Japan’s APPI and Foreign Companies
Japan’s Act on the Protection of Personal Information (APPI) can apply to foreign companies that have no physical presence in Japan. If you run an e-commerce site or SaaS with users in Japan, or hold data on employees or applicants residing in Japan, you may be subject to the APPI even if you do not think of yourself as operating "in Japan." This guide focuses on the data breach reporting obligations that foreign companies most need to understand.
Extraterritorial Reach (Who Is Covered)
The APPI applies to any business that handles the personal data of individuals located in Japan, regardless of where the business itself is located. This is its extraterritorial reach.
- There is no threshold based on size, such as revenue or headcount
- Even the personal data of a single resident of Japan can trigger obligations
- Foreign companies with no office or subsidiary in Japan can still be covered
The starting point is that "we have no legal entity in Japan, so this does not concern us" can be a mistaken assumption. See our glossary entry on the Personal Information Protection Act for the underlying framework.
Free Tool Related to This Article
Contract Risk Checker
Try our free simulator related to this topic.
Try for free →The Four Reportable Breach Categories
When a leakage, loss, or damage of personal data (collectively, a "breach") occurs, an obligation to report to the Personal Information Protection Commission (PPC) arises if the breach falls into any one of the following four categories.
- (a) Involving sensitive personal information: where the data includes information requiring special care, such as race, creed, medical history, or criminal record
- (b) Risk of financial harm from wrongful use: for example, the leakage of credit card numbers
- (c) Caused by an act with wrongful intent: such as an external cyberattack or an insider's improper removal of data
- (d) Affecting more than 1,000 individuals: where the number of affected data subjects exceeds 1,000
Meeting any single category triggers the reporting obligation. Note that even a small number of records must be reported if the breach falls under (a) through (c).
Two-Stage Reporting to the PPC
Reporting to the PPC is split into two stages: a preliminary report and a final report.
Preliminary Report
This must be made promptly after becoming aware of the breach. Under the guidelines, a company is generally expected to file within roughly 3 to 5 days. At this stage, the information known so far is sufficient.
Final Report
A report covering the facts and preventive measures must generally be made within 30 days. However, where sensitive personal information is involved (a breach caused by an act with wrongful intent), the deadline is extended to 60 days.
For foreign companies, the practical priority is to build the "roughly 3 to 5 days" speed of the preliminary report into their incident-response procedures in advance.
Notification to Affected Individuals
In addition to reporting to the PPC, notification to the affected individuals is generally required.
- Notification should be made promptly, depending on the circumstances of the incident
- Where notifying individuals is difficult and the company takes alternative measures (such as a public announcement) to protect the rights and interests of the individuals, an exception allows those measures in place of direct notification
Penalties and the 2026 Reform
Current Penalties
An APPI violation can be subject to an order from the PPC. Violating such an order carries a fine of up to JPY 1 million for an individual and up to JPY 100 million for a company (with the heavier penalty applying to corporations).
The 2026 Reform
Momentum toward reform has been building in 2026.
- January 9, 2026: The PPC published its policy direction for reforming the system
- April 7, 2026: The Cabinet approved a bill that includes the introduction of a surcharge (a direct administrative monetary penalty for violations)
If enacted during 2026, the reform is expected to take effect around 2028. Beyond the existing penalties for disobeying an order, the direction is to add an administrative monetary sanction for the violation itself, increasing the compliance stakes for foreign companies.
Practical Steps for Foreign Companies
Below is a checklist of what foreign companies should do, both in ordinary times and when a breach occurs.
- (a) Confirm applicability: take stock of whether you handle the personal data of individuals in Japan
- (b) Prepare procedures in advance: build incident-response procedures that incorporate the reporting deadlines (roughly 3–5 days for the preliminary report; 30 / 60 days for the final report)
- (c) Categorize the breach: when a breach occurs, promptly determine which of the four categories above it falls under
- (d) File the preliminary report: submit the preliminary report to the PPC within roughly 3 to 5 days
- (e) Notify individuals: notify affected individuals promptly (and consider whether alternative measures are needed)
- (f) File the final report: submit the final report generally within 30 days (or 60 days where sensitive personal information is involved)
- (g) Consider a local contact or representative: consider appointing a point of contact or representative in Japan
Summary
The APPI’s breach reporting obligations can reach foreign companies with no base in Japan. The core framework is extraterritorial reach with no size threshold, the four reportable categories, the two-stage reporting deadlines to the PPC (roughly 3–5 days for the preliminary report; 30 days for the final report, or 60 days for sensitive data), and notification to affected individuals. With the 2026 reform advancing toward a surcharge system, the risks for foreign companies are trending upward. Because the assessment of the facts and the management of deadlines can determine the outcome in any specific case, we recommend consulting a professional at an early stage.