Data protection with EU adequacy and strong business norms — but wiretap law exists and government access is opaque.
APPI protects personal information held by businesses, has an EU adequacy decision allowing free data flow, and Japanese corporate culture generally results in conservative data handling — though government surveillance capabilities exist.
APPI (2003, fully revised 2022) requires businesses to specify purposes of data use, obtain consent for third-party sharing, provide access and correction rights, and report breaches. The Personal Information Protection Commission (PPC) enforces it. Penalties increased in 2022: up to 100M yen ($700K) for corporations and 1 year of imprisonment for individuals. 'Sensitive personal information' (race, beliefs, medical, criminal record) requires explicit consent.
Japan's Wiretap Law (1999, expanded 2016) allows interception of communications for serious crimes with a court order. The 2016 expansion removed the requirement for police to be physically present at telecom facilities during wiretaps. Intelligence gathering by the Cabinet Intelligence and Research Office (CIRO) and the Directorate for Signals Intelligence (DFS) is less transparent. Japan participates in the 'Five Eyes Plus' intelligence sharing arrangement (not a full member but a close partner). Edward Snowden revealed NSA collaboration with Japan's DFS.
In practice, Japanese companies tend to be conservative with data. Sony, Toyota, Nintendo, Panasonic, and others typically collect less than their American or Chinese counterparts — partly cultural (privacy as social norm), partly regulatory (PPC enforcement), partly reputational (data breaches cause severe brand damage in Japan). This doesn't mean zero risk — Line (messaging app, 92M Japanese users) was found in 2021 to have allowed engineers in China to access Japanese user data.
Japan received an EU adequacy decision in 2019 — the EU considers Japanese data protection essentially equivalent to GDPR. This means data flows freely between Japan and the EU without additional safeguards. The adequacy decision was based on PPC enforcement, APPI's rights, and supplementary rules Japan adopted for EU data. This is a strong signal: the EU assessed Japanese surveillance laws and found them acceptable.