Japan: Overview and Key Points of the Amendments to the APPI
We published a newsletter regarding Overview and Key Points of the Amendments to the APPI. To view PDF version, please click the following link.
→Overview and Key Points of the Amendments to the APPI
Overview and Key Points of the Amendments to the APPI
May 2026
One Asia Lawyers Tokyo Office
On April 7, 2026, the Bill for Partial Amendment of the Act on the Protection of Personal Information and Other Related Laws (hereinafter, the “Amendment Bill”) was approved by the Cabinet.
The Amendment Bill will generally enter into force within two years from the date of promulgation, and subordinate legislation including cabinet orders, Personal Information Protection Commission (“PPC”) rules, and guidelines are expected to be developed in due course.
This newsletter provides an overview of the Amendment Bill in Section I, followed by three key points in Section II.
I. Overview of the Amendment Bill
The Amendment Bill aims to facilitate smooth data sharing conducive to the utilization of AI, while also ensuring the appropriate protection of the rights and interests of individuals.
The main amendments under the Amendment Bill may be categorized into the following three perspectives, as summarized below
- Areas where regulations have been relaxed
- Areas where regulations have been strengthened
- Areas where enforcement has been strengthened
| Overview of the Amendment Bill | ||
| Regulatory Relaxation / Promoting Data Utilization | Regulatory Strengthening | Enforcement Strengthening |
| Exception for Statistical Compilation, Etc. (Articles 30-2, 31-3) ▶ Where personal data, etc. is to be used solely for statistical compilation, etc., provision to third parties and acquisition of publicly available special care-required personal information are permitted without the data subject’s consent Relaxation of Consent Requirements (Article 16, para. 9; Article 18, para. 3; Article 20, para. 2; Article 27, para. 1) ▶ Where, given the circumstances of collection, it is clear that the handling does not run counter to the data subject’s wishes and does not harm the data subject’s rights and interests,consent is not required for use beyond the specified purpose, acquisition of special care-required personal information, or provision to third parties ▶ Relaxation of the requirement that consent be difficult to obtain, in cases involving handling for the protection of life, etc., or the promotion of public health, etc. ▶ Clarification that “academic research institutions, etc.” includes institutions or organizations whose purpose is the provision of medical care Exemption from Obligations for Commissioned Parties (Article 58-2) ▶ Exemption from obligations as a personal information handling business operator for commissioned parties that do not independently determine the method of handling Breach Reporting and Notification to Data Subjects (Article 26, para. 2) ▶ Where, in the event of a breach, etc., there is little risk that the protection of data subjects’ rights and interests would be inadequate, the obligation to notify data subjects is relaxed and alternative measures may be taken instead |
Facial Feature Data, Etc. (Articles 21-2, 27 para. 2, 35 paras. 7·8) ▶ Obligation to provide advance notice of the purpose of use, etc. ▶ Provision to third parties via opt-out is prohibited ▶ Expanded right of data subjects to request suspension of use, etc. Personal Information of Children (Under 16 Years of Age) (Article 35 paras. 9·10, Article 40-2, Article 58-3) ▶ Mandatory involvement of statutory representatives in consent-obtaining and notification procedures ▶ Requests for suspension of use, etc. are now available regardless of whether a violation has occurred Clarification of Commissioned Party’s Obligations (Article 30-3) ▶ Statutory codification of the obligation prohibiting commissioned parties from handling entrusted personal data, etc. beyond the scope necessary for the performance of the commissioned work Prevention of Inappropriate Use, Etc. (Article 27, para. 7; Article 31-2) ▶ Prohibition of inappropriate use and unlawful acquisition of information that, while not personal information, enables outreach to specific individuals ▶ Mandatory advance verification of the identity and purpose of use of the recipient when providing personal data under the opt-out regime |
Recommendations and Orders (Articles 148, 148-2) ▶ Review of the requirements for issuing orders ▶ The PPC may issue recommendations and orders requiring measures to notify or publicly disclose to data subjects facts relating to violations, and other measures necessary to protect data subjects’ rights and interests; recommendations and orders may now be issued regardless of whether a violation has occurred ▶ Establishment of a legal basis for requesting third parties that assist in violations to take measures necessary to cease the violating conduct Strengthening of Criminal Penalties (Articles 178–180) ▶ Increase in the statutory maximum penalties ▶ Addition of acts of providing personal information database, etc. with the intent to cause harm as subject to criminal penalties ▶ Addition of penalties for the act of unlawfully acquiring personal information through fraudulent means, etc. Introduction of Administrative Surcharge System (Articles 148-3 through 148-17) ▶ Where individual rights and interests are harmed, etc., as a result of a serious violation, an order to pay an administrative surcharge equivalent to the financial benefit gained from the violating conduct |
| Effective Date: Within two years from the date of promulgation — Cabinet orders, PPC rules, guidelines, etc. are to be developed in due course. Article numbers cited refer to those in the Amendment Bill. |
||
II. Key Points of the Amendment Bill
1. Exception for Cases Involving the Purpose of Statistical Compilation, Etc.
Under current law, the acquisition of special care-required personal information and provision of personal data to third parties generally require the consent of the data subject. However, the Amendment Bill introduces an exception permitting, without the data subject’s consent, the acquisition of publicly available special care-required personal information and the provision of personal data, etc. to third parties, provided that such data will be used solely for “statistical compilation, etc.” It is expressly stated that “AI development and similar activities that can be categorized as statistical compilation, etc.” fall within the scope of “statistical compilation, etc.,” and the exception is expected to facilitate data sharing across companies and the development of AI training datasets.
To utilize this exception, the following conditions must be satisfied: (1) disclosure of certain information, including the name of the acquirer/provider and the content of the planned statistical compilation, etc.; and (2) in the case of provision to a third party, a written agreement between the provider and the recipient confirming that the provision is made solely for the purpose of statistical compilation, etc. Additionally, data acquired or provided under this exception is prohibited from being used beyond the stated purpose or from being re-provided to third parties.
As for which specific AI development activities qualify as “statistical compilation, etc.,” it will be necessary to closely monitor the content of forthcoming rules and guidelines.
Please note that violations of this exception may be subject to an administrative surcharge. The following are examples of specific violations:
| By the Acquirer Prohibition on Use Beyond Stated Purpose / Provision to Third Parties | By the Recipient Prohibition on Use Beyond Stated Purpose / Provision to Third Parties |
| Where special care-required personal information acquired solely for the purpose of statistical compilation, etc. is: ▶ sold directly to a third party without being subjected to statistical compilation, etc. (except where such provision is made in reliance on this exception) ▶ used to generate revenue by providing advertising distribution services to client companies without being subjected to statistical compilation, etc. |
Where personal data received for the purpose of statistical compilation, etc. is: ▶ sold directly to a third party without being subjected to statistical compilation, etc. ▶ used to generate revenue by providing advertising distribution services to client companies without being subjected to statistical compilation, etc. |
(Personal Information Protection Commission Secretariat, “On the Bill for Partial Amendment of the Act on the Protection of Personal Information and Other Related Laws” (April 2026), p. 20. URL: https://www.ppc.go.jp/files/pdf/260407_kisyahaifusiryou.pdf)
2. No Consent Required Where It Is Clear That Handling Does Not Run Counter to the Data Subject’s Wishes
With respect to use beyond the specified purpose, acquisition of special care-required personal information, and provision to third parties, the data subject’s consent is not required where “given the circumstances of collection, it is clear that the handling does not run counter to the data subject’s wishes and does not harm the data subject’s rights and interests.”
Illustrative scenarios presented by the PPC include: cases where a hotel reservation website provides the name of the reservation holder to the hotel (information sharing that is naturally anticipated given the nature of the reservation service contract), and cases where a remitting financial institution provides information about the sender to the receiving financial institution in the context of international remittances[1] While formal consent has previously been required in such situations, the amendment will allow business processes to be revised to reflect actual practice. The specific scope of applicable cases is to be defined in PPC rules, etc.
3. Obligation to Verify the Identity and Purpose of Use of the Recipient under the Opt-Out Regime
The opt-out regime is a system that allows personal data to be provided to third parties without the data subject’s consent, on the condition that the provision will be stopped upon the data subject’s request (Article 27, para. 2 of the current Act). Currently, cases have emerged in which unscrupulous list brokers exploit this regime to sell personal data lists to parties engaged in unlawful conduct.
The Amendment Bill introduces a provision requiring providers who provide personal data under the opt-out regime to verify in advance the identity of the recipient (name or trade name, address, and name of representative) and the recipient’s purpose of use.
Where a recipient provides false information during verification, such conduct will be subject to a non-criminal fine (“karyou”).
Please note that cases where the personal data was publicly disclosed by the data subject, a national authority, a local government, or similar entity at the time of its collection, etc. are excluded from the verification obligation.
III. Conclusion
As the Amendment Bill has been submitted to the extraordinary session of the National Diet following Cabinet approval, it will enter into force once passed by both chambers.
As the specifics of many of the regulatory requirements are to be finalized through forthcoming cabinet orders, PPC rules, and guidelines, it will be necessary to monitor further developments.
Our firm will continue to keep you informed of developments regarding subordinate legislation and guidelines.
[Reference Materials]
Personal Information Protection Commission• Press Release: Cabinet Decision on the “Bill for Partial Amendment of the Act on the Protection of Personal Information and Other Related Laws” (April 7, 2026)
https://www.ppc.go.jp/news/press/2026/260407/
———
[1] Ibid., Personal Information Protection Commission Secretariat, “On the Bill for Partial Amendment of the Act on the Protection of Personal Information and Other Related Laws” (April 2026), p. 7.
