Japan is the third-largest software market in the world. If your SaaS serves Japanese businesses or consumers — or even Japanese employees working for international companies — Japan's Act on the Protection of Personal Information (APPI) applies to you.
APPI was significantly strengthened by the 2022 amendments (fully in force since April 2022) and brought Japan much closer to GDPR standards. Japan has also received a mutual adequacy decision from the EU, which simplifies EU–Japan data transfers. But APPI has its own distinct requirements you need to understand.
Does APPI apply to your SaaS?
APPI applies to any business operator that handles personal information — including businesses outside Japan if they collect personal information from data subjects located in Japan in connection with goods or services supplied to those subjects. This extraterritorial provision, added in 2022, is modelled on GDPR's approach.
Practical test: if Japanese users can sign up for your SaaS, purchase your product, or access your service — APPI likely applies.
The Personal Information Protection Commission (PPC) is Japan's national DPA, established in 2016.
Key definitions: what counts as personal information?
Under APPI, "personal information" means information relating to a living individual that falls into either of two categories:
- Information containing a name, date of birth, or other description that can identify the specific individual
- Information containing a personal identification code — a statutory concept covering passport numbers, driver's licence numbers, insurance card numbers, fingerprints, face recognition data, and certain other biological data
APPI also recognises "specially considered personal information" (yōhairyo kojin jōhō) — equivalent to GDPR's special category data — covering race, creed, social status, medical history, criminal record, and disability status. This data gets heightened protection (collection requires explicit consent; no third-party provision without consent in most cases).
APPI vs GDPR: key comparison table
| Topic | GDPR | APPI (2022+) |
|---|---|---|
| Extraterritorial scope | Yes — Art. 3 applies to EU residents regardless of controller location | Yes (since 2022) — applies to foreign businesses supplying services to individuals in Japan |
| Legal basis required? | Yes — one of 6 bases required for all processing (Art. 6) | Consent-centric for third-party disclosure; lawful basis for collection not formally specified (purpose specification + appropriateness implied) |
| Purpose limitation | Strong — Art. 5(1)(b), further processing compatibility test | Yes — purpose must be specified as precisely as possible; change of use requires notice and opt-out opportunity |
| Transparency / notice | Comprehensive — Arts. 13–14 disclosure requirements | Required — purpose of use must be notified or made public at or before collection; privacy policy typically satisfies this |
| Consent | One of 6 bases; not required for all processing | Required for third-party disclosure (with exceptions); required for specially considered PI; opt-out acceptable for some third-party sharing |
| Data subject rights | Access, rectification, erasure, restriction, portability, objection | Disclosure of use, correction, cessation of use, deletion, cessation of third-party provision, portability (added 2022) |
| Breach notification | 72 hours to DPA (Art. 33); individuals if high risk (Art. 34) | Report to PPC "as soon as possible" (guideline: within 3–5 days of discovery); notify affected individuals "without delay" for high-risk breaches |
| International transfers | Adequacy, SCCs, BCRs, derogations | Consent, adequacy (EU, UK, others), equivalent protection measures, or PPC-approved framework |
| DPO requirement | Mandatory for certain controllers/processors (Art. 37) | No mandatory DPO; internal compliance manager (Kojin Joho Hogo Manager) recommended but not legally required |
| Maximum fines | €20M or 4% of global annual turnover (whichever higher) | Up to ¥100M (~€600K) for businesses; criminal penalties (fines + imprisonment) for individuals; lower than GDPR but materially increased in 2022 |
| Record keeping | Art. 30 Records of Processing Activities (RoPA) for most controllers | Third-party provision records must be kept (record of who you share data with and when) — similar obligation to GDPR RoPA for sharing activities |
The EU–Japan mutual adequacy decision
In January 2019, the EU and Japan issued mutual adequacy decisions. This means:
- EU personal data can flow to Japan without SCCs or other transfer mechanisms, as long as the Japanese recipient is subject to APPI and the additional safeguards in the EU Commission decision (which add GDPR-equivalent protections to APPI, especially for sensitive data and data subject rights).
- Japanese personal data can flow to the EU without additional transfer measures.
This is significant for SaaS: if you are an EU-based controller sending data to a Japanese sub-processor or customer, the adequacy decision covers the transfer. The adequacy decision was reviewed and renewed in 2024 and remains valid.
Key APPI obligations for SaaS founders
1. Purpose specification
You must specify the purpose of use as precisely as possible at or before collection. A general statement like "to provide services" is not sufficient. Your Privacy Policy should specify what you do with each category of data (account management, billing, email communications, analytics, customer support).
2. Third-party disclosure requires consent
Unlike GDPR (which has multiple lawful bases for sharing), APPI generally requires consent to provide personal information to a third party. Exceptions include:
- Sharing within scope of purpose of use (controversial; seek advice)
- Outsourcing (委託) — sharing with a service provider to fulfil your purpose is not "third-party provision" if the provider is acting as your processor and you have a contract. This is the APPI equivalent of the controller-processor relationship.
- Business succession (merger/acquisition)
- Joint use (共同利用) — a concept with no direct GDPR equivalent: you can share data among a defined group of businesses without consent if you publicly disclose the joint use, the data categories shared, the businesses in the group, and who is responsible for managing the data.
3. Breach notification (2022 amendment)
A significant 2022 change: breach notification to the PPC is now mandatory (previously recommended). Breaches triggering notification include: leakage of sensitive information, leakage likely to lead to economic loss, intentional leakage by a third party, and breaches affecting a large number of individuals (1,000+).
Timeline: report to PPC "as soon as possible" (PPC guidance suggests within 3–5 business days of awareness of the high-risk breach); notify affected individuals "without delay" for high-risk breaches. This is stricter in some respects than GDPR's 72-hour rule for DPA reporting but more flexible in others.
4. Anonymised information (匿名加工情報)
APPI has a specific concept of "anonymised information" — data processed to remove all identifying elements such that the individual cannot be re-identified. Once properly anonymised, the data can be used without the normal APPI restrictions. This is useful for analytics and AI training data. However, the anonymisation standards are strict and must be documented.
5. Pseudonymously processed information (仮名加工情報)
Added in 2022: a new category for internal use. Data can be pseudonymised for internal analysis without being fully anonymised — but it cannot be provided to third parties. Similar to GDPR pseudonymisation, but with a formal regulatory framework.
Practical APPI compliance checklist for SaaS
- ✅ Update your Privacy Policy to specify purposes precisely (not generic "to provide services")
- ✅ Add a Japanese-language version of your Privacy Policy (or a Japanese summary) if you have significant Japanese users
- ✅ Review third-party sharing: identify what requires consent vs what is covered by the outsourcing exemption
- ✅ Sign data processing contracts (consignment agreements / 委託契約) with any sub-processors handling Japanese personal data
- ✅ Update your breach response plan to cover PPC notification within the APPI timeline
- ✅ Add data portability and cessation-of-use rights to your user rights section
- ✅ Keep records of any third-party provision of personal data (name of third party, date, data category)
- ✅ For EU→Japan transfers: rely on the EU–Japan adequacy decision (no SCCs needed)
Generate your compliance foundation
ComplyKit's free generators can help you build the core documents:
- Privacy Policy Generator — covers purpose specification, data subject rights, and third-party disclosures for APPI compliance
- GDPR DPA Generator — adapt for APPI outsourcing agreements with sub-processors handling Japanese data
- Sub-Processor List Generator — APPI equivalent of GDPR sub-processor disclosure
- Incident Response Plan Generator — covers breach notification workflows including PPC notification
For more global privacy law comparisons, see our guides on CCPA vs GDPR, GDPR vs LGPD (Brazil), and PIPEDA vs GDPR (Canada).