
Japan's Privacy Law Is Getting Teeth: What the 2026 APPI Amendments Mean for Foreign Businesses

Introduction

For years, Japan's Act on the Protection of Personal Information (個人情報保護法, Kojin Jōhō Hogo-hō), commonly known as the APPI, has been viewed by international compliance teams as a relatively lenient data protection regime. Unlike the EU's General Data Protection Regulation (GDPR), which can impose fines of up to 4% of global annual revenue, the APPI has relied primarily on guidance, recommendations, and orders from the Personal Information Protection Commission (個人情報保護委員会, Kojin Jōhō Hogo Iinkai, or PPC), with criminal penalties reserved for extreme cases and rarely applied.
That is about to change.
On January 9, 2026, the PPC published the Policy Direction for Institutional Reform (制度改正方針, Seido Kaisei Hōshin) under the APPI's mandatory three-year review process. The proposed amendments introduce Japan's first-ever administrative surcharge system for data protection violations, new regulations on cookies and personal-related information, dedicated protections for children's data, rules governing biometric data, and strengthened enforcement powers. A bill is expected to be submitted to the Diet during the current ordinary session, which runs through June 2026.
For foreign companies operating in Japan or handling the data of individuals located in Japan, these amendments carry immediate strategic significance. The APPI applies extraterritorially: a business operator outside Japan that handles the personal information of individuals in Japan in connection with supplying goods or services to them is subject to the law, regardless of where the company is incorporated. The introduction of financial penalties means that non-compliance will carry economic consequences, not just regulatory guidance.

Background: The Three-Year Review Process

The APPI includes a built-in mechanism for periodic revision. Under Article 10 of the supplementary provisions of the 2020 amendments, the PPC is required to review the law approximately every three years, taking into account the state of information technology, the development of new industries, and international trends.
The current review cycle began in November 2023 with stakeholder hearings. In June 2024, the PPC published an interim summary of key issues. Public comments were collected and analyzed through September 2024, followed by a detailed expert panel report in December 2024. The final reform policy was published on January 9, 2026, setting the direction for legislative drafting.
This review is also part of a broader government initiative. The Cabinet's Basic Policy on Data Utilization Systems, decided in June 2025, explicitly called for prompt submission of APPI amendments to the Diet. The reform therefore reflects not just the PPC's regulatory agenda but the Japanese government's wider digital transformation strategy.

Key Changes for Foreign Companies

The reform policy identifies twelve specific items across four pillars: promoting appropriate data utilization, risk-responsive regulation, preventing improper use, and ensuring compliance effectiveness. The following six items are most directly relevant to foreign businesses operating in Japan.

1. Administrative Surcharge System

This is the single most significant change in the APPI's enforcement framework. For the first time, the PPC will have the authority to impose administrative fines, known as surcharges (課徴金, Kachōkin), on businesses that violate certain provisions of the law.
Covered violations. The surcharge system targets five specific types of conduct, each involving financial gain from data misuse:
  1. Providing personal information to a third party who is expected to use it for illegal activities or discriminatory treatment
  2. Providing personal information at the request of a third party who is expected to use it for illegal or discriminatory purposes
  3. Acquiring personal information through deception or other wrongful means and using it (violation of Article 20, Paragraph 1)
  4. Providing personal data to a third party without the data subject's consent (violation of Article 27, Paragraph 1)
  5. Using or providing to third parties personal information obtained under statistical processing exceptions in violation of those exceptions' conditions
Three conditions must all be met before a surcharge order can be issued:
  • Negligence: The business operator failed to exercise reasonable care to prevent the violation
  • Scale: The violation involves personal information or personal data of more than 1,000 individuals
  • Harm: The degree of infringement on individuals' rights and interests is not insignificant
Calculation of the surcharge amount. The surcharge equals the "financial benefit equivalent" (財産上の利益に相当する額) that the business obtained through the violation or through ceasing the violation. Unlike the GDPR's revenue-based calculation, Japan's approach ties the penalty directly to the profit derived from the unlawful data handling.
GDPR comparison. While the GDPR allows fines of up to EUR 20 million or 4% of global annual turnover (whichever is higher), the APPI surcharge is calibrated to the actual financial gain from the violation. The philosophical difference is notable: the GDPR emphasizes deterrence through potentially massive penalties, while the APPI focuses on disgorgement of ill-gotten gains. Nevertheless, the introduction of any financial penalty marks a fundamental shift for Japan's data protection enforcement, which until now has relied on guidance, recommendations and orders, with criminal sanctions rarely applied.

2. Regulation of Cookies and Personal-Related Information

The reform policy introduces new rules targeting what the APPI calls "personal-related information that enables contact with specific individuals" (特定の個人に対する働きかけが可能となる個人関連情報等). This category includes phone numbers, email addresses, Cookie IDs, and similar identifiers.
Under the current APPI framework, personal-related information (個人関連情報, Kojin Kanren Jōhō) occupies a grey zone. It is information that, by itself, does not identify a specific individual but can be linked to one when combined with other data. Cookies, device identifiers, and browsing histories fall into this category. The existing law regulates personal-related information primarily when it is provided to a third party who will link it to identified individuals, requiring the provider to confirm the third party has obtained consent.
The reform policy goes further in two key ways:
Prohibition of improper use and wrongful acquisition. The amendments will explicitly prohibit the improper use and wrongful acquisition of personal-related information that can be used to contact or target specific individuals. This fills a gap where data brokers or advertisers could collect and trade such information without clear regulatory constraints.
Opt-out scheme tightening. When personal data is provided to third parties under the opt-out scheme (where data subjects can object but are not asked for prior consent), the provider will now be required to verify the identity of the recipient and confirm the intended purpose of use.
GDPR comparison. The EU has regulated cookies since the ePrivacy Directive (2002/58/EC), which, as amended in 2009, requires informed consent before non-essential cookies are stored or read. Japan's approach is narrower, focusing on misuse and wrongful acquisition rather than requiring consent for all tracking. However, the direction of travel is clear: Japan is closing the regulatory gap on online tracking and targeting.

3. Children's Data Protection

The APPI currently contains no specific provisions for protecting children's personal information. The reform policy addresses this gap directly.
Legal representative requirement for under-16s. The amendments will codify that when the data subject is under 16 years of age, consent and other notifications must be directed to the legal representative (法定代理人, Hōtei Dairinin), typically a parent or guardian. While this was previously understood as implied guidance, it will now be an explicit statutory requirement.
Relaxed suspension and deletion rights. Data subjects (or their legal representatives) will have expanded grounds to request suspension of use or deletion of retained personal data concerning minors. The current threshold for such requests requires demonstrating a risk of rights infringement; the amendments will lower this bar for children's data.
Best interests principle. A new duty of care provision will require businesses to prioritize the best interests of minors when handling their personal information. This is a responsibility provision (責務規定, Sekimu Kitei) rather than a strict obligation, meaning it establishes a standard of conduct that regulators will reference when evaluating compliance.
GDPR comparison. The GDPR addresses children's data primarily through Article 8, which sets the digital age of consent at 16 (with member states permitted to lower it to 13). The APPI's approach is broader, applying to all processing of children's data rather than just consent to online services. The "best interests" principle echoes the language of the UN Convention on the Rights of the Child, to which Japan is a party.

4. Biometric Data Rules

Facial feature data and other biometric information will be subject to new, dedicated rules for the first time under the APPI.
Notification obligations. Businesses that handle facial feature data (顔特徴データ, Kao Tokuchō Dēta) and similar biometric information will be required to publicly disclose certain matters related to their data handling practices.
Expanded suspension rights. The requirements for data subjects to request suspension of use or deletion of their biometric data will be relaxed, making it easier for individuals to object to biometric processing.
Ban on opt-out transfers. Providing biometric data to third parties under the opt-out scheme will be prohibited. This means businesses cannot share facial recognition data or similar biometric information with third parties unless they obtain explicit prior consent or fall under another legal basis.
GDPR comparison. Under the GDPR, biometric data is classified as a "special category" of personal data (Article 9), subject to a general prohibition on processing with limited exceptions. Japan's approach stops short of this blanket prohibition but moves significantly in the same direction by restricting how biometric data can be shared and giving individuals stronger objection rights.

5. Commissioned Data Processing

The reform policy introduces clearer rules for businesses that process personal data on behalf of others, a scenario increasingly common as companies rely on cloud services, SaaS platforms, and outsourced data processing.
Purpose limitation codified. The amendments will establish an explicit statutory obligation that commissioned processors must not handle personal data beyond what is necessary for performing the commissioned work. While this was previously understood as an implicit requirement, its codification removes ambiguity and creates a clear enforcement basis.
Exemption for passive processors. Where a commissioned processor does not independently determine how to handle the data (for example, a data entry service that mechanically processes data according to the committing party's instructions), the processor will be exempted from most Chapter 4 obligations under the APPI. The security management obligation will continue to apply regardless.
This distinction effectively introduces a controller-processor framework into Japanese data protection law. The committing party retains full regulatory responsibility, while the passive processor faces a reduced compliance burden in exchange for not exercising independent judgment over data handling.
GDPR comparison. This closely parallels the GDPR's controller-processor distinction (Articles 24-28), where processors act only on the controller's documented instructions and are subject to specific but limited obligations. Japan's approach is more lenient: a passive processor is exempted from most of Chapter 4 and retains only the security management obligation, whereas a GDPR processor faces a broader set of direct obligations, including security measures, notification of breaches to the controller, maintaining records of processing, and cooperation with supervisory authorities.

6. Enhanced Enforcement Powers

Beyond the surcharge system, the reform policy strengthens the PPC's enforcement toolkit in several important ways.
Faster order authority. Currently, the PPC must generally issue a recommendation before escalating to an order. The amendments will allow orders to be issued when rights infringement is "imminent" (切迫, Seppaku), enabling faster regulatory intervention without the delay of the recommendation step.
Violation disclosure powers. The PPC will be able to recommend or order businesses to notify affected data subjects of the facts of a violation, or to publicly disclose the violation. This creates a powerful reputational incentive for compliance.
Third-party measures. New provisions will establish a legal basis for the PPC to request that third parties who assist in violations take measures to cease the violating conduct. This explicitly covers cloud service providers, hosting companies, and DNS server operators who may be facilitating data protection violations.
Expanded criminal penalties. The scope of criminal liability is broadened. Providing personal information databases for the purpose of causing harm to individuals will be punishable. Additionally, new criminal penalties are introduced for acquiring personal information through fraud or deception.

What This Means for Foreign Companies in Japan

The cumulative effect of these amendments is a significant strengthening of Japan's data protection regime. Three aspects are particularly important for foreign businesses.
Extraterritorial reach is now backed by financial consequences. The APPI's extraterritorial application is not new: the law has reached foreign business operators handling the data of individuals in Japan since the 2015 amendments (in force from 2017), and the 2020 amendments extended the PPC's reporting demands and orders to them. What is new is the enforcement bite. With the surcharge system, a foreign company that negligently commits one of the covered violations involving the data of more than 1,000 individuals in Japan, with non-trivial harm to their rights and interests, faces a financial penalty, not just regulatory guidance. This changes the compliance calculus fundamentally.
Digital businesses face the most immediate impact. Companies in e-commerce, digital advertising, SaaS, cloud computing, and AI development are most directly affected by the new cookie and personal-related information rules, the biometric data restrictions, and the commissioned processing framework. If your business collects browsing data, uses tracking pixels, processes facial recognition data, or handles Japanese customer data through third-party processors, each of these reform areas applies to you.
The compliance preparation window is now. Based on past reform cycles, the bill is expected to pass by mid-2026, with implementation likely 1-2 years after enactment. This means businesses have roughly 18 to 30 months before the new rules take full effect. However, the direction of reform is clear and unlikely to change significantly through the legislative process. Companies that begin preparation now will avoid the rush of last-minute compliance efforts.

Compliance Preparation Checklist

Even before the amendments are formally enacted, foreign companies operating in Japan or handling Japanese residents' data should begin the following preparations.

Data Mapping and Inventory

  • Identify all personal-related information your business collects, including cookies, device IDs, email addresses, and phone numbers used for targeting.
  • Map data flows involving commissioned processors, particularly cloud service providers and outsourced data handling operations.
  • Flag any processing of biometric data, including facial recognition, fingerprints, or voiceprints.

Cookie and Tracking Review

  • Audit your current cookie consent mechanisms for Japanese users.
  • Evaluate whether your use of third-party tracking technologies involves provision of personal-related information that would fall under the new restrictions.
  • Review relationships with data brokers and advertising partners to ensure compliance with opt-out scheme requirements.

Children's Data Policies

  • Determine whether your services are used by or directed at individuals under 16 in Japan.
  • Develop or update age verification and parental consent mechanisms.
  • Review privacy notices to ensure they address the handling of minors' data.

Processor Agreements

  • Review contracts with commissioned data processors to ensure they include purpose limitation clauses.
  • Clarify the division of responsibilities between your organization and processors who independently determine handling methods versus those who follow instructions passively.

Incident Response Planning

  • Update breach notification procedures. The current law already requires reporting qualifying leaks to the PPC and notifying affected individuals (Article 26); the amendments add PPC powers to recommend or order notification to data subjects, or public disclosure, of a violation.
  • Ensure your organization can count the distinct individuals (not records) affected by an incident. The current PPC Rules already require reporting leaks of personal data affecting more than 1,000 individuals, and the same figure is the scale condition for surcharge liability, which attaches to the five covered violations rather than to leaks as such.
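The two checklist items that practitioners most often have to turn into code are the data inventory (which fields are personal-related, contactable or biometric) and the count of affected individuals against the 1,000-person scale condition. The following is an added example, not code from the article or from the PPC: it links records that share any normalized identifier (email, phone, customer ID) with a union-find structure so that one person who appears under several differently formatted rows is counted once, and it buckets the fields present into the reform policy's categories. The field names, the category mapping, the regexes and normalization rules, and the sample records are all constructed assumptions for illustration; the 1,000 threshold is the figure stated in the reform policy.

```python
"""Affected-individual counting and identifier inventory for incident scoping.

Added example; not from the article. Field names, categories, normalization
rules and the sample data are assumptions made for illustration.
"""
import re

SCALE_THRESHOLD = 1000  # "more than 1,000 individuals" (reform policy scale condition)

# Assumed field categories for the inventory (illustration only).
CONTACTABLE_FIELDS = {"email", "phone", "cookie_id"}  # personal-related info usable to contact/target
BIOMETRIC_FIELDS = {"face_template"}


def normalize_email(value):
    """Case-fold and trim; reject values that are not shaped like an address."""
    value = value.strip().lower()
    return value if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value) else None


def normalize_phone(value):
    """Keep digits only and fold the +81 country code to the domestic leading 0.
    Assumes Japanese numbering: domestic numbers start with 0, never with 81."""
    digits = re.sub(r"\D", "", value)
    if digits.startswith("81") and len(digits) >= 11:
        digits = "0" + digits[2:]
    return digits or None


# Fields that can link rows to the same person, with their normalizers.
LINKING_FIELDS = {
    "email": normalize_email,
    "phone": normalize_phone,
    "customer_id": lambda v: v.strip() or None,
}


class DisjointSet:
    """Minimal union-find over (field, normalized_value) keys."""

    def __init__(self):
        self.parent = {}

    def find(self, key):
        self.parent.setdefault(key, key)
        while self.parent[key] != key:
            self.parent[key] = self.parent[self.parent[key]]  # path halving
            key = self.parent[key]
        return key

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def count_affected_individuals(records):
    """Number of distinct people: rows sharing any normalized identifier are merged.
    Rows with no usable identifier are counted as separate people (conservative)."""
    ds = DisjointSet()
    unlinked = 0
    for rec in records:
        keys = []
        for field, normalize in LINKING_FIELDS.items():
            raw = rec.get(field)
            normalized = normalize(raw) if raw else None
            if normalized:
                keys.append((field, normalized))
        if not keys:
            unlinked += 1
            continue
        for key in keys:
            ds.union(keys[0], key)  # also registers single-key rows
    components = {ds.find(key) for key in list(ds.parent)}
    return len(components) + unlinked


def scale_condition_met(records):
    """True when the affected population exceeds the surcharge scale threshold."""
    return count_affected_individuals(records) > SCALE_THRESHOLD


def inventory(records):
    """Fields present in the data, bucketed into the reform policy's categories."""
    present = set()
    for rec in records:
        present.update(field for field, value in rec.items() if value)
    return {
        "contactable_personal_related": sorted(present & CONTACTABLE_FIELDS),
        "biometric": sorted(present & BIOMETRIC_FIELDS),
        "other": sorted(present - CONTACTABLE_FIELDS - BIOMETRIC_FIELDS),
    }


def build_sample(n_people):
    """Constructed data: each person appears in three rows with identifiers formatted
    differently (upper-case email, +81 phone, bare customer ID) so naive row counts
    overstate the population threefold."""
    records = []
    for p in range(n_people):
        email = f"user{p}@example.com"
        local = f"{p:04d}-{(p * 7) % 10000:04d}"
        records.append({"email": email.upper()})
        records.append({"phone": f"+81 90 {local}", "customer_id": f"C{p}"})
        records.append({"email": email, "phone": f"090-{local}", "cookie_id": f"ck{p}",
                        "face_template": "deadbeef" if p % 50 == 0 else None})
    return records


if __name__ == "__main__":
    sample = build_sample(1000)
    print(f"rows={len(sample)} individuals={count_affected_individuals(sample)} "
          f"scale_condition={scale_condition_met(sample)}")
    print(inventory(sample))
```

Run it as-is for the constructed population: 3,000 rows collapse to exactly 1,000 individuals, which does not meet the "more than 1,000" condition, while one additional person does. The point for incident scoping is that the threshold turns on people, so identifier normalization and linkage must be decided before the count is reported.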

Internal Training

  • Brief legal, compliance, and marketing teams on the upcoming changes.
  • Pay particular attention to the new restrictions on personal-related information use, as these affect day-to-day marketing and analytics operations.

Timeline and What Comes Next

The current ordinary session of the Diet runs from January 23 to June 21, 2026. The government has indicated its intention to submit the APPI amendment bill during this session. If passed, the amendments are expected to take effect approximately one to two years after enactment, consistent with past reform cycles.
Several points remain subject to further discussion during the legislative process. The specific calculation methodology for surcharges, the detailed scope of biometric data rules, and the practical implementation of the commissioned processing exemptions will likely be refined through Cabinet Orders and PPC rules issued after the bill becomes law.
Additionally, the Cabinet Office is separately examining data utilization systems through its Digital Administrative and Fiscal Reform Council. The PPC has indicated that the APPI amendments will be coordinated with these broader data governance reforms, meaning further adjustments are possible as the government's digital transformation agenda evolves.
For foreign businesses, the key takeaway is straightforward: the direction of reform is settled, the bill is imminent, and the preparation window is open. Companies that act now will be well-positioned when the new rules take effect.

Disclaimer

This article provides general information about proposed amendments to Japan's Act on the Protection of Personal Information and should not be considered legal advice. The reform policy discussed in this article represents the PPC's stated direction for legislative drafting; the final enacted law may differ in specific provisions. Businesses are strongly encouraged to consult with qualified legal professionals for guidance tailored to their specific situations.