Corporate Law- View allLast updated: 2026-07-195 min readLawyer-Reviewed

Japan APPI Data Breach Reporting: A Guide for Foreign Companies (Deadlines & Notification)

Key Takeaways

  • The APPI applies to any business handling the personal data of individuals in Japan, regardless of the company’s location or size (extraterritorial reach)
  • Reporting is triggered by four breach categories (sensitive data / risk of financial harm from misuse / breaches caused by wrongful intent / more than 1,000 individuals)
  • Reporting to the PPC is two-stage (prompt preliminary report; final report within 30 days, or 60 days for sensitive data)
  • Notification to affected individuals is generally required; violating a PPC order can carry a fine of up to JPY 100 million for a company
Share this article

Japan’s APPI and Foreign Companies

Japan’s Act on the Protection of Personal Information (APPI) can apply to foreign companies that have no physical presence in Japan. If you run an e-commerce site or SaaS with users in Japan, or hold data on employees or applicants residing in Japan, you may be subject to the APPI even if you do not think of yourself as operating "in Japan." This guide focuses on the data breach reporting obligations that foreign companies most need to understand.

Extraterritorial Reach (Who Is Covered)

The APPI applies to any business that handles the personal data of individuals located in Japan, regardless of where the business itself is located. This is its extraterritorial reach.

  • There is no threshold based on size, such as revenue or headcount
  • Even the personal data of a single resident of Japan can trigger obligations
  • Foreign companies with no office or subsidiary in Japan can still be covered

The starting point is that "we have no legal entity in Japan, so this does not concern us" can be a mistaken assumption. See our glossary entry on the Personal Information Protection Act for the underlying framework.

Free Tool Related to This Article

Contract Risk Checker

Try our free simulator related to this topic.

Try for free →

The Four Reportable Breach Categories

When a leakage, loss, or damage of personal data (collectively, a "breach") occurs, an obligation to report to the Personal Information Protection Commission (PPC) arises if the breach falls into any one of the following four categories.

  • (a) Involving sensitive personal information: where the data includes information requiring special care, such as race, creed, medical history, or criminal record
  • (b) Risk of financial harm from wrongful use: for example, the leakage of credit card numbers
  • (c) Caused by an act with wrongful intent: such as an external cyberattack or an insider's improper removal of data
  • (d) Affecting more than 1,000 individuals: where the number of affected data subjects exceeds 1,000

Meeting any single category triggers the reporting obligation. Note that even a small number of records must be reported if the breach falls under (a) through (c).

Two-Stage Reporting to the PPC

Reporting to the PPC is split into two stages: a preliminary report and a final report.

Preliminary Report

This must be made promptly after becoming aware of the breach. Under the guidelines, a company is generally expected to file within roughly 3 to 5 days. At this stage, the information known so far is sufficient.

Final Report

A report covering the facts and preventive measures must generally be made within 30 days. However, where sensitive personal information is involved (a breach caused by an act with wrongful intent), the deadline is extended to 60 days.

For foreign companies, the practical priority is to build the "roughly 3 to 5 days" speed of the preliminary report into their incident-response procedures in advance.

Notification to Affected Individuals

In addition to reporting to the PPC, notification to the affected individuals is generally required.

  • Notification should be made promptly, depending on the circumstances of the incident
  • Where notifying individuals is difficult and the company takes alternative measures (such as a public announcement) to protect the rights and interests of the individuals, an exception allows those measures in place of direct notification

Penalties and the 2026 Reform

Current Penalties

An APPI violation can be subject to an order from the PPC. Violating such an order carries a fine of up to JPY 1 million for an individual and up to JPY 100 million for a company (with the heavier penalty applying to corporations).

The 2026 Reform

Momentum toward reform has been building in 2026.

  • January 9, 2026: The PPC published its policy direction for reforming the system
  • April 7, 2026: The Cabinet approved a bill that includes the introduction of a surcharge (a direct administrative monetary penalty for violations)

If enacted during 2026, the reform is expected to take effect around 2028. Beyond the existing penalties for disobeying an order, the direction is to add an administrative monetary sanction for the violation itself, increasing the compliance stakes for foreign companies.

Practical Steps for Foreign Companies

Below is a checklist of what foreign companies should do, both in ordinary times and when a breach occurs.

  • (a) Confirm applicability: take stock of whether you handle the personal data of individuals in Japan
  • (b) Prepare procedures in advance: build incident-response procedures that incorporate the reporting deadlines (roughly 3–5 days for the preliminary report; 30 / 60 days for the final report)
  • (c) Categorize the breach: when a breach occurs, promptly determine which of the four categories above it falls under
  • (d) File the preliminary report: submit the preliminary report to the PPC within roughly 3 to 5 days
  • (e) Notify individuals: notify affected individuals promptly (and consider whether alternative measures are needed)
  • (f) File the final report: submit the final report generally within 30 days (or 60 days where sensitive personal information is involved)
  • (g) Consider a local contact or representative: consider appointing a point of contact or representative in Japan

Summary

The APPI’s breach reporting obligations can reach foreign companies with no base in Japan. The core framework is extraterritorial reach with no size threshold, the four reportable categories, the two-stage reporting deadlines to the PPC (roughly 3–5 days for the preliminary report; 30 days for the final report, or 60 days for sensitive data), and notification to affected individuals. With the 2026 reform advancing toward a surcharge system, the risks for foreign companies are trending upward. Because the assessment of the facts and the management of deadlines can determine the outcome in any specific case, we recommend consulting a professional at an early stage.

Free Tools for This Area

Share this article
This article provides general legal information and does not constitute legal advice. For specific legal issues, please consult with a qualified attorney.

Related Articles

Foreign Company Entering Japan: Choosing an Entity Type and the Governing Law of Your Contracts

How a foreign company can enter Japan: the differences among a representative office, a branch, and a subsidiary; comparing the KK and GK company forms; designing the governing law and dispute resolution of local contracts; inward direct investment filings under the Foreign Exchange Act; industry-specific licenses; and the practical steps.

Corporate Liability for Data Breaches in Japan: Response Obligations and Damages

Corporate legal obligations when personal data breaches occur in Japan under the APPI.

Personal Data Breach Notification in Japan: APPI Obligations and Response Procedures

Japan's mandatory breach notification obligations under the amended APPI: which incidents trigger reporting, timelines, content requirements, and best practices.

Can You Commercially Use Generative AI Output in Japan? Copyright Article 30-4 and Output-Stage Risk

Whether you can commercially use generative AI output in Japan, from a copyright standpoint: how Article 30-4 relaxes the training stage and its proviso, the distinction between training and output, the reliance-plus-similarity test that applies at the output stage, mixed enjoyment purposes, the Agency for Cultural Affairs’ view, and practical steps.

Starting a Business in Japan: KK vs LLC Comparison

Comparing stock corporations (KK) and limited liability companies (GK/LLC) for business formation in Japan.

Director Liability in Japan: Duties, Obligations, and Risks

Guide to director duties and liability in Japanese corporate law, including fiduciary duties and shareholder derivative suits.

Related Q&A

Related Legal Terms

Recommended Articles

Lawyer-Reviewed

Consult a Legal Professional Early

This article provides general information; outcomes vary by specific circumstances. Contact your local bar association for case-specific advice.

JFBA Consultation Guide