In 2015, Japan passed its Act on the Protection of Personal Information. This data protection legislation established the Personal Information Protection Commission. The PPC works with government ministries to set guidelines on how to handle personal information; data breaches; data transfers to foreign countries; and data anonymization.
Specific guidelines also regulate how personal genetic data; credit information; and healthcare records are to be protected.
Data cannot be transferred to third parties unless the person concerned consents, but there are exceptions including those to protect the public health. Data transfers can proceed if no response has been received during an opt out period and notification has been provided.
An initial exemption for businesses which handle the data of less than 5,000 people was repealed in 2017.
The APPI can apply when foreign businesses acquire the personal data of Japanese citizens in order to provide goods and services in Japan.