Japan Privacy Law Reform 2026: AI Data Rules Relaxed, Surcharges Introduced

On April 8, 2026, the Japanese government approved an amendment bill to the Act on the Protection of Personal Information (APPI) at a Cabinet meeting. This is a major revision based on the mandatory three-year review clause (Supplementary Provision Article 10), built around two pillars: promoting data utilization for the AI and big data era and strengthening deterrence against violations.

Digital Minister Matsumoto stated after the Cabinet decision that "delays would create significant obstacles to AI development," expressing the government's intention to pass the bill during the current Diet session.

The main elements of the amendment are:

1. Relaxation of consent requirements for AI training and statistical data use
2. Introduction of a surcharge system
3. Strengthened criminal penalties (including heavier corporate fines)
4. Expansion of individual rights protections

Each point is explained in detail below.

---

Under current law, using personal data beyond the originally stated purpose or providing it to third parties without consent is generally prohibited. However, AI development requires training on massive datasets, and obtaining individual consent from each person has become practically impossible in many cases.

The EU's GDPR allows processing based on "legitimate interests," and the United States is developing guidelines for generative AI data usage. There was a growing concern that maintaining strict consent requirements would undermine Japan's international competitiveness in AI development.

The amendment permits the use of personal data without opt-in consent only when both of the following conditions are met simultaneously:

In other words, AI training using data that can identify specific individuals still requires consent. The relaxation is limited to statistical processing, AI model training using anonymized data, and academic research purposes.

• Training recommendation engines using anonymized purchase data
• Pre-training large language models (LLMs) on large text corpora
• Epidemiological research through statistical analysis of medical data
• Urban planning simulations based on anonymized location data

• Profiling specific individuals
• Retaining data in a re-identifiable form
• Using data containing sensitive information (medical history, criminal records, race, etc.)

---

One of the most significant additions in the amendment is the surcharge system. Previously, the APPI relied on administrative guidance/orders from the Personal Information Protection Commission (PPC) and criminal penalties for order violations. However, there was no mechanism to directly strip economic gains, creating a situation where "it pays to violate the law."

1. The PPC identifies and confirms the violation
2. The business is given an opportunity to present its defense (under the Administrative Procedure Act)
3. The PPC calculates the surcharge amount and issues a payment order
4. The business may file a revocation lawsuit if it objects

Unlike the Antimonopoly Act's surcharge system (which imposes a fixed percentage of revenue), the APPI surcharge is based on illicit profits. This more flexible calculation standard was adopted because determining "revenue" from personal data is often difficult.

---

The amendment strengthens criminal penalties in the following ways:

• Increased statutory penalties for violating PPC orders
• Introduction of heavier corporate fines (imposing higher fines on corporations than on individuals)
• Stricter penalties for providing or misappropriating personal information for illicit profit

Heavier corporate fines follow the same trend seen in recent cartel regulations and financial instruments law, aiming to increase incentives for companies to establish compliance systems.

---

If passed in the current Diet session, the amended law is expected to take effect within one to two years of promulgation. It is important to begin preparations well before the enforcement date.

Conduct a thorough inventory of all personal data your company holds, identifying what data is used for what purpose. In particular, verify:

• Whether any data is being used for AI development or machine learning
• Whether that data has been properly anonymized or remains personally identifiable
• Whether actual usage matches the purposes stated in your privacy policy

To benefit from the relaxed rules, you must meet the standards for creating anonymously processed information. Re-examine the current anonymization guidelines and verify whether your anonymization processes are sufficient.

Companies handling personal data of 1,000 or more individuals are potential targets of the surcharge system. Check the following:

• Are your data acquisition channels lawful (consent status, terms of service provisions, etc.)?
• If you provide data to third parties, is the recipient's management framework adequate?
• Have you purchased any data from data brokers?

Plan revisions to your personal information handling regulations and employee training programs. Education is particularly important for departments handling large volumes of personal data, such as AI development and marketing teams.

With the introduction of surcharges, the impact of data breach incidents becomes significantly greater. Re-examine your initial response procedures, PPC reporting framework, and individual notification process.

---

The amendment expands the scope of individuals' rights to request that businesses stop using or delete their personal data. Under current law, this is limited to cases of purpose-exceeding use or unlawful acquisition. After the amendment, it will be exercisable whenever the individual has a legitimate reason to request cessation.

The amendment also includes enhanced inspection authority and expanded staffing for the Personal Information Protection Commission. This is expected to improve law enforcement effectiveness and enable earlier detection and correction of violations.

While consent is no longer required for AI training purposes, businesses will be obligated to establish opt-out procedures allowing individuals to request that their data not be used for AI training. Businesses must present opt-out methods in a clear and accessible manner.

---

This amendment is also designed with awareness of the EU AI Act and US state privacy laws.

• EU: A two-layered structure where GDPR's "legitimate interests" provision allows AI training data use under certain conditions, while the AI Act imposes strict regulations on high-risk AI
• US: No comprehensive federal privacy law yet, but California's CCPA/CPRA establishes a "right to opt out of automated decision-making"
• Japan (post-amendment): An approach that waives consent only for anonymized/statistical purposes while deterring violations through surcharges

Japan's amendment can be characterized as a middle-ground approach — less regulatory than the EU, but less laissez-faire than the US.

---

The APPI amendment approved by the Cabinet on April 8, 2026 is a landmark legal reform that redefines the balance between data utilization in the AI era and the protection of individual rights.

For businesses, while the scope for AI development and data analysis expands, the introduction of surcharges means compliance has become more important than ever. Companies should urgently work on establishing data governance frameworks, reviewing privacy policies, and strengthening internal education in preparation for the amended law's enforcement.

For individuals, it is important to understand how to exercise opt-out rights and to take an active interest in how your data is being used.

As the details of the amendment will be finalized during Diet deliberations, we recommend continuously following the latest developments. If you have questions about personal data handling or data use in AI development, please consult a lawyer specializing in this field.