171
- Source: Personal Information Protection Commission, Global Strategy 2025 (March 26, 2025)
- Source: Personal Information Protection Commission, Memorandum of Cooperation with the UK ICO (October 2023)
- Source: Personal Information Protection Commission, Memorandum of Cooperation with the Privacy Commissioner of Canada (April 9, 2025)
- Source: G7 Data Protection and Privacy Authorities Action Plan (June 2023)