The Act on the Protection of Personal Information (APPI) requires business operators holding a personal information database consisting of more than 5,000 individuals identified by personal information on any day in the past 6 months to protect this information (see here). This law was later amended to apply to all businesses in Japan. There is an option for business operators to disclose information to third parties, and the requirements for disclosure are clarified in the amendments.
The amendments also created the Personal Information Protection Commission (PIPC), which was established in January 2016. Laws and regulations pertaining to the protection of personal information (not blockchain-specific) can be found on the PIPC website here.
Notable among the changes to Japanese data protection laws pertaining to financial services agencies are additional restrictions on the provision of Japanese customer data outside of the country, or to third parties in general.
In addition, the PIPC holds that under Japanese law, if a customer requires that details of a financial transaction be kept private, the company or agent facilitating the transaction is legally obliged to ensure that anonymization takes place. This appears to contradict the inherent requirements of blockchain technology. However, Japanese privacy and data protection laws do coexist with blockchain technology, as described in this article here.
Key sources
Information on Japanese data protection laws
Information on data protection requirements for Japanese firms