Japan

What is pseudonymized info? How differs from anonymized?

s. 2(8)

APPI definition

s. 2(9)

APPI definition

100% irreversib

Anonymization standard

re-identifiable

Pseudonymized trait

The Short Answer

Pseudonymized information in Japan is personal data where identifiers are replaced with pseudonyms, but can still be re-identified using additional information. Anonymized information is irreversibly processed so re-identification is impossible.

What the Law Says

Japan’s Act on the Protection of Personal Information (APPI) defines both pseudonymized and anonymized information in Sections 2(8) and 2(9). These definitions establish the legal threshold for processing, disclosure, and retention.

Pseudonymized information is defined as 'personal information that has been processed so that a specific individual cannot be identified without using other information, and that such other information is managed separately.' It remains subject to most APPI obligations because re-identification is technically possible.

Anonymized information is defined as 'personal information that has been processed so that a specific individual cannot be identified and that such processing is not reversible.' Once properly anonymized, it falls outside the scope of the APPI — meaning no consent or security obligations apply.

The APPI requires anonymized data to meet strict technical and procedural standards set by the PPC (Personal Information Protection Commission), including removal of all identifiers and verification that re-identification is impossible.

Statutory Text
‘Pseudonymously processed information’ means personal information that has been processed so that a specific individual cannot be identified without using other information, and that such other information is managed separately.
— Act on the Protection of Personal Information, s. 2(8) — Definition of pseudonymously processed information

Statutory Text
‘Anonymously processed information’ means personal information that has been processed so that a specific individual cannot be identified and that such processing is not reversible.
— Act on the Protection of Personal Information, s. 2(9) — Definition of anonymously processed information

What to Do

Confirm whether your data processing qualifies as pseudonymization (reversible, separate key management) or anonymization (irreversible, no residual identifiers).

For pseudonymized data: comply with full APPI obligations (consent, security, breach reporting, etc.).

For anonymized data: verify compliance with PPC Guidelines and retain documentation proving irreversibility.

Anonymized data may be retained indefinitely, but must be re-evaluated every 3 years per PPC rules to confirm continued anonymity.

Sources

statuteAct on the Protection of Personal Information, s. 2(8) — Definition of pseudonymously processed information statuteAct on the Protection of Personal Information, s. 2(9) — Definition of anonymously processed information guidelinePPC Guidelines on Anonymously Processed Information (2022)

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.