Japan
Asia’s first EU mutual adequacy partner, operating a secret 1,700-person signals intelligence agency with no independent oversight
Overview
Japan’s privacy landscape is defined by a contradiction between its civilian data protection framework and its intelligence apparatus. The Act on the Protection of Personal Information (APPI), enforced by the independent Personal Information Protection Commission (PPC), earned Japan the first mutual adequacy decision with the EU in January 2019. Article 13 of the Japanese Constitution (the right to pursue happiness) has been interpreted by courts to include a right to privacy. The APPI operates on a mandatory three-year review cycle, making it one of the most regularly updated data protection frameworks in the world.[1]
Behind this civilian framework, Japan operates a secret signals intelligence agency — the Directorate for Signals Intelligence (DFS) — with approximately 1,700 personnel and at least six surveillance facilities conducting around-the-clock interception. The DFS received the NSA’s XKEYSCORE system in April 2013, and Japan has funneled over $500 million to finance NSA facilities and operations on Japanese soil. The DFS operates under such deep classification that most Japanese government officials are kept in the dark about its activities, and no independent oversight body reviews its operations.[2]
Japan initially declined membership in SSPAC (SIGINT Seniors of the Pacific), citing the risk that disclosure of its participation would be too high. Since January 2020, Japan participates in a “Five Eyes Plus” intelligence-sharing arrangement with the Five Eyes, France, and South Korea, focused on North Korea and China. A major intelligence reform is underway: CIRO will be upgraded to a National Intelligence Bureau by mid-2026, and an external intelligence agency is planned by the end of FY2027.[3]
Data Protection Authority: PPC
The Personal Information Protection Commission (PPC) was established on January 1, 2016, as an independent body under the Cabinet Office. The PPC replaced the fragmented system in which each ministry supervised data protection within its own sector. The Commission consists of a chairperson and eight commissioners appointed by the Prime Minister with Diet consent.[4]
Enforcement Approach
The PPC’s enforcement relies primarily on administrative guidance rather than monetary penalties. In FY2024, the PPC brought 67 cases requiring operators to report and submit materials, and issued guidance or advice in 395 cases. The APPI currently provides no administrative fines; enforcement escalates from guidance to recommendations to orders, with criminal penalties (up to one year imprisonment or ¥1 million for individuals, up to ¥100 million for corporations) only for violations of PPC orders. A proposed amendment introducing administrative monetary penalties (kacho-kin) is under review for the 2025–2026 APPI revision cycle.[5]
Notable Enforcement Actions
| Date | Entity | Action | Details |
|---|---|---|---|
| 2014 | Benesse Holdings | Administrative guidance | 35.04 million customer records stolen by contractor employee; largest data breach in Japanese history at the time[6] |
| 2021 | LINE Corporation | Administrative guidance | Personal data of Japanese users accessible from subsidiary in China; data stored on South Korean servers without adequate disclosure[7] |
| 2023 | NTT West | Administrative guidance | 9 million customer records exfiltrated by contractor over 10 years[8] |
| 2025 | Sompo Japan Insurance | Under investigation | Breach affecting 7.27 million customer records[9] |
| 2025 | Asahi Group Holdings | Under investigation | Qilin ransomware attack compromising 1.5 million individuals’ data[9] |
The absence of administrative fining power distinguishes the PPC from its European counterparts and is a central issue in the ongoing APPI review. The proposed kacho-kin system would bring Japan’s enforcement model closer to the GDPR’s financial penalty regime.[5]
Key Legislation
Act on the Protection of Personal Information (APPI)
The APPI (Act No. 57 of 2003) is Japan’s comprehensive data protection law. Originally enacted in 2003, it was substantially revised in 2015 (creating the PPC, introducing anonymized data processing) and in 2020 (effective April 2022; strengthened individual rights, increased penalties, introduced pseudonymized processing, tightened cross-border transfer rules), and is currently undergoing its 2024–2025 review (third mandatory three-year review cycle).[1]
Key provisions include: data subject rights to disclosure, correction, and cessation of use; purpose limitation; consent requirements for sensitive personal information (race, creed, social status, medical history, criminal record); cross-border transfer restrictions requiring consent, adequacy, or equivalent safeguards; and mandatory breach notification to the PPC within 3–5 days for qualifying incidents.[10]
EU-Japan Mutual Adequacy Decision
On January 23, 2019, the European Commission adopted an adequacy decision for Japan — the first mutual adequacy arrangement, as Japan simultaneously recognized the EU as providing adequate protection. The decision was supported by Supplementary Rules adopted by the PPC to bridge gaps between the APPI and GDPR (covering sensitive data, purpose limitation, retention limitation, and onward transfers). The adequacy decision was reviewed and reaffirmed in April 2023.[11]
Communications Interception Act (1999)
The Act on Wiretapping for Criminal Investigation (Act No. 137 of 1999) made Japan the last G8 nation to legalize wiretapping. Interception requires a judicial warrant from a district court judge, with a maximum warrant period of 10 days. The Act was originally limited to four crime categories: narcotics, firearms, organized smuggling, and organized murder. A 2016 amendment significantly expanded eligible offenses and enabled real-time encrypted transfer of intercepted communications to investigators’ computers, eliminating the prior requirement for telecommunications personnel to be present during interception.[12]
Specially Designated Secrets Act (2013)
The SDS Act (Act No. 108, effective December 10, 2014) allows classification of information across four categories: defense, foreign relations, counter-espionage, and counter-terrorism. The maximum classification period is 30 years, extendable with Cabinet approval. Unauthorized disclosure carries up to 10 years imprisonment and a ¥10 million fine. Critics argued the Act lacks a public interest override and provides no whistleblower protection.[13]
Active Cyber Defense Act (2025)
The Act was enacted on May 16, 2025, with full implementation expected by November 2027. It rests on four pillars: public-private cooperation on threat sharing, government access to internet communications metadata for threat analysis, authority to neutralize attacker infrastructure abroad (a fundamental shift from Japan’s historically defensive posture), and organizational restructuring. The Act allows the government to enter agreements with critical infrastructure operators to receive and analyze telecommunications data.[14]
My Number System
The My Number system assigns a 12-digit identification number to every resident of Japan, linking tax administration, social security, and disaster response records. Health insurance cards were integrated into My Number Cards in fall 2024, despite public opposition — a Kyodo News survey found 71.6% of respondents expressed concern about expanding My Number use.[15]
Data breach incidents involving My Number surged from 334 cases in FY2023 to 2,052 cases — a sixfold increase. Errors included linking My Number cards to wrong individuals’ payment methods (172 erroneous linkages reported). The system remains controversial as a case study in the tension between digital government efficiency and centralized personal data risk.[16]
Surveillance and Intelligence
Japan lacks a comprehensive intelligence authorization statute. Each agency operates under separate legal authority, and no independent oversight body reviews intelligence operations across agencies.[17]
DFS (Directorate for Signals Intelligence)
The DFS is Japan’s primary signals intelligence agency, revealed in detail by The Intercept in 2017–2018 based on Snowden documents. Approximately 1,700 personnel operate from at least six surveillance facilities conducting around-the-clock interception of phone calls, emails, and other communications. DFS headquarters is located in the “C1” office building inside the Ministry of Defense compound at Ichigaya, Tokyo.[2]
The MALLARD program, operated from the Tachiarai base in northern Kyushu, collected records on approximately 200,000 internet sessions per week as of mid-2012, stored for two months. The NSA provided Japan’s DFS with XKEYSCORE in April 2013, enabling the searching and analysis of emails, chats, browsing histories, and social media activity. Japan financed over $500 million in NSA facilities and operations on Japanese soil, including at least three NSA bases. The Misawa Security Operations Center (code name LADYLOVE) uses approximately 12 large antenna domes to intercept satellite communications across the Asia-Pacific.[18]
DFS operations are “so highly classified that the Japanese government has disclosed little about its work.” Most Japanese officials are kept in the dark, and activities are “regulated by a limited legal framework and not subject to any independent oversight.”[2]
CIRO (Cabinet Intelligence and Research Office)
The CIRO (Naikaku Jōhō Chōsashitsu) is Japan’s principal civilian intelligence body, reporting directly to the Prime Minister through the Cabinet Secretariat. It has approximately 170 agents, of whom roughly 100 are seconded from other ministries. Top positions are typically held by career police officers. CIRO operates the Cabinet Satellite Intelligence Center, managing a network of surveillance satellites. CIRO is scheduled to be upgraded to a National Intelligence Bureau by mid-2026.[19]
DIH (Defense Intelligence Headquarters)
The DIH (Jōhō Honbu), established January 20, 1997, is the Ministry of Defense’s unified intelligence body. It operates 19 ground-based SIGINT stations monitoring electronic emissions and telecommunications. The December 2022 National Defense Strategy mandated DIH expansion beyond traditional SIGINT to include IMINT, HUMINT, and OSINT for countering information warfare.[20]
PSIA (Public Security Intelligence Agency)
The PSIA (Kōanchōsa-chō), established July 21, 1952, operates under the Ministry of Justice. Its mandate is investigating organizations that “harbor intentions of destroying the democratic system guaranteed by the Japanese Constitution through violent means.” The PSIA also operates under the Act Regarding the Control of Organizations Which Committed Indiscriminate Mass Murder, passed after the 1995 Aum Shinrikyo sarin attack. Investigations require approval from the Public Security Examination Commission (PSEC).[21]
NPA Security Bureau
The National Police Agency’s Security Bureau handles national-level internal security. Its Foreign Affairs and Intelligence Department conducts counter-intelligence and international counter-terrorism, and contains a classified signals unit known as “YAMA” with access to intercepts from various communications facilities.[22]
Parliamentary Oversight
Nominal oversight exists through the Security Committee of the House of Representatives and the Foreign Affairs and Defence Committee of the House of Councillors. In practice, oversight boards rarely review classified documents to confirm the validity of secrecy designations. There is no credible independent third-party oversight of intelligence operations, no public interest override for classified information, and no whistleblower protection for intelligence personnel.[17]
Muslim Surveillance Program
In 2010, 114 police files were leaked revealing systematic religious profiling of Muslims across Japan. By the 2008 G8 summit, at least 72,000 residents from Organisation of Islamic Conference countries had been profiled, including approximately 1,600 school students around Tokyo. The Tokyo Metropolitan Police’s “mosque squad” (43 agents) stationed agents at mosques, followed individuals home, and compiled databases. The leaked data was downloaded over 10,000 times in 20+ countries. Seventeen Muslim plaintiffs filed suit; on May 31, 2016, the Supreme Court dismissed the appeal, effectively confirming the legality of the surveillance program.[23]
Internet Infrastructure and Cable Surveillance
Internet Exchange Points
Japan operates three major internet exchange points, among the largest in Asia by traffic volume. JPNAP (Japan Network Access Point), operated by Internet Multifeed Co. since 2001, runs five interconnection networks in Tokyo, Osaka, Fukuoka, Sendai, and Sapporo.[49] JPIX (Japan Internet Xing) provides IX and VNE services across Tokyo and Osaka. BBIX, a wholly owned subsidiary of SoftBank Corporation established in 2003, handles significant domestic and international peering.[50] In January 2026, all three IXPs jointly established exchange points at the OPTAGE Sonezaki Data Center in Osaka.[39]
Submarine Cable Infrastructure
Japan is the telecommunications hub for nearly all US-Asia bandwidth and for connectivity across maritime and mainland Asia. At least 20 international submarine cable landing stations serve approximately 30 active or announced cable systems. Key landing points include Minamiboso (Chiba Prefecture) and Shima (Mie Prefecture), with additional stations on Hokkaido and Kyushu. Ninety-nine percent of Japan’s international communications depend on subsea cables, with over 80% of data centers concentrated in the Tokyo and Osaka metropolitan areas. Major transpacific cables include Pacific Crossing-1, FASTER, New Cross Pacific (NCP), JUPITER, and Topaz.[24]
Intelligence Nexus
Japan’s position as the primary US-Asia cable hub makes its landing stations and exchange points strategically significant for signals intelligence. The DFS operates interception capabilities at cable chokepoints, and the NSA’s $500 million+ investment in facilities on Japanese soil includes infrastructure positioned to exploit this concentration. The Active Cyber Defense Act (2025) introduced a new legal mechanism for accessing telecommunications data at these points: the government can enter agreements with critical infrastructure operators, including major carriers that operate cable landing stations and IXPs, to receive and analyze telecommunications metadata. NTT Communications, which dominates both Japan’s domestic backbone and international cable infrastructure, is the central node in this architecture.[24][14]
Data Retention
Japan does not have a mandatory data retention law comparable to the EU Data Retention Directive. Telecommunications operators define their own retention periods, which must be “within the period needed for the purposes of use,” and must endeavor to erase personal information without delay after the retention period expires. The Ministry of Internal Affairs and Communications (MIC) and PPC jointly publish guidelines covering retention of communication history, usage details, caller information, and location data.[25]
The Active Cyber Defense Act (2025) introduced a new access mechanism: the government can enter agreements with critical infrastructure operators, including major carriers, to receive telecommunications metadata, analyze it for cyber threats, and share results. This represents the most significant expansion of government access to telecommunications data since the 1999 Communications Interception Act.[14]
Commercial Surveillance
NEC Corporation
NEC has developed facial recognition technology since 1989 and operates over 1,000 active biometric systems in 70+ countries. Its “Safer Cities” suite integrates biometrics, national IDs, citywide video, drones, and crowd behavior analysis for predictive policing. Notable contracts include a US DHS $23.9 million contract (2020–2023) for unlimited facial recognition deployment. NEC technology also underpins India’s Aadhaar biometric identification system.[26]
Cellebrite (Sun Corporation Subsidiary)
Cellebrite DI Ltd. was acquired by Japan-based Sun Corporation (JASDAQ-listed) in 2007. Sun Corporation holds approximately 45% of shares, making it the largest shareholder. Cellebrite’s Universal Forensic Extraction Device (UFED) can extract data from 181+ Android apps and 148+ iPhone apps, including encrypted messaging applications. The National Police Agency, Metropolitan Police Department, Public Prosecutors Office, and Japanese customs have all adopted Cellebrite products.[27]
Domestic Facial Recognition
Japanese police operate a nationwide facial recognition system matching surveillance camera and social media images against arrest databases. JR East (East Japan Railway) deployed facial recognition across 8,350 cameras at 110+ stations starting July 2021, targeting ex-prisoners, parolees, wanted suspects, and “suspicious” persons. The Japan Federation of Bar Associations (Nichibenren) requested suspension of the program.[28]
Wassenaar Arrangement
Japan is a founding member of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, including communication surveillance technologies. Export controls are administered by the Ministry of Economy, Trade and Industry (METI). Japan is considering restricting facial recognition technology exports to China to prevent use against ethnic minorities.[29]
International Data Sharing Agreements
Five Eyes Plus
Japan initially declined membership in SSPAC (SIGINT Seniors of the Pacific), citing the risk that “unintended disclosure of its participation would be too high.” Since January 2020, Japan participates in a “Five Eyes Plus” arrangement with the Five Eyes, France, and South Korea for intelligence sharing on North Korea and China’s military, cyber, and space activities. Japan, France, and South Korea receive enhanced but still limited access compared to full Five Eyes members. Discussion of Japan formally joining Five Eyes as a “Six Eyes” member has continued since Prime Minister Suga’s tenure, though no formal membership has been achieved.[3]
US-Japan Mutual Legal Assistance Treaty
The US-Japan MLAT (Japan’s first bilateral MLAT) was signed August 5, 2003, and entered into force July 21, 2006. It covers terrorism, drug trafficking, child exploitation, antitrust, environmental crimes, and fraud. Assistance includes taking testimony, examining items, locating persons, providing government records, transferring persons in custody, and forfeiture of proceeds.[30]
US-Japan Security Alliance
The 1960 Treaty of Mutual Cooperation and Security commits the US to defend Japan (Article 5) while Japan provides military basing rights (Article 6). The GSOMIA (General Security of Military Information Agreement), signed August 10, 2007, established common security standards for classified military information. The alliance drives extensive intelligence sharing on shared threat perceptions regarding China, Russia, and North Korea.[31]
Japan-South Korea GSOMIA
The agreement was signed on November 23, 2016, the first intelligence-sharing agreement between the two nations since Korea’s liberation from Imperial Japan in 1945. It is focused on North Korean threat intelligence. South Korea’s President Moon threatened withdrawal during the 2019 Japan-South Korea trade dispute; the decision was reversed hours before the deadline under US pressure. President Yoon officially normalized GSOMIA on March 21, 2023.[32]
Other Bilateral Agreements
Japan maintains intelligence-sharing agreements with Australia (Information Security Agreement, 2012), the UK (Hiroshima Accord defense partnership), and France. A US-Japan-Australia trilateral intelligence arrangement was signed at the end of 2016. Japan participates in APEC CBPR (Cross-Border Privacy Rules) as one of nine participating economies and is a member of the Global CBPR Forum.[33]
Interpol and Egmont Group
The National Police Agency serves as Japan’s Interpol National Central Bureau. The Japan Financial Intelligence Center (JAFIC), within the NPA, participates in the Egmont Group for suspicious transaction reporting. Japan’s FATF mutual evaluation (August 2021) found Japan compliant or largely compliant on 39 of 40 Recommendations.[34]
The Privacy Backdoor Effect
Despite the PPC’s enforcement of the APPI, the EU mutual adequacy decision, and the Communications Interception Act’s warrant requirements, international data sharing agreements create alternative pathways for accessing Japanese person data:
- Five Eyes Plus: Intelligence sharing on North Korea and China with access to partner nations’ collection capabilities
- NSA facilities: Over $500 million in Japanese-financed NSA operations on Japanese soil, with XKEYSCORE deployed to DFS
- US-Japan MLAT: Law enforcement data requests through bilateral treaty channels
- Cable infrastructure: Japan’s position as the primary US-Asia telecommunications hub exposes transiting communications to interception at multiple points
For Japanese persons, these parallel pathways mean data nominally protected by the APPI can be accessed through intelligence and law enforcement channels that operate outside the PPC’s oversight.
Recent Developments
Intelligence Reform: National Intelligence Bureau (2025–2027)
Under Prime Minister Takaichi’s coalition government, CIRO is to be upgraded to a National Intelligence Bureau with a Secretary General rank on par with the National Security Secretariat Secretary General, planned for mid-2026. An external intelligence agency is to be established by end of FY2027. A new ministerial post for intelligence will be created. The ruling coalition is also planning anti-espionage legislation, potentially including a foreign agents registration system. Human Rights Watch warned in December 2025 that the espionage law “would need to respect rights.”[35]
Active Cyber Defense Act Enacted (May 2025)
The Act was approved by the Cabinet on February 7, 2025, passed the House of Representatives on April 8, and was enacted on May 16, 2025. It authorizes pre-emptive cyber operations including neutralizing attacker infrastructure abroad. METI announced plans to double registered information security specialists to 50,000 by 2030.[14]
MirrorFace Cyberattack Campaign (January 2025)
The National Police Agency attributed 200+ cyberattacks from 2019–2024 to MirrorFace, a Chinese APT10 subgroup. Targets included the Ministry of Defense, Ministry of Foreign Affairs, JAXA, Japan Airlines, politicians, journalists, and semiconductor and aerospace firms.[36]
AI Promotion Act (May 2025)
Enacted May 28, 2025, and effective September 1, 2025, this is Japan’s first law addressing AI, taking an “innovation-first” approach with no explicit financial penalties for non-compliance (contrasting with the EU AI Act). The AI Strategy Headquarters was established on September 1, 2025. JPY 196.9 billion was allocated for FY2025 AI activities, and JPY 10 trillion in public support is planned by 2030.[37]
Economic Security Clearance Act (May 2025)
The CESI Act, effective May 16, 2025, establishes security clearance systems for economic security information. Penalties for unauthorized disclosure are up to 5 years imprisonment and ¥5 million. The Act is designed to enable Japanese companies to participate in international joint development with allies.[38]
APPI Three-Year Review (2024–2026)
The PPC initiated the third mandatory review in November 2023; an Interim Report was published in June 2024, and a Study Group report followed in December 2024. Proposed changes include introduction of administrative monetary penalties (kacho-kin), injunctive relief through qualified consumer organizations, strengthened protection of minors’ data, and mandatory privacy impact assessments. The amendment is expected in 2025–2026, with implementation in 2026–2027.[5]
My Number Data Breaches Surge (2024–2025)
Data breach incidents surged from 334 cases (FY2023) to 2,052 cases. Health insurance card integration proceeded in fall 2024 despite public opposition.[16]
Japan Airlines Cyberattack (December 2024)
A Christmas Day cyberattack caused delays and cancellations to 20+ domestic flights; systems were restored within hours.[9]
