Japan
Home to a secret 1,700-person SIGINT agency most government officials don’t know about, $500M+ in NSA operations on Japanese soil, and no independent intelligence oversight
Overview
Japan’s Directorate for Signals Intelligence (DFS) operates ~1,700 personnel across at least six surveillance facilities conducting around-the-clock interception, with no independent oversight body — most Japanese government officials are kept in the dark about its activities. The DFS received the NSA’s XKeyscore (April 2013) and Japan has financed over $500 million in NSA operations on Japanese soil. Japan participates in Five Eyes Plus (since January 2020) but initially declined SSPAC membership. CIRO is being upgraded to a National Intelligence Bureau by mid-2026, with an external intelligence agency planned by end of FY2027.[1][2]
On the civilian side, the APPI (Act on the Protection of Personal Information, three-year review cycle) earned Japan the first EU mutual adequacy decision (January 2019). The Active Cyber Defense Act (May 2025) authorises pre-emptive cyber operations and government access to telecommunications metadata via agreements with critical infrastructure operators. Japan has no mandatory data retention law.[3]
Privacy Framework
The PPC (Personal Information Protection Commission) enforces the APPI through a guidance-first approach with escalation to orders and criminal prosecution. Article 13 of the Constitution (right to pursue happiness) is interpreted to include a right to privacy. The APPI’s third mandatory three-year review (initiated November 2023) proposes introducing administrative monetary penalties, injunctive relief, strengthened minors’ protection, and mandatory privacy impact assessments. The Communications Interception Act (1999) requires judicial warrants for wiretapping, limited to specific organised crime offences. The Specially Designated Secrets Act (2013) criminalises disclosure of classified information (up to 10 years imprisonment).[3][4]
Surveillance and Intelligence
Japan lacks a comprehensive intelligence authorisation statute. Each agency operates under separate legal authority with no independent oversight body reviewing operations across agencies.[5]
DFS (Directorate for Signals Intelligence)
Japan’s secret SIGINT agency (~1,700 personnel), revealed by The Intercept in 2017–2018 based on Snowden documents. The MALLARD programme (Tachiarai base, northern Kyushu) collected ~200,000 internet sessions per week (stored two months). NSA provided XKeyscore in April 2013. Japan financed $500M+ in NSA facilities including at least three NSA bases. The Misawa Security Operations Center (LADYLOVE) uses ~12 antenna domes for satellite interception across the Asia-Pacific. Operations are “so highly classified that the Japanese government has disclosed little about its work” with “no independent oversight.”[1][6]
Other Intelligence Agencies
CIRO (~170 agents): Principal civilian intelligence body under the Cabinet Secretariat, operating surveillance satellites. Upgrading to National Intelligence Bureau by mid-2026. DIH (Defence Intelligence Headquarters, est. 1997): 19 ground-based SIGINT stations; expanding beyond SIGINT to IMINT, HUMINT, and OSINT. PSIA (Public Security Intelligence Agency, est. 1952): Investigates organisations threatening the democratic system. NPA Security Bureau: Contains classified signals unit “YAMA” with access to intercepts.[7][8]
Muslim Surveillance Program
In 2010, 114 leaked police files revealed systematic religious profiling of at least 72,000 residents from OIC countries, including ~1,600 school students. The Tokyo Metropolitan Police’s “mosque squad” (43 agents) surveilled mosques and compiled databases. The Supreme Court dismissed plaintiffs’ appeal (May 2016), effectively confirming the programme’s legality.[9]
Internet Infrastructure and Cable Surveillance
Japan is the telecommunications hub for nearly all US-Asia bandwidth. At least 20 international cable landing stations serve ~30 cable systems. 99% of international communications depend on subsea cables, with 80%+ of data centres in Tokyo/Osaka. Major IXPs: JPNAP (five networks), JPIX, and BBIX (SoftBank subsidiary). Major transpacific cables include Pacific Crossing-1, FASTER, NCP, JUPITER, and Topaz.[10]
Japan’s position as the primary US-Asia cable hub makes its landing stations strategically significant for intelligence. The DFS operates interception capabilities at cable chokepoints. The Active Cyber Defense Act (2025) enables government agreements with critical infrastructure operators (including NTT Communications, which dominates Japan’s backbone and international cable infrastructure) to receive and analyse telecommunications metadata.[10][11]
Commercial Surveillance
NEC Corporation: 1,000+ active biometric systems in 70+ countries, “Safer Cities” predictive policing suite, US DHS $23.9M contract, and technology underpinning India’s Aadhaar. Cellebrite (majority-owned by Japan’s Sun Corporation): adopted by NPA, Metropolitan Police, prosecutors, and customs. Domestic facial recognition: JR East deployed across 8,350 cameras at 110+ stations (July 2021) targeting ex-prisoners, parolees, and “suspicious” persons. Japan is a founding Wassenaar Arrangement member for dual-use export controls and is considering restricting facial recognition exports to China.[12][13]
Data Retention
Japan has no mandatory data retention law. Operators define their own retention periods, which must be “within the period needed for the purposes of use.” The Active Cyber Defense Act (2025) introduced government access to telecommunications metadata via operator agreements — the most significant expansion of government access since the 1999 Communications Interception Act.[11]
International Data Sharing Agreements
Five Eyes Plus
Japan initially declined SSPAC membership, citing disclosure risk. Since January 2020, it participates in “Five Eyes Plus” with Five Eyes, France, and South Korea for intelligence on North Korea and China. Discussion of formal “Six Eyes” membership continues but has not materialised.[2]
Mutual Legal Assistance
Japan’s MLAT/MLAA partners: United States (signed August 5, 2003 — Japan’s first bilateral MLAT — in force July 21, 2006), South Korea, China, Hong Kong SAR, Russia, and Vietnam. Japan also signed an EU-Japan MLA agreement — the first “self-standing” MLA agreement between the EU and a non-EU country. Japan can also provide assistance without a treaty based on the principle of reciprocity.[14]
US-Japan Security Alliance
The 1960 Treaty of Mutual Cooperation and Security, supplemented by the GSOMIA (2007) for classified military information, drives extensive intelligence sharing on China, Russia, and North Korea. Japan maintains separate intelligence-sharing agreements with Australia (2012), the UK (Hiroshima Accord), and France. A US-Japan-Australia trilateral intelligence arrangement was signed in 2016. Japan-South Korea GSOMIA (2016): first bilateral intelligence-sharing agreement since the 1945 liberation, focused on North Korean threats.[15][16]
Multilateral Frameworks
Interpol: NPA serves as National Central Bureau. Egmont Group: JAFIC participates (FATF: compliant/largely compliant on 39/40 Recommendations). APEC CBPR and Global CBPR Forum member. EU mutual adequacy (January 2019).[17]
The Privacy Backdoor Effect
Despite PPC enforcement and EU adequacy, alternative access pathways exist:
- Five Eyes Plus: Intelligence sharing with access to partner nations’ collection capabilities
- NSA on Japanese soil: $500M+ investment, XKeyscore deployed to DFS, at least three NSA bases
- US-Japan MLAT: Law enforcement data requests through bilateral treaty
- Cable hub: Primary US-Asia telecommunications hub exposing transiting communications to interception
- Active Cyber Defense Act: Government metadata access via operator agreements at cable chokepoints
Recent Developments
Intelligence Reform (2025–2027): CIRO upgrading to National Intelligence Bureau (mid-2026). External intelligence agency planned by end of FY2027. New ministerial intelligence post. Anti-espionage legislation under consideration; HRW warned it “would need to respect rights.”[18]
Active Cyber Defense Act Enacted (May 2025): Authorises pre-emptive cyber operations including neutralising attacker infrastructure abroad. Government metadata access via critical infrastructure operator agreements.[11]
MirrorFace Campaign (January 2025): NPA attributed 200+ cyberattacks (2019–2024) to Chinese APT10 subgroup MirrorFace, targeting MoD, MoFA, JAXA, Japan Airlines, politicians, journalists, and semiconductor firms.[19]
Economic Security Clearance Act (May 2025): Security clearance system for economic security information. Up to 5 years imprisonment for unauthorised disclosure. Enables participation in allied joint development projects.[20]
APPI Review: Third mandatory review proposes administrative monetary penalties, injunctive relief, minors’ protection, and mandatory PIAs. Amendment expected 2025–2026.[4]
