{"id":140430,"date":"2026-04-22T09:54:48","date_gmt":"2026-04-22T09:54:48","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=hot_topics&p=140430"},"modified":"2026-04-22T09:55:00","modified_gmt":"2026-04-22T09:55:00","slug":"japan-proposed-amendments-to-the-act-on-the-protection-of-personal-information-appi","status":"publish","type":"hot_topics","link":"https:\/\/my.legal500.com\/guides\/hot-topic\/japan-proposed-amendments-to-the-act-on-the-protection-of-personal-information-appi\/","title":{"rendered":"Japan: Proposed Amendments to the Act on the Protection of Personal Information (APPI)"},"content":{"rendered":"

I. Introduction<\/span><\/b><\/h4>\n

In April 2026, a bill to amend the Act on the Protection of Personal Information (APPI) was\u00a0submitted\u00a0to the Japanese Diet.\u00a0<\/span>\u00a0<\/span><\/p>\n

The proposed amendments have been\u00a0anticipated\u00a0for some time and reflect both domestic policy developments and broader international trends in data protection, particularly\u00a0in light of\u00a0the rapid expansion of data-driven business models and the increasing deployment of artificial intelligence (AI). From a structural perspective, the amendments pursue two overarching\u00a0objectives: (i)\u00a0facilitating\u00a0data\u00a0utilization\u00a0and clarifying existing rules, and (ii) strengthening regulatory oversight and enforcement.\u00a0<\/span>\u00a0<\/span><\/p>\n

This dual approach reflects a broader regulatory recalibration\u00a0observed\u00a0globally. Legislators are increasingly\u00a0seeking\u00a0to enable innovation\u2014particularly in areas such as AI and digital services\u2014while ensuring that the protection of individuals\u2019 rights keeps pace with technological change. In this respect, the Japanese reforms\u00a0exhibit\u00a0certain parallels with developments in other\u00a0jurisdictions, including the adoption of more risk-based regulatory approaches, while\u00a0retaining\u00a0distinctive features of the APPI framework.<\/span>\u00a0<\/span><\/p>\n

If enacted, the amendments are expected to come into force within a period not exceeding two years\u00a0from\u00a0promulgation. While some elements codify existing practices or clarify interpretative ambiguities, others introduce materially new obligations and enforcement tools. Taken together, the reforms are likely to have a meaningful impact on corporate data governance frameworks. This article highlights key aspects of the proposed amendments and considers their practical implications for businesses.<\/span>\u00a0<\/span><\/p>\n

In addition, the amendments should be understood in the context of Japan\u2019s ongoing efforts to align its data protection framework with international standards while\u00a0maintaining\u00a0flexibility for domestic business practices. In particular, the increasing importance of cross-border data flows and the use of global technology platforms are likely to continue to influence the interpretation and application of the APPI. As a result, developments under the amended framework may be relevant not only for domestic compliance, but also for multinational data governance strategies.<\/span>\u00a0<\/span><\/p>\n

\u00a0II. <\/span>FacilitatingData Utilization and Clarifying Existing Rules<\/span><\/b><\/h4>\n
    \n
  1. New Consent Exemptions for Statistical Processing (Including AI Development)<\/span><\/b><\/li>\n<\/ol>\n

    A central feature of the proposed amendments is the introduction of new exemptions from consent requirements for the acquisition and third-party provision of personal data, as well as for the acquisition of publicly available sensitive personal information, where such data is used solely for the creation of statistical information (including AI development).<\/span>\u00a0<\/span><\/p>\n

    Under the current APPI framework, personal data may\u00a0generally be\u00a0used within the scope of its specified purpose of use. However,\u00a0data subjects\u2019\u00a0consent is\u00a0required\u00a0for certain categories of processing, including the acquisition of sensitive personal information, use beyond the original purpose, and third-party provision. In practice, obtaining consent\u2014particularly at scale\u2014can be challenging, and reliance on statutory exceptions has been a recurring issue.<\/span>\u00a0<\/span><\/p>\n

    The proposed amendments appear intended, at least in part, to address legal uncertainties that have arisen in the context of AI development.\u00a0In particular, two\u00a0issues have attracted attention:<\/span><\/p>\n

      \n
    • whether the handling of personal data by AI service providers can becharacterisedas processing on behalf of another entity (akin to a \u201cprocessor\u201d concept), thereby avoiding consent requirements; and<\/span>\u00a0<\/span><\/li>\n
    • \u2022 whether the collection of publicly available information for training purposes\u2014particularly where such information includes sensitive personal information\u2014may give rise to compliance concerns under the APPI.<\/span>\u00a0<\/span><\/li>\n<\/ul>\n

      The introduction of a statutory exemption for statistical processing is expected to provide greater legal certainty in these areas. The amendment bill introduces a new concept of \u201cstatistical processing,\u201d which is defined as the creation of information relating to trends or characteristics derived from a large volume of data, through extraction, classification, comparison or other forms of analysis, provided that such information does not constitute personal information and that the processing is unlikely to harm individuals\u2019 rights and interests. The exemption applies where personal data is processed for such purposes or provided to a third party for such purposes.<\/span>\u00a0<\/span><\/p>\n

      In the context of AI development,\u00a0while further clarification on the scope of this concept is awaited,\u00a0it is\u00a0generally expected\u00a0that typical training activities would fall within this concept. In practice, therefore, the key issue is likely to be how the relevant conditions attached to the exemption can be satisfied, rather than whether the processing itself falls within the definition.<\/span>\u00a0<\/span><\/p>\n

      In this regard, the exemption is subject to a number of conditions, including:<\/span><\/p>\n

        \n
      • public disclosure of the intended statistical processing and prescribed matters;<\/span><\/li>\n
      • continued availability of such disclosures;<\/span><\/li>\n
      • restrictions on the scope of use;<\/span><\/li>\n
      • prohibition of further third-party provision; and<\/span><\/li>\n
      • implementation of appropriate security measures.<\/span>\u00a0<\/span><\/li>\n<\/ul>\n

        These safeguards suggest that the exemption is not intended to provide a\u00a0blanket\u00a0relaxation, but rather to\u00a0permit\u00a0specific forms of data use within a structured compliance framework.\u00a0In particular, restrictions\u00a0on downstream use and onward transfer may limit the flexibility of certain business models.\u00a0In addition, the level of detail\u00a0required\u00a0for the public disclosure of the intended statistical processing is likely to be an important practical issue.<\/span>\u00a0<\/span><\/p>\n

        The implications extend beyond AI developers to companies deploying AI tools or analytics platforms. Such companies may need to confirm, both legally and contractually, whether the relevant processing falls within the scope of the exemption and how compliance responsibilities are\u00a0allocated\u00a0between the parties. As a result, contractual frameworks governing data use\u2014particularly in AI-related arrangements\u2014are likely to require careful review.<\/span>\u00a0<\/span><\/p>\n

          \n
        1. Expanded Exceptions to the Consent Requirement<\/span><\/b><\/li>\n<\/ol>\n

          The amendments also introduce broader flexibility in relation to the consent requirement.<\/span>\u00a0<\/span><\/p>\n

          First, consent would not be\u00a0required\u00a0where it is clear,\u00a0in light of\u00a0the circumstances of acquisition, that the processing does not conflict with the individual\u2019s intent and does not harm the individual\u2019s rights or interests.\u00a0<\/span>\u00a0<\/span><\/p>\n

          This\u00a0appears to codify\u00a0certain transactional data flows that are widely understood as inherent to service provision\u2014for example, the sharing of booking information with a hotel or the transfer of remittance data between financial institutions. While reliance on implied consent has not been entirely precluded under the current framework, it has been approached cautiously in practice. The proposed amendment may provide greater comfort in\u00a0recognising\u00a0such \u201cexpected\u201d data flows.<\/span>\u00a0<\/span><\/p>\n

          At the same time, the scope of this exception will\u00a0likely require\u00a0careful interpretation. The threshold that processing be \u201cclearly\u201d consistent with the individual\u2019s intent may impose a\u00a0relatively high\u00a0bar, particularly in more complex or multi-party data ecosystems.<\/span>\u00a0<\/span><\/p>\n

          Second, in cases where personal data is handled for the protection of life, body or property (including that of legal entities), the existing requirement that obtaining consent be \u201cdifficult\u201d is supplemented by an additional standard of \u201creasonable grounds\u201d\u00a0for not obtaining consent, thereby relaxing the conditions for relying on this exception.\u00a0<\/span>\u00a0<\/span><\/p>\n

          This change may be of practical relevance in cross-border contexts, such as when responding to requests from foreign regulators or courts. Under the current framework, it can be difficult to\u00a0demonstrate\u00a0that obtaining consent is \u201cdifficult,\u201d\u00a0whereas\u00a0the introduction of the\u00a0additional\u00a0\u201creasonable grounds\u201d standard may allow for a more flexible assessment, subject to\u00a0appropriate justification.<\/span>\u00a0<\/span><\/p>\n

            \n
          1. Risk-Based Approach to Data Breach Notification<\/span><\/b><\/li>\n<\/ol>\n

            The proposed amendments also introduce a more risk-based approach to data\u00a0breach\u00a0notification.<\/span>\u00a0<\/span><\/p>\n

            Under the current APPI, notification to affected individuals is\u00a0required\u00a0where certain thresholds are met, subject to limited exceptions. The amendments would allow notification to be replaced with alternative measures where the risk to individuals\u2019 rights and interests is low.\u00a0<\/span>\u00a0<\/span><\/p>\n

            This change\u00a0appears to address\u00a0concerns that the current framework may impose notification obligations even in cases where the practical impact on individuals is minimal\u2014for example, where leaked data consists solely of internal identifiers with no standalone meaning.<\/span>\u00a0<\/span><\/p>\n

            In addition, the Personal Information Protection Commission (PPC) has\u00a0indicated\u00a0that procedural aspects of\u00a0breach\u00a0reporting may be reviewed, including potential exemptions from preliminary reporting and more flexible handling of minor incidents.<\/span>\u00a0<\/span><\/p>\n

            Taken together, these developments suggest a gradual shift away from a purely formalistic approach toward a framework that places greater emphasis on substantive risk assessment. For businesses, this may enable more proportionate allocation of compliance resources, although it will also require the development of internal methodologies for assessing risk levels.<\/span>\u00a0<\/span><\/p>\n

              \n
            1. Clarification of Obligations for Service Providers<\/span><\/b><\/li>\n<\/ol>\n

              The amendments clarify the obligations of service providers handling personal data on behalf of others.<\/span>\u00a0<\/span><\/p>\n

              Unlike regimes such as the GDPR, the APPI does not formally distinguish between controllers and processors. The proposed amendments, however, introduce elements that move in that direction, including:<\/span>\u00a0<\/span><\/p>\n

                \n
              • an explicit prohibition on processing beyond the scope necessary for performing entrusted services; and\u00a0<\/span>\u00a0<\/span><\/li>\n
              • a framework under which certain obligations may be relaxed where specified contractual arrangements are in place.\u00a0<\/span>\u00a0<\/span><\/li>\n<\/ul>\n

                In particular, the amendments indicate that where appropriate contractual terms are agreed between the parties\u2014such as those relating to the handling of personal data and reporting obligations in the event of non-compliance\u2014the service provider may be exempt from certain obligations, other than core requirements such as purpose limitation and security measures.<\/span>\u00a0<\/span><\/p>\n

                This clarification may have practical implications for how responsibilities are\u00a0allocated\u00a0between parties. Under the current framework, service providers are\u00a0generally subject\u00a0to the full set of obligations under the APPI, which has sometimes led to uncertainty in structuring outsourcing arrangements. The proposed amendments may provide a clearer basis for\u00a0allocating\u00a0compliance responsibilities contractually.<\/span>\u00a0<\/span><\/p>\n

                This development may\u00a0facilitate\u00a0greater alignment with international data governance frameworks. For multinational\u00a0organisations, it may also enable more consistent structuring of intra-group and outsourcing arrangements, reducing the need for jurisdiction-specific deviations. At the same time, businesses may need to review existing contractual arrangements to ensure that they meet the requirements for relying on the proposed framework.<\/span>\u00a0<\/span><\/p>\n

                III. Strengthening Regulation and Enforcement<\/span><\/b>\u00a0<\/span><\/h4>\n
                  \n
                1. Introduction of Administrative Surcharges<\/span><\/b><\/li>\n<\/ol>\n

                  The proposed amendments introduce an administrative surcharge regime, which\u00a0represents\u00a0a significant development in the enforcement framework under the APPI.\u00a0<\/span>\u00a0<\/span><\/p>\n

                  Under the current system, the PPC primarily relies on administrative measures, such as guidance,\u00a0recommendations\u00a0and orders, with criminal penalties applying only in limited cases. The introduction of a surcharge system\u00a0indicates\u00a0that enforcement may become more focused on deterrence, particularly in cases involving misuse of personal data.<\/span>\u00a0<\/span><\/p>\n

                  The surcharge may be imposed where a business operator both (a) engages in certain specified violations, and (b) obtains economic benefit from such conduct. In outline, the framework can be\u00a0summarised\u00a0as follows:<\/span>\u00a0<\/span><\/p>\n

                  (i) Scope of violations<\/span><\/b><\/p>\n

                  The surcharge applies to certain categories of conduct, including:<\/span><\/p>\n

                    \n
                  • Improper acquisition of personal information;<\/span><\/li>\n
                  • provision of personal data to a third party that is expected to use the data for unlawful or discriminatory purposes;<\/span><\/li>\n
                  • use of personal information at the request of a third party in circumstances where such misuse is anticipated;<\/span><\/li>\n
                  • unlawful third-party provision of personal data (including cases involving minors); and<\/span><\/li>\n
                  • misuse of the exemption for statistical processing.<\/span>\u00a0<\/span><\/li>\n<\/ul>\n

                    (ii) Exclusions<\/span><\/b>
                    \nThe surcharge may not apply in certain cases, including where:<\/span>
                    \n\u2022 the business operator exercised due care to prevent the violation; or<\/span>
                    \n\u2022 the impact on individuals is limited (for example, where the number of affected individuals does not exceed a specified threshold\u00a0(i.e., 1,000 individuals)).<\/span>\u00a0<\/span><\/p>\n

                    (iii) Calculation method<\/span><\/b>
                    \nThe amount of the surcharge is\u00a0generally based\u00a0on the economic benefit obtained from the violation. Unlike regimes such as the GDPR, there is no explicit upper limit linked to turnover.<\/span>\u00a0<\/span><\/p>\n

                    It should also be noted that violations relating to security measures are not included within the scope of the surcharge regime. This suggests that the system is primarily intended to address cases where personal data is used or provided in a manner that gives rise to economic gain, rather than general failures in data management.<\/span>\u00a0<\/span><\/p>\n

                    From a practical perspective, this framework is likely to result in increased scrutiny of data sharing arrangements and business models involving the use of personal data. Businesses may therefore need to review how personal data is used and transferred, particularly in cases where such use is linked to revenue generation. In addition, it may become increasingly important to document internal decision-making processes and compliance measures,\u00a0in order to\u00a0demonstrate\u00a0that\u00a0appropriate care\u00a0has been taken.<\/span>\u00a0<\/span><\/p>\n

                    In addition, although the introduction of the surcharge regime\u00a0represents\u00a0a significant development, the practical impact will depend on how actively the PPC makes use of these powers. In this respect, it will be important to\u00a0monitor\u00a0enforcement trends following the implementation of the amendments, including the types of cases in which surcharges are imposed and the approach taken in calculating the relevant amounts.<\/span>\u00a0<\/span><\/p>\n

                      \n
                    1. Enhanced Protection of Children (Under 16)<\/span><\/b><\/li>\n<\/ol>\n

                      The proposed amendments introduce a statutory framework for the protection of children under the age of 16.\u00a0<\/span>\u00a0<\/span><\/p>\n

                      Under the current APPI, there is no explicit provision\u00a0regarding\u00a0children\u2019s data, although guidance\u00a0indicates\u00a0that consent from a legal guardian may be\u00a0required\u00a0in certain cases. The amendments would\u00a0formalise\u00a0this approach and introduce\u00a0additional\u00a0requirements.<\/span>\u00a0<\/span><\/p>\n

                      (i) Key requirements<\/span><\/b><\/p>\n

                      In particular, the amendments provide that:<\/span><\/p>\n

                        \n
                      • where consent is required under the APPI, such consent must be obtained from a legal guardian if the data subject is under 16;<\/span><\/li>\n
                      • notifications that would otherwise be provided to the individual must be given to the legal guardian;<\/span><\/li>\n
                      • children may exercise certain rights, such as requesting cessation of use or third-party provision; and<\/span><\/li>\n
                      • businesses are required to make efforts to take measures that prioritise the best interests of minors.<\/span>\u00a0<\/span><\/li>\n<\/ul>\n

                        Notably, these requirements are not limited to services specifically directed at children. As a result, a wide range of businesses may need to consider how the rules apply to their services, even where children are not the primary target users.<\/span>\u00a0<\/span><\/p>\n

                        (ii) Key practical issues<\/span><\/b>
                        \nA number of practical issues are likely to arise in implementation, including:<\/span><\/p>\n

                          \n
                        • how to determine whether a user is under 16;<\/span><\/li>\n
                        • what methods of age verification are required; and<\/span><\/li>\n
                        • how consent from a legal guardian should be obtained.<\/span>\u00a0<\/span><\/li>\n<\/ul>\n

                          A key issue in this regard will be the interpretation of the exception where the business operator has a \u201clegitimate reason\u201d for not knowing that the data subject is under 16. The scope of this exception is likely to affect whether businesses\u00a0are required to\u00a0implement age verification measures.<\/span>\u00a0<\/span><\/p>\n

                          At present, the amendments do not specify how age verification should be conducted. In practice, a range of approaches may be considered, including self-declaration by users or more robust verification methods. However, more stringent methods may impose a significant operational burden and may also raise\u00a0additional\u00a0data protection considerations.<\/span>\u00a0<\/span><\/p>\n

                          (iii) Practical impact<\/span><\/b>
                          \nFrom a practical perspective, these requirements may affect not only legal compliance, but also product design and user experience. Businesses may need to review onboarding processes, consent flows, and internal procedures for responding to data subject requests.<\/span>\u00a0<\/span><\/p>\n

                          In doing so, it will be important to balance compliance requirements with usability, particularly in services where excessive friction may affect user engagement. Further clarification from the PPC is expected to be important in\u00a0determining\u00a0how these requirements should be implemented in practice.\u00a0In particular, businesses\u00a0operating\u00a0online platforms or services with a broad user base may need to consider whether\u00a0additional\u00a0safeguards are required, even where children are not\u00a0the intended\u00a0users.<\/span>\u00a0<\/span><\/p>\n

                            \n
                          1. Expansion of Regulation to Non-PersonalInformation<\/span><\/b><\/li>\n<\/ol>\n

                            The amendments extend certain regulatory obligations to information that\u00a0does not constitute\u00a0\u201cpersonal information\u201d under the APPI, such as telephone numbers, email addresses (where they do not include a name) and cookie identifiers.<\/span>\u00a0<\/span><\/p>\n

                            While many\u00a0organisations\u00a0already apply similar controls to such data as part of global compliance frameworks, the formal extension of regulatory coverage underscores the increasing recognition of risks associated with these identifiers, including fraud and phishing.<\/span>\u00a0<\/span><\/p>\n

                            This development may have\u00a0relevance for digital advertising and online tracking practices.<\/span>\u00a0<\/span><\/p>\n

                              \n
                            1. Additional Requirements for Biometric Data<\/span><\/b><\/li>\n<\/ol>\n

                              Finally, the amendments introduce enhanced transparency requirements for biometric data, including facial recognition data.\u00a0<\/span>\u00a0<\/span><\/p>\n

                              Although such data is not classified as\u00a0sensitive\u00a0personal information under the APPI, the proposed rules reflect concerns\u00a0regarding\u00a0its potential impact on individuals.<\/span>\u00a0<\/span><\/p>\n

                              Businesses will\u00a0be required\u00a0to provide clearer disclosures and\u00a0facilitate\u00a0data subject rights, particularly in contexts involving surveillance or tracking technologies. Further regulatory guidance will be important in\u00a0determining\u00a0the practical scope of these obligations.<\/span>\u00a0<\/span><\/p>\n

                              \u00a0IV. <\/span>Conclusion and Outlook<\/span><\/b><\/h4>\n

                              The proposed amendments to the APPI represent a significant evolution of Japan\u2019s data protection framework, reflecting an effort to balance data\u00a0utilization\u00a0and regulatory control in an increasingly data-driven economy.<\/span>\u00a0<\/span><\/p>\n

                              From a practical perspective, the reforms signal an expectation that businesses adopt more structured and accountable approaches to data governance. This includes not only compliance with formal legal requirements, but also the implementation of internal processes to assess and manage data-related risks.<\/span>\u00a0<\/span><\/p>\n

                              Key areas of focus for businesses are likely to include:<\/span>\u00a0<\/span><\/p>\n

                                \n
                              • the scope and application of new exemptions for AI-related processing;\u00a0<\/span>\u00a0<\/span><\/li>\n
                              • governance of data-sharing arrangements\u00a0in light of\u00a0the surcharge regime;\u00a0<\/span>\u00a0<\/span><\/li>\n
                              • implementation of age verification and parental consent mechanisms; and\u00a0<\/span>\u00a0<\/span><\/li>\n
                              • enhanced transparency obligations for emerging data types.\u00a0<\/span>\u00a0<\/span><\/li>\n<\/ul>\n

                                As many aspects of the reforms will be further specified through regulations and guidelines, ongoing monitoring will be essential. Early engagement and preparation will enable businesses to adapt effectively and integrate Japanese requirements into broader global compliance strategies.\u00a0In this context, businesses may\u00a0benefit\u00a0from taking a proactive approach, including conducting gap analyses, reviewing internal policies and contractual arrangements, and considering how the proposed changes interact with existing global compliance frameworks. Early preparation may also help to reduce implementation risks once the amendments come into force.<\/span>\u00a0<\/span><\/p>\n","protected":false},"featured_media":0,"template":"","class_list":["post-140430","hot_topics","type-hot_topics","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/hot_topics\/140430","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/hot_topics"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/hot_topics"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=140430"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}