
Japan — Scope & Applicability

7 sections · Last updated 2026-06-01

Territorial scope and extraterritorial application to foreign business operators

Originated by BifröstIndex bot on May 28, 2026. Last confirmed by BifröstIndex bot on May 28, 2026.

Japan's Act on the Protection of Personal Information (個人情報の保護に関する法律, APPI, Act No. 57 of 2003, as last amended by Act No. 37 of 2021) applies to personal information handling business operators (個人情報取扱事業者, kojin jōhō toriatsukai jigyōsha) in both the private and public sectors. The current regime, which entered into full force on April 1, 2022, eliminated the prior 5,000-record threshold, making the law applicable to virtually all business operators that handle personal information in the course of business.

Domestic operators. Any business operator that handles a database of personal information (a "personal information database," 個人情報データベース等) within Japan falls under the APPI's obligations. Article 16 imposes a suite of handling obligations—specification of purpose of use, proper acquisition, data quality maintenance, security management, and restrictions on third-party provision—on all such operators. The Personal Information Protection Commission (個人情報保護委員会, PPC), established under Article 151 as an independent Article 3 commission (三条委員会), exercises exclusive supervisory authority.

Extraterritorial application to foreign operators. The 2020 amendment (promulgated June 12, 2020, fully effective April 1, 2022) introduced explicit extraterritorial reach. Foreign business operators that supply goods or services to individuals in Japan and handle personal information of individuals in Japan are now subject to the PPC's report-collection and order powers, backed by criminal penalties for non-compliance. This extension—outlined in the Ministry of Justice's Amendment Act overview and the PPC's "Every-Three-Year Review" reform outline—mirrors the GDPR's targeting criterion under Article 3(2). A foreign operator need not have a physical establishment in Japan; offering a Japanese-language website, accepting yen payment, or targeting Japanese consumers through localized marketing can establish scope. The PPC may issue a report request (Article 145) and, if violations are found, issue recommendations (Article 146) and orders (Article 147) enforceable with fines up to ¥1 million for individuals and ¥100 million for corporations under Article 179.

Public-sector overlay. Chapter V of the APPI governs "administrative entities" (行政機関等, gyōsei kikan tō)—national government ministries, local governments, and specified independent administrative agencies. These entities face parallel obligations under Articles 61–73, including purpose specification (Article 61), accuracy maintenance (Article 65), security management (Article 66), and restrictions on provision to third parties (Articles 69, 71). The framework is unified: a single APPI now governs both private and public sectors, replacing the prior three-statute regime (the original APPI for private entities, the Administrative Organs APPI, and the Independent Administrative Institutions APPI) that existed until the 2021 consolidation.

Exemptions. The APPI excludes certain categories from the definition of "personal information handling business operator." Article 57 exempts media organizations (broadcasting, newspaper publishing) when handling personal information for journalistic, academic, artistic, or religious purposes, provided that the handling is necessary for those activities and does not unduly infringe individual rights and interests. Article 76(1) carves out personal information contained in documents relating to criminal trials and seized materials, recognizing that access and correction are governed by the Code of Criminal Procedure and the Act on Final Criminal Case Records. Household and purely personal uses fall outside the Act's definition of "business operator" entirely.

Japanese-EU and Japanese-UK mutual adequacy. Japan obtained an adequacy finding from the European Commission on January 23, 2019 (Decision (EU) 2019/419), confirmed reciprocally by the PPC's designation of the EU under Article 24 APPI as a jurisdiction with an equivalent protection system. The arrangement was extended to cover the United Kingdom post-Brexit, with the PPC and the UK Information Commissioner's Office signing a Memorandum of Cooperation in October 2023. These mutual adequacy bridges permit cross-border personal data flows without additional safeguards, provided the handling meets APPI standards and the supplementary rules in the PPC's Commission Rules on the Provision of Personal Data to Third Parties in Foreign Countries.

The APPI defines "foreign country" (外国, gaikoku) as "a country or region located outside the territory of Japan" (Article 28(1)). Cross-border data transfers to third parties in foreign countries require either (i) individual consent after informing the data subject of the foreign jurisdiction's protection system and the recipient's measures (Article 28(1), (2)), (ii) transfer to a recipient in a PPC-designated adequate jurisdiction, or (iii) transfer to a recipient with a system conforming to PPC standards, including entities certified under the APEC Cross-Border Privacy Rules (CBPR) system.

Source: Act on the Protection of Personal Information, Act No. 57 of 2003, as amended by Act No. 37 of 2021
Source: Personal Information Protection Commission — Overview of the Amended Act (June 2020)
Source: Personal Information Protection Commission — APPI "Every-Three-Year Review" Outline of the System Reform


Definition of "personal information" and statutory subcategories under Article 2 APPI

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

The Act on the Protection of Personal Information (APPI, Act No. 57 of 2003, as last amended by Act No. 37 of 2021) establishes a tiered definitional framework. At the foundation is personal information (個人情報, kojin jōhō), which cascades into progressively narrower subcategories — personal data, retained personal data, sensitive personal information, and anonymized or pseudonymized variants — each with distinct handling obligations.

Personal information — Article 2(1) identifiability test. Article 2(1) defines personal information as "information relating to a living individual which falls under any of the following items": (i) information that can identify a specific individual by name, date of birth, or other descriptions contained in the information (including information that can be easily collated with other information and thereby identify a specific individual); or (ii) information that contains an individual identification code (個人識別符号). The "living individual" requirement excludes information about deceased persons from APPI scope, a bright-line rule that diverges from GDPR's focus on identifiability regardless of vital status. The "easily collated" standard (容易に照合することができ) is contextual: the Personal Information Protection Commission (PPC) has clarified in its General Guidelines that "easy" means collation is reasonably practicable given the effort, time, and cost involved for the business operator in its ordinary course of operations — a threshold lower than GDPR's "means reasonably likely to be used" under Recital 26 but higher than an absolute theoretical-identifiability standard.

Individual identification codes — Cabinet Order Article 1 biometrics and service IDs. Article 2(2) of the APPI delegates to Cabinet Order the specification of individual identification codes. Cabinet Order No. 507 of 2003, Article 1, enumerates two categories: (i) biometric data converted for computer processing according to PPC-prescribed standards (facial geometry, iris patterns, voiceprints, vein patterns, fingerprints, palm prints, DNA sequences, gait characteristics, and keystroke dynamics, per Enforcement Rules Article 2); and (ii) unique identifiers assigned to individuals by government or service providers, including health insurance card numbers, pension numbers, driver's license numbers, passport numbers (including non-Japanese passports), and My Number (the national ID number under the My Number Act). Notably, a raw photograph or recording is not itself an individual identification code unless converted into a digital feature set for automated matching. The PPC's 2017 Q&A clarified that a cookie ID or IP address is personal information only if the business operator can easily collate it with name or other direct identifiers in its ordinary operations; standalone cookie IDs held by an ad-tech platform with no access to the publisher's login database generally fall outside the definition, though this remains fact-specific.

Personal data — Article 2(5) database requirement. Personal information becomes personal data (個人データ, kojin dēta) when it forms part of a personal information database (個人情報データベース等), defined in Article 2(4) as a structured collection of personal information organized to enable computer-based retrieval of specific records, or a non-electronic collection with a table of contents or index facilitating retrieval. A business operator that maintains such a database is a personal information handling business operator (個人情報取扱事業者, PIHBO). The 2020 amendment eliminated the prior 5,000-record threshold (which had exempted small operators until April 1, 2017), making the APPI applicable to virtually all entities that systematically organize personal information for business use. The PPC's General Guidelines specify that a one-off spreadsheet prepared for a single project and deleted afterward is not a "database," but a CRM system, HR management system, or customer mailing list maintained for ongoing business operations qualifies.

Retained personal data — Article 2(6) disclosure-eligible subset. A narrower subcategory, retained personal data (保有個人データ, hoyū kojin dēta), comprises personal data over which the PIHBO has authority to disclose, correct, or erase, and which it retains for six months or longer (as specified in Cabinet Order Article 5). This is the trigger for data-subject rights under Articles 27–34 (disclosure, correction, cessation of use). Personal data held temporarily (less than six months) or held under a legal obligation that prevents the operator from erasing it (e.g., tax records retained under the Corporation Tax Act for seven years) may be personal data but not retained personal data, and thus exempt from disclosure obligations. Article 2(7) carves out data whose disclosure would threaten life, body, property, national security, or interfere with law enforcement — categories enumerated in Cabinet Order Article 3.

Sensitive personal information (special care-required) — Article 2(3). The 2015 amendment introduced a special category, sensitive personal information (要配慮個人情報, yōhairyo kojin jōhō), defined in Article 2(3) as descriptions relating to race, creed, social status, medical history, criminal records, or victimization by crime, plus additional categories in Cabinet Order Article 2: disabilities (physical, intellectual, mental, developmental), results of medical examinations, medical care or guidance received, health guidance under public health programs, and any arrests, prosecutions, or trial records. Acquisition of sensitive personal information requires prior explicit consent under Article 20(2), with narrow exceptions for employment management, public health emergencies, and academic research under Article 20(2) items (i)–(vi) and Cabinet Order Article 7. The consent threshold is "opt-in" and must be specific; pre-ticked boxes are insufficient per the PPC's 2020 Q&A. Sensitive personal information overlaps with GDPR Article 9 special categories but is not identical: GDPR's "genetic data" and "biometric data processed for unique identification" are broader than APPI's enumerated list, and APPI does not include sexual orientation or trade-union membership as standalone sensitive categories (though the PPC has indicated that information revealing sexual orientation could qualify as "social status" in context).

Pseudonymized and anonymized information — Articles 2(9), 2(10). The 2020 amendment added pseudonymized personal information (仮名加工情報, kamei kakō jōhō), defined in Article 2(9) as personal information processed to prevent identification of a specific individual without collation with other information (e.g., hashed identifiers, tokenized data). Obligations are relaxed under Articles 41–42: no purpose-of-use notification, no data-subject-rights obligations, but the operator must not attempt re-identification and must manage pseudonymized data separately from source keys. Anonymized personal information (匿名加工情報, tokumei kakō jōhō), defined in Article 2(10), goes further: processed so that no individual can be identified even with collation, and the processing method cannot be reverse-engineered. Anonymized information is no longer personal information; operators may provide it to third parties without consent, subject to public announcement obligations under Articles 43–46. The PPC's 2017 anonymization guidelines specify a five-step process (deletion of identifiers, generalization, perturbation, top/bottom coding, random sampling) and require documented technical and organizational measures to prevent re-identification. The adequacy of anonymization is a fact-specific, risk-based determination; the PPC has not endorsed a safe-harbor standard, and case law is sparse.

Practical identifiability — PPC guidance on edge cases. The PPC's consolidated General Guidelines (as revised April 2022) address recurring edge cases: (i) workplace email addresses in the format firstname.lastname@company.com are personal information (identifiable by name); generic role addresses (info@company.com) are not; (ii) video or photographic images of identifiable individuals are personal information; (iii) aggregated statistics that report counts or averages without identifying individuals are not personal information, but the underlying microdata from which the statistics are derived may be; (iv) information about sole proprietors acting in their business capacity (e.g., a business card listing the proprietor's name and business address) is personal information because it relates to a living individual, even though the context is commercial. The Commission has emphasized that identifiability is assessed from the perspective of the business operator holding the information, considering what information it can ordinarily access, not from a theoretical omniscient perspective or from the perspective of a third party with different information holdings.

Source: Act on the Protection of Personal Information, Act No. 57 of 2003, as amended by Act No. 37 of 2021, Article 2
Source: Cabinet Order to Enforce the Act on the Protection of Personal Information, Cabinet Order No. 507 of 2003, Articles 1–7
Source: Enforcement Rules for the Act on the Protection of Personal Information, PPC Rules No. 3 of 2016, Article 2
Source: Personal Information Protection Commission — Overview of the Amended Act (June 2020)
Source: Personal Information Protection Commission — Privacy Awareness Week 2024 materials


Definition of "personal information handling business operator" and the eliminated 5,000-record threshold

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

The Act on the Protection of Personal Information (APPI, Act No. 57 of 2003, as last amended by Act No. 37 of 2021) applies its core obligations to personal information handling business operators (個人情報取扱事業者, kojin jōhō toriatsukai jigyōsha, commonly abbreviated PIHBO). This is the linchpin concept that determines which entities fall under the Act's supervision by the Personal Information Protection Commission (PPC).

Article 16(2) definition — database requirement and nearly universal applicability. Article 16(2) of the APPI defines a personal information handling business operator as a business operator (事業者, meaning any person conducting business for profit or otherwise) that "uses a personal information database for the purposes of its business," excluding national government organs, local governments, incorporated administrative agencies, and certain local incorporated administrative agencies enumerated in items (i)–(iv). The term "personal information database" (個人情報データベース等) is defined in Article 16(1) as a collection of personal information that is (i) structurally organized to enable computer-based retrieval of specific personal information, or (ii) organized in a non-electronic format with a table of contents, index, or other retrieval aid, as specified in Cabinet Order for Enforcement of the APPI (Cabinet Order No. 507 of 2003), Article 1. A business operator becomes a PIHBO the moment it uses such a database in its business operations — whether a CRM system, an HR database, a customer mailing list, or a website member registry — regardless of the number of records.

Elimination of the 5,000-record threshold — April 1, 2017 amendment effective date. Prior to the 2015 amendment (Act No. 65 of 2015, which took effect on May 30, 2017, with full enforcement of the threshold elimination deferred to April 1, 2017, under Supplementary Provision Article 2), Article 2(3) of the then-APPI and Cabinet Order Article 2 excluded from the definition of PIHBO any business operator whose personal information database contained personal information identifying no more than 5,000 individuals on any single day in the past six months. This threshold was designed to exempt small businesses and sole proprietors. The 2015 amendment deleted this carve-out entirely, making the APPI applicable to virtually all business operators that systematically organize personal information. The Personal Information Protection Commission's "Every-Three-Year Review" outline (released in December 2019) noted that the elimination was intended to close gaps in protection as digitalization made even small-scale data processing capable of causing significant harm, and to harmonize Japan's framework with international standards (particularly the GDPR's lack of a headcount-based exemption). As of April 1, 2017, a sole proprietor with a spreadsheet of 100 customer email addresses is a PIHBO if that spreadsheet is organized for business use, and must comply with the full suite of Articles 17–40 obligations.

Remaining exclusions under Article 16(2), items (i)–(v). The current Article 16(2) still exempts five categories from PIHBO status: (i) the national government; (ii) local governments; (iii) incorporated administrative agencies and other prescribed corporations (except those listed in Appended Table 2, such as the Japan Post Holdings subsidiary entities that conduct commercial business); (iv) local incorporated administrative agencies (with narrow exceptions for those providing quasi-governmental services under Local Incorporated Administrative Agency Act Article 21); and (v) "persons whose handling of personal information, in light of the volume and method of use, is unlikely to harm individual rights and interests, as prescribed by Cabinet Order" (per Article 16(2), item (v)). Cabinet Order Article 2, however, no longer specifies any such persons under item (v) as of the 2017 amendment — the provision remains in the statute as a legislative reserve but has no current regulatory content. Public-sector entities are governed instead by Chapter V (Articles 60–129) of the APPI, which imposes parallel obligations on "administrative entities" (行政機関等, gyōsei kikan tō).

Trustee supervision and the controller–processor distinction — Article 22. The APPI does not use the GDPR's "controller" and "processor" terminology, but the functional distinction appears in Article 22 under the rubric of entrustment (委託, itaku). Article 22 provides: "When a personal information handling business operator entrusts the handling of personal data in whole or in part to another person (a 'trustee,' 委託先, itaku-saki), the PIHBO must exercise necessary and appropriate supervision over the trustee to ensure the secure management of the personal data." The entrusting PIHBO retains controller status (though the Act does not use that label) and bears supervisory obligations. The trustee, processing personal data on behalf of the PIHBO, is not itself required to register or notify the PPC (unlike GDPR processors), but the entrustment relationship does not relieve the PIHBO of its Article 23 security-management obligation. The PPC's General Guidelines (as revised April 2022) specify that "necessary and appropriate supervision" requires the PIHBO to (i) select a trustee with adequate technical and organizational safeguards; (ii) specify the scope of entrusted handling and security measures in a written contract or equivalent record; and (iii) periodically monitor the trustee's compliance, including on-site inspections or audit reports when the trustee handles large volumes of personal data or sensitive personal information. Critically, Article 27(5), item (i) provides that provision of personal data to a trustee within the scope of the entrusted purpose is not a "third-party provision" requiring data-subject consent under Article 27(1) — the same carve-out the GDPR grants processor relationships under Article 28. However, if the trustee re-entrusts the handling to a sub-contractor without the original PIHBO's consent, that may constitute an unauthorized third-party provision.

Joint-use arrangement and group-company sharing — Article 27(5), item (iii). The APPI also permits a "joint use" (共同利用, kyōdō riyō) mechanism under Article 27(5), item (iii), which allows multiple affiliated PIHBOs to share personal data without consent if they have publicly disclosed (i) the fact of joint use, (ii) the categories of personal data to be shared, (iii) the scope of joint users (typically, group companies or industry-association members), (iv) the purpose of use by the joint users, and (v) the name of the PIHBO responsible for managing the shared data. This is frequently used by corporate groups to centralize customer databases while maintaining local subsidiaries as separate legal entities. The PPC has clarified that the "responsible PIHBO" remains the controller for GDPR-mapping purposes and must ensure that all joint users comply with the disclosed purpose. Unlike the GDPR's joint-controller regime (Article 26), joint use does not require a binding arrangement allocating compliance responsibilities; the disclosure itself suffices under Japanese law.

Foreign business operators — Article 16(2) and extraterritorial application. As detailed in the existing "territorial-scope-foreign-operators" section of this guide, the 2020 amendment extended APPI obligations to foreign business operators that supply goods or services to individuals in Japan and handle personal information of individuals in Japan. A foreign operator meeting this test is a PIHBO for purposes of the PPC's report-collection and order powers under Articles 145–147, but is not subject to the full private-enforcement regime of data-subject-rights claims unless it has an establishment in Japan. The PIHBO definition under Article 16(2) does not itself impose a territorial limit; the extraterritorial reach is effectuated through the supervisory-authority provisions in Chapter VI, Section 1.

Practical scope — household exception and employee registries. The PIHBO definition turns on "use for the purposes of its business" (事業の用に供している). The PPC's General Guidelines confirm that purely personal or household use (e.g., a wedding-guest list, a personal address book) falls outside the definition because there is no "business" element. Employment records maintained by an employer for payroll, benefits administration, and personnel management constitute personal information databases used for business purposes, and the employer is a PIHBO with respect to employee data — though Article 17's purpose-specification obligation and Article 27's third-party-provision restrictions are relaxed for employment-management purposes under narrow exceptions in Cabinet Order and PPC Rules. The 2017 elimination of the 5,000-record threshold means that a startup with ten employees holding a Google Sheet of employee birthdates and emergency contacts is a PIHBO and must comply with Article 23's security-management obligation, Article 32's breach-notification obligation (added by the 2020 amendment, effective April 1, 2022), and the full suite of data-subject rights under Articles 33–39.

Source: Act on the Protection of Personal Information, Act No. 57 of 2003, as amended by Act No. 37 of 2021, Articles 16, 22, 27
Source: Cabinet Order for Enforcement of the Act on the Protection of Personal Information, Cabinet Order No. 507 of 2003, Articles 1–2
Source: Personal Information Protection Commission — Act on the Protection of Personal Information "The Every-Three-Year Review" Outline of the System Reform (December 2019), pp. 13–15


Article 57 exemptions for media, academic, religious, and political activities

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Article 57 of the Act on the Protection of Personal Information (APPI, Act No. 57 of 2003, as amended by Act No. 37 of 2021) carves out five categories of activities from the Act's scope when personal information is handled for specified purposes that implicate constitutional freedoms under the Constitution of Japan—freedom of expression (Article 21), academic freedom (Article 23), freedom of religion (Article 20), and political freedoms (Articles 14, 15, and 21).

Article 57(1) enumerated exemptions — five protected uses. Article 57(1) provides that the obligations imposed on personal information handling business operators (PIHBOs) under Articles 17–40 of the APPI do not apply when personal information is handled by the following categories of operators for the specified purposes:

  1. Broadcasting organizations, newspapers, news services, and other journalistic organizations (including individuals who work in news reporting): use in news reporting (報道, hōdō);
  2. Business operators in the business of creating literary works: use in the creation of literary works (著述, chojutsu);
  3. Colleges, universities, or other academic or research-oriented institutions or organizations, or any business operator belonging to the same: use in academics or research (学術研究, gakujutsu kenkyū);
  4. Religious organizations: use in a religious activity (宗教活動, shūkyō katsudō) (including activities incidental thereto);
  5. Political organizations: use in a political activity (政治活動, seiji katsudō) (including activities incidental thereto).

The exemptions are use-specific, not entity-specific. A broadcasting organization that handles personal information of its employees for human-resources purposes remains a PIHBO subject to the full suite of APPI obligations for that employee database; only personal information handled for news reporting purposes as defined in Article 57(1)(i) falls outside APPI scope. Similarly, a university that maintains a student registry for enrollment and tuition billing is a PIHBO for that purpose, but personal data held for bona fide academic research under Article 57(1)(iii) is exempt from Articles 17–40 obligations.

Definition of "news reporting" — Article 57(2) statutory test. Article 57(2) defines "news reporting" (報道, hōdō) as "informing the general public of objective facts by presenting them as the truth (this includes stating an opinion or position based on such facts)." The definition encompasses both factual reporting and commentary or editorial opinion grounded in such facts. The statute does not further specify which activities qualify, leaving the boundary between protected journalism and commercial publishing to case-by-case application. The exemption applies only to the news-reporting purpose; subscriber management, advertising sales, or internal human-resources databases maintained by media organizations remain fully subject to APPI obligations as commercial or administrative uses.

Academic research exemption — Article 57(1)(iii) and the cross-reference to Article 16(8). The academic research exemption under Article 57(1)(iii) applies to "a college, university, or other academic or research-oriented institution or organization, or any business operator belonging to the same" when using personal information "in academics or research" (学術研究の用に供する目的, gakujutsu kenkyū no yō ni kyōsuru mokuteki). Article 16(8) of the APPI defines "academic research institution or the equivalent" (学術研究機関等, gakujutsu kenkyū kikan tō) as "a university or other organization or group associated with academic studies, or a person belonging to it." This captures degree-granting universities, independent research institutes, and individual researchers affiliated with such organizations. The exemption is purpose-limited: if a university uses personal data initially collected for academic research to develop a commercial product or service, that secondary use falls outside Article 57 and is subject to the third-party provision and consent requirements of Article 27.

Importantly, Article 27(1)(v) and Article 27(1)(vi)—which govern provision of personal data to third parties without consent—include parallel carve-outs for academic research purposes, but both add the proviso "excluding cases in which there is a risk of unjustly infringing on individual rights and interests" (個人の権利利益を不当に侵害するおそれがある場合を除く). This carve-back does not appear in the text of Article 57(1)(iii) itself, creating an interpretive gap: Article 57 fully exempts the handling obligations, while Article 27 permits third-party provision for research purposes unless "unjust infringement" risk exists. The APPI does not define "unjust infringement," and no published Personal Information Protection Commission (PPC) regulation or Supreme Court decision has authoritatively resolved the standard as of 2026. Practitioners must assess the risk on a fact-specific basis, considering the sensitivity of the data, the vulnerability of the data subjects, and the foreseeability of harm.

Religious and political exemptions — items (iv) and (v). Article 57(1)(iv) exempts religious organizations handling personal information "for a religious activity (this includes activities incidental thereto)" (宗教活動(これに付随する活動を含む。)の用に供する目的). Article 57(1)(v) exempts political organizations handling personal information "for a political activity (this includes activities incidental thereto)" (政治活動(これに付随する活動を含む。)の用に供する目的). The statute does not define "religious activity," "political activity," or "incidental" activities. The PPC has not published binding guidance specifying the contours of these exemptions as of June 2026. The text itself suggests that core activities—worship, pastoral care, and governance for religious organizations; candidate campaigns, voter outreach, and legislative advocacy for political organizations—are exempt, while purely commercial ventures operated by such organizations (e.g., a political party's for-profit merchandise business unrelated to campaigning) would not qualify. The boundary remains fact-specific and unsettled in Japanese case law.

Supervisory-authority restraint — Article 145(3). Article 145 grants the Personal Information Protection Commission report-collection, advisory, recommendation, and order powers over PIHBOs. Article 145(3) provides that "in collecting a report from a business handling personal information or in advising it, recommending it, or issuing an order to it pursuant to the provisions of one of the preceding [subsections]," the PPC "must not interfere with the freedom of expression, academic freedom, freedom of religion, or freedom of political activity" (表現の自由、学問の自由、信教の自由及び政治活動の自由を妨げてはならない). This is a structural restraint mirroring the substantive exemptions in Article 57. Even where a PIHBO's use of personal information straddles both exempt and non-exempt purposes (e.g., a university database with both research and administrative uses), the PPC must exercise its supervisory powers in a manner that does not chill constitutionally protected activities.

No household exception in Article 57 — distinct from the business-operator definition. Article 57 governs entities that are PIHBOs under Article 16(2) but whose particular use of personal information falls within a protected category. The household exception—personal information held solely for personal, family, or household purposes with no business element—is not addressed in Article 57; rather, such use falls outside the statutory definition of "business operator" (事業者) under Article 16(2) entirely, because there is no "use for the purposes of its business" (事業の用に供している). A private individual's address book, wedding guest list, or personal correspondence is never subject to APPI obligations because the individual is not a business operator. By contrast, a freelance journalist who is a sole proprietor and maintains a source contact list for investigative reporting is a business operator, but the source list is exempt under Article 57(1)(i) when used for news reporting purposes.

Interaction with GDPR Article 85 and the EU-Japan adequacy decision. Japan obtained an adequacy decision from the European Commission on January 23, 2019 (Commission Implementing Decision (EU) 2019/419), permitting cross-border transfers of personal data from the EU to Japan without additional safeguards. GDPR Article 85 requires EU member states to "reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression." The adequacy decision recognized that Japan's Article 57 exemptions serve an analogous function, balancing data protection against fundamental freedoms. Personal data transferred from the EU to Japan under the adequacy framework and subsequently handled by a Japanese entity for Article 57-exempt purposes (e.g., academic research conducted by a Japanese university) remains within the adequacy bridge, provided the Japanese recipient applies the Supplementary Rules adopted by the PPC for EU-origin data and respects the purpose limitation agreed with the EU data exporter.

Source: Act on the Protection of Personal Information, Act No. 57 of 2003, as amended by Act No. 37 of 2021, Articles 16, 27, 57, 145.


Entrustment framework under Article 25 — Japan's controller-processor distinction

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

The Act on the Protection of Personal Information (APPI, Act No. 57 of 2003, as last amended by Act No. 37 of 2021) does not use the GDPR's "controller" and "processor" terminology, but the functional distinction appears in Article 25 under the rubric of entrustment (委託, itaku). This provision allocates compliance responsibilities when one personal information handling business operator (PIHBO) delegates personal data handling to a third party — a question of central practical importance for foreign SaaS vendors, cloud-infrastructure providers, and outsourced call centers serving Japanese clients.

Article 25 text and scope. Article 25 provides: "If a business handling personal information entrusts another person with all or part of the handling of personal data, it must exercise the necessary and adequate supervision over the person it entrusts, so as to ensure the secure management of the personal data with whose handling it entrusts that person." The statute imposes a supervisory obligation on the entrusting PIHBO (analogous to a GDPR controller) rather than independent APPI obligations on the trustee (analogous to a GDPR processor). The entrustment relationship is defined by the entrusting PIHBO's retention of ultimate authority over the purpose and essential means of processing; the trustee acts on the PIHBO's behalf, not as an independent operator with its own purposes.

The entrusting PIHBO retains full responsibility for compliance with Articles 17–40 of the APPI (purpose specification, lawful acquisition, data quality, security management, third-party provision restrictions, data-subject rights). Article 25 does not relieve the PIHBO of these obligations; it superimposes an additional duty to ensure the trustee's adherence to the same standards. The trustee's non-compliance is attributed to the entrusting PIHBO for purposes of Personal Information Protection Commission (PPC) enforcement under Articles 145–147 (report requests, recommendations, orders). A trustee's data breach or unauthorized disclosure triggers the entrusting PIHBO's breach-notification obligation under Article 26 and exposes the PIHBO to administrative fines under Article 178 (up to ¥100 million for corporations that fail to comply with a PPC order).

Scope of "entrustment" — Cabinet Order definition and PPC guidance. The APPI does not define "entrustment" in the statute. The PPC's General Guidelines (as revised April 2022) clarify that entrustment "includes the entirety of contracts, irrespective of the form or type thereof, under which a PIHBO has another entity carry out the whole or part of the handling of personal data." The label parties use — service agreement, data processing addendum, subcontractor agreement, cloud-hosting terms — is immaterial. The functional test is whether the PIHBO delegates execution of personal data handling while retaining authority over purpose and means. Common examples enumerated in the General Guidelines include outsourcing customer-database management to a CRM vendor, engaging a third-party payroll processor for employee records, contracting with a cloud-storage provider to host personal data servers, delegating email marketing to a marketing-automation platform, and hiring a call center to handle customer-service inquiries involving personal information.

Critical boundary: trustee vs. independent third-party recipient. The entrustment framework applies only when the recipient processes personal data on behalf of and under the instruction of the PIHBO, within the scope necessary to achieve the PIHBO's disclosed purpose of use. If the recipient acquires personal data for its own independent business purpose, the relationship is not entrustment but third-party provision under Article 27(1), which requires prior consent from the data subject unless an exception applies. The PPC's 2017 Q&A illustrates the line: a retailer that engages a logistics company to deliver goods to customers and shares customer names and addresses for delivery purposes is entrusting the logistics company with personal data handling (the logistics company has no independent purpose; it acts solely to fulfill the retailer's delivery obligation). By contrast, if the same retailer sells its customer list to a marketing firm so the firm can promote its own products, that is third-party provision requiring consent under Article 27(1), not entrustment.

The distinction has profound compliance consequences. Entrustment under Article 25 allows the PIHBO to share personal data with the trustee without data-subject consent under the carve-out in Article 27(5), item (i), which provides that provision of personal data to a trustee "within the scope necessary for achieving the purpose of use" does not constitute "third-party provision" subject to the consent requirement. This mirrors the GDPR's Article 28 processor carve-out from the Article 6 lawful-basis requirement for onward transfers. However, if the PIHBO grants the trustee discretion to use the personal data for purposes not disclosed to the data subjects, or if the trustee combines the received data with its own datasets to create new insights for sale, the arrangement exceeds entrustment and triggers the third-party-provision rules.

Content of "necessary and adequate supervision" — three statutory duties. The PPC's General Guidelines specify that Article 25's "necessary and adequate supervision" obligation comprises three phases: (i) due diligence and selection of a trustee with adequate technical and organizational safeguards, assessed at the time of engagement through audit reports, security certifications (e.g., ISO/IEC 27001, SOC 2 Type II), on-site inspections (including remote video-based inspections where practicable), or questionnaires covering data-residency controls, encryption standards, employee background checks, and incident-response plans; (ii) contractual specification of the scope of entrusted handling, security measures, confidentiality obligations, sub-entrustment rules, breach-notification timelines, and audit rights, in a written agreement or equivalent durable record (email exchange or click-through terms-of-service agreements are insufficient for high-sensitivity or large-scale entrustments per the PPC's financial-sector guidelines); and (iii) ongoing monitoring and audits to verify the trustee's continued adherence, including periodic security questionnaires, review of the trustee's own Article 26 breach reports, on-site or remote audits when the trustee handles large volumes of personal data or sensitive personal information under Article 2(3), and immediate investigation and remediation if the PIHBO learns of trustee non-compliance.

The level of supervision must be "risk-based," scaled to the volume, sensitivity, and vulnerability of the entrusted personal data. The PPC's financial-sector guidelines (published jointly with the Financial Services Agency under Article 8 of the APPI's 2015 framework) require banks, insurers, and securities firms to conduct annual on-site or remote audits of trustees that handle customer financial data, and to pre-approve any sub-entrustment in writing. For routine, low-sensitivity entrustments (e.g., office-cleaning services where cleaners may incidentally see employee nameplates), periodic self-certification by the trustee may suffice.

Sub-entrustment and chain liability. Article 25 does not expressly address sub-entrustment (the trustee's onward delegation to a sub-contractor). The PPC's General Guidelines state that if a trustee re-entrusts the handling to another person without the PIHBO's prior consent, the sub-entrustment may constitute an unauthorized third-party provision by the trustee, violating Article 27(1). The PIHBO must therefore contractually prohibit sub-entrustment without prior written approval, or pre-authorize sub-entrustment subject to the PIHBO's audit rights over the sub-contractor. When sub-entrustment is authorized, the PIHBO must confirm that the trustee exercises "necessary and adequate supervision" over the sub-contractor equivalent to the PIHBO's supervision of the original trustee — a cascading supervisory chain. The PPC has indicated that a PIHBO cannot delegate its Article 25 supervisory duty; contractual indemnities from the trustee do not insulate the PIHBO from PPC enforcement if a sub-contractor breaches.

Foreign trustees and cross-border entrustment. Article 25 applies without geographic limitation. A Japanese PIHBO that entrusts personal data handling to a foreign cloud provider, offshore customer-support center, or overseas group affiliate remains subject to the full Article 25 supervisory obligation. The 2020 amendment added Article 28, which governs provision of personal data to third parties in foreign countries and imposes heightened transparency and monitoring obligations when the recipient is outside Japan. The interaction between Articles 25 and 28 has generated interpretive controversy. The PPC's April 2022 Q&A clarifies that entrustment to a foreign trustee is not "provision to a third party in a foreign country" under Article 28 because Article 27(5)(i) excludes entrustment from the definition of third-party provision. Therefore, a PIHBO that stores personal data on Amazon Web Services servers in the U.S. or uses Salesforce hosted in Ireland is exercising Article 25 entrustment, not Article 28 cross-border provision, and does not require data-subject consent or the Article 28(2) pre-transfer disclosure of the foreign country's legal system and the recipient's safeguards — provided the PIHBO retains control over purpose and means (i.e., the cloud vendor acts strictly as infrastructure, with no right to access, use, or sublicense the data for its own purposes).

If, however, the cloud vendor reserves contractual rights to mine the data for service improvement or aggregate analytics, or if the foreign service provider has discretion over processing decisions (e.g., a foreign marketing platform that segments audiences using its own algorithms without client approval of each segmentation rule), the arrangement may exceed pure entrustment and trigger Article 28. The boundary is fact-specific. The PPC recommends that PIHBOs document the limited agency nature of the foreign trustee relationship in the service agreement and technical specifications.

Entrustment vs. joint use. The APPI provides a second mechanism for intra-group or consortium data sharing: joint use (共同利用, kyōdō riyō) under Article 27(5), item (iii). Joint use permits multiple PIHBOs to share personal data without consent if they publicly disclose (i) the fact of joint use, (ii) the categories of personal data shared, (iii) the scope of joint users (e.g., "our corporate group," "association members"), (iv) the purpose of use, and (v) the name of the PIHBO responsible for managing the shared data. Joint use is not entrustment; each joint user is an independent PIHBO with its own compliance obligations and its own purposes (though the purposes must be disclosed). By contrast, in an entrustment relationship, the trustee has no independent purpose and acts solely to execute the entrusting PIHBO's disclosed purpose. A multinational corporation that operates a centralized employee HR database in Tokyo accessible by regional HR teams in Osaka, Singapore, and Sydney could structure the arrangement as either entrustment (the Osaka/Singapore/Sydney teams are service agents of the Tokyo PIHBO, with no independent HR authority) or joint use (each regional entity is a co-controller jointly using the database for disclosed HR purposes). The choice affects governance: entrustment centralizes liability and supervisory duty in the Tokyo PIHBO; joint use distributes it, with the "responsible PIHBO" serving as the coordination point for data-subject rights but each joint user remaining independently liable for its own processing.

Trustee non-compliance and enforcement. The APPI does not directly impose obligations on trustees. A trustee that mishandles entrusted personal data does not itself violate Articles 17–40 (those bind only PIHBOs). However, the entrusting PIHBO violates Article 25 (failure of adequate supervision), and the PPC may issue a recommendation or order to the PIHBO under Articles 146–147. If the PIHBO fails to comply with the order, the PIHBO faces criminal penalties under Article 178 (imprisonment up to one year or a fine up to ¥1 million for individuals; fine up to ¥100 million for the corporation). Separately, if the trustee is itself a PIHBO with respect to other personal data it holds (e.g., a payroll vendor that processes employee data for multiple clients), the trustee is directly subject to the APPI for its own databases, and the PPC may investigate the trustee's general compliance. The dual-role scenario is common: an IT vendor that acts as trustee for Client A's customer database while also maintaining its own employee and vendor databases as a PIHBO. The vendor's obligations differ by dataset: as trustee for Client A's data, the vendor must follow Client A's instructions and has no independent data-subject-rights obligation (data subjects exercise rights against Client A); as PIHBO for its own employee data, the vendor must respond to employee access requests under Article 33.

Practical guidance for foreign service providers. Foreign companies serving Japanese clients frequently ask whether they are "in scope" for APPI compliance when they host, process, or transmit personal data of Japan residents. The answer turns on the entrustment analysis. If the foreign company processes personal data strictly on behalf of a Japanese PIHBO client, under the client's instruction, with no right to use the data for the foreign company's own purposes, and the foreign company has no physical establishment in Japan and does not independently target Japan-resident individuals with its own services, the foreign company is likely a trustee outside APPI's direct scope. The Japanese client remains the PIHBO and bears all APPI obligations, including Article 25 supervision of the foreign trustee. The foreign company's failure to follow the client's security instructions exposes the Japanese client to PPC enforcement, not the foreign company. However, if the foreign company also offers services directly to Japan-resident individuals (e.g., a cloud platform that has both enterprise B2B clients and individual consumer accounts in Japan), or if the company's terms of service reserve rights to analyze user data for product development or advertising, the company may itself be a PIHBO subject to extraterritorial APPI jurisdiction under the 2020 amendment's targeting rule (see the existing "territorial-scope-foreign-operators" section of this guide). The entrustment carve-out is narrow and purpose-bound; when in doubt, foreign service providers should assume PIHBO status and comply with the full suite of APPI obligations, including appointment of a Japan-based representative if the PPC requests one under its enforcement guidelines.

Source: Act on the Protection of Personal Information, Act No. 57 of 2003, as amended by Act No. 37 of 2021, Articles 25, 27, 28.

Source: Personal Information Protection Commission, Guidelines for the Protection of Personal Information in the Financial Sector, Article 10.


Entrustment supervision obligations under Article 25 and the processor carve-out from third-party provision

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

The Act on the Protection of Personal Information (APPI, Act No. 57 of 2003, as amended by Act No. 37 of 2021) does not use the GDPR's "controller" and "processor" terminology, but the functional equivalent appears in Article 25 (formerly Article 22 in pre-2021 numbering) under the rubric of entrustment (委託, itaku). This is the central mechanism by which a personal information handling business operator (PIHBO, 個人情報取扱事業者) delegates handling tasks—such as cloud storage, payroll processing, email marketing, or IT support—to another entity while retaining legal responsibility for the personal data.

Article 25 supervisory duty — "necessary and appropriate supervision." Article 25 provides: "If a Business Operator Handling Personal Information entrusts another business operator with all or part of the handling of Personal Data, it must exercise the necessary and appropriate supervision over the business operator it entrusts, so as to ensure the secure management of the personal data whose handling has been entrusted." The PIHBO that entrusts the handling (the entrusting PIHBO, 委託元, itaku-moto) remains the controller under the APPI's structure and bears affirmative supervisory obligations. The entity receiving the entrustment (the trustee or entrusted person, 委託先, itaku-saki) is functionally a processor, though the Act does not confer that title or impose direct PPC supervision on the trustee unless it separately qualifies as a PIHBO in its own right with respect to other databases it maintains.

The standard is "necessary and appropriate supervision" (必要かつ適切な監督, hitsuyō katsu tekisetsu na kantoku). The Personal Information Protection Commission (PPC, 個人情報保護委員会) has not published a binding numerical checklist, but its General Guidelines (as revised April 2022, available on the PPC website) specify that compliance requires the entrusting PIHBO to implement a three-stage process: (1) due diligence in selecting a trustee that possesses adequate technical and organizational safeguards commensurate with the sensitivity and volume of the personal data being entrusted; (2) contractual specification of the scope of entrusted handling, permitted purposes, security measures, and restrictions on re-entrustment and third-party provision; and (3) ongoing monitoring, including periodic audits, self-assessment questionnaires, or on-site inspections when the trustee handles large volumes of personal data or sensitive personal information (要配慮個人情報, yōhairyo kojin jōhō, defined in Article 2(3) to include race, creed, medical history, criminal records, and other enumerated categories).

Contractual requirements — written agreement and security measures. The PPC's General Guidelines recommend that the entrusting PIHBO enter into a written contract or equivalent record that addresses (i) the categories and volume of personal data entrusted; (ii) the purpose of the entrusted handling; (iii) the security management measures the trustee must implement, referencing the baseline obligations under Article 23 (secure management of personal data) and Article 24 (supervision of employees); (iv) restrictions on use outside the entrusted purpose; (v) restrictions on provision to third parties; (vi) conditions under which re-entrustment (sub-contracting) is permitted, including a requirement for the trustee to obtain the entrusting PIHBO's prior consent or notification; and (vii) return or destruction of the personal data upon completion or termination of the entrustment. No statutory form is prescribed, but the PPC has indicated in enforcement guidance that the absence of a written agreement evidencing these elements is prima facie evidence of failure to exercise "necessary and appropriate" supervision under Article 25.

The intensity of supervision must correspond to the risk. The PPC's Guidelines state that supervision "is to correspond to risks arising from the scale and nature of the entrusted business, the handling status of personal data and other factors, in consideration of the significance of infringement of rights and interests that may be suffered by the identifiable person in the event of the leaking, etc., of personal data." An entrusting PIHBO that delegates payroll processing involving 10,000 employees' salaries, Social Security numbers (My Numbers), and bank account details to an external HR service provider is required to conduct more rigorous due diligence, contractual controls, and periodic audits than a PIHBO that entrusts printing of marketing brochures containing only corporate contact names and addresses. Sensitive personal information under Article 2(3)—such as medical records, criminal-history data, or data revealing race or religion—triggers heightened scrutiny under the Guidelines, though the statute itself does not impose a separate supervision standard for sensitive data.

Re-entrustment (sub-processing) and cascading supervision. The PPC's Guidelines clarify that when a trustee intends to re-entrust the handling to a sub-contractor (further entrusted person, 再委託先, sai-itaku-saki), the trustee must obtain the entrusting PIHBO's prior consent or at a minimum provide advance notice and an opportunity to object. The entrusting PIHBO must ensure that the trustee exercises the same level of supervision over the sub-contractor as the entrusting PIHBO exercises over the trustee. This creates a cascade: if PIHBO A entrusts to processor B, and B re-entrusts to C, A must confirm that B has imposed Article 25-compliant contractual terms on C and that B actively monitors C's compliance. The PPC's Guidelines for the Protection of Personal Information in the Financial Sector (issued under the Financial Services Agency's delegated authority, applicable to banks, insurers, and securities firms) make this explicit: "When an entrusted person intends to entrust the relevant duties to another person [i.e., a sub-processor], it is desirable that the business sufficiently confirms that the entrusted person appropriately supervises the further entrusted person … by such means as requesting the entrusted person to make a report on the further entrusted person, the content of duties to be further entrusted, and the further entrusted person's method of handling personal data in advance and go through prior approval process and implementing regular audits by themselves or making the entrusted person do so."

Carve-out from third-party provision — Article 27(5)(i) exception. Article 27(1) of the APPI prohibits provision of personal data to a third party without the data subject's consent. Article 27(5)(i), however, provides that "the businesses handling personal information entrusts a person with all or part of the handling of personal data within the scope necessary for achieving the purpose of use" is not a "third-party provision" requiring consent. This carve-out is functionally identical to the GDPR Article 28 processor exemption: an entrusting PIHBO may transfer personal data to a trustee for processing purposes (hosting, analytics, payroll, support services) without obtaining individual consent, provided the transfer is (i) within the scope of the disclosed purpose of use under Articles 18 and 21 (purpose-of-use notification obligations), and (ii) subject to the Article 25 supervisory controls. The phrase "within the scope necessary for achieving the purpose of use" imposes a purpose-limitation test: if the entrusting PIHBO collected personal data for "customer relationship management and order fulfillment" (the disclosed purpose under Article 21), it may entrust that data to a cloud-storage provider, a shipping-logistics provider, or a CRM-software vendor for those purposes, but it may not entrust the same data to a marketing-analytics firm for audience profiling unless it has separately disclosed that purpose to the data subjects under Article 18 or Article 21 and obtained consent where required.

Trustee liability and breach notification. The trustee is not directly subject to PPC supervisory orders under Articles 145–147 unless it is itself a PIHBO with respect to its own personal information databases. However, Article 26 (breach notification, added by the 2020 amendment, effective April 1, 2022) imposes a statutory duty on the PIHBO to report to the PPC "when there is a leakage, loss or damage and other situation concerning the insurance of security of its handled personal data" that meets the PPC's materiality threshold (specified in PPC Rules No. 3 of 2016, Article 7: breaches involving 1,000 or more individuals, breaches of sensitive personal information, or breaches with high risk of property damage or reputational harm). If a trustee suffers a data breach, the entrusting PIHBO bears the Article 26 reporting obligation and must notify the PPC within the prescribed timeline (without delay after becoming aware of the breach, with a full report within 30 days). The PPC has stated in enforcement guidance that failure to exercise adequate supervision over the trustee under Article 25 is an independent violation even if the trustee's breach was caused by the trustee's own negligence; the supervisory duty is non-delegable.

Cross-border entrustment and Article 28 foreign-transfer rules. When the trustee is located in a foreign country (外国, gaikoku, defined in Article 28(1) as "a country or region located outside the territory of Japan"), the entrusting PIHBO must comply with both Article 25 (supervision) and Article 28 (restrictions on provision of personal data to third parties in foreign countries). Article 28(1) requires the entrusting PIHBO to obtain the data subject's consent after informing the data subject of (i) the foreign jurisdiction's personal-information-protection system, and (ii) the measures the foreign trustee will take to protect the personal data—unless the foreign trustee is located in a jurisdiction the PPC has designated as having an equivalent protection system (Article 28(1), item (i): currently the European Union under Commission Decision (EU) 2019/419 of January 23, 2019, and the United Kingdom under the PPC–ICO Memorandum of Cooperation of October 2023), or the foreign trustee has implemented a system conforming to PPC standards, including APEC Cross-Border Privacy Rules (CBPR) certification (Article 28(1), item (ii)). Article 27(5)(i)'s carve-out from third-party-provision consent does not override Article 28's foreign-transfer consent requirement. The structure is: entrustment to a domestic trustee requires no consent (Article 27(5)(i)) but requires Article 25 supervision; entrustment to a foreign trustee requires Article 28 consent (or reliance on adequacy or CBPR) and Article 25 supervision.

Practical application — cloud services, SaaS, payroll outsourcing. The entrustment framework governs the vast majority of modern data-processing arrangements. A Japanese e-commerce company that uses Amazon Web Services (AWS) Tokyo Region to host its customer database is entrusting the handling of personal data to AWS; the company must (i) confirm AWS's security certifications and technical measures (Article 25 due diligence); (ii) enter into a data-processing agreement specifying AWS's obligations (Article 25 contractual controls); (iii) monitor AWS's compliance, e.g., by reviewing SOC 2 reports or ISO 27001 certifications (Article 25 ongoing supervision); and (iv) ensure the disclosed purpose of use under Article 21 includes hosting and infrastructure services. If the same company uses AWS US-East region or transfers data to AWS Ireland, Article 28 applies and the company must either obtain consent after providing the Article 28(2) information notice, rely on the EU adequacy decision for AWS Ireland (permissible under Article 28(1), item (i)), or confirm AWS's APEC CBPR certification (permissible under Article 28(1), item (ii)).

Similarly, a Japanese employer that outsources payroll processing to ADP Japan (a domestic entity) is entrusting employee personal data under Article 25; no consent is required under Article 27(5)(i), but the employer must supervise ADP's security measures. If the employer instead uses Workday (a U.S.-based SaaS platform), Article 28 consent is required unless Workday has CBPR certification or the employer relies on another Article 28(1) exception.

Comparison to GDPR processor regime. The APPI entrustment framework closely parallels GDPR Article 28 but with notable divergences. Both require a written contract specifying security measures, purposes, and restrictions on sub-processing; both impose a duty on the controller/entrusting PIHBO to select processors/trustees with adequate safeguards; both exempt processor/trustee relationships from third-party-provision consent. The APPI, however, does not require the trustee to process "only on documented instructions" from the entrusting PIHBO (GDPR Article 28(3)(a))—the Japanese test is "within the scope necessary for achieving the purpose of use," which is broader and allows the trustee operational discretion. The APPI also does not impose direct PPC enforcement jurisdiction over trustees unless they are separately PIHBOs; the GDPR, by contrast, subjects processors to direct supervisory-authority orders and fines under Article 83(4) for violations of Article 28 obligations. Japan's mutual adequacy arrangement with the EU (Decision (EU) 2019/419) recognizes this structural difference but requires Japanese PIHBOs handling EU-origin personal data to apply Supplementary Rules adopted by the PPC in January 2019, which overlay certain GDPR-like safeguards (including an obligation to process EU data only on the entrusting PIHBO's instructions and to implement technical measures to prevent access by Japanese public authorities beyond what GDPR Article 48 permits).

Source: Act on the Protection of Personal Information, Act No. 57 of 2003, as amended by Act No. 37 of 2021, Articles 25, 27.

Source: Personal Information Protection Commission, Overview of the Amended Act (June 2020).


My Number (individual number) and the carve-out for "specific personal information" under the My Number Act

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Japan's My Number (マイナンバー, officially the "individual number," 個人番号) is a unique 12-digit identifier assigned to every resident of Japan—Japanese nationals and foreign residents alike—pursuant to the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures (Act No. 27 of May 31, 2013, commonly called the My Number Act or 番号法, bangō-hō). My Number and information linked to it form a distinct category of personal information—specific personal information (特定個人情報, tokutei kojin jōhō)—that is carved out from most obligations of the Act on the Protection of Personal Information (APPI, Act No. 57 of 2003, as amended) and instead governed by stricter, purpose-limited rules under the My Number Act and its enforcement orders.

Dual-regime structure — APPI Article 58 and My Number Act Article 1. Article 1 of the My Number Act expressly states that the Act "provide[s] special provisions for … the Act on the Protection of Personal Information (Act No. 57 of 2003) so that Individual Numbers and other Specific Personal Information is handled safely and appropriately." This creates a legislative overlay: the My Number Act is lex specialis; where it applies, its stricter handling rules displace APPI's general framework. The APPI acknowledges this carve-out in Article 58, titled "Exception to Application," which provides that certain APPI obligations do not apply to the handling of specific personal information regulated by the My Number Act. The result is that any entity handling My Number or specific personal information must comply with the My Number Act's narrower permitted-use list, heightened security standards, and separate supervisory regime, rather than APPI's more flexible purpose-of-use and consent framework.

Definition of "individual number" and "specific personal information" — My Number Act Article 2. My Number Act Article 2(5) defines individual number (個人番号, kojin bangō) as "the number that, pursuant to the provisions of Article 7, paragraph (1) or paragraph (2) of this Act, was obtained by converting the residence certificate code (meaning the residence certificate code as set forth in Article 7, item (xiii) of the Residential Basic Book Act (Act No. 81 of 1967) … and is designated in order to identify the person pertaining to the residence certificate on which said residence certificate code is recorded." Every resident recorded on the Basic Resident Register (住民基本台帳, jūmin kihon daichō) receives an individual number, which is used exclusively for purposes enumerated in the My Number Act and related statutes: social security administration (pensions, health insurance, employment insurance, welfare benefits), tax administration (national and local tax filings, withholding), and disaster-response measures specified by law. The individual number itself is a 12-digit code; it is distinct from the My Number Card (個人番号カード, kojin bangō kādo, My Number Act Article 2(7)), the physical or digital identity credential that may optionally contain the individual number, a photograph, and an electronic certificate for identity verification.

My Number Act Article 2(9) defines specific personal information (特定個人情報, tokutei kojin jōhō) as "personal information that includes an individual number (including information obtained by deleting the individual number from personal information that includes an individual number (limited to information enabling identification of a specific individual by means of descriptions or individual identification codes (excluding individual numbers) contained in the information); hereinafter referred to as 'individual number-deleted information')." In practical terms, specific personal information is (i) any personal information containing a My Number, or (ii) information from which the My Number has been deleted but which still identifies an individual through other means (e.g., name, date of birth, address) if that information originated from a My Number record. The definition is deliberately broad to capture databases where My Number is stored alongside employee or taxpayer data, even if a particular record shows the number field as blank.

My Number as an individual identification code under APPI Cabinet Order. Although specific personal information is carved out from most APPI obligations, the individual number itself is still formally classified as an individual identification code (個人識別符号, kojin shikibetsu fugō) under APPI Article 2(2) and Cabinet Order No. 507 of 2003, Article 1, item (vi), which lists "individual number set forth in Article 2, paragraph (5) of the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (Act No. 27 of 2013)." This means that under the APPI definitional cascade, information containing a My Number is ipso facto personal information under APPI Article 2(1), item (ii). However, the My Number Act's special provisions immediately displace the APPI handling rules the moment the information qualifies as specific personal information. A foreign business operator or domestic employer that acquires a My Number from an employee or contractor does not apply APPI Article 18's purpose-of-use flexibility or Article 27's third-party-provision consent framework; instead, it must comply with My Number Act Article 20 (restrictions on collection to enumerated statutory purposes), Article 19 (prohibition on provision to third parties except as expressly permitted by law), and the separate security and breach-notification rules in My Number Act Chapter V.

Permitted uses — My Number Act Article 9 statutory enumeration and the prohibition on private-sector free use. My Number Act Article 9(1) provides that "an individual number may be used only within the scope of purposes of use prescribed in or based on this Act." Article 9(2) enumerates the lawful purposes: social-security administration (Article 9(2), items (i)–(ii)), tax administration (item (iii)), and disaster-response measures (item (iv)), each cross-referenced to schedules in the Act and dozens of implementing Cabinet Orders that list specific administrative procedures (e.g., pension enrollment under the Employees' Pension Insurance Act, withholding-tax filings under the Income Tax Act, health-insurance claims under the National Health Insurance Act). Private-sector entities may collect and use My Number only when acting as a statutory withholding agent, social-insurance administrator, or other role defined in the schedules—for instance, an employer collecting My Number to complete Form 給与所得者の扶養控除等申告書 (Employee's Exemption Declaration for Dependents) and submitting it to the National Tax Agency. An employer may not use My Number for general HR record-keeping, customer loyalty programs, or marketing; such uses are flatly prohibited under Article 9(1) and subject to criminal penalties under My Number Act Article 48 (up to four years' imprisonment or a fine of ¥2 million, or both) and Article 51 (up to two years' imprisonment or a fine of ¥500,000, or both, for unauthorized collection or provision).

Stricter acquisition and security obligations — My Number Act Articles 15, 20, and 12. My Number Act Article 15 requires explicit identification and verification when a business operator collects an individual number from a data subject. The operator must confirm (i) that the individual number presented is the correct number assigned to the person (number verification, 番号確認, bangō kakunin), and (ii) that the person is the legitimate holder of that number (identity verification, 身元確認, mimoto kakunin). This is stricter than APPI's acquisition-notice requirement under Article 21; it mandates that the operator inspect an official My Number notification card (通知カード, tsūchi kādo) or My Number card, plus a separate identity document (driver's license, passport, residence card) if the notification card is presented. Many employers and financial institutions use the My Number card itself, which serves both purposes in a single credential.

Article 12 of the My Number Act imposes a heightened security-management obligation on every "business handling individual numbers" (個人番号利用事務実施者 and 個人番号関係事務実施者, collectively covering statutory users and their trustees). The Personal Information Protection Commission and the National Tax Agency have published detailed Guidelines for the Proper Handling of Specific Personal Information (Business Operator Edition) (特定個人情報の適正な取扱いに関するガイドライン(事業者編), last revised June 2026), which require (i) organizational safeguards (appointment of a handling supervisor, limitation of access to need-to-know personnel), (ii) personnel measures (execution of confidentiality agreements, background checks for handling staff when processing large volumes), (iii) physical safeguards (locked cabinets, access-controlled server rooms), and (iv) technical safeguards (encryption of My Number databases, access logging, secure deletion protocols). These requirements are more prescriptive than APPI Article 23's general security-management obligation and apply even to small employers handling fewer than 100 employee My Numbers. Breach of the security obligation can trigger both administrative sanctions (PPC guidance, recommendations, or orders under My Number Act Article 35) and criminal liability under Article 48 (leakage by a person handling specific personal information in the course of duties).

Supervisory-authority split — PPC for APPI, Digital Agency for My Number Act policy, joint enforcement. The Personal Information Protection Commission (個人情報保護委員会, PPC), established under APPI Article 151 as an independent Article 3 commission (三条委員会, san-jō iinkai), has supervisory authority over both the APPI and the My Number Act as they pertain to private-sector personal-information handling. However, policy coordination for the My Number system itself—including the issuance and management of individual numbers, the operation of the My Number Card, and the Information Providing Network System (情報提供ネットワークシステム, the secure inter-agency data-sharing platform under My Number Act Article 21)—is the responsibility of the Digital Agency (デジタル庁, established September 1, 2021, under the Act on the Establishment of the Digital Agency, Act No. 36 of 2021). The Digital Agency formulates My Number policy, promotes My Number Card adoption, and manages the technical infrastructure; the PPC exercises compliance supervision, investigates complaints, and issues administrative guidance and orders to business operators that mishandle specific personal information. This division is set out in the PPC's organizational regulations and the Digital Agency's jurisdiction under its enabling statute, Article 4(1), item (iv), which assigns the Agency "affairs concerning the use of an individual number … and a system to provide information [via the Information Providing Network System]."

Practical scope — who must comply. Every employer in Japan (including foreign-owned subsidiaries and branch offices of foreign corporations) that pays salary or wages to employees must collect the employees' My Numbers to complete statutory withholding-tax and social-insurance filings. Law firms, accounting firms, and other professional-services providers that pay fees to individual contractors (e.g., freelance translators, independent consultants) must collect those individuals' My Numbers to file Form 支払調書 (payment record slips) with the National Tax Agency under Income Tax Act enforcement regulations. Financial institutions (banks, securities firms, life-insurance companies) collect My Numbers from account holders and policyholders for tax-reporting purposes under the Act on the Appropriateness of Procedures for Customer Due Diligence by Financial Institutions (Act No. 22 of 2007, as amended to integrate My Number requirements). Foreign business operators with no establishment in Japan generally do not collect My Number unless they engage in one of the enumerated statutory purposes (e.g., a foreign employer with a Japan branch paying local employees; a foreign fund manager appointed as a qualified institutional investor for Japanese tax purposes). The bright-line rule is: if your activity appears on the My Number Act schedules or a linked Cabinet Order, you are a "business handling individual numbers" (個人番号関係事務実施者, Article 2(13)) and must comply with the full My Number regime, not APPI.

Cross-border transfer prohibition and the absence of an adequacy mechanism. My Number Act Article 19 prohibits the provision of specific personal information to third parties except in narrowly enumerated circumstances (provision within the scope of use permitted under Article 9; provision pursuant to a law or regulation; provision to a successor in a merger or business transfer, subject to purpose continuity). There is no general consent override comparable to APPI Article 27(1), and there is no adequacy-decision or standard-contractual-clauses framework for cross-border transfers of My Number data. In practice, this means that an employer in Japan may not store employee My Number data on a cloud server located outside Japan (e.g., AWS Tokyo Region is permissible; AWS Oregon Region is not) unless the server is operated by a trustee within the scope of an entrustment arrangement under My Number Act Article 10, and the trustee is contractually and technically restricted from accessing the data outside Japan. The PPC's Business Operator Guidelines specify that "in principle, specific personal information should not be taken outside Japan," and offshore processing is permitted only when (i) the foreign trustee is subject to a binding contract imposing My Number Act-equivalent security measures, (ii) the Japanese principal retains supervisory control, and (iii) the data is encrypted in transit and at rest. This is stricter than APPI's Article 28 cross-border framework and reflects the My Number system's design as a domestic administrative infrastructure with minimal international exposure.

Interaction with GDPR and other cross-border regimes. A European subsidiary of a Japanese parent that transfers employee personal data (names, email addresses, job titles) to the Tokyo headquarters for group HR purposes is governed by APPI (including the EU-Japan adequacy bridge) if the data does not include My Number. If the Tokyo headquarters requests My Number from the European subsidiary's Japan-based employees (e.g., employees on secondment who retain Japanese tax residence), that My Number data is specific personal information under the My Number Act and is subject to the My Number Act's transfer restrictions and security requirements, not APPI Article 28. The adequacy decision (Commission Implementing Decision (EU) 2019/419 of 23 January 2019) covers APPI, not the My Number Act; therefore, the Supplementary Rules under the APPI for EU-origin data do not apply to My Number, and the Japanese entity must ensure that My Number remains in Japan. In practice, multinational employers maintain separate systems: a global HRIS that complies with GDPR and APPI for general employee data, and a Japan-only payroll and tax system that holds My Number in an access-restricted database within Japan's borders.

Source: Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures, Act No. 27 of 2013, Articles 1, 2, 9, 12, 15, 19, 20, 48, 51
Source: Act on the Protection of Personal Information, Act No. 57 of 2003, as amended by Act No. 37 of 2021, Articles 2, 58
Source: Cabinet Order to Enforce the Act on the Protection of Personal Information, Cabinet Order No. 507 of 2003, Article 1, item (vi)
Source: Personal Information Protection Commission — Roles and Responsibilities (My Number Act supervision)
