Japan APPI 2026 Amendments Enacted: Diet Approves Bill No. 54 with AI Exceptions and Gain-Based Surcharges
Japan's landmark triennial overhaul of the Act on the Protection of Personal Information (APPI) has officially been enacted into law. On July 10, 2026, the House of Councillors (the upper chamber of the Diet) passed the Cabinet-sponsored amendment bill (Bill No. 54) by a majority vote, following its approval by the House of Representatives in May 2026.
The revised law, which is scheduled to take effect within two years of its promulgation (by July 2028), represents a dual-track strategy. It relaxes consent requirements to boost Japan's competitiveness in artificial intelligence (AI) and data utilization, while simultaneously strengthening safeguards for sensitive data (such as facial features and children's information) and significantly expanding the enforcement powers of the Personal Information Protection Commission (PPC).
1. Key Relaxations: Boosting AI and Practical Data Sharing
The amendments introduce significant carve-outs from the traditional consent-heavy framework to streamline business operations and AI development:
- Statistical Compilation and AI Exception (Articles 30-2, 31-3): The law establishes a new statutory exception allowing businesses to acquire publicly available "special care-required personal information" (sensitive data) and provide personal data to third parties without data subject consent, provided the data is used solely for statistical compilation or AI development.
- "No Consent" for Anticipated Business Uses (Articles 16, 18, 20, 27): Consent is no longer required for use beyond specified purposes, acquisition of sensitive data, or third-party transfers if, "given the circumstances of collection, it is clear that the handling does not run counter to the data subject's wishes and does not harm the data subject's rights and interests." This codifies common-sense business practices, such as a hotel reservation site sharing a guest's name with the hotel.
- Relaxed Breach Notifications (Article 26, para. 2): In cases where a data breach occurs but there is "little risk that the protection of data subjects' rights and interests would be inadequate," the obligation to notify data subjects is relaxed, allowing businesses to implement alternative measures.
2. Regulatory Tightening: Biometrics, Children, and Opt-Outs
To balance these relaxations, the law introduces stricter controls on high-risk processing:
- Facial Feature Data (Articles 21-2, 27, 35): Businesses processing facial feature data must provide advance notice of the purpose of use. Third-party transfers of facial data via the "opt-out" regime are strictly prohibited, and data subjects gain expanded rights to request the suspension of its use.
- Children's Privacy (Under 16 Years): Statutory representatives must be involved in consent-obtaining and notification procedures. Furthermore, children (or their representatives) can request the suspension of data use regardless of whether a violation has occurred.
- Opt-Out Verification: List brokers and other providers utilizing the opt-out regime must verify in advance the identity of the recipient and their intended purpose of use, with non-criminal fines ("karyou") imposed for providing false verification information.
3. Enforcement Overhaul: Gain-Based Administrative Surcharges
The revised APPI dramatically strengthens the PPC’s supervisory and enforcement capabilities:
- Administrative Surcharge System (Articles 148-3 through 148-17): In a major departure from the previous compliance-remediation-only model, the PPC is now authorized to issue administrative surcharge orders. Where a serious violation harms individual rights, the surcharge is calculated to claw back the financial benefit gained from the violating conduct.1
- Broadened PPC Orders (Articles 148, 148-2): The PPC can issue recommendations and orders to notify or publicly disclose violations to data subjects. Crucially, these can now be issued regardless of whether a formal violation has been established, and the PPC can legally order third parties assisting in violations to cease their conduct.
- Criminal Penalties (Articles 178–180): Statutory maximum penalties are increased, and new criminal penalties are enacted for providing a personal information database with intent to cause harm, or for acquiring personal data through fraudulent means.
Compliance teams managing operations in Japan must prepare for a dual-track environment: capitalizing on new AI training data and business-process consent exemptions while implementing strict internal controls around biometrics, children’s data, and robust data protection systems to avoid severe gain-based surcharges.
-
An instance of Unlawful AI training now triggers the direct destruction or financial clawback of the underlying model. — Japan's introduction of gain-based administrative surcharges matches the shift toward direct financial clawbacks and algorithmic disgorgement for unlawful data processing. ↩︎