Simuna Infosec
Compliance | 2026-07-10

Act on the Protection of Personal Information (APPI) 2026 Amendments: Key Points Enterprises Should Prepare For

An accurate summary of the amendment trajectory of the APPI, enacted in 2003, and the current state of data protection obligations.

Japan's Act on the Protection of Personal Information (APPI) is the cornerstone of the country's data protection framework. For enterprises handling the personal data of individuals in Japan, understanding the current state of the law — and the amendments now in progress — is essential. This article presents only verified facts.

The Foundations of APPI

The APPI is formally Act No. 57 of 2003 and came into effect in 2003. It has been amended over the years, with significant amendments in 2015 and 2020. The amendments passed in 2020 came into force progressively, with major provisions effective from April 1, 2022.

The law is enforced by the Personal Information Protection Commission (PPC), the regulatory body established under the 2015 amendments. The PPC issues guidelines, conducts investigations, and can impose penalties for violations.

Who APPI Applies To

The APPI applies broadly. It covers Japanese companies handling personal data, as well as foreign companies offering goods or services to, or conducting marketing toward, individuals in Japan. Even small businesses are subject to the law if they process personal data for commercial purposes, regardless of the number of individuals involved.

The 2026 Amendments Now in Progress

The APPI is subject to a review every three years under a supplementary provision of the law. The current review has produced concrete legislative action: the Japanese Cabinet approved a bill on April 6 to significantly amend the APPI, and submitted it to the Diet.

These amendments, commonly referred to as the 2026 amendments, aim to strike a balance between promoting broader data use — including for artificial intelligence development — and introducing stricter rules to address risks such as biometric tracking, misuse of data, and the handling of children's information.

Key changes include expanding the circumstances in which personal data may be used without prior consent (for example, for statistical processing that may include AI training), alongside a restructuring of supervisory provisions that expands the PPC's powers to conduct inspections, issue corrective orders, and impose administrative monetary penalties.

It is important to note the timing: the amended law is estimated to take effect in 2027. Enterprises should track the final enacted text and effective dates rather than assuming the amendments are currently in force.

Implications for Security

The expansion of the PPC's enforcement powers — including inspections and administrative monetary penalties — raises the stakes for organizations that suffer data breaches involving personal information. Demonstrable security controls and regular security testing become more valuable in this environment, both as a preventive measure and as evidence of due diligence.

How Simuna Infosec Helps

Our security assessments help organizations identify and remediate the vulnerabilities that could lead to personal data breaches before they occur. We test the systems that process personal information against real-world attack techniques, providing the documented assurance that a stricter enforcement environment increasingly demands.

*This article reflects publicly available information as of mid-2026. Regulatory details and effective dates evolve; consult qualified legal counsel for compliance decisions.*