MONOLITH LAW MAGAZINE

General Corporate

Understanding the Policy of "Reviewing the Personal Information Protection Law Every Three Years" ── Impact on Corporate Practices and Key Points for Response

On January 9, Reiwa 8 (2026), the Personal Information Protection Commission in Japan announced the “Personal Information Protection Act: System Reform Policy for the Triennial Review.” This reform aims to promote data utilization in the AI era while reorganizing the rules and regulations concerning inappropriate use, including the introduction of “surcharges.” These changes will impact how companies handle data.

This article explains the key practical points of the amendments that companies in Japan should be aware of.

Background and Institutional Requirements of the Amendment Policy to the Japanese Personal Information Protection Act

The formulation of the current amendment policy is influenced by three major factors.

“Review Every Three Years” as a Legal Obligation

Firstly, there is an institutional requirement. According to the supplementary provisions of the amendment law enacted in Reiwa 2 (2020), it is mandated to review the implementation status of the law every three years, taking into account international trends, advancements in information and communication technology, and the creation of new industries, and to take necessary measures.

The current amendment policy is presented as the conclusion of the review process that began in November of Reiwa 5 (2023) based on this provision.

Reference: Personal Information Protection Commission|Review of the Personal Information Protection Act Every Three Years

Alignment with Government-Wide Digital Reforms

Secondly, there is the alignment with the government’s overall data utilization strategy. In June of Reiwa 7 (2025), the government approved the “Basic Policy on the Framework for Data Utilization” in a cabinet meeting, advancing cross-cutting legal arrangements to establish a virtuous cycle of data and AI. Particularly, the rapid proliferation of AI and the sophistication and complexity of data processing have highlighted the challenge of individuals finding it difficult to understand how their data is being handled.

To address this, it has become essential to foster trust that allows individuals to provide their data with confidence, and to comprehensively establish the promotion of utilization and the effectiveness of post-utilization regulations.

Responding to Changes in Social and Technological Environments

Thirdly, there is the change in risks surrounding the rights and interests of individuals.

In recent years, the use of biometric information, exemplified by facial feature data (information that quantifies facial shapes and part arrangements to enable individual identification), has expanded, and issues concerning the handling of personal information of children under 16 have also become apparent.

Moreover, cases where personal information is misused for crimes, such as special fraud and phishing scams originating from “dark lists,” continue to occur. Additionally, as the outsourcing of data handling increases, risks arising from inadequate management, such as the use of data beyond the scope of the outsourced tasks, have been pointed out.

The emergence of these new risks, which the current legal framework cannot adequately address, is part of the background for the review.

The Four Pillars of the Amendment Policy for the Japanese Personal Information Protection Act

The current amendment policy is structured around four main pillars. We will explain the details of each pillar.

Promoting Appropriate Data Utilization Under Japanese Law

In this amendment, the approach to the individual's involvement in data uses that have a relatively minor impact on the rights and interests of individuals will be revised to facilitate smoother utilization.

Specifically, when data is used in a manner that does not allow the identification of specific individuals, such as in the creation of statistical information or AI development, the direction is set to eliminate the need for individual consent for third-party provision of personal data, under certain conditions.

Additionally, in cases where it is clear from the circumstances of acquisition that the use does not contradict the individual’s intent (for example, providing hotel reservation information to the accommodation or sharing information during international money transfers), the need for consent is also being reconsidered.

Furthermore, regarding exceptions related to the protection of life, body, and property, as well as the improvement of public health, the current requirement of “difficulty in obtaining consent” is being relaxed. A review is also being considered for exceptions related to academic research, aiming to facilitate clinical research by medical institutions.

Discipline Appropriately Addressing Risks Under Japanese Law

Establishing regulations that adapt to changes in handling methods is considered an important issue in Japan.

Firstly, regarding regulations related to minors, when obtaining personal information from individuals under the age of 16, the system is being reviewed to generally require the involvement of a legal guardian. Additionally, there is a proposal to introduce a responsibility provision that mandates considering “the best interests of the individual” when handling minors’ personal information.

Next, concerning regulations on biometric information, for data such as facial feature data that can continuously identify specific individuals, there is a discussion on strengthening the dissemination of usage purposes and expanding the scope of requests to cease usage. Furthermore, the review of third-party provision through opt-out is also a point of discussion.

Moreover, regarding regulations on outsourcing, there is a consideration to clarify rules to prevent the use of information beyond the scope of work by the subcontractor. On the other hand, when only mechanical processing is performed based on the instructions of the principal, there is a direction towards rationalizing the obligations.

Additionally, in response to incidents such as information leaks, there is a consideration to redesign the system to review the methods of notifying and reporting to individuals according to the degree of risk.

Prevention of Improper Use Under Japanese Law

Regarding the prevention of improper use, regulations will be strengthened to prevent misuse for criminal activities in Japan.

Even if certain information such as phone numbers or Cookie IDs does not qualify as personal information, its use or acquisition for improper purposes like phishing scams is prohibited. Additionally, when providing such information under the opt-out system, it is mandatory to verify the identity and purpose of the recipient to curb the illegal distribution of lists.

Ensuring the Effectiveness of Compliance Under Japanese Law

Ensuring the effectiveness of compliance is the primary concern in the recent amendments under Japanese law. The requirements have been revised to enable swift corrective orders, and a foundational provision has been established for requesting measures against third parties (such as hosting providers) that assist in violations.

Additionally, a system will be introduced to impose surcharges equivalent to the economic benefits obtained on businesses that collect large volumes of personal information and gain financial profit through malicious use or provision. This system will generally apply to large-scale cases involving more than 1,000 individuals, significantly increasing compliance risks for companies in Japan.

Corporate Responses Required for Amendments to the Japanese Personal Information Protection Act

The content of the amendment policy is extensive, and companies will be compelled to fundamentally review their legal and compliance frameworks. Here, we organize the specific responses required.

Reconstruction of Outsourcing Management and Contract Review

With this amendment, direct legal obligations will also be imposed on outsourcing partners. Companies must first reassess their supervisory systems to ensure that their outsourcing partners do not use data beyond the scope of their duties. This is particularly crucial when outsourcing AI development or data analysis, as there is a risk under the new law that using data for independent learning by the outsourcing partner will be explicitly prohibited.

Conversely, in cases where only “mechanical processing” tasks such as data entry are outsourced, companies need to prepare for contract revisions to adapt to the new system. This includes agreeing on all handling methods in the contract and specifying measures for situation awareness to qualify for exemptions from obligations.

Establishment of Special Rules for Minors and Biometric Data

Companies providing services to individuals under 16 years old must urgently develop age verification processes and implement workflows to obtain consent from legal guardians. Additionally, as there is a duty to consider the “best interests of minors,” companies will need to include clear explanations for minors in their privacy policies.

Furthermore, companies that have implemented facial recognition systems must prepare for the legal obligation to disclose certain information (such as the name of the data collector, specific purposes of use, and details of physical characteristics) by reviewing the content displayed on bulletin boards and websites.

Utilization of Statistics as “Proactive Governance”

On the other hand, this amendment also aims to promote the utilization of data. A special exemption that does not require individual consent for the creation of statistics is being considered, potentially expanding the scope for advanced data analysis and AI development under certain conditions.

For companies, it is crucial to establish internal rules (such as prohibiting use beyond intended purposes, restricting third-party provision, and ensuring appropriate disclosure procedures) to appropriately utilize this exemption and build a legal foundation for innovation creation.

Risk Management for Increased Penalties and Surcharges

A major point of discussion in this review is the strengthening of the surcharge system and penalties. In cases of large-scale data breaches or improper use, companies may be ordered to pay surcharges equivalent to the unjust profits gained, in addition to administrative orders.

Moreover, the strengthening of penalties against corporations is also being debated, making it essential to establish compliance systems to eliminate data acquisition from inappropriate list vendors and prevent data usage that could lead to fraudulent activities.

Conclusion: Consult Experts on the Amendments to the Japanese Personal Information Protection Law

The proposed amendments to the Japanese Personal Information Protection Law are not merely minor changes; they are highly effective measures designed to address the advent of the AI era and the increasing severity of data crimes.

The amendment bill is scheduled to be submitted to the regular session of the National Diet in Reiwa 8 (2026), and if passed, it is expected to come into effect around Reiwa 9 to 10 (2027 to 2028). Now that the amendment policy has been announced, it is crucial to reassess your company’s data governance without waiting for the legislation to be enacted. In particular, the introduction of a penalty system and strict regulations on minors and biometric data are issues that directly impact management. It is advisable to closely monitor the legislative developments and collaborate with relevant departments within your company to ensure thorough preparation.

Guidance on Measures by Our Firm

Monolith Law Office is a legal practice with high expertise in both IT, particularly the Internet, and law. Recently, there has been increasing attention on governance related to the Japanese Act on the Protection of Personal Information. Our firm provides solutions for labor issues under Japanese law. Detailed information is provided in the article linked below.

The Editor in Chief: Managing Attorney: Toki Kawase

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies. He has served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage startups.
