The amendments to Japan's data protection law create a 'statistical processing' exception that eases consent requirements for medical histories, racial data, and other sensitive categories used in AI training.
Japan’s Cabinet has approved amendments to the country’s core data protection law, the Act on the Protection of Personal Information (APPI), that would let companies use sensitive personal data for AI model training without obtaining individual consent. The catch: the data has to be pseudonymized well enough that re-identifying someone from it would be, in the government’s view, sufficiently difficult.
What the new rules actually change #
The core of the reform is a new statutory exception for what Japan is calling “statistical processing” of personal data. If a company can strip your data down to the point where you personally can’t be identified from it, they can feed it into AI systems without asking you first.
That might sound reasonable until you consider what falls under “sensitive data” in this context. Medical histories. Racial information. Categories that most privacy frameworks, including Europe’s GDPR, treat with maximum caution. Under the amended APPI, these categories will no longer require the stringent consent protocols that previously governed their use.
There are some limits. Biometric data, things like fingerprints and facial recognition markers, will face heightened transparency obligations. The amendments also tighten rules around data belonging to minors under 16.
The bill has already cleared Japan’s Lower House of Parliament. Legislative discussions are continuing in the Diet, with implementation expected by late 2026 or early 2027, contingent on final legislative approval and follow-up Cabinet orders.
Japan’s AI independence strategy #
The APPI amendments follow the AI Promotion Act that Japan passed in May 2025. Japanese policymakers have been explicit about what they’re trying to avoid: becoming what some officials have described as an “AI colony” dependent on foreign technology.
Privacy concerns and the re-identification problem #
Critics of the reform have zeroed in on what is probably the most technically contested claim in the entire framework: that pseudonymized data carries minimal re-identification risk.
The history of data anonymization is littered with examples of supposedly anonymous datasets being reverse-engineered to identify individuals. Researchers have repeatedly demonstrated that combining pseudonymized health records with publicly available information can unmask patients. Netflix famously learned this lesson when researchers de-anonymized its “anonymous” movie rating dataset by cross-referencing it with IMDb reviews.
What this means for investors and markets #
For investors watching the AI sector, Japan’s regulatory shift creates a potentially meaningful tailwind for domestic AI companies. Companies with large proprietary datasets, particularly in healthcare and financial services, stand to benefit the most from the relaxed consent requirements. One notable absence from the reform: cryptocurrency and digital assets. The APPI amendments don’t touch crypto tokens or blockchain-related data handling, which means the intersection of AI and Web3 in Japan remains governed by existing, more restrictive frameworks.
Companies operating in Japan will need to adapt their data handling practices to the new framework, which means upfront investment in pseudonymization infrastructure and transparency reporting, especially for biometric data.
Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our