Over the summer of this year, the Japanese parliament passed significant amendments to the Whistleblower Protection Act (JWPA), which to me is a clear signal that Japan is stepping up its whistleblower protections, aligning more closely with global frameworks and lifting the compliance stakes for employers operating there. This isn’t a simple update though, these changes have real implications for companies with Japan entities, and for global organisations with cross-border whistleblowing systems.
So, what are the key changes in the 2025 amendments?
First off, under the new regime, companies can face corporate fines (for example up to ¥30 million / $195,000) for retaliation against a whistleblower and individuals may face up to six months’ imprisonment or fines (up to ¥300,000 / $1,950) for dismissing or disciplining a whistleblower. Moreover, if a whistleblower is dismissed or suffers a disadvantageous action within one year of making a report (or one year from when the company became aware of an external report) the law presumes the action was retaliation, unless the employer proves otherwise. But the amendments extend protection beyond just ‘employees’ to include freelancers/service contractors currently under contract with a business operator and those whose contract ended within the past 12 months. Also, attempts by a business operator to identify a whistleblower without justifiable reason are now explicitly prohibited and any agreement that restricts the right to report (for example via contract terms) is now null and void.
For directors, it means one thing above all: saying “that’s what I was told by management, and I believed them” will no longer be an acceptable defence.
But who will now enforce all this, well the The Consumer Affairs Agency (CAA) that’s who. The CAA will be empowered to issue binding administrative orders, conduct on-site inspections, issue fines for non-cooperation, and has more oversight over whether companies have designated the required personnel to receive reports. And if you think having a standard reporting channel will suffice, you’d be wrong. Companies must actively ensure the system works, including informing employees about the channel, designating the responsible person or a “jujisha”, and documenting internal investigations and outcomes. So the US DoJ’s ECCP for ensuring something is well designed, adequately resourced to function effectively and works in practice comes to mind here.
Now, while the amendments were declared in June, the law allows up to one year and six months from declaration for the relevant provisions to take effect (thus likely before end of 2026 or at latest, the first part of 2027).
In short, Japan has raised the stakes for whistleblowing compliance. The era of “set up a channel and hope for the best” is over. The regulator expects proof the channel works, the workforce knows about it, and there are structures in place to protect reporters, and they will hold companies accountable if they fail.
So, if you have a Japanese subsidiary or business operation in Japan, here are high-priority action steps you should be taking immediately (and some medium-term items) to ensure readiness.
1. Gap-analysis of your current whistleblowing/reporting system
Check whether you have formally designated personnel (jujisha) responsible for receiving whistleblowing reports. The CAA now has power to issue orders if you haven’t. Review your system to confirm that freelancers and service contractors (and those whose contracts ended within past 12 months) are covered under your policy. If your whistleblowing policy only mentions employees, you probably have a gap. Test how your hotline or reporting channel is communicated to the workforce. Are employees and relevant parties informed of the system? Did you provide training, and do you have records that people not only took the training but understood it. Assess how quickly you would respond if someone uses the channel, is the process documented, independent enough, able to preserve confidentiality and protect identity? Check your internal contracts and vendor/supplier agreements: do they include restrictive clauses that might block or discourage whistleblowing (e.g., confidentiality or non-disparagement provisions)? These may now be null and void under the amended law.
2. Update policy, training and internal communications
Update your whistleblowing policy to reflect the expanded protections (including freelancers and former contractors within 12 months). Explicitly state that the company prohibits attempts to identify a reporter without justification and prohibits retaliatory disadvantageous treatment. I’ve said it before, but I’ll say it again, train managers, HR, internal investigators on the one-year presumption of retaliation. The biggest gap in most compliance programs is that managers don’t get adequate training for the roles they have and therefore the messaging that leadership work so hard to create gets stuck and never makes it past that middle line. You must be clear that any dismissal or disciplinary action within one year of a report carries a presumption that the action was retaliatory unless proven otherwise. Engage internal audit or compliance to monitor that the system is working. This could be in the form of tracking key metrics (number of reports, outcomes, whether any reprisals occurred), document investigations, and make sure you retain those records.
3. Review contracts and supplier / vendor arrangements
Make sure service agreements with freelancers and contractors include wording that respects whistleblower protections (and does not impose unfair termination for a report) and update any vendor and supplier templates so that third-party personnel, contractors and sub-contractors are aware of the internal reporting channel (or an approved external one) and are protected if they raise a concern. My advice here, create some training to send out to those third parties so they are aligned with your internal messaging.
Be mindful of post-contract termination exposures: since protection extends for up to 12 months after contract end, a reduction of engagement or termination shortly after a report could trigger a retaliatory-action claim.
4. Embedding culture, process and documentation
Most forward-thinking organisations are already integrating whistleblower systems into their wider E&C program, and this is no different. Silos kill continuity.
Regularly communicate to all personnel (employees, contractors, vendors) that the channel exists, how to use it, and that reprisal is prohibited. This can be built into to your existing code of conduct training (which should be reviewed).
I already mentioned the need for maintaining detailed documentation of investigations, decisions, and follow-up actions, but cataloguing any protective measures taken for the reporter will be essential. And, be ready for regulatory inspection. The CAA now has the power to inspect on-site, issue orders and impose administrative fines if you fail to cooperate. So, the audit trail should be ready.
What should global organisations with operations in Japan be looking at?
Well, the 2025 amendments to the Act introduce a layer of complexity that goes well beyond simply tweaking a hotline policy. These changes touch global system design, data flows, investigative protocols, contractor management, vendor relationships, and the day-to-day operational discipline of the Japanese entity.
Companies need to ensure their global whistleblowing architecture can function within Japan’s enhanced local obligations. Many multinationals rely on a single global hotline routed through headquarters or a regional hub. That remains acceptable, but it now requires much closer attention. The Japanese subsidiary still must satisfy Japan-specific requirements, such as appointing a designated the jujisha we mentioned, enabling local communication, and extending protections to freelancers and former contractors.
Cross-border issues become particularly sensitive. If a report originates in Japan but is transferred overseas for triage or investigation, the company must ensure that confidentiality and identity-protection standards under the JWPA remain intact. Any HQ request to identify a Japanese whistleblower could violate the new prohibition on “identity-seeking.” Organisations will also need to review how their global data-transfer practices and investigation protocols align with Japanese privacy rules and the growing scrutiny regulators are applying in this area. In some cases, it may be prudent to establish a local reporting node or a designated person within the global system to ensure the Japanese component is clearly documented and compliant.
Also, multinational groups should recognise that enforcement risk in Japan is now very real and extends beyond procedural missteps.
With the introduction of corporate fines and criminal penalties, the Japanese entity faces direct exposure if its whistleblowing system fails in practice. There could be reputational implications for the wider group if the Japan operation falls short. The new one-year presumption of retaliation places the burden on employers, meaning companies need to be proactive rather than reactive. Global programs that focus narrowly on employees may not be sufficient anymore, particularly where freelancers, service contractors, or individuals whose contracts recently ended fall outside standard policies. And when a report in Japan involves issues or individuals in the global group, the Japanese entity must be able to show clear, implemented procedures for investigation, escalation, follow-up, and protection of the reporter. Regulators will increasingly expect evidence of a functioning system, not just a policy document.
Finally, multinationals need to align global contracts, policies, and operations with Japan’s broadened requirements. For example, if group-wide policies refer only to “employees,” they must be updated for Japan to explicitly cover contractors, freelancers, and individuals whose relationship ended within the past 12 months. Communication to Japanese workers should reinforce these expanded protections.
Training programs may also need localisation to reflect Japanese language nuances, labor-law expectations, and the country’s shifting regulatory environment. Japan’s compliance culture is evolving rapidly, and regulators increasingly expect companies to demonstrate that they understand and are keeping pace with those changes. When in Rome, as they say.
Final Thoughts
The new 2025 amendments to Japan’s Whistleblower Protection Act mark a significant inflection point, but also a final call to action for companies operating in, or via, Japan. In the past, the obligation to have a reporting channel was very much a check the box requirement, but now the expectation is that companies need to demonstrate the channel works, that protections extend broadly (including those freelancers and third parties), that retaliation is taken seriously, and to remember that the regulator has real teeth now.
This isn’t just about updating a policy. It’s about shifting culture, strengthening governance, enhancing monitoring and aligning local practices with global architecture. The window for legacy “light” compliance is closing fast. Companies should act now to ensure they are not just compliant on paper, but ready for scrutiny in practice.
