← Insights / Compliance

Japan's AI Compliance Overhaul 2025–2028: What International Firms Must Know About the AI Promotion Act and APPI Amendments

Japan has long occupied an unusual position in global AI governance: a major technology economy that resisted the impulse to legislate first and ask questions later. That approach is changing. Between May 2025 and July 2026, Japan enacted its first dedicated AI promotion law, approved significant am

Compliance 11 July 2026 6 min read

Japan's AI Compliance Overhaul 2025–2028: What International Firms Must Know About the AI Promotion Act and APPI Amendments

Japan has long occupied an unusual position in global AI governance: a major technology economy that resisted the impulse to legislate first and ask questions later. That approach is changing. Between May 2025 and July 2026, Japan enacted its first dedicated AI promotion law, approved significant amendments to its principal data protection statute, and updated its practical guidance framework twice. For international professional services firms and global enterprises operating across multiple jurisdictions, these developments demand attention — not least because they interact with obligations you may already carry under the EU AI Act, GDPR, or equivalent regimes elsewhere.

The AI Promotion Act: What It Does and Does Not Do

The Act on the Promotion of Research and Development and the Utilization of AI-Related Technologies, passed by the Diet on 28th May 2025 and largely in force from 4th June 2025, is Japan's foundational AI legislation. Its purpose is explicitly promotional: it frames AI as a driver of public welfare and economic resilience, and it distributes responsibility across government bodies, academia, businesses, and citizens through a co-ordinated, multi-stakeholder model.

What this Act does not do is impose prescriptive requirements on businesses in the manner of the EU AI Act's risk-tiered obligations. There are no mandatory conformity assessments, no prohibited AI practices list, and no penalties for non-compliance with a specific AI rulebook. Japan's position is deliberately permissive by design, intended to keep the country competitive in AI development without erecting barriers that might push innovation offshore.

That said, operating without a prescriptive framework is not the same as operating without risk. The Act establishes expectations for responsible conduct, and the voluntary guidelines issued by METI and MIC carry significant weight in practice. Regulators, courts, and commercial counterparties will likely treat these guidelines as the de facto standard when disputes or incidents arise. International firms should treat voluntary compliance as commercially and reputationally mandatory.

APPI Amendments: The Data Processing Picture Is Shifting

The more consequential near-term compliance challenge concerns data. Japan's Act on the Protection of Personal Information (APPI) is undergoing its most significant revision in years. A Cabinet-approved bill passed the Lower House in April 2026, with full enforcement anticipated around April 2028.

The amendments are a studied attempt to facilitate AI-era data use whilst tightening protections where risks are highest. The headline change is the introduction of a "statistical processing" exception, which may permit organisations to use publicly available personal data for AI model training without obtaining explicit consent — provided the data is de-identified (pseudonymised) and supported by documented safeguards, including Data Protection Impact Assessments (DPIAs). This addresses a practical tension that the Personal Information Protection Commission (PPC) had already flagged in June 2023, when it warned businesses that feeding personal data into AI systems could breach Articles 18 and 27 of the existing APPI if the data was retained or reused for training without adequate legal basis.

The "statistical processing" exception is a meaningful concession to innovation, but it is not a blank cheque. The PPC retains interpretive authority over what constitutes "little risk" for the purposes of this exception, and that ambiguity will need to be managed through documented governance rather than assumption. Firms that assume broad permission because data is technically public are likely to find themselves exposed.

Alongside the new exception, the amendments introduce stricter controls on specific biometric personal information, including facial recognition data, and extend protections for children under 16, requiring parental consent for data collection or use. A further revision enacted on 10th July 2026 facilitates the use of government administrative data — including personal information — by private businesses for AI development, overseen jointly by the Digital Agency and the PPC.

METI's AI Guidelines for Business: The Practical Compliance Baseline

While legislation sets the legal perimeter, the AI Guidelines for Business issued by METI and MIC provide the operational detail that compliance teams actually need. Updated to Version 1.01 in March 2025 and to Version 1.2 in March 2026, these guidelines have evolved alongside the technology they address.

Version 1.2 is notable for extending scope to AI agents and physical AI — systems capable of autonomous action in the real world. This is a significant step. As professional services firms deploy AI in document review, contract analysis, client advisory tools, and automated workflows, the question of whether a given system qualifies as an AI agent under these guidelines will become material to governance decisions.

METI also published a "Checklist for AI Use/Development Contracts" in February 2025, covering liability for erroneous output, intellectual property ownership, indemnity structures, and data-use scope. For firms procuring AI tools from Japanese vendors, or licensing AI capabilities to Japanese clients, this checklist represents the framework your counterparty will likely expect you to have considered. Ignoring it introduces unnecessary commercial friction and potential liability exposure.

What This Means for International Firms

The cumulative effect of these developments is a Japan AI compliance environment that is more structured, more demanding, and more consequential than it was eighteen months ago. For international firms, several practical considerations follow.

Cross-border data flows require renewed scrutiny. The revised APPI framework — particularly the biometric data provisions and the children's data rules — interacts with obligations under GDPR and other regimes. Where data flows between Japan and EU or UK entities, firms need to confirm that their legal bases, safeguards, and DPIA processes are coherent across jurisdictions, not just compliant in isolation.

AI procurement and vendor contracts need updating. The METI checklist establishes a clear set of risk allocation questions that should be reflected in your AI vendor agreements. If your standard templates predate 2025, they almost certainly do not address the issues Japan's framework now raises — and analogous gaps are likely to exist for other markets as well.

The 2028 enforcement date is not a reason to wait. APPI amendments with full enforcement from April 2028 still require firms to assess their current data practices, identify gaps, and build remediation into their compliance roadmaps now. Structural changes to how AI systems handle personal data — particularly training data pipelines — take time and resource to implement.

Voluntary guidelines carry real-world consequences. In the absence of mandatory enforcement mechanisms under the AI Promotion Act, reputational and contractual risk will be the primary levers. Japanese clients, regulators, and partners will assess your AI governance posture against the METI guidelines. International firms that treat these as optional are misreading the landscape.

Japan's evolving AI framework illustrates a broader truth: global AI compliance is no longer a collection of separate national checklists. It is an interconnected set of obligations that rewards firms who take an integrated, jurisdiction-aware approach and penalises those who manage each market reactively.

Ops Intel works with international professional services businesses and global enterprises to build AI compliance programmes that are coherent across jurisdictions, proportionate to actual risk, and designed to evolve as frameworks change. Whether you need a gap analysis against Japan's APPI amendments, a review of your AI vendor contracts, or a cross-border compliance strategy that spans multiple regulatory regimes, we can help.

Contact Ops Intel to speak with a compliance specialist or request a Japan AI compliance briefing tailored to your organisation.

Work with Ops Intel

Need help navigating AI compliance?

We build AI compliance frameworks and automation systems for professional services firms worldwide. Book a free 30-minute call or email us directly.

Call Now Claim Your Free Audit