In Japan, personal information protection is governed by the Act on Personal Information Protection (Act No. 57 of 2003, as amended).
This paper summarises the main features of Japan’s personal information protection regime as it applies generally to corporate and individual enterprises that collect, retain and store certain personal information of residents of Japan directly, indirectly or incidentally in connection with (a) the conduct of an enterprise or business in Japan and (b) the conduct of an enterprise or business outside Japan when such collection could have an impact on residents of Japan. This paper also describes certain legislative amendments implemented in 2017, which were essential for Japan’s adequacy status under the General Data Protection Regulation.