On April 7, 2026, Japan’s Cabinet approved a bill to amend the Act on the Protection of Personal Information (APPI) (Act No. 57 of 2003). The reform pulls in two directions at once: it relaxes data-use rules to accelerate AI development while strengthening enforcement through a first-ever surcharge (administrative fine) system. This article summarizes the eight key points known as of June 2026 and the compliance steps companies should begin now.
Overview — Expanded Use and Stronger Enforcement Together
The amendment stems from the APPI’s triennial review obligation (Supplementary Provision Article 10). The bill is being deliberated in the 2026 ordinary Diet session, with enforcement expected in 2028. Although there is lead time, data inventory and privacy-policy revisions take months, so starting in 2026 is strongly recommended.
| Category | Main amendment items |
|---|---|
| Expanded use | (1) Consent exception for AI training / statistical use (2) Streamlined processor obligations (3) Simplified breach reporting |
| Stronger rules | (4) Surcharge system (5) Biometric data rules (6) Protection of minors (7) Broader ban on improper use (8) Expanded criminal liability |
(1) Waiving Consent for AI Training and Statistical Use
The headline change lets companies use personal information for AI development and statistics without obtaining the individual’s consent, where the processing is statistical and does not identify individuals, or where it is clearly unlikely to harm the person’s rights and interests. This relaxes the consent principles under APPI Article 18 (purpose limitation) and Article 27 (restriction on third-party transfer), addressing the data bottleneck for generative AI. The boundary of “clearly no harm” will be the key practical question. See also Generative AI Copyright Litigation in Japan.
Free Tool Related to This Article
Contract Risk Checker
Try our free simulator related to this topic.
Try for free →(2) The Surcharge System — The Core of Enforcement
Until now, APPI sanctions were limited to corrective orders and criminal penalties for non-compliance (e.g., Article 178). The amendment introduces an administrative surcharge based on the financial benefit (illicit gains) obtained through the violation, enforceable by the Personal Information Protection Commission (PPC).
| Surcharge design | Content |
|---|---|
| Three covered acts | Improper acquisition, improper use, unlawful third-party provision (a breach caused merely by inadequate security measures is NOT covered) |
| Scale threshold | The violation must affect more than 1,000 individuals |
| Calculation base | The financial benefit (illicit gains) obtained as consideration for the violation |
| Adjustments | 1.5x for repeat offenders; 50% reduction for voluntary self-reporting (leniency) |
This moves Japan closer to the GDPR fine regime and affects the Japanese operations of global companies. For the GDPR comparison, see GDPR and Japan’s Adequacy Decision; for a detailed analysis as of the Cabinet decision, see Japan APPI Amendment Bill Approved.
(3) Rules for Specified Biometric Personal Information
Facial-recognition data, fingerprints, DNA, and voiceprints are newly classified as “specified biometric personal information” with heightened handling rules. Operators using facial recognition for security cameras or access control must revisit purpose specification and security measures.
(4) Stronger Protection for Minors (Under 16)
Processing the personal data of those under 16 will generally require guardian consent. Operators of apps, games, and social media aimed at minors must redesign age-verification and consent flows.
(5)–(8) Other Amendments
- Broader ban on improper use of “specified individual-approach information” that could lead to discriminatory treatment
- Simplified breach reporting for minor incidents, concentrating resources on serious cases
- Recalibrated processor obligations between data controllers and processors
- Expanded criminal liability for improper acquisition and provision
Three Compliance Steps to Start Now
- Data mapping — inventory the types, sources, and purposes of personal data, flagging biometric and minor data
- Privacy-policy revision — clarify AI-training use and purpose specification in line with the reform
- Processor management review — re-examine outsourcing contracts and oversight on the assumption of surcharge risk
Building a personal-data governance framework and surcharge-ready internal rules is best discussed early with a lawyer.
Primary Sources
- Personal Information Protection Commission (PPC): https://www.ppc.go.jp/en/
- e-Gov Law Search — Act on the Protection of Personal Information: https://laws.e-gov.go.jp/law/415AC0000000057
