Defamation & Reputation Management 2026

Last Updated February 10, 2026

Japan

Law and Practice

Author



Nagashima Ohno & Tsunematsu is based in Tokyo and is widely recognised as a leading law firm and one of the foremost providers of international and commercial legal services. The firm’s overseas network includes locations in New York, Shanghai, Singapore, Bangkok, Ho Chi Minh City, Hanoi, Jakarta (associate office), and London. The firm also maintains collaborative relationships with prominent local law firms. In representing leading domestic and international clients, the firm has successfully structured and negotiated many of the largest and most significant corporate, finance and real estate transactions related to Japan. In addition to its capabilities spanning key commercial areas, the firm is known for path-breaking domestic and cross-border risk management/corporate governance cases and large-scale corporate reorganisations. The firm's more than 600 lawyers work together in customised teams to provide each client with the specific expertise and experience they require.

In Japan, the unauthorised disclosure or publication of facts or information relating to an individual’s private life that the person wishes to keep confidential constitutes an infringement of privacy. The right to privacy is recognised as part of an individual’s personality rights, which are grounded in Article 13 of the Constitution, guaranteeing respect for the individual and their right to pursue happiness.

Whether information is protected as a privacy interest is assessed based on three elements:

  • it concerns private life (private matters);
  • it is information which a person would ordinarily not wish to be disclosed (confidential nature); and
  • it is not yet generally known (non-public nature).

Whether an infringement has occurred is determined by balancing the legally protected interest in non-disclosure against the reasons for publication.

In addition, the Act on the Protection of Personal Information (APPI) is intended to protect individuals’ rights and interests, including privacy. The APPI imposes obligations on personal information-handling business operators, such as the duty to implement security control measures (Article 23). It also provides for requests for suspension of use or provision in the event of a reportable data breach (Articles 26(1) and 35), among other remedies.

Both damages claims and injunctions are available as remedies for privacy infringements. Pre-publication injunctions may be granted where the infringing act is clearly foreseeable, the victim is likely to suffer serious harm as a result, and post-publication remedies would be impossible or extremely difficult.

As a general guideline, damages typically range from approximately JPY100,000 to JPY500,000. However, higher amounts may be awarded, depending on factors such as the seriousness, duration and scope of the infringement, the social status of the victim, the degree of intent or negligence of the defendant, and the maliciousness or persistence of the conduct.

Claims for damages arising from privacy infringement are tort claims. The limitation period is three years from the time the victim becomes aware of both the damage and the perpetrator, with an absolute limitation period of 20 years from the time of the infringing act (Article 724 of the Civil Code). By contrast, injunctions, which aim to stop ongoing or future infringements, are not subject to limitation periods.

Unlike defamation, privacy claims do not allow defences based on the truth of the disclosed facts or on reasonable grounds based on the public interest. This is because, by their nature, privacy infringements may become more serious the more truthful the disclosed information is.

In addition, while defamation may be found lawful where the subject matter concerns public interest and is published for a public purpose, the disclosure of private life information is in principle unlawful even where the person concerned is a politician or other public figure.

Case law seeks to reconcile the protection of privacy with freedom of expression by balancing the competing interests when determining whether claims for damages or injunctions should be upheld.

In civil proceedings, the complaint and other pleadings must include the parties’ names and addresses, and court records are, in principle, open to public inspection. To prevent victims from refraining from bringing actions due to concerns about disclosure of their identity or address, the Code of Civil Procedure provides for a party anonymisation system under Chapter VIII. Where there is a risk that disclosure of a party’s name or address to the opposing party would cause serious disruption to the person’s social life, the court may permit anonymisation (Article 133(1)). Privacy infringement cases are not excluded from this system.

Jurisdiction for damages claims arising from privacy infringement lies either with the court of the defendant’s domicile (or, for a corporation, its principal place of business) or the court of the place of the tort, being either the place of the infringing act or the place where the damage occurred (Article 5(ix)). In practice, injunction claims are treated in the same manner.

The “place of the tort” encompasses both the location where the information was disclosed and the place where the victim’s peaceful private life was infringed, typically the victim’s place of residence. In cases involving online posts, where the place of viewing cannot be geographically limited, courts take a flexible approach. Evidence typically includes screenshots of posts or articles showing the date, time and URL, as well as documents identifying the victim’s place of residence.

Legal costs may be recovered. In addition, attorneys’ fees may be included in the scope of recoverable damages in tort claims.

In business-to-business (B2B) transactions, it is common for personal information handled by the parties to be covered by non-disclosure agreements for privacy protection purposes. However, there are no statutory restrictions specifically dedicated to privacy in this context, and limitations are instead derived from general principles such as public policy and good morals under the Civil Code (Article 90), as well as from consideration for freedom of expression and other rights and interests.

A recent notable feature of privacy litigation is that, in some data breach cases, courts have recognised privacy infringements without conducting a detailed, case-specific balancing exercise under the traditional analytical framework, a development that has attracted attention in practice.

In online privacy infringement cases, perpetrators are often anonymous. As a result, before bringing damages claims, it may be necessary to identify the offender through a sender information disclosure request under the Act on Measures Against Rights Infringement, etc, Arising from Distribution of Information by Specified Telecommunications.

Under that Act, large-scale specified telecommunications service providers designated by the Minister for Internal Affairs and Communications (such as Google, Meta and X) are required to establish and publish procedures and standards for removal and other measures to prevent the transmission of infringing information. Where the applicable standards or statutory exceptions are satisfied, those providers may take measures to prevent the transmission of infringing content (Article 26(1)).

In addition, injunctions against platform operators may be granted in privacy infringement cases. The Supreme Court has held that, although deletion of search results (Google) and deletion of social media posts (X) should in principle be assessed using similar balancing factors to those applied in traditional publication cases, different standards apply. Specifically, for search results, the Court requires that it be “clearly” established that the interest in non-disclosure prevails, whereas this requirement does not apply to social media posts. Careful practical handling is therefore required in light of these differing approaches.

In Japan, both criminal and civil liability may arise in relation to defamation.

Criminally, defamation is defined under Article 230 of the Penal Code and requires:

  • public disclosure;
  • the statement of facts; and
  • harm to another person’s reputation.

Depending on the circumstances, conduct may also constitute insult (Article 231), credit defamation or obstruction of business (Article 233).

Under civil law, defamation may arise either from the statement of facts or from opinions or commentary. Even where expressions are capable of harming reputation, a claim requires that the person’s objective social reputation has actually been diminished. Such claims are based on tort under Article 709 of the Civil Code. In addition, an infringement of a person’s subjective feelings of honour may also constitute a tort.

For defamation, both damages and injunctions are available. In addition, the court may order appropriate measures to restore the victim’s reputation (Article 723 of the Civil Code).

Pre-publication injunctions are also available. However, because they impose serious restrictions on freedom of expression, they are granted only under strict conditions. Specifically, such relief is available only where:

  • it is evident that the content is untrue or that it was not published solely for the public interest; and
  • there is a risk that the victim will suffer serious and irreparable harm.

The court will also balance the disadvantages to both parties, taking into account factors such as their social status and the nature of the conduct.

As a general guideline, where the victim is an individual, damages typically range from approximately JPY100,000 to JPY500,000. However, depending on factors such as the maliciousness of the conduct, its duration and whether it was repeated, awards in the range of approximately JPY1 million to JPY2.5 million may be granted. Where the victim is a corporation, damages typically range from approximately JPY500,000 to JPY1 million, taking into account reputational and credit harm, although in serious cases awards may reach several million yen.

Criminal Proceedings

The statute of limitations for the offence of defamation is three years. Defamation is a crime prosecutable only upon complaint, and a criminal complaint must be filed within six months from the date on which the victim becomes aware of the offender.

Where the act relates to matters of public interest and is conducted solely for the benefit of the public, illegality is excluded if the facts are proven to be true (Article 230-2 of the Penal Code). In addition, where the accused mistakenly believed the facts to be true and had reasonable grounds for that belief based on reliable materials, criminal intent may be negated under the defence of reasonable belief. Journalistic activities may also be protected under these principles.

Civil Proceedings

For civil claims based on tort, the limitation period is three years from the time the victim becomes aware of both the damage and the perpetrator, and there is an absolute limitation period of 20 years from the time of the infringing act (Article 724 of the Civil Code). Injunctions, which aim to prevent ongoing or future infringements, are not subject to limitation periods.

Although there is no express statutory provision equivalent to that in criminal law, in cases of defamation by statement of facts, the defences of truth and reasonable grounds are taken into account in determining whether a tort has been committed. With respect to opinions and commentary, expressions do not constitute defamation unless they go beyond the permissible scope of opinion, such as by amounting to personal attacks. Where opinions are based on underlying facts, the defences of truth and reasonable grounds are also examined.

Distinction between Criminal and Civil Proceedings

Defamation is a crime prosecutable only upon complaint, and the six-month time limit for filing a complaint must be observed. In contrast, civil damages claims based on defamation are subject to a three-year limitation period and a 20-year long-stop period. Accordingly, civil proceedings may still be brought even after the time limit for filing a criminal complaint has expired.

Private or Anonymised Proceedings

Criminal trials are in principle open to the public. However, where there is a risk of harm to the victim’s reputation or peaceful life, measures such as the redaction of identifying information in indictments (Article 256(6) of the Code of Criminal Procedure) and shielding measures during trial (Article 157-2) may be permitted.

In civil proceedings, although disclosure of the parties’ names and addresses and access to court records are the general rule, the party anonymisation system (Chapter VIII, Article 133(1) of the Code of Civil Procedure) may be applied where disclosure would cause serious disruption to a person’s social life. Defamation cases are not excluded from this system.

Jurisdiction

In criminal cases, offences for which a fine is available as a sentencing option may fall within the jurisdiction of summary courts, although the choice between a summary court and a district court is made by the public prosecutor. Jurisdiction lies with the court of the place of the crime (the place of the act or the place where the result occurred) or the place of the defendant’s domicile. In cases involving social media posts, the place of the crime may include both the location where the offender made the post and the place where the victim’s social reputation was harmed, such as the victim’s place of residence or workplace.

In civil cases, jurisdiction for damages and injunction claims lies with the court of the defendant’s domicile (or, for a corporation, its principal place of business) or the place of the tort (the place of the act or the place where the result occurred). The place of the tort includes locations where the expression was disseminated and places where the victim’s reputation is likely to have been harmed. In cases involving online posts, courts adopt a flexible approach. Typical evidence includes screenshots of posts or articles (showing the date, time and URL) and documents demonstrating the victim’s principal place of residence or employment.

Legal costs may be recovered. In addition, attorneys’ fees may be included as part of recoverable damages in tort claims.

In civil cases, courts may order appropriate measures to restore the victim’s reputation (Article 723 of the Civil Code). Examples include the publication of corrective statements or public apologies.

Act on the Regulation of Stalking and Similar Conduct

The Act on the Regulation of Stalking and Similar Conduct prohibits conduct such as persistent following or monitoring, and the unauthorised acquisition of location information, where such conduct causes harm to a person’s personal safety, the peace of their residence or their reputation, or creates serious anxiety by substantially restricting their freedom of action (Article 3). A person who commits stalking conduct may be subject to imprisonment for up to one year or a fine of up to JPY1 million (Article 18).

Criminal Liability

Depending on the nature and circumstances, harassment may constitute criminal offences such as injury (Article 204 of the Penal Code), assault (Article 208), intimidation (Article 222), compulsion (Article 223), or trespass (Article 130).

Civil Liability

Victims may bring claims for damages based on tort (Article 709 of the Civil Code), including claims for consolation money for emotional distress (Article 710).

Act on the Regulation of Stalking and Similar Conduct

In addition to criminal proceedings, the Public Safety Commission may issue prohibition orders and other similar administrative measures against stalking conduct (Article 5). A person who violates such orders may be subject to imprisonment for up to two years or a fine of up to JPY2 million (Article 19(1)).

Criminal Liability

Assault, injury, compulsion, intimidation and trespass are all offences prosecutable without a complaint. Victims may file a damage report with the police or submit a criminal accusation.

Civil Liability

Victims may also bring civil damages claims based on tort (Article 709 of the Civil Code), including claims for consolation money for emotional distress (Article 710). Courts commonly award compensation for emotional distress in the range of several hundred thousand yen to approximately JPY2 million, depending on the seriousness of the conduct and the extent of the harm.

Criminal Proceedings

The statute of limitations for prosecution is ten years for injury offences and three years for other relevant offences (Article 250(2)(v) and (vi) of the Code of Criminal Procedure).

Civil Proceedings

For tort claims, the limitation period is three years from the time the victim becomes aware of both the damage and the perpetrator, and there is an absolute limitation period of 20 years from the time of the infringing act (Article 724 of the Civil Code).

Criminal Proceedings

Criminal trials are, in principle, open to the public. However, where there is a risk of harm to the victim’s reputation or peaceful life, measures such as redaction of identifying information in indictments (Article 256(6) of the Code of Criminal Procedure) and shielding measures during trial (Article 157-2) may be permitted.

With respect to jurisdiction, although offences for which a fine is a possible punishment may fall within the jurisdiction of summary courts, the choice between a summary court and a district court is at the discretion of the public prosecutor. Jurisdiction lies with the court of the place of the crime or the defendant’s domicile.

Civil Proceedings

In civil proceedings, although disclosure of the parties’ names and addresses and access to court records are the general rule, the party anonymisation system (Chapter VIII, Article 133(1) of the Code of Civil Procedure) may be applied where disclosure would cause serious disruption to a person’s social life. Harassment cases are not excluded from this system.

Jurisdiction for damages claims lies with the court of the defendant’s domicile (or, for a corporation, its principal place of business) or the court of the place of the tort (the place of the infringing act or the place where the damage occurred). The place of the tort includes not only the location where violent or threatening conduct occurred but also the place where the harm materialised or continued to be felt, such as the victim’s place of refuge or current residence. In practice, courts often recognise the victim’s post-evacuation residence as the place where the damage occurred.

Evidence typically includes medical certificates, police consultation records, records of domestic violence support organisations, documents relating to protection orders, and written statements by the victim. It is important to demonstrate in detail the nature of violence and the circumstances of the victim’s evacuation.

Court costs may be recovered in civil proceedings. In addition, attorneys’ fees may be included as part of recoverable damages in tort claims.

In Japan, data subjects may pursue civil remedies such as damages claims based on tort. They may also exercise statutory rights under the Act on the Protection of Personal Information (Act No 57 of 2003; the APPI), including rights to request disclosure, correction or deletion, and suspension of use or cessation of provision.

The APPI is primarily an administrative regulatory framework that protects personal information by imposing obligations on personal information-handling business operators in order to prevent infringement of individuals’ rights and interests. It also provides for the aforementioned civil claims by data subjects.

APPI

Where a personal information-handling business operator violates its statutory obligations, or where a reportable data breach event (Article 26(1)) occurs, data subjects may request suspension of use or cessation of provision of their personal information (Article 35).

In addition, where a business operator violates its obligations under the APPI, the Personal Information Protection Commission (PPC) may issue guidance or advice (Article 147). Where a business operator violates certain specified obligations and the PPC considers it necessary to protect individuals’ rights and interests, it may issue a recommendation (Article 148). If the business operator fails, without justifiable grounds, to comply with the recommendation and there is an imminent risk of serious infringement of individuals’ rights and interests, the PPC may issue an order (Article 148(2)). In urgent cases where immediate action is required due to facts seriously infringing individuals’ rights and interests, the PPC may issue an emergency corrective order without first issuing a recommendation (Article 148(3)).

Failure to comply with such orders is subject to criminal penalties: imprisonment for up to one year or a fine of up to JPY1 million for the individual offender, and a fine of up to JPY100 million for the corporation (Article 178; Article 184).

At present, no administrative surcharge system has been introduced.

Civil Damages Claims

Damages claims are typically brought where personal information has been leaked. In practice, courts commonly award compensation in the range of approximately JPY5,000 to JPY50,000 per affected individual, depending on the categories of personal information that were leaked.

APPI

The APPI does not itself prescribe a limitation period for court actions. However, because requests for suspension of use and similar claims are civil in nature, the general prescription rules apply (Article 166 of the Civil Code). A claim becomes time-barred if not exercised within five years from the time the data subject becomes aware that the right may be exercised, or within ten years from the time the right becomes exercisable.

With respect to requests for suspension of use or cessation of provision, a business operator is not required to comply where implementation would involve excessive costs or would otherwise be difficult, provided that alternative measures necessary to protect the individual’s rights and interests are taken.

In addition, court proceedings may not be commenced unless either two weeks have elapsed since an out-of-court request was made or the request has been refused (Article 39(1)).

Civil Damages Claims

For damages claims based on tort, the limitation period is three years from the time the victim becomes aware of both the damage and the perpetrator, and there is an absolute limitation period of 20 years from the time of the infringing act (Article 724 of the Civil Code).

Jurisdiction lies with the court of the defendant’s domicile, or, in the case of a corporation, its principal place of business (Article 4(1) and (4) of the Code of Civil Procedure). In addition, for damages claims, jurisdiction may also lie with the court of the place of the tort, namely, the place of the infringing act or the place where the damage occurred.

Court costs may be recovered (Article 61 of the Code of Civil Procedure). Attorneys’ fees may be recognised as part of recoverable damages in tort-based damages claims. However, where a claim is brought solely under the APPI without an accompanying damages claim, attorneys’ fees are not recoverable as court costs.

In Japan, the importance of self-regulation based on journalistic ethics is actively discussed. Examples include the Canon of Journalism of the Japan Newspaper Publishers and Editors Association (NSK), and the Broadcasting Ethics Basic Charter established by Nippon Hōsō Kyōkai (NHK), the Japan Broadcasting Corporation, and the Japan Commercial Broadcasters Association. Each media organisation establishes its own internal standards and undertakes initiatives based on these frameworks. In addition, many newspaper companies have established independent third-party committees to review problematic cases. In the broadcasting sector, the Broadcasting Act adopts a principle of respect for self-regulation, and a joint organisation established by NHK and commercial broadcasters, the Broadcasting Ethics & Programme Improvement Organisation (BPO), operates as a mechanism for both deterrence and correction.

The five most influential media organisations are: NHK; Yomiuri Shimbun; Asahi Shimbun; Nikkei (The Nikkei); and Mainichi Shimbun.

However, the internet has become an indispensable source of information. According to the 2025 White Paper on Information and Communications in Japan issued by the Ministry of Internal Affairs and Communications, 73% of users obtain news primarily through a combination of portal sites, social media platforms and news curation services.

In Japan, in order to avoid chilling effects on freedom of expression and reporting, there is no content-based legal regulation, including prior restraints. There is no specific legislation regulating newspapers or publishing.

Broadcasting, however, is subject to the Broadcasting Act. This statute primarily regulates the institutional and operational aspects of broadcasting services to ensure appropriate reception environments, rather than imposing content regulation.

With respect to online and social media platforms, large-scale specified telecommunications service providers may be required to take measures to prevent the transmission of infringing information under the Information Distribution Platform Act (IDPA) (see 1.6 Other Features of Privacy Actions).

In Japan, regulatory authorities do not provide a formal complaints-handling process for media-related matters.

In Japan, websites that store or host user-generated content are subject to a legal framework under the IDPA (see 1.6 Other Features of Privacy Actions and 5.2 Regulatory Framework). This framework is designed to balance responses to allegedly unlawful content with users’ freedom of expression and other interests.

The Act contains safe-harbour provisions that limit liability for damages, both where a service provider fails to take measures to prevent the transmission of infringing information and where it does take such measures.

These safe-harbour provisions apply only to civil liability for damages, regardless of whether the claim is based on tort or breach of contract. They do not apply to injunction claims and do not affect criminal liability.

There are no specific legal mechanisms in Japan designed to prevent abusive or excessive litigation that may inhibit public interest journalism.

Japan does not have specific legislation designed to prevent the enforcement of foreign judgments in media-related cases.

Nagashima Ohno & Tsunematsu

JP Tower, 2-7-2 Marunouchi,
Chiyoda-ku,
Tokyo 100-7036,
Japan

+81-3-6889-7000

+81-3-6889-8000

info@nagashima.com www.nagashima.com

Trends and Developments



Introduction

In 2025, following the enforcement of the Act on Measures Against Rights Infringement, etc, Arising from Distribution of Information by Specified Telecommunications, practical improvements were observed in Japan in the procedures for responding to illegal acts such as online defamation, reputational harm and privacy infringements. At the same time, regulatory requirements imposed on large-scale platform operators increased, and the scope of application and designation under the Act on Improving Transparency and Fairness of Specified Digital Platforms was expanded.

Among the major developments relating to defamation and related issues during the year, this article focuses on data-related topics that are expected to have a significant impact on future practice, including an overview of security incidents and trends in amendments to the Act on the Protection of Personal Information (APPI) and other data-related legislation.

Personal Information Protection

From the perspective of personal information protection, this section summarises key developments in 2025 relating to the APPI, security and related disputes.

Trends in enforcement activities

An overview of the supervisory activities of the Personal Information Protection Commission (PPC) indicates that its primary focus was on responses to personal data breaches and on so-called data broker businesses. In addition to these areas, publicly announced cases included improper acquisition of personal information by a job placement operator in the construction industry (a violation of Article 20(1) of the APPI), as well as a somewhat unusual data breach case involving the transfer of customer information from an insurance agency to a non-life insurance company.

Data breach cases, which account for the majority of supervisory actions, totalled 8,928 reported incidents in the first half of fiscal year 2025 (April to September). The main causes included erroneous delivery or loss of documents containing sensitive personal information at hospitals and pharmacies, unauthorised access, and the erroneous delivery of credit cards. Upon receiving such reports, the PPC confirms the relevant facts and measures taken to prevent recurrence and, where necessary, provides guidance and other administrative responses.

Trends in security incidents

In light of the increasingly sophisticated, complex and covert cyber-attacks targeting personal information-handling business operators and public bodies in recent years, which have become a major cause of personal data breaches, the PPC has taken the lead in establishing the Cybersecurity Liaison Meeting under the APPI in order to strengthen co-operation with relevant ministries and agencies, including the National Cyber Office, the National Police Agency, the Ministry of Internal Affairs and Communications, the Ministry of Economy, Trade and Industry, and the Information-technology Promotion Agency, Japan (IPA).

The Cybersecurity Liaison Meeting examines and monitors measures that may be taken as security control measures required under the APPI, shares information on trends in cyber incidents and challenges in responding to them, and discusses effective approaches to public awareness and outreach for personal information-handling business operators and public institutions. The Meeting is held on a quarterly basis.

In early 2025, in addition to the distributed denial of service (DDoS) attacks on airlines and major banks that had continued since late 2024, a series of cyber-attacks targeting critical infrastructure occurred, including attacks on telecommunications carriers and connection failures caused by surges in traffic at a major card company’s systems. Furthermore, in September, a ransomware attack resulted in the suspension of order and shipment systems at a major beverage manufacturer for approximately two months and the leaking of more than 1.9 million personal records. In October, more than 700,000 personal records were leaked from a major e-commerce site, and the operator’s website was taken offline. These incidents affected multiple companies, including their business partners, due to increasingly complex supply chains, and posed serious challenges for the protection of consumers’ personal information.

In addition, in the Top 10 Information Security Threats 2026, published by the IPA, ransomware attacks ranked first and attacks targeting supply chains and contractors ranked second, as was the case in 2025. In light of the persistent nature of these threats, further action by companies is required.

Recent notable disputes

Ransomware attacks, security management and corporate liability

In June 2023, a company providing cloud services for social insurance and labour consultants suffered a ransomware attack, resulting in the leaking and loss of personal information and the suspension of operations at the consultants’ offices and client companies. In response, the PPC issued guidance and publicly disclosed the incident in March 2024. Subsequently, on 9 July 2025, social insurance and labour consultants and other service users filed a lawsuit seeking damages against the service provider.

The main issues in this litigation are expected to include the content and required standard of security control measures and the appropriateness of the company’s actions to prevent damage. While the APPI requires “the necessary and appropriate measures” to be taken for security management (Article 23; Articles 24 and 25 regarding the supervision of contractors and of employees), the specific content and standard of such measures are not clearly defined. Accordingly, a court ruling in this case could set a leading precedent.

The damages claimed reportedly amount to approximately JPY310 million. Notably, the plaintiffs are not the data subjects themselves but business operators that handle the personal information. The damages are therefore understood to include losses arising from the service suspension, operational disruption caused by the damage to, or loss of, legally required stored data, and the costs incurred in responding to the PPC and to the affected data subjects.

Liability of system vendors and providers

In October 2022, a medical institution operated by a local incorporated administrative agency suffered a ransomware attack, rendering its electronic medical records unusable. System restoration took considerable time and led to the suspension of new outpatient services and the temporary cancellation of scheduled surgeries, although it was reported that there was no impact on patients’ lives and no leaking of personal information.

The attack targeted the core system servers running the electronic medical record system. The institution sought damages from system vendors, providers and other related business operators, alleging investigation and recovery costs of several hundred million yen and losses of more than JPY1 billion due to restrictions on medical services. It is considered that the infection route was highly likely to have been through the systems of a catering service provider that prepared meals off-site. Deficiencies in management practices were cited as contributing factors, including the failure to address vulnerabilities in VPN devices, the granting of administrator privileges to all users, and the use of shared IDs and passwords.

In August 2025, it was publicly announced that the multiple business operators agreed jointly to pay JPY1 billion in settlement funds. In practice, operation and maintenance contracts for systems handling personal information commonly include limitation of liability clauses. As a result, claims are often not pursued due to contractual arrangements. The extent to which this case will influence future practice remains to be seen.

Key legal issues and legislative trends

Establishment of governance structures and internal rules

Cybersecurity risks fall within the scope of the obligation of the board of directors (and individual directors) under the Companies Act to establish internal control systems. In certain circumstances, a failure to establish such systems may constitute a breach of a director’s duty of care or duty of loyalty.

Under the APPI, sanctions are primarily indirect, in that penalties are imposed where an order issued by the PPC in relation to certain violations is breached. The offender may be subject to imprisonment for up to one year or a fine of up to JPY1 million, and, under the dual liability provisions, a corporation may be subject to a fine of up to JPY100 million. For example, if a director serving as Chief Digital Officer (CDO) commits a violation and is penalised for non-compliance with an order, a breach of the duty of care under the Companies Act may also be at issue.

Against this background of obligations under the Companies Act and the APPI, and in light of the fact that reports of legal violations and security incidents can have a material impact on market capitalisation and consumer behaviour, the importance of implementing privacy governance and security governance has been widely recognised and is being actively pursued.

Reporting and notification of data breaches (Article 26 of the APPI)

The APPI requires personal information-handling business operators to take necessary and appropriate security control measures and, in certain cases involving the leaking, loss or damage of personal data or other incidents affecting the security of personal data, to report to the PPC and notify the affected individuals.

This obligation, introduced by the 2020 amendment, has been criticised as being excessively burdensome relative to the objective of protecting individuals’ rights and interests. For example, it has been pointed out that because cases where there is a “risk” of a breach are subject to reporting, the practical effect may be tantamount to a requirement to prove that no breach has occurred. Another concern is that the obligation covers even a partial breach of personal data, such as the leaking of employee IDs alone.

Some have argued that compared with the General Data Protection Regulation (GDPR), under which notification is required “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”, Japan’s regime is stricter in practice. In some cases, notification costs can exceed hundreds of millions of yen, creating a significant burden for companies. Moreover, because incidents involving sensitive personal information (as defined in Article 2(3) of the APPI), unauthorised access or potential economic loss are subject to reporting and notification even if only a single individual is affected, routine incidents such as misdirected faxes by hospitals or the erroneous delivery of credit cards must be reported each time. It has therefore been suggested that more rational approaches may exist in light of the purpose of reporting to the PPC.

Under the so-called three-year review of the APPI, which has been underway since autumn 2023, the PPC has presented a policy proposal under which the obligation to notify affected individuals would be relaxed in cases where the risk of harm to individuals’ rights and interests is low. With respect to reporting to the PPC, however, the proposal merely states that rationalisation will be considered on the basis that third-party confirmation, such as confirmation by certified personal information protection organisations, is obtained regarding internal structures and procedures.

With regard to the criteria for reportable incidents, the current approach, which broadly covers cases where there is a “risk”, is to be reviewed and replaced with standards based on the level of risk to individuals’ rights and interests, while ensuring consistency with the incident-reporting standards under the Cyber Response Capability Strengthening Act. Although revising the interpretation and operational guidance is considered sufficient with respect to the concept of “risk”, there has been no significant progress since the interim summary published in the summer of 2024, and future developments will need to be closely monitored.

Contractors and outsourcing arrangements

Under the current regime, where the handling of personal data is outsourced, the outsourcing party is required to exercise necessary and appropriate supervision to ensure that the contractor implements security management measures properly. However, in recent years, cases in which the handling of personal data is effectively dependent on third parties have increased, and there have been incidents in which supervision by the outsourcing party has not functioned adequately and contractors have used personal data beyond the scope of the outsourced tasks.

In light of these developments, a review of the obligations applicable to contractors has been proposed, reflecting the actual practice of outsourcing arrangements. An explicit obligation is to be imposed on contractors, prohibiting the handling of personal data beyond the scope necessary to perform the outsourced tasks. Conversely, where the contractor does not itself determine the method of handling personal data, obligations under the APPI will, in principle, be disapplied under certain conditions.

Related Policies and Legislation

In 2025, there were significant developments in Japan, including ongoing discussions, relating to policies and legislation concerning data, including personal information.

Medical and healthcare sector

Expansion of secondary use of medical information in public databases

In December 2025, an amendment to the Medical Care Act and other related laws was enacted, enabling pseudonymised medical information handled in public databases, including the National Database (NDB) maintained by the Ministry of Health, Labour and Welfare, to be used and provided to third parties. Linkage and joint analysis among public databases are also scheduled to commence.

Discussions on further expansion of secondary use of medical information

The Study Group on the Promotion of the Utilisation of Health, Medical and Nursing Care Information, for which the Cabinet Office’s Office for Healthcare Policy serves as the principal secretariat, has presented directions for a new institutional framework and legislative measures safely to collect and link medical and healthcare information, including electronic medical records, in order to promote the utilisation of medical data.

The relationship between this framework and the Act on Anonymised Medical Data That Are Meant to Contribute to Research and Development in the Medical Field and the APPI is currently being examined and reviewed on the premise of protecting patients’ rights and personal information. Discussions on legal amendments aimed at building a data infrastructure through public-private co-operation are expected to intensify, with a view to promoting medical digital transformation and utilising data for research and drug discovery.

With respect to data utilisation in the medical and healthcare field, specific amendment policies have also been indicated in the three-year review (see the first three points under Other key issues under the three-year review).

AI-related developments

AI Act

The Act on Promotion of Research and Development, and Utilisation of AI-related Technology (AI Act), which was enacted in June 2025 and came into force fully in September 2025, is a framework law designed to promote AI research, development and utilisation comprehensively while addressing risks relating to transparency and safety. The AI Act institutionalises the establishment of the AI Strategic Headquarters, chaired by the Prime Minister, and the formulation of a basic AI plan.

The AI Act imposes responsibilities on companies and research institutions (including AI users and developers) to ensure the appropriate use of AI and to co-operate with national policies, including the promotion of voluntary initiatives and the development of AI governance. It also establishes a mechanism under which the government may provide guidance, advice and information as necessary. In December 2025, the AI Strategy Headquarters adopted the “Guidelines on Ensuring the Appropriateness of Research, Development and Utilisation of Artificial Intelligence-Related Technologies”.

In addition, a wide range of guidelines have been published to support corporate practice, including the “AI Business Operator Guidelines” issued by the Ministry of Internal Affairs and Communications and the Ministry of Economy, Trade and Industry, as well as AI contract checklists. Many of these address privacy and personal information issues. However, the implementation of concrete measures is left to voluntary self-regulation, taking into account the APPI and reputational considerations.

AI development and the three-year review

The PPC has proposed that, with respect to the provision of personal data to third parties and the acquisition of publicly available sensitive personal information, the consent of the data subject will not be required where the use is limited to the creation of statistical information and similar purposes (including AI development), and where requirements specified by PPC regulations are satisfied so as to ensure that the risk of harm to individuals’ rights and interests is low.

It should be noted, however, that if the requirements for these exceptions are not met, the conduct in question may be treated as constituting a data breach and may accordingly be subject to breach-reporting obligations.

Other key issues under the three-year review

According to the policy presented by the PPC, in addition to matters relating to security management and AI, a wide range of issues are under discussion in the three-year review.

  • Relaxation of consent requirements. In addition to the AI development and statistical information exceptions described under “AI development and the three-year review” in AI-related developments, the following relaxations have been proposed with respect to use beyond the stated purpose, acquisition of sensitive personal information, and provision to third parties:
    1. consent will not be required where, based on the circumstances of acquisition, it is clear that the use is not contrary to the data subject’s intent and does not harm the data subject’s rights and interests;
    2. the requirement that it be difficult to obtain consent will be relaxed in cases involving purposes such as the protection of life or physical safety or the improvement of public health; and
    3. it will be clarified that institutions and organisations whose purpose is the provision of medical services fall within the scope of “academic research institutions, etc” under the academic research exception.
  • Statutory rules on the handling of children’s personal information. Taking into account internationally established rules, the following measures have been proposed with respect to the personal information of children under the age of 16:
    1. consent and notifications should be addressed to the child’s legal representative;
    2. the requirements for requests for suspension of use or cessation of provision of retained personal data should be relaxed; and
    3. a statutory duty should be established to give priority to the best interests of the child when handling children’s personal information.

Although exceptions are to be introduced to avoid excessive impact in practice, many concerns have been raised in light of the wide range of situations in which children’s personal information is handled, both online and offline, and the current state of data management practices.

  • Additional rules on the handling of facial feature data and similar biometric data. With respect to biometric data, the following measures have been proposed:
    1. certain matters relating to the handling of facial feature data, which is more likely to lead to infringements of privacy and similar rights, must be disclosed;
    2. the requirements for requests for suspension of use and cessation of provision will be relaxed; and
    3. provision to third parties based on the opt-out scheme will be prohibited.

Although exceptions are also to be introduced to avoid excessive impact in practice, as with children’s personal information, concerns have been raised in light of actual handling practices.

  • Introduction of an administrative surcharge system. Business organisations have expressed concern that introducing an administrative surcharge system could lead to excessive chilling effects on the handling of personal information in Japan. In response, the PPC has explained the necessity of such a system by pointing to the reality that data brokers trade in lists that are used for criminal purposes without the knowledge of the data subjects. An intense debate is ongoing regarding the scope of conduct that would be subject to surcharges.

The PPC has proposed that administrative surcharge payment orders would apply to the following five categories of serious illegal conduct, where the specified requirements are met and monetary or other benefits have been obtained as consideration for ceasing the illegal conduct:

Five categories

  • Provision of personal information to third parties who are expected to engage in illegal acts or unjust discriminatory treatment.
  • Use of personal information in response to requests from third parties who are expected to engage in illegal acts or unjust discriminatory treatment.
  • Acquisition or use of personal information by deception or other improper means.
  • Provision of personal data to third parties without the consent of the data subject.
  • Use for purposes other than the intended purpose, or provision to third parties, in breach of obligations, of personal information obtained under the statistical information and similar exceptions.

Requirements

  • Failure to exercise due care.
  • A large-scale incident affecting 1,000 or more individuals.
  • Infringement of individuals’ rights and interests.

Outlook for 2026

In addition to the matters previously discussed, further legislative developments relating to data and security are underway. Data utilisation has been positioned as part of the government’s growth strategy, and discussions have proceeded on a dual-track basis, emphasising both the effective and necessary protection of personal information and the promotion of data utilisation, premised on the broad use of data in society.

Under the “Basic Policy on the Ideal Form of Data Utilisation Systems” adopted in June 2025 by the Cabinet Secretariat’s Meeting on Digital Administrative and Fiscal Reform, the Act on the Advancement of Government Administration Processes That Utilise Information and Communications Technology (Act No 151 of 2002) is to be amended to introduce a system under which the Digital Agency will certify business plans for data utilisation.

In the context of economic security, discussions have also been conducted with reference to US Executive Order 14117 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern), among other developments, regarding data security and cloud-related regulations. Amendments to the Act on the Promotion of Ensuring National Security through Integrated Implementation of Economic Measures are also being considered.

In Japan, multifaceted discussions are underway regarding privacy, personal information protection, and related data and security issues that extend beyond the mere protection and utilisation of data. While the extent to which these initiatives will be implemented in 2026 will depend on political and social circumstances, significant developments are likely to continue thereafter. Companies will need to assess the necessary measures in light of legislative amendments and other regulatory changes, and should determine appropriate schedules and priorities by working backwards from the expected enforcement dates.

Nagashima Ohno & Tsunematsu

JP Tower, 2-7-2 Marunouchi,
Chiyoda-ku,
Tokyo 100-7036,
Japan

+81-3-6889-7000

+81-3-6889-8000

info@nagashima.com www.nagashima.com