MenuClose

Blog

ブログ

Overview of the 2026 Amendments to the Act on the Protection of Personal Information

2026.06.05

#個人情報

On April 7, 2026, the “Bill for the Act Partially Amending the Act on the Protection of Personal Information and Other Related Acts” (hereinafter referred to as the “Bill”) was approved by the Cabinet, and the proposed amendments to the Act on the Protection of Personal Information included therein (hereinafter referred to as the “2026 Amended APPI” or the “Amended Act”) were made public.

The Bill provides for necessary measures to further strengthen the protection of personal information while giving consideration to the usefulness of personal information, in light of the fact that, with the rapid advancement of digital technologies, demand for the utilization of data including personal information has increased, while, at the same time, the risk of infringement of individuals’ rights and interests due to unlawful handling of personal information has also increased. The Bill has been submitted to the 221st Extraordinary Session of the Diet.

In this article, we explain the outline of the 2026 Amended APPI based on the information currently available.[i]

[i] The materials relating to the 2026 Amended APPI published on the website of the Personal Information Protection Commission are as follows:

Legislative Background of the 2026 Amended APPI

Pursuant to Article 10 of the Supplementary Provisions of the 2020 Amended Act,[ii] the Personal Information Protection Commission has been conducting discussions since November 2023 regarding the so-called “review every three years” of the Act on the Protection of Personal Information[iii] (hereinafter referred to as the “Current APPI” or the “Current Act”), and, in March 2025, published the document entitled "Approach to Institutional Issues under the Act on the Protection of Personal Information[iv]" (hereinafter referred to as the “Approach”).

Thereafter, although there was no progress in the discussions regarding the “review every three years” for a period of ten months, in January 2026, the Personal Information Protection Commission published the “Policy for Institutional Revisions under the Act on the Protection of Personal Information in Connection with the So-Called Review Every Three Years[v]" (hereinafter referred to as the “Revision Policy”), thereby clarifying the direction of the 2026 Amended APPI.

Subsequently, on April 7, 2026, the Bill was approved by the Cabinet and its contents were disclosed, thereby clarifying the contents of the 2026 Amended APPI submitted to the 221st Extraordinary Session of the Diet. The Extraordinary Session is scheduled to be held from February 18 through July 17 of 2026, and, if the proposed amendments are enacted during such session, the proposed amendments to the Act on the Protection of Personal Information included in the Bill will become the “2026 Amended APPI.”

As a general rule, the 2026 Amended APPI will come into effect on a date specified by Cabinet Order within a period not exceeding two years from the date of promulgation (main clause of Article 1 of the Supplementary Provisions of the Amended Act).

[ii] Article 10 of the Supplementary Provisions provides as follows: “The government shall, every three years after the enforcement of this Act, review the status of enforcement of the New Act on the Protection of Personal Information, taking into consideration international trends concerning the protection of personal information, developments in information and communications technology, and the status of creation and development of new industries utilizing personal information accompanying such developments, and, where it finds it necessary, shall take necessary measures based on the results of such review.”

[iii] Act on the Protection of Personal Information (Act No. 57 of 2003)

[iv] Personal Information Protection Commission, “Approach to Institutional Issues under the Act on the Protection of Personal Information” (March 5, 2025).

[v] Personal Information Protection Commission, “Policy for Institutional Revisions under the Act on the Protection of Personal Information in Connection with the So-Called Review Every Three Years” (January 9, 2026).

Items Covered by the 2026 Amended APPI

The document published by the Personal Information Protection Commission entitled “Bill for the Act Partially Amending the Act on the Protection of Personal Information and Other Related Acts (Outline)” (hereinafter referred to as the “Outline Materials”) explains the amendments under four categories: “Promotion of Appropriate Data Utilization,” “Rules Corresponding Appropriately to Risks,” “Prevention of Improper Use, etc.,” and “Rules for Securing the Effectiveness of Compliance” (Outline Materials, “Details of Amendments,” Items 1 through 4). These four categories of amendments include the following twelve amendment items under the 2026 Amended APPI.

Amendment Category

Amendment Item

Promotion of Appropriate Data Utilization

1.    Exemption from the obligation to obtain consent for purposes of statistical compilation, etc.

2.    Relaxation of requirements for exceptions relating to the obligation to obtain consent

Rules Corresponding Appropriately to Risks

3.    Clarification and strengthening of regulations concerning children’s personal information

4.    Establishment of regulations concerning facial feature data, etc.

5.    Development of regulations applicable to entrusted business operators

6.    Relaxation of the obligation to notify data subjects in the event of leakage, etc.

Prevention of Improper Use, etc.

7.    Strengthening of regulations concerning information enabling approaches to specific individuals

8.    Mandatory confirmation of the identity of recipients and purposes of use in connection with opt-out provision
Rules for Securing the Effectiveness of Compliance

9.    Greater flexibility in the exercise of recommendations and orders

10.    Legalization of measures against third parties assisting, etc. violations

11.    Strengthening and expansion of criminal penalties

12.    Introduction of an administrative surcharge system

In this article, we explain the outline of the 2026 Amended APPI by organizing the information currently available regarding each of the above items 1 through 12 (note that the 2026 Amended APPI includes amendments relating to both the private sector and the public sector; however, the discussion below addresses amendments relating to the private sector rules).

Contents of the 2026 Amended APPI

1. Exemption from the Obligation to Obtain Consent for Purposes of Statistical Compilation, etc.

Under the Current APPI, even where personal data is used solely for the preparation of statistical information, etc., obtaining consent is, in principle, required for the provision of personal data to third parties and the acquisition of special care-required personal information (Articles 27, 28, and 20, Paragraph 2 of the Current APPI).

With respect to this point, the Approach noted that there is an increasing need for multiple business operators to share and analyze data across organizations for the purpose of preparing statistical information, etc., and that the preparation and use of statistical information, etc. from which correspondence relationships with specific individuals have been excluded present a low risk of infringing individuals’ rights and interests. Accordingly, it had been proposed that the provision of personal data, etc. to third parties and the acquisition of publicly disclosed special care-required personal information without obtaining the data subject’s consent be permitted, subject to conditions including assurance that such information will be used solely for the preparation of such statistical information, etc. (Approach, pp. 1–2). Based on such discussions, the Revision Policy indicated a policy of exempting consent requirements for the provision of personal data, etc. to third parties and the acquisition of publicly disclosed special care-required personal information, subject to conditions including assurance that the information will be used solely for the preparation of statistical information, etc. (including AI development, etc. that can be categorized as statistical compilation, etc.) (Revision Policy, pp. 1–2).

The 2026 Amended APPI establishes the following rules concerning exemptions from the obligation to obtain consent where information is used solely for the preparation of statistical information, etc.

Subject of Amendment

vSpecific Details of Amendment

Definitions of “Statistical Compilation, etc.” and “Purpose of Statistical Compilation, etc.”
  • Definition of “Statistical Compilation, etc.”: The preparation of statistics or other acts specified by the rules of the Personal Information Protection Commission as presenting a low risk of harming individuals’ rights and interests, whereby information relating to elements constituting a large volume of information is extracted and classified, compared, or otherwise analyzed in order to create information concerning trends or characteristics of such large volume of information (excluding information relating to individuals) (Article 2, Paragraph 13 of the Amended Act). 
  • Definition of “Purpose of Statistical Compilation, etc.”: A purpose of conducting statistical compilation, etc. (Article 30-2, Paragraph 1 of the Amended Act).

Conditions for Exemption from the Obligation to Obtain Consent under the Special Provisions for Statistical Compilation, etc.

  • Exemption from the obligation to obtain consent for the acquisition of special care-required personal information: Where the following conditions are satisfied, publicly disclosed special care-required personal information may be acquired without obtaining the data subject’s consent (Article 30-2, Paragraph 1 of the Amended Act). 

    1. Necessity for statistical compilation, etc.: It is necessary to handle publicly disclosed special care-required personal information for the purpose of statistical compilation, etc., or for the purpose of making a provision subject to the special provisions for statistical compilation, etc.[vi]

    2. Public disclosure: Matters specified by the rules of the Personal Information Protection Commission have been publicly disclosed.[vii]
  • Exemption from the obligation to obtain consent for third-party provision: Where the following conditions are satisfied, a business operator handling personal information or a business operator handling personally referable information may, in principle, provide personal information or personally referable information to a third party without obtaining the data subject’s consent (Article 30-2, Paragraph 5 and Article 31-3, Paragraph 1 of the Amended Act).[viii][ix]
    1. Necessity for statistical compilation, etc.: The third party must need to handle the relevant information for the purpose of statistical compilation, etc.[x]
    2. Public disclosure: Both the relevant business operator and the relevant third party must publicly disclose matters specified by the rules of the Personal Information Protection Commission.[xi]
    3. Written agreement: It must be clearly provided, by written agreement with the relevant third party, that the relevant provision is made pursuant to these provisions.

Continuous Publication Obligation
  • Continuous publication obligation during handling period: Publication obligations necessary to satisfy the special provisions for statistical compilation, etc. must continue throughout the period during which information subject to such special provisions is handled (Articles 30-2, Paragraphs 2 and 6, and Article 31-3, Paragraph 2 of the Amended Act).

vProhibition on Use for Purposes Other than Intended Purposes and Prohibition on Third-Party Provision[xii]
  • Prohibition on use for purposes other than intended purposes: Information subject to the exception for statistical compilation, etc., or information concerning individuals obtained by reproducing or processing such information,[8] must not be handled beyond the scope necessary for conducting statistical compilation, etc. corresponding to publicly disclosed content, except for limited exceptions (Articles 30-2, Paragraphs 4 and 9, and Article 31-3, Paragraph 5 of the Amended Act). 
  • Prohibition on third-party provision: Except for limited exceptions, such information must not be provided to third parties regardless of whether it constitutes personal data (Articles 30-2, Paragraphs 10 and 11, and Article 31-3, Paragraphs 6 and 7 of the Amended Act).

[vi] This is limited to cases where all purposes for handling the special care-required personal information are for purposes of statistical compilation, etc. or for the purpose of making the relevant provision (Article 30-2, Paragraph 1 of the Amended Act).

[vii] Where the matters subject to public disclosure are to be changed, such fact and the details of such changes must be publicly disclosed in advance (main clause of Article 30-2, Paragraph 3 of the Amended Act); provided, however, that, where certain publicly disclosed matters (e.g., the name or designation of the acquirer) are to be changed, it is sufficient to publicly disclose such matters promptly after such change has been made (proviso to Article 30-2, Paragraph 3 of the Amended Act).

v[viii] It should be noted that personal information or personally referable information received through third-party provision pursuant to the special provisions for statistical compilation, etc. may not again be provided to a third party pursuant to the special provisions for statistical compilation, etc. (proviso to the introductory clause of Article 30-2, Paragraph 5 and proviso to the introductory clause of Article 31-3, Paragraph 1 of the Amended Act).

[ix] Under the special provisions for statistical compilation, etc., the regulations concerning the provision of personal data or personally referable information to third parties located in foreign countries (Article 28 and Article 31, Paragraph 1, Item 2 of the Current APPI) are not excluded from application. Accordingly, it should be noted that, in relation to third parties located in foreign countries, it is necessary to establish a so-called “system conforming to standards” (Article 30-2, Paragraph 5 and Article 31-3, Paragraph 1 of the Amended Act). Where information subject to the special provisions for statistical compilation, etc. is provided to a third party located in a foreign country that has established a system conforming to standards, necessary measures must be taken to ensure the continuous implementation of equivalent measures by such third party, and information concerning such necessary measures must also be publicly disclosed (Article 30-2, Paragraph 13 and Article 31-3, Paragraph 9 of the Amended Act).

[x] This is limited to cases where all purposes for handling the personal information or personally referable information are for purposes of statistical compilation, etc. (Article 30-2, Paragraph 5 and Article 31-3, Paragraph 1 of the Amended Act).

[xi] Where the matters subject to public disclosure are to be changed, both the relevant business operator and the relevant third party must publicly disclose in advance such fact and the details of such changes (main clause of Article 30-2, Paragraph 7 and main clause of Article 31-3, Paragraph 3 of the Amended Act); provided, however, that, where certain publicly disclosed matters (e.g., the name or designation of the recipient) are to be changed, it is sufficient for the relevant third party to publicly disclose such matters promptly after such change has been made (proviso to Article 30-2, Paragraph 7, Paragraph 8 of the same Article, proviso to Article 31-3, Paragraph 3, and Paragraph 4 of the same Article of the Amended Act).

[xii] It should be noted that information subject to the special provisions for statistical compilation, etc., where it constitutes personal data, remains subject to the applicable rules in the ordinary manner, and, even where it does not constitute personal data, becomes subject, pursuant to mutatis mutandis application provisions, to the obligation to take security control measures (Article 23 of the Current APPI), the obligation to supervise employees (Article 24 of the Current APPI), and the obligation to supervise contractors (Article 25 of the Current APPI) (Article 30-2, Paragraph 14 and Article 31-3, Paragraph 10 of the Amended Act. In addition, where the obligation to take security control measures applies mutatis mutandis, “leakage, loss, or damage” is deemed to be replaced with “leakage.”).

[xiii] The phrase “information subject to the exception for statistical compilation, etc. or information concerning individuals obtained by reproducing or processing such information” as used herein is intended to refer to statistical compilation-use special care-required personal information, etc., provision statistical compilation-use personal information, etc., and provision statistical compilation-use personal data, etc. The definitions of each term are as follows:

  • “Statistical Compilation-Use Special Care-Required Personal Information, etc.”: Special care-required personal information acquired pursuant to Article 30-2, Paragraph 1 of the Amended Act, or information concerning a living individual obtained by reproducing or processing all or part thereof (Article 30-2, Paragraph 4 of the Amended Act).
  • “Provision Statistical Compilation-Use Personal Information, etc.”: Personal information received pursuant to the main clause of Article 30-2, Paragraph 5 of the Amended Act, or information concerning a living individual obtained by reproducing or processing all or part thereof (Article 30-2, Paragraph 6 of the Amended Act).
  • “Provision Statistical Compilation-Use Personal Data, etc.”: Personally referable information received pursuant to the main clause of Article 31-3, Paragraph 1 of the Amended Act, or information concerning a living individual obtained by reproducing or processing all or part thereof (Article 31-3, Paragraph 2 of the Amended Act).

2. Relaxation of Requirements for Exceptions Relating to the Obligation to Obtain Consent

Under the Current APPI, in cases involving use for purposes other than intended purposes, acquisition of special care-required personal information, and provision to third parties, obtaining the data subject’s consent is generally required (Articles 18, 20, Paragraph 2, 27, and 28 of the Current APPI). As relaxation measures concerning these consent requirements, the 2026 Amended APPI establishes the following three revisions.

(1) Establishment of New Exceptions for Handling Clearly Not Contrary to the Data Subject’s Intentions and Clearly Not Harmful to the Data Subject’s Rights and Interests in Light of the Circumstances of Acquisition

Under the Current APPI, even where it is clear from the circumstances of acquisition that handling is not contrary to the data subject’s intentions and therefore clearly does not harm the data subject’s rights and interests, exemption from the obligation to obtain consent is not available. In contrast, the Revision Policy indicated a policy that consent should not be required where handling is clearly not contrary to the data subject’s intentions and clearly does not harm the data subject’s rights and interests in light of the circumstances of acquisition (Revision Policy, p. 2).

Under the 2026 Amended APPI, the obligation to obtain the data subject’s consent is exempted where it is clearly unavoidable and necessary for the performance of a contract with the data subject, or where it falls within cases specified by the rules of the Personal Information Protection Commission as being clearly not contrary to the data subject’s intentions and clearly not harmful to the data subject’s rights and interests in light of the circumstances of acquisition of the relevant personal information, etc. (Article 18, Paragraph 3, Item 7; Article 20, Paragraph 2, Item 7; and Article 27, Paragraph 1, Item 8 of the Amended Act).

Specific examples falling within this exception included, in the Approach: (i) where an individual makes a reservation for accommodation at a hotel operated by Business Operator B through a hotel reservation website operated by Business Operator A, and Business Operator A provides the individual’s name and related information to Business Operator B; and (ii) where a financial institution provides remitter information to the recipient financial institution in order to conduct an overseas remittance (Approach, p. 2).

 

(2) Relaxation of the Requirement of Difficulty in Obtaining Consent

Under the Current APPI, exceptions to the obligation to obtain consent include cases where “it is necessary for the protection of a person’s life, body, or property and it is difficult to obtain the consent of the individual,” and cases where “it is particularly necessary for improving public health or promoting the sound growth of children and it is difficult to obtain the consent of the individual” (Article 18, Paragraph 2, Items 2 and 3; Article 20, Paragraph 2, Items 2 and 3; and Article 27, Paragraph 1, Items 2 and 3 of the Current APPI), all of which require difficulty in obtaining consent.

With respect to this point, the Revision Policy indicated a policy of relaxing such difficulty-in-obtaining-consent requirements (Revision Policy, p. 2).

Under the 2026 Amended APPI, reliance on exceptions to the obligation to obtain consent is permitted not only where “it is difficult to obtain the consent of the individual,” but also where “there are otherwise reasonable grounds for not obtaining the consent of the individual” (Article 18, Paragraph 2, Items 2 and 3; Article 20, Paragraph 2, Items 2 and 3; and Article 27, Paragraph 1, Items 2 and 3 of the Amended Act).

Specific examples corresponding to “other reasonable grounds for not obtaining the consent of the individual” included, at the stage of the Approach, cases where necessary and appropriate measures to prevent infringement of the individual’s privacy, etc. (such as deletion of names and execution of confidentiality agreements with recipients) have been implemented, such that there is no risk of unjust infringement of the individual’s rights and interests (Approach, p. 3).

 

(3) Clarification that Entities Providing Medical Services Are Included within Academic Research Institutions, etc.

Under the Current APPI, “academic research institutions, etc.” refers to universities and other institutions or organizations whose purpose is academic research, or persons belonging thereto (Article 16, Paragraph 8 of the Current APPI), and therefore institutions or organizations whose purpose is providing medical services are not necessarily included.

With respect to this point, the Approach pointed out that, in medical and life sciences research, analysis of clinical cases concerning diagnostic and treatment methods that are the subject of research is indispensable, and that research activities by hospitals and other institutions or organizations providing medical services are widely conducted in practice (Approach, p. 3). Based on such observations, the Revision Policy indicated a policy of clarifying that institutions or organizations whose purpose is the provision of medical services are included within “academic research institutions, etc.” that are subject to exceptions relating to academic research (Revision Policy, p. 2).

vUnder the 2026 Amended APPI, by adding parenthetical language to the definition of “academic research institutions, etc.” stating “(including hospitals prescribed in Article 1-5, Paragraph 1 of the Medical Care Act … and other institutions or organizations whose purpose is the provision of medical services),” it was clarified that institutions or organizations whose purpose is the provision of medical services are included within the definition of “academic research institutions, etc.” (Article 16, Paragraph 9 of the Amended Act).

3. Clarification and Strengthening of Regulations Concerning Children’s Personal Information

Under the Current APPI, the age threshold for children subject to consent acquisition and notification is not specified at the statutory level, and the Q&A published by the Personal Information Protection Commission merely states that consent should be obtained from a statutory representative, etc. for children approximately between the ages of 12 and 15 or younger.[xiv]

In addition, the Current APPI does not contain provisions specific to children with respect to requests for suspension of use, etc. of retained personal data. Furthermore, there are no provisions establishing a duty to prioritize consideration of the best interests of the child.
With respect to these points, the Approach pointed out that, because children are in developmental stages physically and mentally and therefore possess insufficient judgment capacity and are more susceptible to adverse effects arising from inappropriate handling of personal information, it is necessary to establish certain rules from the perspective of appropriately protecting children’s development and rights and interests (Approach, p. 2). Based on such observations, the Revision Policy indicated the following policies: (i) expressly providing that consent acquisition, notifications, etc. concerning persons under 16 years of age shall be directed to their statutory representatives; (ii) relaxing the requirements for requests for suspension of use, etc. of retained personal data by persons under 16 years of age; and (iii) adding provisions establishing a duty to prioritize consideration of the best interests of minors with respect to the handling of personal information, etc. of minors (Revision Policy, p. 2).

The 2026 Amended APPI establishes the following rules concerning the handling of children’s personal information.

Subject of Amendment

Specific Details of Amendment

Clarification that consent acquisition, notifications, etc. concerning persons under 16 years of age shall be directed to their statutory representatives
  • Replacement of “the individual” with “the statutory representative of the individual” for persons under 16 years of age: Where a business operator handling personal information or a business operator handling personally referable information handles personal information or personally referable information of a person under 16 years of age, the provisions of the APPI shall, in principle, apply by replacing references to “the individual” with “the statutory representative of the individual” (main clause of Article 40-2, Paragraph 1 and main clause of Paragraph 2 of the Amended Act). By virtue of such replacement, in relation to individuals under 16 years of age, compliance with obligations concerning consent acquisition, notifications, etc. requires responses to be made to the statutory representative of the individual. 
  • Exceptions to the replacement with “the statutory representative of the individual”: As exceptions to the above replacement, the special provisions replacing references with “the statutory representative of the individual” shall not apply where any of the following circumstances exist (proviso to Article 40-2, Paragraph 1 and proviso to Paragraph 2 of the Amended Act):
    1. Where the relevant business operator has justifiable grounds for not knowing that the relevant information pertains to a person under 16 years of age.
    2. Where the statutory representative of the individual has authorized the business of the relevant individual, and the relevant business operator acquired the relevant information in connection with such business.
    3. Where the individual has no statutory representative, or where the relevant business operator has reasonable grounds sufficient to believe that the individual has no statutory representative.

Relaxation of requirements for requests for suspension of use, etc. of retained personal data by persons under 16 years of age
  • Provisions concerning requests for suspension of use, etc. by persons under 16 years of age: A person under 16 years of age may, in principle, request a business operator handling personal information to suspend use, etc. of retained personal data identifying such individual or to cease providing such retained personal data to third parties where such retained personal data is being handled, and, where it is found that grounds for such request exist, the business operator must suspend use, etc. or cease third-party provision (Article 35, Paragraphs 9 and 10 of the Amended Act). Whereas the general provisions concerning requests for suspension of use, etc. (Article 35, Paragraph 5 of the Current APPI) permit such requests only where certain requirements are satisfied, the provisions concerning requests for suspension of use, etc. by persons under 16 years of age (Article 35, Paragraph 9 of the Amended Act) permit such requests in principle, thereby strengthening the rights of the individual to make such requests. 
  • Exceptions to requests for suspension of use, etc. by persons under 16 years of age: Various grounds are prescribed as exceptions to the above requests for suspension of use, etc. (items of Article 35, Paragraph 9 of the Amended Act). The following grounds are prescribed as exceptions specific to the handling of children’s personal information (Article 35, Paragraph 9, Items 1, 10, and 11 of the Amended Act):
    1. Where the retained personal data was acquired with the prior consent of the statutory representative of the individual. 
    2. Where the statutory representative of the individual has authorized the business of the relevant individual, and the retained personal data was acquired in connection with such business.
    3. Where the individual used fraudulent means to cause others to believe that he or she was 16 years of age or older.
Addition of provisions establishing a duty to prioritize consideration of the best interests of minors with respect to the handling of personal information, etc. of minors
  • Best-efforts obligation of business operators to consider the best interests of minors: Business operators handling personal information, etc. must comply with the provisions of the APPI in handling personal information, etc. relating to minors and must endeavor to take necessary measures so as not to harm the rights and interests of minors, while prioritizing consideration of the best interests of minors in accordance with their age and developmental stage (Article 58-3, Paragraph 1 of the Amended Act). 
  • Best-efforts obligation of statutory representatives to consider the best interests of minors: A statutory representative of a minor individual must prioritize consideration of the best interests of such individual when making requests for disclosure, etc. or giving consent under the provisions of the APPI (Article 58-3, Paragraph 2 of the Amended Act).

[xiv] Personal Information Protection Commission, “Q&A Concerning the ‘Guidelines for the Act on the Protection of Personal Information’” (July 1, 2025), A1-62.

4. Establishment of Regulations Concerning Facial Feature Data, etc.

Under the Current APPI, facial feature data, etc. may constitute personal identification codes (Article 2, Paragraph 2 of the Current APPI and Article 1, Item 1(b) of the Order for Enforcement of the Current APPI); however, no requirements specifically applicable to facial feature data, etc. are prescribed.

With respect to this point, the Approach pointed out that, amid the expanding use of biometric technologies such as camera systems equipped with facial recognition functions, facial feature data, etc. among biometric data possess the characteristics that they can easily (and therefore massively) be obtained without the knowledge of the individual, and that they have high uniqueness and immutability such that their effect in identifying specific individuals continues semi-permanently. Accordingly, facial feature data, etc. have characteristics making their handling more likely than other biometric data to lead typologically to infringement of individuals’ privacy, etc. (Approach, p. 6). Based on such observations, the Revision Policy indicated the following amendment policies: (i) mandating notification of certain matters relating to the handling of facial feature data, etc.; (ii) relaxing the requirements for requests for suspension of use, etc. of facial feature data, etc.; and (iii) prohibiting third-party provision of facial feature data, etc. through the opt-out mechanism (Revision Policy, p. 2).

The 2026 Amended APPI establishes the following rules concerning regulations applicable to facial feature data, etc.

Subject of Amendment

Specific Details of Amendment
Definitions of “Specified Biometric Personal Identification Code” and “Specified Biometric Personal Information”
  • Definition of “Specified Biometric Personal Identification Code”: Among personal identification codes converted for use by a computer from characteristics of a part of the body of a specific individual, information relating to characteristics of a part of the body that can be acquired by means not requiring special technology or significant expense and with respect to which the individual cannot easily recognize that such information has been acquired, as specified by Cabinet Order (Article 16, Paragraph 5 of the Amended Act). It is anticipated that facial feature data, etc. will hereafter be designated by Cabinet Order as “Specified Biometric Personal Identification Codes.”
  • Definition of “Specified Biometric Personal Information”: Personal information containing a specified biometric personal identification code (Article 16, Paragraph 5 of the Amended Act).
Mandatory notification of certain matters relating to the handling of facial feature data, etc.
  • Notification obligations relating to specified biometric personal information: In handling specified biometric personal information, the following matters must, in principle, be notified to the individual in advance or otherwise be made readily accessible to the individual (Article 21-2, Paragraph 1 of the Amended Act): 
    1. The name or designation and address of the business operator handling personal information, and, in the case of a juridical person, the name of its representative. 
    2. The fact that specified biometric personal information will be handled. 
    3. The purpose of use of the specified biometric personal information.
    4. The content of the information relating to characteristics of a part of the body that is converted into the specified biometric personal identification code included in the specified biometric personal information. 
    5. Procedures for responding to requests for disclosure, etc. (including the amount of fees where fees are charged). 
    6. Other matters specified by the rules of the Personal Information Protection Commission as necessary for protecting individuals’ rights and interests.
  • Exceptions to notification obligations relating to specified biometric personal information: The above notification obligations shall exceptionally not apply where compliance with such obligations falls under any of the following circumstances (Article 21-2, Paragraph 2 of the Amended Act):
    1. Where there is a risk of harming the life, body, property, or other rights or interests of the individual or a third party.
    2. Where there is a risk of harming the rights or legitimate interests of the relevant business operator handling personal information.
    3. Where cooperation with a national government organ or local public entity is necessary for the performance of duties prescribed by laws and regulations, and there is a risk of interfering with the performance of such duties. 
    4. Other cases specified by Cabinet Order as equivalent to the cases set forth in 1 through 3 above.
Relaxation of requirements for requests for suspension of use, etc. of facial feature data, etc.
  • Provisions concerning requests by individuals for suspension of use, etc. of specified biometric personal information: An individual may, in principle, request a business operator handling personal information to suspend use, etc. of specified biometric personal information identifying such individual or to cease providing such specified biometric personal information to third parties where such specified biometric personal information is being handled, and, where it is found that grounds for such request exist, the business operator must suspend use, etc. or cease third-party provision (Article 35, Paragraphs 7 and 8 of the Amended Act). Whereas the general provisions concerning requests for suspension of use, etc. (Article 35, Paragraph 5 of the Current APPI) permit such requests only where certain requirements are satisfied, the provisions concerning requests by individuals for suspension of use, etc. of specified biometric personal information (Article 35, Paragraph 7 of the Amended Act) permit such requests in principle, thereby strengthening the individual’s right to make such requests.
  • Exceptions to requests by individuals for suspension of use, etc. of specified biometric personal information: Various grounds are prescribed as exceptions to the above requests for suspension of use, etc. (items of Article 35, Paragraph 7 of the Amended Act). The following grounds are prescribed as exceptions specific to the handling of specified biometric personal information (Article 35, Paragraph 7, Items 1 and 2 of the Amended Act): 
    1. Where the relevant business operator handling personal information created the specified biometric personal identification code included in the specified biometric personal information with the prior consent of the individual. 
    2. Where the relevant business operator handling personal information acquired the specified biometric personal information with the prior consent of the individual.
Prohibition of third-party provision of facial feature data, etc. through the opt-out mechanism
  • Exclusion of specified biometric personal information from the scope of the opt-out mechanism: Specified biometric personal information is excluded from the scope of third-party provision of personal data under the opt-out mechanism (i.e., provision of personal data to third parties without obtaining the individual’s consent where certain matters are notified to the individual in advance or otherwise made readily accessible to the individual and notification is submitted to the Personal Information Protection Commission) (proviso to Article 27, Paragraph 2 of the Amended Act).

5. Development of Regulations Applicable to Entrusted Business Operators

Under the Current APPI, where the handling of personal data is entrusted to another party, the entrusting business operator is required to exercise necessary and appropriate supervision over the entrusted business operator (Article 25 of the Current APPI). However, apart from this requirement, no provisions specifically applicable to entrusted business operators are prescribed, and the general rules applicable to business operators handling personal information apply.

With respect to this point, the Approach proposed examining the appropriate framework of regulations applicable to entrusted business operators in light of the expanding number of cases in which business operators handling personal information, etc., in connection with the advancement of DX, substantially depend on third parties for the handling of personal data, etc. (Approach, p. 5). In response to such discussions, the Revision Policy indicated the following policies: (i) expressly providing that entrusted business operators must not handle personal data, etc. beyond the scope necessary for the performance of entrusted operations; and (ii) establishing conditions under which obligations otherwise applicable to entrusted business operators are exempted (Revision Policy, p. 2).

The 2026 Amended APPI newly establishes the following obligations and exemptions concerning regulations applicable to entrusted business operators.

Subject of Amendment

Specific Details of Amendment
Express clarification that entrusted business operators must not handle personal data, etc. beyond the scope necessary for the performance of entrusted operations
  • Prohibition on use beyond entrusted purposes by entrusted business operators: A business operator handling personal information that has been entrusted by another business operator handling personal information or by an administrative organ, etc. with all or part of the handling of personal information must not, in principle, handle the entrusted personal information beyond the scope necessary for the performance of the entrusted operations (Article 30-3 of the Amended Act). 
  • Exceptions to the prohibition on use beyond entrusted purposes by entrusted business operators: As exceptions to the above prohibition, “cases based on laws and regulations, etc.” are prescribed (Article 30-3 of the Amended Act). “Cases based on laws and regulations, etc.” refers to cases based on laws and regulations and cases where there is an urgent necessity for rescuing human life or responding to other emergency situations (Article 30-2, Paragraph 4 of the Amended Act).
Establishment of conditions under which obligations applicable to entrusted business operators are exempted
  • Conditions under which obligations applicable to entrusted business operators are exempted: With respect to handling of personal information, etc. by a business operator handling personal information, etc. that has been entrusted by another business operator handling personal information, etc. or by an administrative organ, etc. with the handling of personal information, etc., Chapters 4, Sections 2 through 4 of the private-sector rules (i.e., Articles 17 through 46) shall, in principle, not apply where both of the following requirements are satisfied (Article 58-2 of the Amended Act. Hereinafter, entrusted personal information, etc. shall be referred to as “Entrusted Personal Information, etc.” and the entrusted business operator handling personal information, etc. shall be referred to as the “Entrusted Business Operator Handling Personal Information”). 
    1. The following matters are prescribed in the contract relating to the entrustment: 
    (1) Method of handling personal information, etc.: Matters specified by the rules of the Personal Information Protection Commission concerning the method of handling Entrusted Personal Information, etc. (excluding matters relating to measures for security management of Entrusted Personal Information, etc. and matters not likely to impede protection of individuals’ rights and interests). 
    (2) Reporting to the entrusting party: Where the Entrusted Business Operator Handling Personal Information, etc. becomes aware that a reportable incident prescribed in Article 26, Paragraph 1 of the APPI has occurred with respect to the Entrusted Personal Information, etc., or that the Entrusted Personal Information, etc. has been handled beyond the scope necessary for the performance of the entrusted operations or in violation of contractual provisions relating to the matters set forth in (1) above, the Entrusted Business Operator Handling Personal Information, etc. shall promptly report such fact to the entrusting party. 
    (3) Other matters: Other matters specified by the rules of the Personal Information Protection Commission.
    2. The handling of personal information, etc. is conducted within the scope necessary for the performance of the entrusted operations and in accordance with the contractual provisions relating to the matters set forth in (1) above.
  • Obligations not exempted even for entrusted business operators: Even where the above exemption conditions are satisfied, provisions that do not presuppose the existence of authority to determine handling methods shall exceptionally continue to apply to entrusted business operators. Specifically, the following obligations shall always apply to entrusted business operators without exemption (Article 58-2 of the Amended Act): 
    1. The obligation not to handle information beyond the scope necessary for the performance of entrusted operations (Article 30-3 of the Amended Act). 
    2. Obligations relating to security management and responses to leakage, etc. incidents (Articles 23 through 26, etc. of the Amended Act).

6. Relaxation of the Obligation to Notify Data Subjects in the Event of Leakage, etc.

Under the Current APPI, where a business operator handling personal information is subject to the obligation to report leakage, etc., the business operator is uniformly required to notify the individual unless notification to the individual is difficult and alternative measures have been taken (Article 26, Paragraph 2 of the Current APPI).

With respect to this point, the Revision Policy indicated a policy of relaxing the obligation to notify individuals in cases of leakage, etc. where there is little risk of inadequate protection of the individual’s rights and interests, from the perspective of rationalizing the notification obligation (Revision Policy, p. 2).

The 2026 Amended APPI adds, as an exception to the obligation to notify individuals, “cases specified by the rules of the Personal Information Protection Commission as cases where there is little risk of inadequate protection of the individual’s rights and interests even if notification to the individual is not made” (proviso to Article 26-2 of the Amended Act).

As specific examples falling under the above exception, the Approach had cited cases where only information that, by itself, has virtually no meaning to the acquirer of the leaked information—such as internal identifiers (IDs) of service users—has been leaked (Approach, p. 3).

 

7. Strengthening of Regulations Concerning Information Enabling Approaches to Specific Individuals

Under the Current APPI, prohibitions on improper use and improper acquisition are prescribed for personal information (Articles 19 and 20, Paragraph 1 of the Current APPI); however, no such provisions are prescribed for personally referable information, pseudonymously processed information, or anonymously processed information.

With respect to this point, the Approach pointed out that, even where information including telephone numbers, email addresses, Cookie IDs, and other descriptions, etc. enabling contact with specific individuals does not constitute personal information, infringement of the privacy, property rights, and other rights and interests of such individuals may nevertheless occur through contact with such individuals. In addition, by linking together information including highly confidential descriptions, etc. through such descriptions, etc., there is a risk that privacy, etc. may be infringed or that infringements of individuals’ rights and interests through such contact may become more serious (Approach, p. 5). Based on such observations, the Revision Policy indicated a policy of prohibiting improper use and improper acquisition of personally referable information, etc. enabling approaches to specific individuals (Revision Policy, p. 2).

The 2026 Amended APPI establishes the following rules as regulations concerning information enabling approaches to specific individuals.

Subject of Amendment

Specific Details of Amendment
Definition of “Contactable Personally Referable Information”
  • Contactable Personally Referable Information: Personally referable information containing the following descriptions, etc. (including information that can readily be cross-referenced with other information thereby enabling identification of the following descriptions, etc.) (Article 2, Paragraph 8 of the Amended Act): 
    1. The address of a place where a specific individual is or was located[xv](e.g., residence or workplace).
    2. Telephone number.[xvi]
    3. Email address.[xvii]
    4. Symbols assigned so as to identify a user of telecommunications facilities or telecommunications facilities themselves[xviii](e.g., Cookie IDs). 
    5. Other descriptions, etc. specified by the rules of the Personal Information Protection Commission as being usable for contacting or otherwise transmitting information to specific individuals.
    Prohibition of improper handling of information enabling approaches to specific individuals
    • Prohibition on improper use of Contactable Personally Referable Information: Contactable Personally Referable Information must not be used by methods likely to encourage or induce unlawful or improper acts (Article 31-2, Paragraph 1 of the Amended Act).
    • Prohibition on improper acquisition of Contactable Personally Referable Information: Contactable Personally Referable Information must not be acquired through deception or other wrongful means (Article 31-2, Paragraph 2 of the Amended Act
    • Mutatis mutandis application to pseudonymously processed information and anonymously processed information: The above provisions relating to Contactable Personally Referable Information apply mutatis mutandis to pseudonymously processed information and anonymously processed information containing the descriptions, etc. set forth in 1 through 5 above (including information that can readily be cross-referenced with other information thereby enabling identification of such descriptions, etc.) (Article 42, Paragraph 4 and Article 46-2 of the Amended Act).

    [xv] Limited to information usable for postal delivery, correspondence delivery service, telegram delivery, or visits directed to specific individuals (Article 2, Paragraph 8, Item 1 of the Amended Act).

    [xvi] Limited to information usable for telephone calls or facsimile transmissions directed to specific individuals (Article 2, Paragraph 8, Item 2 of the Amended Act).

    [xvii] Refers to email addresses under the Act on Regulation of Transmission of Specified Electronic Mail and is limited to information usable for transmission of electronic mail prescribed under such Act to specific individuals (Article 2, Paragraph 8, Item 3 of the Amended Act).

    [xviii] Limited to information usable for transmission of information through telecommunications directed to specific individuals (Article 2, Paragraph 8, Item 4 of the Amended Act).

    8. Mandatory Confirmation of the Identity and Purpose of Use of Recipients under the Opt-Out Mechanism

    Under the Current APPI, where personal data is provided to third parties pursuant to the opt-out mechanism, confirmation of the identity and purpose of use of the recipient is not required (Article 27, Paragraph 2 of the Current APPI).

    With respect to this point, the Approach pointed out that, amid the recent worsening of the so-called “black market list” problem, cases have occurred in which list brokers that were opt-out notification business operators provided lists while recognizing that the recipients were malicious list brokers (i.e., entities reselling lists even to persons engaging in unlawful acts), and that personal data provided pursuant to the opt-out mechanism currently serves as one of the sources used in the creation of such “black market lists” (Approach, p. 7). Based on such observations, the Revision Policy indicated a policy of mandating confirmation of the identity and purpose of use of recipients at the time of third-party provision pursuant to the opt-out mechanism (Revision Policy, p. 2).

    The 2026 Amended APPI establishes the following rules concerning mandatory confirmation of the identity and purpose of use of recipients under the opt-out mechanism.

    Subject of Amendment

    Specific Details of Amendment
    Obligation to confirm recipients under the opt-out mechanism
    • Confirmation obligation: Where personal data is provided to a third party pursuant to the opt-out mechanism (i.e., provision of personal data to a third party without obtaining the individual’s consent where certain matters are notified to the individual in advance or otherwise made readily accessible to the individual and notification is submitted to the Personal Information Protection Commission), confirmation must be made of the following matters (main clause of Article 27, Paragraph 7 of the Amended Act):
       1. The name or designation and address of the relevant third party and, in the case of a juridical person, the name of its representative.
      2. The purpose of use of the relevant personal data by the relevant third party
    • Exceptions to the confirmation obligation: The above confirmation obligation shall exceptionally not apply where all of the personal data, at the time of acquisition thereof, had been publicly disclosed by the individual, a national government organ, a local public entity, an academic research institution, etc., persons listed in the items of Article 57, Paragraph 1 of the APPI, or other persons specified by the rules of the Personal Information Protection Commission, or where other cases equivalent thereto are specified by the rules of the Personal Information Protection Commission (proviso to Article 27, Paragraph 7 of the Amended Act).
    Prohibition of false statements concerning confirmation of recipients under the opt-out mechanism
    • Prohibition of false statements: A third party requested to provide the above confirmation must not make false statements concerning matters relating to such confirmation to the business operator handling personal information requesting such confirmation (Article 27, Paragraph 8 of the Amended Act).
    Recordkeeping obligation concerning confirmation of recipients under the opt-out mechanism
    • Recordkeeping obligation: Where the above confirmation is conducted, certain records relating to the confirmed matters must be prepared (Article 29, Paragraph 1 of the Amended Act).

    9. Greater Flexibility in the Exercise of Recommendations and Orders

    Under the Current APPI, an “order” requiring prior recommendation may be issued only “where it is recognized that infringement of a significant right or interest of an individual is imminent,” meaning that imminence of infringement is required (Article 148, Paragraph 2 of the Current APPI). In addition, an “emergency order” not requiring prior recommendation may be issued only “where it is recognized that urgent measures are necessary because there exists a fact harming a significant right or interest of an individual,” meaning that actual infringement of a significant right or interest must exist (Article 148, Paragraph 3 of the Current APPI). Further, recommendations may only require “cessation of the violation and other measures necessary to correct the violation” (Paragraph 1 of the same Article) and cannot require affirmative measures intended to make individuals aware that problematic handling has occurred (e.g., notification to individuals or public disclosure).

    In light of such circumstances, the Revision Policy indicated the following amendment policies from the perspective of introducing greater flexibility in the exercise of recommendations and orders: (i) revising the requirements for orders so as to enable prompt correction of violations; and (ii) introducing greater flexibility in the contents of recommendations and orders so as to enable measures necessary for the protection of rights and interests, such as notification or public disclosure of facts relating to violations (Revision Policy, p. 2).

    The 2026 Amended APPI establishes the following rules from the perspective of introducing greater flexibility in the exercise of recommendations and orders.

    <strong>Subject of Amendment

    Specific Details of Amendment
    Relaxation of requirements for orders enabling prompt correction of violations
    • Relaxation of requirements for “orders” requiring prior recommendation: The Personal Information Protection Commission may now issue an order where a business operator handling personal information, etc. that has received a recommendation fails, without justifiable grounds, to take measures relating to such recommendation, and it is recognized merely that “there is a risk that a significant right or interest of an individual may be harmed” (Article 148, Paragraph 2 of the Amended Act). By this amendment, the requirement of imminence of infringement has been removed from the requirements for “orders” requiring prior recommendation, thereby enabling prompt issuance of such orders.
    • Relaxation of requirements for “emergency orders” not requiring prior recommendation: The Personal Information Protection Commission may now issue an emergency order not only where there exists a fact harming a significant right or interest of an individual, but also where it is recognized that urgent measures are necessary because infringement of a significant right or interest of an individual is imminent (Article 148, Paragraph 3 of the Amended Act). By this amendment, even in the absence of actual infringement of a significant right or interest, the requirements for an emergency order are satisfied where such infringement is imminent, thereby enabling prompt issuance of emergency orders.
    Greater flexibility in the contents of recommendations and orders enabling measures necessary for protection of rights and interests, such as notification or public disclosure of facts relating to violations
    • Greater flexibility in the contents of recommendations and orders enabling affirmative measures: In addition to “cessation of the violation and other measures necessary to correct the violation,” the Personal Information Protection Commission may now recommend or order that “notification to the individual or public disclosure of facts relating to the violation, or other measures necessary to protect individuals’ rights and interests,” be undertaken (Article 148, Paragraphs 1 through 3 of the Amended Act).

    10. Legalization of Measures Against Third Parties Assisting Violations, etc.

    Under the Current APPI, orders may be issued only against business operators handling personal information, etc. that have violated obligations under the APPI (Article 148, Paragraphs 2 and 3 of the Current APPI), and no orders may be issued to third parties involved in such violations requiring suspension of services provided to such business operators handling personal information, etc. In addition, no statutory basis exists even for voluntary requests.

    In light of such circumstances, the Revision Policy indicated a policy of establishing statutory provisions serving as the basis for requesting third parties assisting violations, etc. to take measures necessary to cease such violations (Revision Policy, p. 2).

    The 2026 Amended APPI establishes the following rules concerning measures against third parties assisting violations, etc.

    Subject of Amendment

    Specific Details of Amendment
    Requests to “Handling-Related Service Providers”
    • Definition of “Handling-Related Service Provider”: A person entrusted by a business operator handling personal information, etc. with all or part of the handling of personal information, etc., or other persons providing services used by business operators handling personal information, etc. for the handling of such personal information, etc. pursuant to contracts with such business operators handling personal information, etc. (Article 148-2, Paragraph 1 of the Amended Act). At the stage of the Approach, contemplated examples included providers of cloud services used for storage of personal information, hosting providers of servers used for public disclosure of personal information, and hosting providers of DNS servers converting domain names of such servers into IP addresses (Approach, pp. 9–10). 
    • Statutory basis for requests to “Handling-Related Service Providers”: Where a business operator handling personal information, etc. fails to comply with a corrective order, the Personal Information Protection Commission may request a Handling-Related Service Provider providing services used for handling personal information, etc. relating to the violation subject to such corrective order to take measures necessary to cease such violation, including suspension of handling of personal information, etc. relating to such violation and suspension of provision of such services (Article 148-2, Paragraph 1 of the Amended Act).
    Requests to “Specified Telecommunications Service Providers”
    • Definition of “Specified Telecommunications Service Provider”: A Specified Telecommunications Service Provider (Article 2, Item 4 of the Act on Information Distribution Platform Responses[xix]) providing Specified Telecommunications Services (Item 3 of the same Article) relating to distribution of information through Specified Telecommunications (Item 1 of the same Article) prescribed in such Act (Article 148-2, Paragraph 3 of the Amended Act). At the stage of the Approach, contemplated examples included providers of search services, etc. (Approach, p. 10). 
    • Statutory basis for requests to “Specified Telecommunications Service Providers”: Where a corrective order has been issued and the relevant violation consists of transmission of information containing personal information, etc. through Specified Telecommunications, the Personal Information Protection Commission may request a Specified Telecommunications Service Provider to take measures to prevent distribution of such information through Specified Telecommunications (Article 148-2, Paragraph 3 of the Amended Act).
    Immunity where measures are taken in response to requests
    • Immunity of Handling-Related Service Providers and Specified Telecommunications Service Providers: Where a Handling-Related Service Provider or a Specified Telecommunications Service Provider takes measures in response to the above requests, such provider shall not be liable for damages incurred by the business operator handling personal information, etc. subject to the corrective order as a result of such measures (Article 148-2, Paragraph 4 of the Amended Act).

    [xix] Act Partially Amending the Act on Limitation of Liability for Damages of Specified Telecommunications Service Providers and Disclosure of Sender Information (Act No. 25 of 2024).

    11. Strengthening and Expansion of Criminal Penalties

    Under the Current APPI, criminal penalties relating to wrongful provision, etc. of personal information databases, etc. apply only where the relevant act is conducted “for the purpose of obtaining unlawful gain,” and do not apply where the relevant act is conducted “for the purpose of causing harm” (Article 179 of the Current APPI).

    With respect to this point, the Approach pointed out that, in terms of the degree of harm to the rights and interests of the individual, there is no meaningful difference between acts conducted for the purpose of obtaining unlawful gain and acts conducted for the purpose of causing harm (Approach, p. 10). Based on such observations, the Revision Policy indicated a policy of expanding the scope of punishable conduct relating to wrongful provision, etc. of personal information databases, etc. so as to include acts conducted for the purpose of causing harm, and of increasing the statutory penalties therefor (Revision Policy, p. 3).

    In addition, under the Current APPI, criminal penalties relating to wrongful provision, etc. of personal information databases, etc. apply to acts of provision or misappropriation, and do not apply to acquisition itself (Article 179 of the Current APPI).

    With respect to this point, the Approach pointed out that personal information improperly acquired is highly likely to be improperly used, and that acts of acquiring personal information through fraudulent acts, unauthorized access, or other conduct impairing the management of persons possessing personal information should therefore be made directly punishable (Approach, p. 10). Based on such observations, the Revision Policy indicated a policy of establishing criminal penalties for acts of improperly acquiring personal information through fraudulent acts, etc. (Revision Policy, p. 3).

    The 2026 Amended APPI establishes the following revisions from the perspective of strengthening and expanding criminal penalties.

    Subject of Amendment

    Specific Details of Amendment
    Expansion of punishable conduct and increase of statutory penalties relating to wrongful provision, etc. of personal information databases, etc.
    • Addition of acts conducted for the purpose of causing harm to the scope of punishable conduct: Under the Current APPI, punishable conduct relating to wrongful provision, etc. of personal information databases, etc. was limited to acts of provision or misappropriation conducted “for the purpose of obtaining unlawful gain” (Article 179 of the Current APPI). Under the 2026 Amended APPI, acts of provision or misappropriation conducted “for the purpose of causing harm to the individual or any other person” have been added to the scope of punishable conduct (Article 178 of the Amended Act). 
    • Increase of statutory penalties: Under the Current APPI, the statutory penalty for wrongful provision, etc. of personal information databases, etc. was “imprisonment with work for not more than one year or a fine of not more than JPY 500,000” (Article 179 of the Current APPI). Under the 2026 Amended APPI, the statutory penalty has been increased to “imprisonment for not more than two years or a fine of not more than JPY 1,000,000” (Article 178 of the Amended Act)
    Establishment of new criminal penalties for acts of improperly acquiring personal information through fraudulent acts, etc.
    • Addition of the offense of improper acquisition of personal information through fraudulent acts, etc.: New criminal penalties have been established for acquiring personal information through the following purposes and acts (Article 180, Paragraph 1 of the Amended Act):
      1. Purpose: The purpose of obtaining unlawful gain for oneself or a third party, or the purpose of causing harm to the individual, the person possessing the personal information, or any other person. 
      2. Acts: Acts of deceiving a person, committing violence against a person, or threatening a person, or acts impairing the management of persons possessing personal information, including theft or destruction of property, intrusion into facilities, interception of wired telecommunications, unauthorized access acts, or other similar conduct.

    12. Introduction of an Administrative Surcharge System

    Under the Current APPI, monetary sanctions for violations of the APPI are limited to criminal fines, and administrative surcharges cannot be imposed.

    With respect to this point, the Approach pointed out that administrative surcharges are imposed flexibly as administrative measures and are introduced for the purpose of deterring violations by reducing the economic incentives for such violations, and that they play an important role in law enforcement in modern market-based societies oriented toward ex post facto review (Approach, p. 10). In addition, from the perspective of conducting careful discussions regarding the surcharge system, deliberations were conducted from July 2024 by the “Study Group on the So-Called Review Every Three Years of the Act on the Protection of Personal Information,” and a report [xx] was compiled at the end of December of the same year.

    Based on such observations, the Revision Policy indicated a policy that, in order to effectively deter malicious violations involving the handling of large volumes of personal information for economic incentives, where individuals’ rights and interests are infringed by serious violations, payment of an administrative surcharge equivalent to the amount of financial gain, etc. obtained through such violations shall be ordered (Revision Policy, pp. 3 and 6).

    The 2026 Amended APPI introduces the following administrative surcharge system.

    Subject of Amendment

    Specific Details of Amendment
    Surcharge payment orders
    • Surcharge payment orders for violations: Where a business operator handling personal information engages in any of the following acts (hereinafter referred to as the “Violative Acts”) and obtains money or other benefits[xxi] as consideration for such Violative Acts or for ceasing such Violative Acts, the Personal Information Protection Commission must order payment to the national treasury of an administrative surcharge equivalent to the amount calculated by the method specified by Cabinet Order as corresponding to such money or other benefits (Article 148-3, Paragraph 1 of the Amended Act). 
      1. Provision of personal information to a third party under circumstances in which it is anticipated that such third party will use the personal information to engage in unlawful acts or unjust discriminatory treatment.
      2. Use of personal information at the request of a third party under circumstances in which it is anticipated that such third party will engage in unlawful acts or unjust discriminatory treatment through use of such personal information. 
      3. Provision of personal data in violation of the restrictions on third-party provision of personal data (Article 27, Paragraph 1 of the Amended Act). 
      4. Handling of personal information in violation of the prohibition on use for purposes other than intended purposes applicable to Statistical Compilation-Use Special Care-Required Personal Information, etc., Provision Statistical Compilation-Use Personal Information, etc., and Provision Statistical Compilation-Use Personal Data, etc. (Article 30-2, Paragraphs 4 and 9, and Article 31-3, Paragraph 5 of the Amended Act). 
      5. Provision of personal information in violation of the prohibition on third-party provision applicable to Statistical Compilation-Use Special Care-Required Personal Information, etc., Provision Statistical Compilation-Use Personal Information, etc., and Provision Statistical Compilation-Use Personal Data, etc. (Article 30-2, Paragraphs 10 and 11, and Article 31-3, Paragraphs 6 and 7 of the Amended Act). 
    • Surcharge payment orders for improper acquisition and use: Where a business operator handling personal information acquires personal information in violation of the obligation of proper acquisition (Article 20, Paragraph 1 of the Amended Act) and uses such personal information, and obtains money or other benefits as consideration for such use or for ceasing such use, the Personal Information Protection Commission must order payment to the national treasury of an administrative surcharge equivalent to the amount calculated by the method specified by Cabinet Order as corresponding to such money or other benefits (Article 148-3, Paragraph 2 of the Amended Act). 
    • Exceptions to surcharge payment orders: The above surcharge payment orders shall not apply where either of the following circumstances exists: 
      1. No failure to exercise due care: Where the relevant business operator handling personal information is recognized as not having failed to exercise reasonable care to prevent the relevant Violative Acts or the relevant acquisition and use (hereinafter collectively referred to as the “Surcharge-Subject Conduct”) throughout the period during which such Surcharge-Subject Conduct was carried out (main clauses of Article 148-3, Paragraphs 1 and 2 of the Amended Act).
      2. Not a large-scale case or no infringement of rights and interests: Where the number of affected individuals does not exceed 1,000, or other cases specified by Cabinet Order as cases in which the degree of harm to individuals’ rights and interests is not substantial (provisos to Article 148-3, Paragraphs 1 and 2 of the Amended Act).
    Estimation of surcharge calculation amounts
    • Estimation based on surcharge-related materials: Where a business operator handling personal information fails to comply with requests for reports or submission of materials (Article 146, Paragraph 1 of the Amended Act), the Personal Information Protection Commission may estimate, by a reasonable method specified by the rules of the Personal Information Protection Commission using materials obtained from the following business operators and other materials, the surcharge calculation amount for periods during which facts serving as the basis for surcharge calculation cannot be ascertained, and may issue a surcharge payment order based thereon (Article 148-4 of the Amended Act): 
      1. The relevant business operator handling personal information or other business operators conducting transactions therewith; or 
      2. Other business operators conducting the same type of business as the business relating to the Surcharge-Subject Conduct relating to the relevant surcharge payment order, or other business operators conducting transactions therewith.
    Surcharge increase based on prior surcharge payment orders
    • 1.5x surcharge increase for persons subject to prior surcharge payment orders: The Personal Information Protection Commission must order a person satisfying all of the following conditions to pay to the national treasury an administrative surcharge equivalent to 1.5 times the surcharge calculation amount (Article 148-5 of the Amended Act):
      1. Prior surcharge payment order within 10 years: The person has previously been subject to a surcharge payment order within 10 years prior to the date on which requests for reports, etc.[xxii]were first made (or, where no such requests were made, the date on which notice of an opportunity for explanation was received).
      2. Conduct after surcharge payment order date: The person engaged in Surcharge-Subject Conduct after the date of the relevant surcharge payment order.
    Surcharge reduction/exemption (leniency) system
    • Leniency system: Where a business operator handling personal information reports to the Personal Information Protection Commission facts constituting Surcharge-Subject Conduct relating to a surcharge payment order, the amount obtained by multiplying the surcharge calculation amount by 50/100 shall be deducted from the amount of the surcharge (main clause of Article 148-6 of the Amended Act). 
    • Cases excluded from application of the leniency system: The above leniency system shall not apply where such report was made in anticipation that a surcharge payment order would be issued as a result of an investigation concerning the relevant Surcharge-Subject Conduct (proviso to Article 148-6 of the Amended Act).

    [xx] Study Group on the So-Called Review Every Three Years of the Act on the Protection of Personal Information, “Report of the Study Group on the So-Called Review Every Three Years of the Act on the Protection of Personal Information” (December 25, 2024).

    [xxi] “Money or other benefits” means money and other property benefits. The same shall apply hereinafter.

    [xxii] “Requests for reports, etc.” means requests for reports or submission of materials, or on-site inspections, pursuant to Article 146, Paragraph 1 of the APPI. The same shall apply hereinafter.

    Member

    PROFILE

    野呂悠登

    野呂悠登

    #個人情報

    Other Categories

    MORE
    MORE
    MORE
    MORE
    MORE
    MORE
    MORE

    TAGS

    VIEW MORE
    × メールマガジンの
    配信登録は
    こちら