:PROPERTIES:
:ID:       auto-appi
:CREATED:  [2026-05-23 Sat]
:END:
#+title: 
#+filetags: :passepartout:compliance:framework:appi:


Japan's comprehensive privacy law (amended 2022, fully effective 2023).
Applies to any business handling personal information of Japanese residents.
Key requirements: consent, purpose specification, data retention limits,
cross-border transfer restrictions (opt-in required), mandatory breach reporting,
data subject access/deletion rights, pseudonymized/anonymized data provisions.
Personal Information Protection Commission (PPC) enforces.

Penalties: Up to 100M JPY (~$700K) for violations; criminal penalties up to
1 year imprisonment. Orders to suspend data processing or delete data.

Who must comply: All businesses handling personal information of Japanese
residents. Extraterritorial — applies to non-Japanese businesses targeting
Japanese residents.

Why it matters: APPI's cross-border transfer restrictions require fine-grained
control over which data leaves Japan. The gate stack can encode "this data has
APPI cross-border consent flag = false → block egress." First-mover advantage
is moderate — few non-Japanese vendors target APPI specifically, and the 2022