I. Introduction
In April 2026, a bill to amend the Act on the Protection of Personal Information (APPI) was submitted to the Japanese Diet.
The proposed amendments have been anticipated for some time and reflect both domestic policy developments and broader international trends in data protection, particularly in light of the rapid expansion of data-driven business models and the increasing deployment of artificial intelligence (AI). From a structural perspective, the amendments pursue two overarching objectives: (i) facilitating data utilization and clarifying existing rules, and (ii) strengthening regulatory oversight and enforcement.
This dual approach reflects a broader regulatory recalibration observed globally. Legislators are increasingly seeking to enable innovation—particularly in areas such as AI and digital services—while ensuring that the protection of individuals’ rights keeps pace with technological change. In this respect, the Japanese reforms exhibit certain parallels with developments in other jurisdictions, including the adoption of more risk-based regulatory approaches, while retaining distinctive features of the APPI framework.
If enacted, the amendments are expected to come into force within a period not exceeding two years from promulgation. While some elements codify existing practices or clarify interpretative ambiguities, others introduce materially new obligations and enforcement tools. Taken together, the reforms are likely to have a meaningful impact on corporate data governance frameworks. This article highlights key aspects of the proposed amendments and considers their practical implications for businesses.
In addition, the amendments should be understood in the context of Japan’s ongoing efforts to align its data protection framework with international standards while maintaining flexibility for domestic business practices. In particular, the increasing importance of cross-border data flows and the use of global technology platforms are likely to continue to influence the interpretation and application of the APPI. As a result, developments under the amended framework may be relevant not only for domestic compliance, but also for multinational data governance strategies.
II. Facilitating Data Utilization and Clarifying Existing Rules
- New Consent Exemptions for Statistical Processing (Including AI Development)
A central feature of the proposed amendments is the introduction of new exemptions from consent requirements for the acquisition and third-party provision of personal data, as well as for the acquisition of publicly available sensitive personal information, where such data is used solely for the creation of statistical information (including AI development).
Under the current APPI framework, personal data may generally be used within the scope of its specified purpose of use. However, data subjects’ consent is required for certain categories of processing, including the acquisition of sensitive personal information, use beyond the original purpose, and third-party provision. In practice, obtaining consent—particularly at scale—can be challenging, and reliance on statutory exceptions has been a recurring issue.
The proposed amendments appear intended, at least in part, to address legal uncertainties that have arisen in the context of AI development. In particular, two issues have attracted attention:
- whether the handling of personal data by AI service providers can be characterised as processing on behalf of another entity (akin to a “processor” concept), thereby avoiding consent requirements; and
- whether the collection of publicly available information for training purposes—particularly where such information includes sensitive personal information—may give rise to compliance concerns under the APPI.
The introduction of a statutory exemption for statistical processing is expected to provide greater legal certainty in these areas. The amendment bill introduces a new concept of “statistical processing,” which is defined as the creation of information relating to trends or characteristics derived from a large volume of data, through extraction, classification, comparison or other forms of analysis, provided that such information does not constitute personal information and that the processing is unlikely to harm individuals’ rights and interests. The exemption applies where personal data is processed for such purposes or provided to a third party for such purposes.
In the context of AI development, while further clarification on the scope of this concept is awaited, it is generally expected that typical training activities would fall within this concept. In practice, therefore, the key issue is likely to be how the relevant conditions attached to the exemption can be satisfied, rather than whether the processing itself falls within the definition.
In this regard, the exemption is subject to a number of conditions, including:
- public disclosure of the intended statistical processing and prescribed matters;
- continued availability of such disclosures;
- restrictions on the scope of use;
- prohibition of further third-party provision; and
- implementation of appropriate security measures.
These safeguards suggest that the exemption is not intended to provide a blanket relaxation, but rather to permit specific forms of data use within a structured compliance framework. In particular, restrictions on downstream use and onward transfer may limit the flexibility of certain business models. In addition, the level of detail required for the public disclosure of the intended statistical processing is likely to be an important practical issue.
The implications extend beyond AI developers to companies deploying AI tools or analytics platforms. Such companies may need to confirm, both legally and contractually, whether the relevant processing falls within the scope of the exemption and how compliance responsibilities are allocated between the parties. As a result, contractual frameworks governing data use—particularly in AI-related arrangements—are likely to require careful review.
- Expanded Exceptions to the Consent Requirement
The amendments also introduce broader flexibility in relation to the consent requirement.
First, consent would not be required where it is clear, in light of the circumstances of acquisition, that the processing does not conflict with the individual’s intent and does not harm the individual’s rights or interests.
This appears to codify certain transactional data flows that are widely understood as inherent to service provision—for example, the sharing of booking information with a hotel or the transfer of remittance data between financial institutions. While reliance on implied consent has not been entirely precluded under the current framework, it has been approached cautiously in practice. The proposed amendment may provide greater comfort in recognising such “expected” data flows.
At the same time, the scope of this exception will likely require careful interpretation. The threshold that processing be “clearly” consistent with the individual’s intent may impose a relatively high bar, particularly in more complex or multi-party data ecosystems.
Second, in cases where personal data is handled for the protection of life, body or property (including that of legal entities), the existing requirement that obtaining consent be “difficult” is supplemented by an additional standard of “reasonable grounds” for not obtaining consent, thereby relaxing the conditions for relying on this exception.
This change may be of practical relevance in cross-border contexts, such as when responding to requests from foreign regulators or courts. Under the current framework, it can be difficult to demonstrate that obtaining consent is “difficult,” whereas the introduction of the additional “reasonable grounds” standard may allow for a more flexible assessment, subject to appropriate justification.
- Risk-Based Approach to Data Breach Notification
The proposed amendments also introduce a more risk-based approach to data breach notification.
Under the current APPI, notification to affected individuals is required where certain thresholds are met, subject to limited exceptions. The amendments would allow notification to be replaced with alternative measures where the risk to individuals’ rights and interests is low.
This change appears to address concerns that the current framework may impose notification obligations even in cases where the practical impact on individuals is minimal—for example, where leaked data consists solely of internal identifiers with no standalone meaning.
In addition, the Personal Information Protection Commission (PPC) has indicated that procedural aspects of breach reporting may be reviewed, including potential exemptions from preliminary reporting and more flexible handling of minor incidents.
Taken together, these developments suggest a gradual shift away from a purely formalistic approach toward a framework that places greater emphasis on substantive risk assessment. For businesses, this may enable more proportionate allocation of compliance resources, although it will also require the development of internal methodologies for assessing risk levels.
- Clarification of Obligations for Service Providers
The amendments clarify the obligations of service providers handling personal data on behalf of others.
Unlike regimes such as the GDPR, the APPI does not formally distinguish between controllers and processors. The proposed amendments, however, introduce elements that move in that direction, including:
- an explicit prohibition on processing beyond the scope necessary for performing entrusted services; and
- a framework under which certain obligations may be relaxed where specified contractual arrangements are in place.
In particular, the amendments indicate that where appropriate contractual terms are agreed between the parties—such as those relating to the handling of personal data and reporting obligations in the event of non-compliance—the service provider may be exempt from certain obligations, other than core requirements such as purpose limitation and security measures.
This clarification may have practical implications for how responsibilities are allocated between parties. Under the current framework, service providers are generally subject to the full set of obligations under the APPI, which has sometimes led to uncertainty in structuring outsourcing arrangements. The proposed amendments may provide a clearer basis for allocating compliance responsibilities contractually.
This development may facilitate greater alignment with international data governance frameworks. For multinational organisations, it may also enable more consistent structuring of intra-group and outsourcing arrangements, reducing the need for jurisdiction-specific deviations. At the same time, businesses may need to review existing contractual arrangements to ensure that they meet the requirements for relying on the proposed framework.
III. Strengthening Regulation and Enforcement
- Introduction of Administrative Surcharges
The proposed amendments introduce an administrative surcharge regime, which represents a significant development in the enforcement framework under the APPI.
Under the current system, the PPC primarily relies on administrative measures, such as guidance, recommendations and orders, with criminal penalties applying only in limited cases. The introduction of a surcharge system indicates that enforcement may become more focused on deterrence, particularly in cases involving misuse of personal data.
The surcharge may be imposed where a business operator both (a) engages in certain specified violations, and (b) obtains economic benefit from such conduct. In outline, the framework can be summarised as follows:
(i) Scope of violations
The surcharge applies to certain categories of conduct, including:
- improper acquisition of personal information;
- provision of personal data to a third party that is expected to use the data for unlawful or discriminatory purposes;
- use of personal information at the request of a third party in circumstances where such misuse is anticipated;
- unlawful third-party provision of personal data (including cases involving minors); and
- misuse of the exemption for statistical processing.
(ii) Exclusions
The surcharge may not apply in certain cases, including where:
- the business operator exercised due care to prevent the violation; or
- the impact on individuals is limited (for example, where the number of affected individuals does not exceed a specified threshold (i.e., 1,000 individuals)).
(iii) Calculation method
The amount of the surcharge is generally based on the economic benefit obtained from the violation. Unlike regimes such as the GDPR, there is no explicit upper limit linked to turnover.
It should also be noted that violations relating to security measures are not included within the scope of the surcharge regime. This suggests that the system is primarily intended to address cases where personal data is used or provided in a manner that gives rise to economic gain, rather than general failures in data management.
From a practical perspective, this framework is likely to result in increased scrutiny of data sharing arrangements and business models involving the use of personal data. Businesses may therefore need to review how personal data is used and transferred, particularly in cases where such use is linked to revenue generation. In addition, it may become increasingly important to document internal decision-making processes and compliance measures, in order to demonstrate that appropriate care has been taken.
In addition, although the introduction of the surcharge regime represents a significant development, the practical impact will depend on how actively the PPC makes use of these powers. In this respect, it will be important to monitor enforcement trends following the implementation of the amendments, including the types of cases in which surcharges are imposed and the approach taken in calculating the relevant amounts.
- Enhanced Protection of Children (Under 16)
The proposed amendments introduce a statutory framework for the protection of children under the age of 16.
Under the current APPI, there is no explicit provision regarding children’s data, although guidance indicates that consent from a legal guardian may be required in certain cases. The amendments would formalise this approach and introduce additional requirements.
(i) Key requirements
In particular, the amendments provide that:
- where consent is required under the APPI, such consent must be obtained from a legal guardian if the data subject is under 16;
- notifications that would otherwise be provided to the individual must be given to the legal guardian;
- children may exercise certain rights, such as requesting cessation of use or third-party provision; and
- businesses are required to make efforts to take measures that prioritise the best interests of minors.
Notably, these requirements are not limited to services specifically directed at children. As a result, a wide range of businesses may need to consider how the rules apply to their services, even where children are not the primary target users.
(ii) Key practical issues
A number of practical issues are likely to arise in implementation, including:
- how to determine whether a user is under 16;
- what methods of age verification are required; and
- how consent from a legal guardian should be obtained.
A key issue in this regard will be the interpretation of the exception where the business operator has a “legitimate reason” for not knowing that the data subject is under 16. The scope of this exception is likely to affect whether businesses are required to implement age verification measures.
At present, the amendments do not specify how age verification should be conducted. In practice, a range of approaches may be considered, including self-declaration by users or more robust verification methods. However, more stringent methods may impose a significant operational burden and may also raise additional data protection considerations.
(iii) Practical impact
From a practical perspective, these requirements may affect not only legal compliance, but also product design and user experience. Businesses may need to review onboarding processes, consent flows, and internal procedures for responding to data subject requests.
In doing so, it will be important to balance compliance requirements with usability, particularly in services where excessive friction may affect user engagement. Further clarification from the PPC is expected to be important in determining how these requirements should be implemented in practice. In particular, businesses operating online platforms or services with a broad user base may need to consider whether additional safeguards are required, even where children are not the intended users.
- Expansion of Regulation to Non-Personal Information
The amendments extend certain regulatory obligations to information that does not constitute “personal information” under the APPI, such as telephone numbers, email addresses (where they do not include a name) and cookie identifiers.
While many organisations already apply similar controls to such data as part of global compliance frameworks, the formal extension of regulatory coverage underscores the increasing recognition of risks associated with these identifiers, including fraud and phishing.
This development may have relevance for digital advertising and online tracking practices.
- Additional Requirements for Biometric Data
Finally, the amendments introduce enhanced transparency requirements for biometric data, including facial recognition data.
Although such data is not classified as sensitive personal information under the APPI, the proposed rules reflect concerns regarding its potential impact on individuals.
Businesses will be required to provide clearer disclosures and facilitate data subject rights, particularly in contexts involving surveillance or tracking technologies. Further regulatory guidance will be important in determining the practical scope of these obligations.
IV. Conclusion and Outlook
The proposed amendments to the APPI represent a significant evolution of Japan’s data protection framework, reflecting an effort to balance data utilization and regulatory control in an increasingly data-driven economy.
From a practical perspective, the reforms signal an expectation that businesses adopt more structured and accountable approaches to data governance. This includes not only compliance with formal legal requirements, but also the implementation of internal processes to assess and manage data-related risks.
Key areas of focus for businesses are likely to include:
- the scope and application of new exemptions for AI-related processing;
- governance of data-sharing arrangements in light of the surcharge regime;
- implementation of age verification and parental consent mechanisms; and
- enhanced transparency obligations for emerging data types.
As many aspects of the reforms will be further specified through regulations and guidelines, ongoing monitoring will be essential. Early engagement and preparation will enable businesses to adapt effectively and integrate Japanese requirements into broader global compliance strategies. In this context, businesses may benefit from taking a proactive approach, including conducting gap analyses, reviewing internal policies and contractual arrangements, and considering how the proposed changes interact with existing global compliance frameworks. Early preparation may also help to reduce implementation risks once the amendments come into force.