
Data Security Newsletter

Proposed Amendments to Japan’s Act on the Protection of Personal Information (APPI) (2026)—What You Need to Know

Ⅰ. Executive Summary

On April 7, 2026, the Japanese Cabinet approved a bill to amend the Act on the Protection of Personal Information (APPI), which has since been submitted to the Diet.

The bill includes both deregulatory measures and strengthened regulatory provisions. Key highlights include:

• A new consent exemption for statistical processing (e.g., AI development), allowing businesses to collect publicly available sensitive personal data and to share personal data with third parties for such purposes, subject to transparency measures and contractual safeguards. 

• Broader relaxation of consent requirements, including a new exception for processing that clearly does not prejudice individuals’ rights and interests, and a lowered threshold for existing public-interest exceptions.

• Specific protections for children’s personal data, requiring parental consent for children under 16 and granting children enhanced rights to request deletion or suspension of data use.

• New rules on biometric data, establishing a category of “Specific Biometric Personal Information” (e.g., facial recognition data) subject to heightened transparency requirements, expanded rights for individuals to request deletion, and a prohibition on third-party provision via the opt-out mechanism.

• Regulatory relief for entrusted data processors, exempting processors from most general APPI obligations where robust contractual safeguards are in place.

• Expanded enforcement powers for the Personal Information Protection Commission (PPC), including more flexible order-making authority and the ability to impose administrative fines for serious violations.

Assuming the bill passes the Diet in 2026, the new rules are expected to take full effect by 2028 at the latest.

The following sections provide an overview of these changes: (i) promoting appropriate data use, (ii) risk-based regulatory measures, (iii) preventing misuse of data, and (iv) enhanced enforcement and compliance.

Ⅱ. Promoting Appropriate Data Use

1. Consent Exemptions for Statistical Purposes (including AI Development)

One of the most consequential changes is the introduction of a new consent exemption for statistical and AI-related processing.

Under the current APPI, businesses must obtain the data subject’s explicit consent when obtaining sensitive personal data (“special care-required personal information” under the APPI) or when providing personal data to a third party, unless specific, narrow legal exceptions apply. This strict consent requirement has been a hurdle for businesses that need large, diverse datasets to develop AI models (datasets which may inadvertently include sensitive data) or that need to share such data with other businesses.

The amendment introduces an exemption for data handled solely for the “Creation of statistical information etc.,” which may include AI training.

• Definition of “Creation of statistical information, etc.”: Article 2(13) defines “Creation of statistical information, etc.” as the generation of statistics or the performance of other activities that involve extracting information from large volumes of data and analyzing that information through classification, comparison, or other methods, in order to derive information on trends or characteristics of the data set (excluding information relating to identifiable individuals). The scope of this concept is designated by regulations of the Personal Information Protection Commission (PPC) on the basis that it poses a low risk of harm to individuals’ rights and interests. “Creation of statistical information, etc.” is understood to include the development of AI models, provided that any correspondence between personal information contained in the training data and the data subjects has been eliminated. Since the precise scope of “Creation of statistical information, etc.” will be prescribed in the PPC regulations, it will be necessary to monitor the content of those regulations closely going forward.

• Collection of Sensitive Personal Data (e.g., web scraping): Under the new Article 30-2(1), businesses can now obtain publicly available sensitive personal data without obtaining prior consent, provided that the sole purpose is statistical creation or the provision of data to a third party for such purpose. Such businesses must follow certain requirements, including making certain information available to the public in advance and maintaining public availability of that information for as long as they handle the collected data, such as: (i) the name of the person or entity collecting the data, (ii) a description of the intended statistical processing or similar activities (including whether the data will be provided to third parties); and (iii) any other matters prescribed by the relevant regulations. Furthermore, using this collected sensitive data for any purpose other than the announced statistical creation is strictly prohibited (Article 30-2(4)).

• Third-Party Provision: Under Article 30-2(5) and Article 31-3(1), businesses may provide personal information[1] and personally referable information[2] to third parties without consent if the receiving third party needs the data solely for the Creation of statistical information, etc. (e.g., sharing a dataset with an AI development partner). Eligible recipients are limited to business operators handling personal information and administrative organs. If the recipient is located in a foreign country, it must establish an appropriate system of safeguards in accordance with PPC regulations. To rely on these exemptions, certain conditions must be met. The provider and the recipient must publicly announce in advance, via the internet or other appropriate means, their intent, the nature of the statistical creation, their identities, and any other matters prescribed by the relevant regulations (Article 30-2(5)(i); Article 31-3(1)(i)). In addition, the recipient must continue to make this information public for as long as it handles the provided data (Article 30-2(6); Article 31-3(2)). Furthermore, there must be a written agreement between the provider and the recipient explicitly stating that the data is provided strictly for this purpose (Article 30-2(5)(ii); Article 31-3(1)(ii)). The law strictly prohibits use of this data for any purpose other than the announced statistical creation (Article 30-2(4) and (9); Article 31-3(5)) and bars the recipient from further providing it to other third parties, with limited exceptions such as entrustment (Article 30-2(10) and (11); Article 31-3(6) and (7)).

2. Broader Relaxation of Consent Requirements

Under the current APPI, an individual’s consent is generally required for: (i) use of personal data beyond the original purpose, (ii) collection of sensitive personal data, and (iii) provision of personal data to third parties. Beyond statistics or AI-specific reforms, the bill relaxes these consent requirements in several additional contexts: 

• Exception for Clearly Non-Prejudicial Processing: The bill introduces a new exception where it is clear that the data processing does not conflict with the individual’s intent and does not harm their rights and interests (Article 18(3)(vii); Article 20(2)(vii); Article 27(1)(viii)). This includes cases where the processing is clearly necessary and unavoidable for the performance of a contract with the individual. The PPC is expected to identify other cases that fall under this exception by regulation. Typical illustrations likely to fall within this exception include a travel agency providing a customer’s personal data to a hotel to make a reservation on the customer’s behalf, or a bank disclosing remitter and beneficiary details to another bank in the course of a bank transfer.

• Relaxation of the “Difficulty” Requirement: The current exceptions for protecting life, body, or property, or for improving public health, require that obtaining consent be practically “difficult.” The amendment relaxes that standard: these exceptions may now also apply where there are “reasonable grounds for not obtaining consent,” not solely where obtaining consent is difficult (Article 18(3)(ii) and (iii); Article 20(2)(ii) and (iii); Article 27(1)(ii) and (iii)). The provision is intended to apply in situations where appropriate safeguards are in place to prevent invasions of the individual’s privacy and there is no real risk of unjustified infringement of the individual’s rights, which is what makes the grounds for not obtaining consent reasonable.

3. Exceptions for Medical Institutions

Currently, an exception to the consent requirement for certain academic research purposes applies only to universities and academic bodies. To support research activities by medical institutions—such as clinical case analyses—the amendment revises Article 16(9) to explicitly state that “academic research institutions” also include institutions or organizations whose purpose is the provision of medical care, such as hospitals. This change is expected to facilitate medical research and ease data sharing in the healthcare sector.

Ⅲ. Risk-based Regulatory Measures

1. Enhanced Protections for Children’s Data

Under the current APPI, there is no explicit reference to children in the statutory provisions. The current guidelines state that, where the consent of the data subject is required and a minor lacks the capacity to make decisions, consent must be obtained from a person with parental authority or a legal guardian. As for the relevant age, the PPC’s Q&A indicates that, as a general guide and subject to case-by-case assessment, children aged 12 to 15 or younger are considered to lack such decision-making capacity.

The amendment introduces statutory provisions governing the treatment of minors and newly defines the relevant age threshold.

• Parental consent and notice for children under 16: New Article 40-2(1) requires that, when a business handles the personal information of a child under 16, obligations such as obtaining consent (for example, for third-party disclosure) and providing privacy notices must be directed to the child’s parents or other statutory representative. Exceptions apply where: (i) the business has a reasonable basis for not knowing that the information relates to an individual under 16; (ii) the child’s statutory representative has authorized the child’s business activities and the information was obtained in connection with those activities; or (iii) the child has no statutory representative, or the business has reasonable grounds to believe that the child has no statutory representative.

• Strengthened rights for child data subjects: Article 35(9) and (10) introduce a special protective right for minors under 16. Minors (or their parents or statutory representatives) can, as a general rule, request the suspension of use, deletion, or suspension of third-party provision of their retained personal data without having to meet the requirements that apply to adults (for example, adults may be required to show that the data is no longer needed or that their rights or legitimate interests are at risk).

• Best Interests of the Child: A new overarching duty (Article 58-3(1)) requires businesses processing children’s personal data to take necessary measures to prevent harm to their rights, prioritizing the child’s best interests in light of their age and developmental stage. Furthermore, parents and other statutory representatives must also prioritize the minor’s best interests when exercising rights or giving consent on the minor’s behalf (Article 58-3(2)).

2. New Rules on Specific Biometric Information Including Facial Feature Data

The amendments introduce targeted regulations on facial feature data and similar biometric information, reflecting growing concerns about the use of facial recognition technology and the tracking of individuals through their biometric characteristics.

• Definition: Article 16(5) introduces the category “Specific Biometric Personal Information,” defined as personal information containing specific biometric codes derived from physical features that can be obtained easily and without specialized technology or high cost, and that are not readily apparent to the individual. Further details will be prescribed by government ordinance. A typical example is facial recognition data extracted from camera footage.

• Transparency requirements: Article 21-2 requires businesses processing this Specific Biometric Personal Information to notify individuals or otherwise make certain information readily accessible in advance. The required disclosures include the business name, the fact that specific biometric data is being handled, the purpose of use, the specific physical features being converted, and procedures for exercising rights.

• Prohibition of opt-out: Article 27(2) explicitly prohibits providing Specific Biometric Personal Information to third parties using the opt-out mechanism. (In practice, relatively few companies currently use opt out for third party disclosures under the existing law.)

• Strengthened right to suspend use: Under Article 35(7) and (8), individuals generally have the right to request the suspension of use or suspension of third-party provision of their Specific Biometric Personal Information without having to satisfy the requirements that apply to individuals’ rights in other contexts (similar to the protection granted to minors).

3. Revised Obligations for Entrusted Data Processors

The bill revises the regulatory framework applicable to entities entrusted with personal data processing (i.e., data processors engaged under outsourcing arrangements).

• Prohibition of use beyond the scope: The new Article 30-3 expressly prohibits an entrusted data processor from processing the entrusted personal data beyond the scope necessary to perform the entrusted service, except where such processing is permitted by law or is necessary for emergency responses, such as protecting human life or providing disaster relief.

• Reduced compliance burden for entrusted data processors: The new Article 58-2 provides significant regulatory relief for entrusted data processors. If (a) the entrustment contract strictly defines the data processing methods, breach reporting protocols, and other items required by PPC regulations, and (b) the entrusted data processor strictly adheres to those contractual provisions within the specific scope of the entrusted business, the entrusted data processor is exempt from the vast majority of the general obligations under Chapter 4, Sections 2 to 4 (Article 17 to Article 46). Specifically, the entrusted data processor no longer needs to individually notify individuals of the purpose of use or respond to data subjects’ rights requests directly (these should be handled by the entrusting party). However, certain fundamental duties always remain applicable to the processor, including security management measures (Article 23), the obligation to report data breaches (Article 26), and the strict prohibition of use beyond the entrusted scope (Article 30-3). In practice, the relief is only as good as the contract: a processor whose handling drifts outside the contractually defined methods or scope loses the exemption for that handling.

4. Streamlined Data Breach Notification

Under the current APPI, where a breach (or suspected breach) of personal data falls into one of four categories, namely (i) breaches involving sensitive personal information, (ii) breaches involving personal data that may cause financial harm if misused, (iii) breaches suspected to have been carried out with wrongful intent, such as cyberattacks, and (iv) breaches affecting more than 1,000 data subjects, businesses are required to notify the affected data subjects, regardless of any substantive assessment of whether, or how seriously, the breach actually puts those data subjects at risk.

The amendment introduces a more risk-based approach to the individual notification requirement. Under the revised Article 26(2), businesses will be exempt from directly notifying individuals if the PPC regulations designate the breach as having a “low risk of harming the rights and interests of the individual,” provided that the business takes necessary alternative measures to protect such rights (e.g., a public announcement).  

Ⅳ. Preventing Misuse of Data

1. Prohibition on Misuse of “Contactable Personally Referable Information”

The amendment closes a regulatory gap by extending the APPI’s prohibitions on improper use and unauthorized acquisition to a new category of “contactable personally referable information.” Until now, only personal information was subject to these prohibitions. The new rule (proposed Article 31-2) covers personally referable information which lets a holder directly contact or approach a specific individual — for example, a phone number, email address, or cookie ID.

The new Article 31-2 prohibits businesses from using contactable personally referable information in a manner that may encourage or induce illegal or unjust acts. It also outright bans the collection of such information through deception or other wrongful means.

2. Strengthened Opt-Out Scheme Oversight

The bill imposes new obligations on businesses that provide personal data to third parties under the opt-out mechanism. Specifically, businesses will be required to verify the identity of the recipient and confirm the recipient’s purpose of use before making any such provision (Article 27(7)). This is a response to incidents in which the opt-out scheme has been exploited by bad actors to compile and distribute personal information for use in fraud or other criminal activity. 

Ⅴ. Enhanced Enforcement and Compliance

1. Expanded PPC Enforcement Powers

• Flexible Order Requirements: For standard orders (which require a prior recommendation), the bill removes the current “imminent” requirement, allowing the PPC to act more flexibly (Article 148(2)). For emergency orders issued without a prior recommendation, the current law permits issuance only when “harms to an individual’s significant rights or interests” have actually occurred; the proposed amendment also allows the PPC to issue an emergency order when it recognizes that an infringement on an individual’s significant rights or interests is imminent and urgent action is required.

• Affirmative Corrective Actions: Article 148(1) through (3) broaden the PPC’s authority beyond ordering cessation of a violation. The PPC can now require affirmative measures to protect rights, explicitly including notifying affected individuals of the facts of the violation or making a public announcement, thereby compelling businesses to be transparent about their failures.

2. Requests to Third-Party Service Providers Assisting in Violations

The bill also introduces a statutory basis for the PPC to request third parties who assist or facilitate violations to take necessary measures to cease such violations. This provision is aimed at intermediaries and service providers whose platforms or services may be used to carry out data protection violations. Specifically:

• Article 148-2 establishes a legal basis for the PPC to request “Handling-Related Service Providers” (e.g., server hosts or cloud providers) to suspend their services or halt data processing on behalf of an entity that is violating the APPI.

• It also allows requests to “Specified Telecommunications Service Providers” (e.g., SNS platforms, search engines) to block the distribution of information that violates the APPI.

• To encourage cooperation, providers who comply with these requests are granted statutory legal immunity from civil damage claims brought by the violating businesses (Article 148-2(2) and (4)).

3. Enhanced Criminal Penalties

• Expansion of Illegal Provision Crime: The bill extends the offense of unlawful provision of a personal information database to include provision carried out for the purpose of causing harm (in addition to the existing offense of provision for unlawful profit). It also increases the statutory penalties for such offenses to up to 2 years’ imprisonment or a fine of up to JPY 1,000,000 (previously up to 1 year’s imprisonment or a fine of up to JPY 500,000) (Article 178).

• New Offense for Illegal Acquisition: Article 180 establishes a new offense for acquiring personal information through fraud, assault, intimidation, or other acts that harm the management of the data holder (such as unauthorized system access or physical theft), committed with the intent to obtain illegal profits or to cause damage. This also carries a penalty of up to 2 years of imprisonment or a fine of up to JPY 1,000,000.

4. Introduction of Administrative Fine System

For the first time in the APPI’s history, the bill introduces an administrative monetary penalty. Under the bill, where a serious violation of the APPI has resulted in the infringement of individuals’ rights or interests, the PPC may order the violating entity to pay an administrative fine equivalent to the economic benefit derived from the violation. The administrative fine mechanism is introduced in a targeted and limited form:

• Target Acts (Article 148-3): Fines apply only to the categories of violations expressly specified in Article 148-3. The specified categories are:

– providing personal information to a third-party while recognizing that the recipient is likely to use it for illegal acts or unjust discriminatory treatment;
– using personal information at the request of a third-party under similar circumstances;
– unlawful provision to a third-party in violation of Article 27(1);
– handling personal information in breach of the restrictions applicable to “Creation of statistical information, etc.” (i.e., exceeding the permitted scope of use or provision); and
– providing personal information in breach of the no-redistribution restrictions under that framework.

• Exceptions: The fine does not apply if (a) the violator exercised due care to prevent the violation, or (b) as provided by Cabinet Order, the number of affected individuals does not exceed 1,000 or the extent of harm to individuals’ rights and interests is not significant (as further defined by Cabinet Order).

• Calculation: The fine amount is designed to confiscate ill-gotten gains; it directly equals the financial benefits (money or other property) obtained as consideration for the violation or the avoidance of the violation. If a business refuses to cooperate with an investigation, the PPC can estimate the fine based on data from competitors or business partners (Article 148-4).

• Increased Fines for Repeat Offenders (Article 148-5): The calculated fine is multiplied by 1.5 for businesses that commit violations within 10 years of a previous administrative fine order.

• Leniency Program (Article 148-6): To encourage self-reporting, the fine can be reduced by 50% if the business voluntarily reports the violation to the PPC before an investigation is anticipated.

Ⅵ. Outlook and Conclusion

The amendments are to come into force within two years from the date of promulgation. The PPC is reportedly seeking passage of the bill during the current parliamentary session. Assuming the bill is enacted in 2026, businesses can expect the new rules to take full effect by 2028 at the latest.

Businesses should analyze the impact of the proposed amendments on their operations. There will likely be aspects from which they benefit due to deregulation, as well as aspects where their burden increases due to strengthened regulation. Although certain points remain unclear from the text of the provisions alone, an initial analysis is already possible. In addition, close attention should be paid to the content of the cabinet orders, PPC regulations, and guidelines to be established after enactment of the amended law, and businesses may also consider submitting comments in the relevant public comment procedures to seek clarification and influence the practical application of the new rules.

[1] Information relating to a living individual that: (i) can identify a specific individual from the descriptions contained therein (including information that, when readily collated with other information, enables identification of a specific individual), or (ii) contains an individual identification code.
[2] Information relating to a living individual that does not constitute personal information, such as a cookie ID and the online behavioral history associated with it.
