APPI Compliance
Configure your forms for Japan's Act on the Protection of Personal Information.
What is the APPI?
The Act on the Protection of Personal Information (APPI) is Japan's primary data protection law. Originally enacted in 2003, it was significantly amended in 2017 and again in 2022. It is enforced by the Personal Information Protection Commission (PPC).
The APPI applies to any "business operator" that handles personal information of individuals in Japan. The 2022 amendment removed the previous threshold that limited the law to entities handling 5,000 or more records — so it now applies regardless of how many records you hold. If your web form collects data from people in Japan, the APPI applies to you.
The APPI takes a fundamentally different approach from European privacy law. Where the GDPR is built around "lawful bases" for processing, the APPI is built around purpose specification — you must declare what you will do with the data, and you cannot go beyond that purpose.
Purpose of use — the core concept
This is the single most important concept in the APPI for form operators. Before collecting personal information, you must:
- Specify the purpose of use as concretely as possible.
- Notify or publicly announce that purpose to the individual.
- Never use the data beyond that stated purpose without obtaining new consent.
For a web form, this means clearly stating on the form page (or in a linked privacy policy) exactly what you will do with the submitted data. Vague statements like "for business purposes" are not sufficient. Good examples:
- "To respond to your inquiry within 3 business days."
- "To process your job application and contact you about the position."
- "To send you the requested product information by email."
If you later want to use the collected data for a different purpose — for example, adding form respondents to a marketing list — you must obtain fresh consent for that new purpose. This is stricter than the GDPR's "compatible purpose" concept, which can allow some flexibility.
What the APPI preset configures
| Setting | Value | Why |
|---|---|---|
| IP anonymization | Disabled (full IP stored) | The APPI does not mandate IP anonymization. Full IPs are retained for fraud detection. |
| User-agent storage | Enabled | Browser information is useful for troubleshooting and is not specifically restricted under the APPI. |
| Consent checkbox | Required | Used to confirm the individual has read and accepted the stated purpose of use. |
| Data retention | 730 days | The APPI requires data to be deleted when no longer needed for the stated purpose. Two years is a reasonable default for form submissions. |
| Privacy policy URL | Required | The APPI requires public announcement of the purpose of use. Your privacy policy is the primary vehicle for this. |
Set up the APPI preset
Account level
- Go to Account Settings in the sidebar.
- Scroll to Compliance.
- Select APPI (Japan) from the dropdown.
- Click Save.
Per form
- Open the form in your dashboard.
- Go to the Compliance tab.
- Select APPI (Japan) from the preset buttons or region dropdown.
- Click Save.
Why IPs are not anonymized
Under the APPI, an IP address alone is generally not considered "personal information" unless it can be combined with other data to identify a specific individual. This is a notable difference from the GDPR, where IP addresses are explicitly classified as personal data.
The APPI preset keeps full IP addresses because:
- There is no legal requirement to anonymize them under Japanese law.
- Full IPs are valuable for fraud detection, spam prevention, and abuse investigation.
- Anonymizing IPs would remove useful information without a corresponding legal benefit.
If you combine IP addresses with other identifiers in a way that makes individuals identifiable, those combined records would fall under the APPI's protections. The standard form submission workflow in FormBlade does not perform this kind of cross-referencing.
Anonymously processed information
The APPI defines a unique legal category called "anonymously processed information" — personal data that has been processed so that specific individuals cannot be identified and the data cannot be restored to its original state. This category has lighter restrictions: it can be shared with third parties without consent, provided you announce the data categories publicly.
This concept is not directly relevant to standard form submissions (you generally need the original data to respond to inquiries). However, if you aggregate submission data for analytics or reporting, the anonymously processed information rules may apply. The key requirement is that the anonymization must be irreversible.
Special care-required personal information
The APPI defines a strict category called "special care-required personal information" that demands explicit prior consent before collection. This includes:
- Race or ethnic origin
- Creed (political or religious beliefs)
- Social status
- Medical history and health information
- Criminal record
- Being a victim of crime
If your forms collect any of this data — for example, a medical intake form or a background check questionnaire — you must obtain explicit consent specifically for that category of data, separate from general form consent. The consent checkbox text should clearly reference the sensitive nature of the data being collected.
Cross-border transfers (2022 amendment)
The 2022 amendment significantly tightened the rules for transferring personal data outside Japan. Before transferring data to a foreign country, you must do one of the following:
- Obtain the individual's consent after informing them about the recipient country's data protection regime, including the name of the country and an overview of its privacy laws.
- Confirm equivalent protections — ensure the foreign recipient has a data protection system that meets the APPI's standards (EU/EEA countries generally qualify under the PPC's mutual adequacy arrangement with the European Commission).
- Establish contractual safeguards — put in place a contract or internal rules that ensure the foreign recipient handles the data in compliance with the APPI.
FormBlade stores data on EU servers. The EU has a mutual adequacy agreement with Japan (the PPC and the European Commission recognized each other's data protection frameworks in 2019), so transfers from Japan to EU-based servers are generally permitted under the second option above (confirming equivalent protections). You should note this in your privacy policy.
Data subject rights
The APPI grants individuals the following rights over their personal information:
- Right to disclosure — individuals can request to see what personal data you hold about them. Export submissions from the dashboard to fulfill these requests.
- Right to correction — if the data is inaccurate, the individual can request corrections. You can edit submissions in the dashboard.
- Right to cessation of use — a person can request that you stop using their data, even without deleting it. This is unique to the APPI. In practice, you should flag the submission and ensure it is not used for any active purpose (e.g., exclude it from exports or reports).
- Right to deletion — individuals can request that their data be erased entirely. Delete the relevant submissions from the dashboard.
The cessation-of-use right is worth highlighting. Unlike the GDPR's "right to erasure," this right allows a person to say "stop using my data" without requiring you to destroy it. You may still need to retain the data for legal or record-keeping purposes, but you must not process it for the original purpose.
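The retention default from the preset table and the cessation-of-use handling described above are easier to reason about as code. The following is an added example (not FormBlade's own code or API): a hypothetical submission store in which every record carries the purpose announced at collection time, a general consent flag, a separate consent flag for special care-required categories, and a cessation-of-use flag. Records are only exportable for their declared purpose, while still inside the 730-day retention window, and only if no cessation request has been received. The `VAGUE_PURPOSES` list and all sample submissions are constructed for the example.

```python
# Hypothetical APPI-style submission store (added example; not FormBlade's own code or API).
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Retention default taken from the APPI preset table on this page.
RETENTION_DAYS = 730

# Categories the APPI treats as "special care-required personal information".
SPECIAL_CARE_CATEGORIES = {
    "race_or_ethnic_origin", "creed", "social_status",
    "medical_history", "criminal_record", "crime_victim",
}

# Purposes too vague to satisfy the purpose-specification rule (constructed list).
VAGUE_PURPOSES = {"", "for business purposes", "various purposes", "marketing and other uses"}


@dataclass
class Submission:
    submission_id: str
    received_at: datetime               # timezone-aware timestamp of collection
    purpose_of_use: str                 # purpose announced on the form at collection time
    consent_given: bool                 # the preset's required consent checkbox
    special_care_categories: set[str] = field(default_factory=set)
    special_care_consent: bool = False  # separate, explicit consent for sensitive data
    cessation_requested: bool = False   # APPI cessation-of-use request received
    fields: dict = field(default_factory=dict)


def collection_problems(sub: Submission) -> list[str]:
    """Return the reasons a submission should be rejected at collection time."""
    problems = []
    if not sub.consent_given:
        problems.append("consent checkbox not accepted")
    if sub.purpose_of_use.strip().lower() in VAGUE_PURPOSES:
        problems.append("purpose of use is vague or missing")
    unknown = sub.special_care_categories - SPECIAL_CARE_CATEGORIES
    if unknown:
        problems.append(f"unknown sensitive categories: {sorted(unknown)}")
    if sub.special_care_categories and not sub.special_care_consent:
        problems.append("special care-required data collected without separate consent")
    return problems


def is_expired(sub: Submission, now: datetime) -> bool:
    """True once the retention window has elapsed and the record should be deleted."""
    return now >= sub.received_at + timedelta(days=RETENTION_DAYS)


def usable_for(sub: Submission, purpose: str, now: datetime) -> bool:
    """A record may be processed only for its declared purpose, while retained,
    and only if the individual has not asked for cessation of use."""
    return (
        not sub.cessation_requested
        and not is_expired(sub, now)
        and purpose == sub.purpose_of_use
    )


def export_for(subs: list[Submission], purpose: str, now: datetime) -> list[str]:
    """IDs that may appear in an export or report prepared for the given purpose."""
    return [s.submission_id for s in subs if usable_for(s, purpose, now)]


def purge_expired(subs: list[Submission], now: datetime) -> tuple[list[Submission], list[str]]:
    """Split the store into retained records and the IDs of records to delete."""
    kept = [s for s in subs if not is_expired(s, now)]
    deleted = [s.submission_id for s in subs if is_expired(s, now)]
    return kept, deleted


# Constructed sample data.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
INQUIRY = "To respond to your inquiry within 3 business days."
SAMPLE = [
    Submission("s1", NOW - timedelta(days=10), INQUIRY, True),
    Submission("s2", NOW - timedelta(days=20), INQUIRY, True, cessation_requested=True),
    Submission("s3", NOW - timedelta(days=800), INQUIRY, True),  # past the 730-day window
    Submission("s4", NOW - timedelta(days=5), "for business purposes", True),
    Submission("s5", NOW - timedelta(days=1), INQUIRY, True, {"medical_history"}),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s.submission_id, collection_problems(s))
    print("exportable for inquiry purpose:", export_for(SAMPLE, INQUIRY, NOW))
    print("to delete:", purge_expired(SAMPLE, NOW)[1])
```

Note that a cessation request and retention expiry are handled differently on purpose: `purge_expired` returns records to delete, while a record with `cessation_requested` set stays in the store (it may still be needed for record-keeping) but never appears in `export_for`, and `usable_for` refuses any purpose other than the one declared at collection, which is the behaviour the "fresh consent for a new purpose" rule calls for.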
Breach notification
Under the 2022 amendment, if a data breach occurs that is likely to harm the rights and interests of individuals, you must:
- Notify the PPC — report the breach to the Personal Information Protection Commission promptly, with a follow-up detailed report within 30 days (60 days if the breach was caused by unauthorized access).
- Notify affected individuals — inform the people whose data was compromised.
Breaches that trigger this obligation include leaks of data involving more than 1,000 individuals, leaks of special care-required information, leaks likely to cause financial damage, or leaks caused by unauthorized access.
Penalties
The 2022 amendment substantially increased penalties for APPI violations:
- Corporations — fines up to ¥100 million (approximately $700,000 USD) for violations such as unauthorized data use or failure to comply with PPC orders.
- Individuals — fines up to ¥1 million and/or imprisonment for up to 1 year for serious violations, including providing false reports to the PPC or obstructing inspections.
The PPC typically issues guidance and recommendations before imposing penalties, but the increased fines signal Japan's intent to take enforcement seriously.