JapanHow does APPI address AI profiling?
The Act on the Protection of Personal Information (APPI) regulates AI profiling by treating it as 'profiling' under its definition of 'automated processing', requiring consent, impact assessments, and safeguards for sensitive data.
What the Law Says
Japan’s Act on the Protection of Personal Information (APPI) addresses AI profiling through its 2022 amendments, which explicitly define and regulate automated decision-making—including profiling—when it significantly affects individuals’ rights or interests.
Under APPI, 'profiling' is defined as 'the automated processing of personal information to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.'
This definition applies to AI systems that process personal data to make predictions or classifications about individuals — such as credit scoring, job candidate screening, or targeted advertising — and triggers specific obligations.
When profiling leads to decisions with legal or similarly significant effects (e.g., denial of service, loan rejection), businesses must obtain prior, explicit consent unless an exception applies. They must also conduct a privacy impact assessment (PIA) and implement appropriate safeguards, especially when handling 'sensitive personal information' (e.g., health, biometrics, beliefs).
Controllers must ensure transparency: individuals have the right to know if profiling is occurring, the logic involved, and the likely consequences — and may request human intervention or contest the decision.
Statutory Text‘Profiling’ means the automated processing of personal information to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
— Act on the Protection of Personal Information, Art. 2(12) — Definition of Profiling
Statutory TextWhere the handling of personal information involves profiling that produces legal effects concerning the individual or similarly significantly affects the individual, the business operator shall, in advance, obtain the consent of the individual concerned.
— Act on the Protection of Personal Information, Art. 17-2 — Consent for Profiling
What to Do
Determine whether your AI system performs 'profiling' as defined in APPI Article 2(12)
Obtain explicit, informed consent before deploying profiling that produces legal or significant effects
Conduct a Privacy Impact Assessment (PIA) and document safeguards for sensitive data
Provide clear explanations to individuals about profiling logic, purpose, and their rights to object or request human review
Appoint a Data Protection Officer (if handling large-scale sensitive data) and maintain records of processing activities
Sources
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.