In brief

After a longer‑than‑anticipated review process, Japan has unveiled the long‑awaited bill for reform of its data protection regime. On 7 April 2026, the Cabinet approved and submitted to the Diet a bill (“Bill”) to amend the Act on the Protection of Personal Information (APPI).

The Bill proposes several important amendments, including the following:

  • New exceptions to the consent requirement
  • Protection of minors’ data and biometric data rules
  • Obligations applicable to data processors
  • Introduction of administrative fines

Together, these amendments signal a more nuanced, risk‑based approach to privacy regulation in Japan.

Recommended actions for businesses

Businesses engaged in the following activities are encouraged to take action:

  • AI and other statistical use of data
    Assess whether you may rely on newly introduced exceptions designed to promote appropriate data use and, if so, prepare to make the required public disclosures and review the relevant agreements.
  • Children’s data
    If your company handles children’s personal information, review processes for obtaining parental consent and responding to requests to exercise individual rights.
  • Facial recognition data and other biometric data
    If biometric information is used, determine whether the data collected qualifies as biometric information under the Bill and prepare for enhanced transparency obligations.
  • Outsourcing of data processing
    Review and update data processing agreements to ensure that they clearly define the scope of processing, breach notification obligations and other terms required by regulation in order to take advantage of the proposed relaxation of processor obligations under the Bill.

The proposed amendments are expected to take effect within two years of their promulgation. Many obligations will be further detailed in future regulations and guidelines which have not yet been published. Businesses should therefore closely monitor forthcoming regulatory developments.

In depth

The proposed amendments to the APPI reflect a shift away from a uniform, consent‑driven model toward a framework that calibrates regulatory obligations based on the actual risk posed to individuals’ rights and interests. While safeguards for sensitive and high‑risk data are strengthened, the Bill also introduces flexibility intended to facilitate innovation.

New exceptions to the consent requirement

Under the current APPI, individual consent plays a central role in legitimizing several data processing activities by businesses. Consent is generally required for third‑party data transfers, the collection of sensitive personal information and changes to the stated purpose of use. The Bill re‑examines these consent requirements and relaxes them in certain circumstances.

Statistical analysis

Consent would no longer be required for the following activities, provided the relevant data is used exclusively for statistical analysis:

  • Transfers of personal data or personal related data to third parties
  • Collection of publicly available sensitive personal information

“Statistical analysis” includes AI development, provided the processing is comparable to statistical analysis.

It should be noted, however, that in such cases, businesses transferring or collecting the data must publicly disclose certain information (including the name of the business, details of the statistical analysis and other items to be specified in the enforcement regulations, which are expected to be amended) on their website or through other designated means. With respect to third‑party data transfers, in addition to satisfying the public disclosure requirements, businesses would need to clearly stipulate in a written agreement between the data transferor and the recipient that the data transfer is conducted pursuant to this exception. Accordingly, businesses intending to rely on this new legal basis for data transfers for statistical analysis would need to review and amend their agreements with data recipients to include appropriate and explicit language.

Other exceptions

The Bill also proposes the following:

  • Easing consent requirements where it is evident that data processing does not contradict an individual’s intent and does not harm their rights or interests, as prescribed in the enforcement regulations (e.g., where processing is clearly unavoidable and necessary for the performance of a contract with the individual)
  • Relaxing conditions in cases related to public health or protection of life (i.e., where obtaining consent is difficult or where reasonable grounds exist for proceeding without consent to protect life or promote public health)
  • Explicitly recognizing medical institutions as eligible entities under the academic research exception

Children’s data and biometric data

Regulations would be tightened for information requiring heightened protection, such as children’s personal information and biometric data.

Children’s personal data

Using the data of individuals under the age of 16 would require the consent of and notification to the individuals’ legal guardians, subject to certain exceptions (e.g., where justifiable grounds exist for not knowing that the personal information relates to an individual under 16 years of age). In addition, the requirements for exercising data subject rights to request the suspension of use or third‑party transfer of children’s personal data would be relaxed, allowing such requests to be made without demonstrating a statutory reason, except in certain cases (e.g., where the legal guardian’s consent was obtained at the time a child’s personal data was collected or where processing is clearly unavoidable and necessary for the performance of a contract).

Businesses would also be required to make best efforts to ensure that children’s rights and interests are not infringed when handling their personal information, giving priority to the best interests of the child in light of their age and level of development.

Strengthening regulations on biometric data

The Bill also introduces enhanced rules for biometric data. Biometric data, newly defined as “Specified Biometric Personal Information” under the Bill, refers to personal information generated by converting an individual’s physical characteristics (e.g., fingerprints or facial features) into numerical data for computer processing, where such data is obtained without requiring special technology or significant cost and is not readily recognizable by the individual as having been collected.

The Bill imposes new transparency obligations, requiring businesses to publish information (e.g., the identity of the business, the purpose of use, procedures for handling data subject rights requests and the types of physical characteristics converted into biometric data). Further, biometric data may not be transferred to third parties based on an opt‑out mechanism. Similar to the new regime applicable to children’s personal data, the requirements for requesting the suspension of use or third‑party transfers of biometric data would also be relaxed, subject to certain exceptions.

Obligations applicable to data processors

The Bill revises the obligations applicable to data processors to better reflect practical realities. In particular, it clarifies that, except in limited cases, data processors must not process personal information beyond the scope necessary to perform entrusted services.

While data processors are generally subject to the same obligations as other business operators under the current APPI, the Bill introduces a partial relaxation of those obligations. Specifically, certain APPI obligations will not apply to data processors provided that the relevant agreement specifies prescribed matters under the enforcement regulations and the data is processed within the agreed scope. Key contractual requirements include provisions on (i) how the personal data may be handled, (ii) the data processor’s obligation to notify the business of data breaches or contractual violations involving the personal data and (iii) other matters to be specified by the enforcement regulations which are expected to be amended.

Relaxation of data breach notification to individuals

Under the current APPI, where a data breach must be reported to the authorities, businesses are also required to notify affected individuals. Alternative measures, such as public disclosure, are permitted only in limited circumstances, primarily where individual notification is impracticable (e.g., where contact information is unavailable).

The Bill broadens the circumstances in which measures may be taken instead of notifying affected individuals of a data breach — including cases in which the absence of notification is unlikely to materially harm individuals’ rights or interests — as specified by Japan's Personal Information Protection Commission (PPC) regulations. Detailed criteria for assessing the risk of harm will be set out in future implementing regulations.

We note that the Bill does not alter the requirement to report data breaches to the authorities, and notification to affected individuals will, in principle, continue to be required even under the proposed amendments.

Preventing improper use

The Bill would prohibit improper acquisition and use of data, particularly where contact information that may not qualify as personal information can be used for targeted outreach or criminal exploitation. The Bill also introduces stricter verification obligations in connection with opt-out mechanisms for third-party data transfers, which are frequently relied upon by data brokers.

Strengthening enforcement and deterrence

Expanded enforcement powers

Under the current APPI, enforcement generally follows a phased approach. After conducting an investigation and providing administrative guidance, the PPC typically issues a recommendation as a first step. A corrective order may be issued only if the business fails to comply with the recommendation and there is an imminent risk of harm. A corrective order may be issued without a prior recommendation only in limited circumstances (e.g., where actual infringement has already occurred).

The Bill would significantly broaden the PPC’s enforcement powers. Recommendations could be issued under more lenient conditions, and where there is an imminent risk of infringement, a corrective order could be issued without a prior recommendation, even if no infringement has yet occurred. The scope of recommendations and corrective orders would also be expanded to allow the PPC to require businesses not only to cease or remedy violations, but also to notify affected individuals and publicly disclose violations. Furthermore, the PPC would be empowered to require third parties that facilitate violations to take necessary measures to cease those violations, thereby extending enforcement beyond the primary business operator. For example, where a non-compliant business engages a third-party IT service provider to carry out unlawful data processing, the PPC may require the IT service provider to discontinue offering the service to the business or to take other necessary measures.

Introduction of administrative fines and expansion of the scope of penalties

Most notably, the Bill introduces an administrative fine regime targeting serious violations involving large‑scale personal data and economic gain. Where a business operator meets the following criteria, the PPC may order the business to pay an administrative fine equivalent to the amount received:

(i) The business commits certain violations specified under the Bill (“Covered Violations”), such as providing personal information to a third party in circumstances where it is foreseeable that the information will be used for illegal acts or unfair discriminatory treatment.

(ii) The business receives money or other consideration in connection with such a Covered Violation.

The administrative fine will not apply in certain circumstances, including where the business operator exercised reasonable care to prevent the Covered Violation, where the number of affected individuals does not exceed 1,000, or where the harm to individuals’ rights or interests is considered insignificant, as specified in the enforcement regulations.

The methodology for calculating administrative fines will be clarified in future regulations and related guidance.

In addition, the Bill expands the scope of penalties to cover new categories of misconduct — including the unlawful collection of personal information through fraud and violence — and increases statutory penalties for particularly egregious offenses.

Next steps

The Bill is currently under deliberation in the National Diet and is expected to be enacted during the current session. It will enter into force within two years of promulgation. As many detailed requirements will be established under regulations and guidelines that have not yet been published, businesses should closely monitor ongoing legislative and regulatory developments.