Japan: What reporting duties for data breaches?
In Japan, businesses must report personal data breaches to the Personal Information Protection Commission (PPC) without delay if the breach poses a risk of harm to individuals’ rights or interests. Notification to affected individuals is also required in certain cases.
What the Law Says
Japan’s Act on the Protection of Personal Information (APPI) sets mandatory reporting duties for data breaches involving personal information. The law requires business operators to assess risk and report promptly when harm to individuals’ rights or interests is likely.
Under the APPI, a business operator who suffers a data breach must promptly notify the Personal Information Protection Commission (PPC) if the breach is likely to harm the rights or interests of individuals. This includes incidents involving unauthorized access, loss, or leakage of personal data.
If the breach affects 100 or more individuals and poses a risk of serious harm (e.g., financial loss, identity theft), the business must also publicly disclose details on its website or through other appropriate means.
Notification to affected individuals is mandatory when the breach creates a risk of damage to their rights or interests — for example, if leaked data includes names, addresses, or credit card numbers.
Statutory Text: A business operator shall, without delay, notify the Commissioner of the Personal Information Protection Commission of any incident involving personal information that is likely to cause harm to the rights or interests of an individual.
— Act on the Protection of Personal Information, s. 23 — Reporting of incidents concerning personal information
Statutory Text: Where a business operator has caused damage to the rights or interests of an individual by failing to take necessary and proper measures for the safe management of personal information… the business operator shall, without delay, notify the individual concerned.
— Act on the Protection of Personal Information, s. 24 — Notification to individuals
What to Do
Assess whether the breach involves personal information and poses a risk of harm to individuals’ rights or interests.
Notify the PPC without delay — ideally within 72 hours of confirming the breach.
If the breach affects 100+ individuals and risks serious harm, publish a public notice on your website.
Notify affected individuals directly if harm (e.g., fraud, discrimination) is reasonably foreseeable.
Document all actions taken, including timing, scope, cause, and remedial measures.
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.