Subscribe to regular updates:


DPA Digital Digest: Japan

A close-up of Japan’s regulatory approach to data governance, content moderation, competition and more

Report Image

This is the second issue of the new “DPA Digital Digest” series based on the Digital Policy Alert database. This series provides concise summaries of each G20 nation’s recent policy changes in data governance, content moderation, competition and further domestic focal points.


Tommaso Giardini

Date Published

21 Mar 2023

On the international stage, the Japanese government actively advocates the opportunities from digital trade and emphasises the pitfalls of digital fragmentation. As part of its presidency this year, the Japanese government aims to promote free data flows within the G7 through increased interoperability of national data protection frameworks – a priority ever since the late president Shinzo Abe launched the Data Free Flow With Trust framework in 2019. For years, Japan has sought to maintain an open internet through its efforts at the World Trade Organization and preferential trade agreements.

But what digital policies does Japan stand for? The second DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments for major policy areas as well as Japan-specific focal points.

Jump directly to the section that interests you most:

Discover the details of Japan's approach below and stay informed on our dedicated page:

Remain up-to-date on new and upcoming policy developments with our free notification service:

Data governance

Data protection policy developments

In April 2022, substantial amendments to the Act on the Protection of Personal Information (APPI) were implemented. The amended APPI now covers both the private and public sectors. The amendment increased data subject rights regarding consent as well as the disclosure and deletion of personal data. Businesses must notify data breaches to both data subjects and the Personal Information Protection Commission (PPC). Compliance obligations are specified by the PPC’s Enforcement Rules and subject to higher stakes – maximum penalties for violations were increased to JPY 100,000,000 (approx. USD 750,000) for businesses.

The June 2022 amendment to the Telecommunications Business Act (TBA) introduced further data protection requirements. Telecommunications service providers, including social network and search engine providers, must obtain user consent and provide opt-out measures in order to share user-related information with third parties (e.g. through third-party cookies). The Enforcement Rules for the amended TBA are currently undergoing a second consultation while the Minister of Internal Affairs and Communications revised its implementation guidelines.

Data transfer/localisation developments

The 2020 amendment to the APPI added further conditions to Japan’s cross-border data transfer regime. Previously, consent was required for transfers, unless the PPC deemed the country’s protection adequate or contractual obligations held the recipient to APPI standards. Now, businesses must inform data subjects about the destination of the data and the level of foreign data protection for their consent to be valid. In addition, contractual safeguards are sufficient only if businesses take action to ensure implementation and inform data subjects on said action upon request. For medical information, the government recommends storing data locally.

The Japanese government has spearheaded international initiatives on cross-border data flows. In 2019, the late president Shinzo Abe launched the Data Free Flow With Trust framework. This guiding principle for international cooperation on data flows was since endorsed by the G20 nations and continuously discussed by the G7. Further facilitating data flows, Japan accepts and issues certificates of the Cross-Border Privacy Rules System of the Asia-Pacific Economic Cooperation (APEC), a government-backed privacy certification that enables companies to demonstrate compliance with international protection standards.

Secondary legislation and enforcement developments

Public enforcement action concerning companies’ violations of data protection rules is infrequent. A notable exception is the investigation into popular messaging app LINE for illegal data transfers to China. Businesses are, however, confronted with a growing body of secondary legislation stemming from various government bodies. In March 2023, the Ministry of Economy, Trade, and Industry (METI) adopted its guidance on information disclosure regarding cyberattacks. Since 2022, METI is deliberating cross-cutting Cybersecurity Management Guidelines and has adopted recommendations on cybersecurity for critical infrastructure companies and factory systems. The PPC publishes guidance for APPI compliance, including a toolkit for assessing privacy policies, and is currently deliberating data handling rules for platforms. In addition, sectoral regulators issue specific guidelines, such as the Financial Services Agency’s 2022 guidelines on financial data.

Content moderation

Content moderation developments

The Ministry of Internal Affairs and Communications is currently deliberating rules for platform operators' response to illegal and harmful information. The rules would require transparency and a proactive stance by providers. Platforms would be obliged to publish their content moderation policies, including reports on the measures taken to address illegal and harmful information and the handling of complaints. Proactivity would be required in preventing the dissemination of illegal and harmful information, especially by repeat-offender accounts.

In 2022, the Penal Code was amended to impose criminal penalties for "online insults". Due to rising public concern over cyberbullying, offenders convicted of online insults now risk imprisonment for up to one year. Finally, the Copyright Act was amended in 2021 to combat online piracy, especially “index sites/apps” that guide the public to content that infringes copyrights. The amendment subjects providers of such index sites/apps and users that link to infringing content to penalties for copyright violations.

Enforcement and oversight developments

Enforcement of content moderation policy, such as blocking orders, is not documented by public, official sources. In recent years, proposals to expand government control over online content were deliberated but not adopted. The 2021 amendment to the Copyright Act originally planned to increase governmental oversight of online content. Instead, it expanded the scope of the prohibition on illegal downloads beyond music and images, to all copyrighted works (including manga). Since October 2022, the revision of the Provider Liability Act empowers users rather than the government: Online service users can request the disclosure of sender information when their rights are evidently infringed and the disclosure is justifiable, e.g. to claim tort damages. Users can request information from providers and approach courts, which can issue disclosure orders.


Competition policy developments

Japanese competition policy builds on the Anti-Monopoly Act, which has not been altered to address digital competition issues. Instead, in 2019, the Japan Fair Trade Commission (JFTC) simultaneously revised guidelines concerning both mergers in digital markets and unilateral conduct relating to data. Regarding mergers, the agency’s jurisdiction expanded beyond previous thresholds to “major” mergers that could affect competition in Japan, considering digital-market-specific scenarios. Regarding unilateral conduct, the JFTC prohibited behaviour that may result in an "impediment to competition". This removes the requirement of market power, extending oversight beyond the "abuse of a dominant position". In addition,, the Japanese government created the Headquarters for Digital Market Competition in 2019 to advance competition policies specific to digital markets (to be enforced by the JFTC). The organisation has since published reports, e.g. on Competition in the Digital Advertising Market.

Enforcement developments

The JFTC pursues a nudging enforcement approach, aiming to induce “voluntary changes” rather than impose fines. In 2021, it closed its investigation into Apple’s App Store guidelines in response to assurances that Apple would allow developers to provide in-app links to non-App Store payment methods. The same approach occurred across several digital markets investigated by the JFTC: In 2022, after and Expedia removed parity clauses; in 2021, when Rakuten Group changed its Shipping Inclusive Program Measures, previously preventing merchants from delivery fees; and in 2020, after Amazon Japan committed to introduce internal antitrust guidelines. The approach also extends to merger reviews: In 2021, the JFTC cleared Google’s acquisition of FitBit following behavioural remedy commitments including database separation and biannual reporting. Whether the JFTC continues on this approach will be revealed in its ongoing investigations into Google's proposed acquisition of Mandiant and Microsoft's proposed acquisition of Activision Blizzard.

Further Japanese digital policy focal points

International digital trade

Japan leads international digital trade efforts on all levels. At the multilateral level, Japan co-convenes the World Trade Organization’s Joint Initiative on E-commerce. On the regional level, Japan is a signatory to the plurilateral Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), boasting a groundbreaking chapter on Electronic Commerce. In 2022, Japan joined the launch of the Indo-Pacific Economic Framework for Prosperity. In addition, it has pursued bilateral digital trade agreements, e.g. with the United States. Finally, Japan advances cooperation on digital trade-related issues such as the Cooperation on Cybersecurity, Digital Economy and AI with Singapore and the Quad Cybersecurity Partnership with India, the United States, and Australia, as well as digital partnerships, for instance with the UK and the European Union.


Platform transparency

A unique aspect of Japanese digital policy is its focus on transparency. In force since 2021, the Act Improving Transparency and Fairness in Trading on Specified Digital Platforms introduces transparency obligations for "specified digital platforms providers". Designated platforms must disclose their terms and conditions to sellers and consumers, including advance notice of changes, implement fair procedures and submit yearly reports to the Ministry of Economy, Trade and Industry (METI). Subsequently, METI subjected several large platforms to the Act through designation orders, based on their dominance in sectors of the digital economy.[1] Currently, METI is deliberating its evaluation of designated platforms’ transparency and fairness, which it consulted on in December 2022.


Since May 2021, the Act for the Protection of Consumers who use Digital Trading Platforms protects consumer interests in electronic commerce. It refers mainly to unsafe or misleading products and complications in seller identification. Consumers received the right to request seller information to file a claim. Platforms must establish a reporting system towards the Japanese Consumer Affairs Agency (CAA), which can request the removal of unsafe products. Furthermore, platforms must enable consumer-seller communication and, if necessary, verify seller identity. In addition, they must investigate customer complaints and remove listings of unsafe products.



The Telecommunications Business Act (TBA) has recently undergone significant amendments of particular importance to foreign businesses. The 2020 amendment of the TBA expanded its scope to foreign operators that “provide telecommunications services in Japan”[2], regardless of the location of their headquarters. Foreign providers must since notify their operations to the Ministry of Internal Affairs and Communications (MIC). Also, foreign providers that operate telecommunications facilities in Japan are obliged to register. Furthermore, they must designate a domestic representative or agent.


The 2022 amendments to the TBA further expanded its requirements. Providers must report service suspensions and data breaches. If they exceed certain size thresholds, the MIC may by designation subject providers to communication secrecy and user identification obligations. Specific rules apply to search service providers, which must notify their operations, and to wholesale telecommunication services, which cannot refuse service without justification.



Japan has focused on cryptocurrencies to boost government innovation and protect investors. In 2023, the Bank of Japan announced the launch of a pilot project for a Central Bank Digital Currency starting in April 2023. The pilot will test the technical feasibility of interlinking various systems and incorporating the insights of private businesses in the CBDC design.


In 2022, the parliament adopted a stablecoin investor protection law. The impact on the domestic market was immediate, even though the bill is yet to take effect (further guidance is expected in June 2023). The bill applies to new stablecoins issued by domestic providers. Only licensed banks, trust companies, and registered money transfer agents may issue such stablecoins. In addition, the law requires stablecoins to be tied to the Japanese Yen and grants investors the right to redeem stablecoins at face value. Since its adoption, no locally registered cryptocurrency exchange has offered stablecoin operations.

Namely, the sectors and designated providers are: media-integrated advertising digital platforms (Google, Meta, Yahoo), advertising-mediated digital platforms (Google), online shopping malls (Amazon, Rakuten, Yahoo); and app stores (Apple/iTunes, Google).