What is the data security obligation?

Key facts

- Main provision: APPI, s. 20
- Record retention: 5 years
- Max fine: ¥1M
- Amendment year: 2022
The Short Answer

In Japan, businesses handling personal information must implement appropriate security measures to prevent leaks, loss, or damage, as required by the Act on the Protection of Personal Information (APPI).

What the Law Says

The Act on the Protection of Personal Information (APPI) imposes mandatory data security obligations on business operators handling personal information in Japan.

Under the APPI, business operators must implement 'necessary and proper' security control measures to prevent leakage, loss, or damage of personal data. These include organizational, human, physical, and technical safeguards aligned with the size and nature of their operations.

Operators must also supervise employees and contractors who handle personal information, and maintain records of data transfers for at least five years. In case of a data breach involving risk of harm, notification to the Personal Information Protection Commission (PPC) is required without delay — generally within 30 days — and to affected individuals if serious harm is likely.

Failure to comply may result in guidance, orders, or administrative penalties, including fines up to ¥1 million for false reporting or refusal to comply with PPC orders.

Statutory Text

"A Business Operator shall take necessary and proper measures for the safe management of personal data."
Act on the Protection of Personal Information, s. 20 (Measures for Safe Management of Personal Data)

"In the event of a leak, loss or damage of personal data… the Business Operator shall promptly notify the Commissioner [of the PPC]."
Act on the Protection of Personal Information, s. 24 (Reporting of Leakage, etc. of Personal Data)

"The Business Operator shall keep records… for a period of five years from the date of termination of the handling of the personal data."
Act on the Protection of Personal Information, s. 25 (Record-Keeping)

What to Do

1. Conduct a risk assessment of your personal data handling processes.

2. Implement organizational, human, physical, and technical security controls per APPI s. 20.

3. Train staff and sign confidentiality agreements with contractors.

4. Keep records of data transfers and retention for at least 5 years (APPI s. 25).

5. Prepare an incident response plan and report breaches to the PPC within 30 days (APPI s. 24).

Sources

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.