Many Large Japanese companies often outsource their IT functions to one of their affiliated companies, which then implements and maintains their IT systems as a whole. Based on recent developments in IT technology in the business sector, the scope of IT outsourcing has expanded to include cloud computing, data protection and cyber security. Cloud-computing services, in particular, are increasingly utilised to provide business functionality without the need for substantial infrastructure investment. However, there are still major customer risks in utilising cloud services. One such risk is security. In the financial industry, transparency is very important. However, in many cloud-computing services, it is not transparent as to the location or collocation of the infrastructure.
BP outsourcing is a continuously growing area in the Japanese market. Many Japanese companies have already outsourced specific areas of their business such as payroll. Due to the increasing complexities of business processes and the need to reduce costs, many Japanese companies have begun to outsource their ancillary functions, such as customer service (eg, call centres, AI chat bot, etc) to companies specialising in these specific areas.
With the introduction of new technology, tasks that were traditionally outsourced to and handled by normal workers, such as answering customers’ online chat inquiries and telephone inquiries, are now being handled by AI. Additionally, many industrial robots have already been introduced to manufacturing factories and construction sites. These days, robots now have the capacity to interact with humans. For instance, in many modern buildings human security guards have been replaced by robot guards. Robot guards regularly patrol their areas for security purposes and sometime act as guides for visitors. Installing, operating and managing a system that enables the implementation of new technology, such as AI and blockchain, and incorporating this system into a company’s business, requires sophisticated and specialised technological skills, which results in the increased need for such tasks to be outsourced to a third party with the requisite knowledge.
Many Japanese companies are increasingly avoiding direct employment of workers and are using different means to boost productivity and competitiveness (“haken”). As a result, companies have been using in-house subcontracting to increase their work forces without the burden of directly hiring workers. The Worker Dispatch Act sets out the regulations on the dispatching of workers through recruitment agencies and the protection of dispatched workers.
The Worker Dispatch Act requires dispatching agencies to obtain permission from the Ministry of Health, Labour and Welfare in order to conduct worker dispatching business. In general, the company accepting dispatched workers (Accepting Company) can only accept a dispatched worker in a certain division for a period of no more than three years and will need to replace the worker prior to the end of the three-year limitation period (Worker Dispatch Act, Article 35-3). Further, Accepting Companies can only accept dispatched workers for no more than three years in the same workplace, and may only extend this period for another three years by listening to the opinion of the majority labour union or an employee representative. However, there are some exceptions to this limitation, such as dispatched workers who are employed by dispatch agencies under a term of indefinite duration dispatched workers who are more than 60 years old.
Dispatch agencies and Accepting Companies are under obligations to secure proper operations and to provide protection to dispatched workers, such as obligations to take actual measures to "take proper care" in promoting equal treatment between dispatched workers and regular employees, to develop the careers of the dispatched workers, and to stabilise the employment of dispatched workers.
There are no national laws that specifically regulate outsourcing transactions. Outsourcing is not specifically recognised as a commercial or operational concept and is therefore not highlighted as requiring regulation under Japanese law. As to telecommunications outsourcings, any telecommunications carrier or agent shall, before the conclusion of a contract of services for general consumers, explain the service contents to users, such as the type of service, the name of the telecommunications carrier, points of contact for the telecommunications carrier, including business hours, and the content of telecommunications services. The telecommunications carrier (or agent) shall deliver documents containing the above matters and make subsequent verbal explanations to potential users, if necessary. In relation to business process outsourcings and IT outsourcings, there are no additional legal or regulatory requirements for business process transactions.
The Financial Service Agency (FSA), which regulates the financial service industry, regularly implements inspections of financial institutions such as banks, securities firms and insurance companies, and publicly publishes manuals in relation to these inspections. The inspection manuals include, among others, key points for inspection, which function as guidelines for financial institutions. In relation to outsourcing, the following points are carefully considered:
However, even if the FSA identifies concerns in relation to the above, there are no criminal penalties yet, although the FSA may take these points into consideration when deciding whether to make an order of any kind, including an order for a business to submit a business improvement plan.
The manuals described above also refer to the security standards required for computer systems. When outsourcing, financial institutions must comply with these standards and, additionally, ensure that all outsourcing agents utilised by the financial institution, likewise comply with these standards.
In 2001, the Bank of Japan, which supervises the banking industry, published a paper on risk control for the outsourcing of financial institution activities. This paper covers a range of topics, including the following:
The paper includes suggestions as to how to implement outsourcing for financial institutions. It does not prescribe penalties. The Bank of Japan will take the paper into consideration when overseeing bank operations.
Medical Services Transactions
Under the Medical Care Act, hospital managers must comply with standards determined by the Ministry of Health, Labour, and Welfare of Japan (MHLW) when they outsource the following medical services:
There are no criminal penalties for breach of the above provisions under the Medical Care Act.
Legal Services Transactions
There are no legal restrictions on the outsourcing of legal services from lawyers to outsourcing agents, such as translators, and even other lawyers.
In Japan, lawyers are self-regulated and are not governed by a regulatory agency. From a financial perspective, law firms are operated entirely from client fees and other revenues collected from members.
Under the Lawyer Act, dispute resolution services can only be operated by lawyers. Debt collection usually goes hand-in-hand with disputes and, thus, debt collection outsourcing should only be made to lawyers or debt collection service providers approved by the government under the Act on Special Measures Concerning Claim Management and Collection Businesses.
With reference to personal data protection, the Act on the Protection of Personal Information (Law No. 57 of 2003, as amended) (APPI) governs the protection of information that is personal in nature. The APPI was largely amended in 2015, and the amendments to the APPI were implemented from 30 May 2017.
Under the current APPI, each government agency has issued guidelines regarding the treatment of personal information in the areas that fall under the jurisdiction of that agency. These guidelines set out in more detail the responsibilities of an information handler with regard to safeguarding personal information. After the implementation of the amendments, many guidelines will be abolished and replaced by the common guidelines issued by the Personal Information Protection Committee (PPC), an independent and comprehensive supervisory authority on the issues surrounding data protection. An information handler should verify whether these guidelines are applicable to it and should ensure compliance with the guidelines as well as the APPI.
Personal Information Protection Committee
The PPC has issued the following guidelines with respect to personal information:
The guidelines were published on 30 November 2016. They contain guidance regarding the general rules, the offshore transfer of personal data, book-keeping, verification obligations when transferring personal data to a third party and big data processing.
Under the APPI, an information handler may not transfer or provide personal data to any third party, including other companies within its group, unless it obtains the prior consent of the data subject (the limitation on transfer). An exemption is available with respect to external contractors providing data management services (outsourcing agents), to the extent that accessing the data is necessary to achieve the purpose of use of the information handler. These outsourcing agents are not regarded as third parties for the purposes of the general prohibition on transfer.
Under the APPI, where management of personal data is outsourced to outsourcing agents, the information handler must appropriately supervise the outsourcing agents with respect to the handling of personal data. Further, the information handler must ensure that the personal data in the possession of the outsourcing agents is subject to the same level of protection that is required of the information handler under the APPI.
In this regard, the relevant guidelines issued by each government agency should also be obeyed.
In relation to the amendments, companies should pay attention to newly-introduced international transfer regulations.
The amended APPI specifically provides that an information handler must obtain the prior consent of any data subject whose personal data will be provided to a third party located in a foreign country including offshore transfers by way of merger or business transfer, joint use of personal data by several entities and the outsourcing of the handling of personal data. This does not apply if the foreign country is white-listed under the enforcement rules of the amended APPI or the third party receiving the personal data has established similarly adequate standards for privacy protection as specified in the enforcement rules of the amended APPI. Under the amended APPI, if the data transfer is undertaken by way of merger or business transfer, joint use by several entities or through data handling outsourcing within Japan, no consent for a third-party transfer is necessary. The current APPI does not require consent for merger or business transfers, joint use of personal data or the outsourcing of data handling, regardless of whether a domestic or offshore transfer is involved.
According to the published enforcement rules of the amended APPI, “similarly adequate standards” means that the practices of the information handler handling the personal data accord with the requirements for the protection of personal information under the amended APPI or that the information handler has obtained recognition based on the international frameworks concerning the handling of personal information. According to the guidelines for offshore transfers, one of the examples of an acceptable international framework is the APEC CBPR system. As of yet, no white-listed countries have been specified under the rules promulgated by the PPC.
If the data subject’s consent to the transfer of the personal data to an offshore third party was obtained prior to the enforcement of the amended APPI, this prior consent for offshore transfer is regarded as sufficient under the amended APPI. No separate consent is required upon enforcement of the amended APPI. If consent was not obtained and the third party does not meet the requirements for protection of personal information under the amended APPI, the information handler must obtain the consent of the data subject if the relevant personal data is transferred offshore after the enforcement of the Amended APPI commences.
Further, it is recommended that the information handler takes the following measures:
In order to protect the rights of the data subject such as consumers, and in the interests of transparency, the information handler should inform the data subject of the fact that their personal data will be outsourced and the extent to which this will occur. The level of disclosure to the data subject may vary depending on the characteristics of the information handler’s business.
Ministry of Health, Labour and Welfare
The Ministry of Health, Labour and Welfare of Japan (MHLW) has issued the following guidelines in respect of personal information:
Ministry of Internal Affairs and Communications of Japan
The Ministry of Internal Affairs and Communication of Japan (MIC) has issued the following guidelines with respect to the protection of personal information in the telecommunication and broadcasting industries:
Financial Services Agency
The Financial Services Agency of Japan (FSA) has issued the Guideline on Protection of Personal Information in the Financial Industry.
Pursuant to the Guidelines for APPI issued by the FSA, the following measures should be taken by the information handler:
In the event of a violation of any provisions of the APPI, the PPC or the agency overseeing the violating information handler’s business field (relevant government ministry) may advise such information handler to cease the violating activity. In the event that the information handler does not properly respond to government advice and it is recognised that important individual rights are on the verge of being violated, the PPC may order the information handler to cease the violating activity. If the information handler does not properly respond to this government order, the responsible officer or employee of the information handler may be subject to a maximum penalty of either up to six months’ imprisonment or a fine of up to JPY300,000. Should this kind of event occur, the information handler itself will also be subject to a fine of up to JPY300,000.
As to data protection, in the event of a violation of any provisions of the APPI, the PPC or the agency overseeing a given information handler’s business field (relevant government ministry) may advise the information handler to cease the violating activity. In the event that the information handler does not properly respond to government advice and it is recognised that important individual rights are on the verge of being violated, the PPC may order the information handler to cease the violating activity. If the information handler does not properly respond to this government order, the responsible officer or employee of the information handler may be subject to a maximum penalty of either up to six months’ imprisonment or a fine of up to JPY300,000. In such an event, the information handler itself will also be subject to a fine of up to JPY300,000.
If a data breach causes a data subject’s personal data to be lost, stolen or leaked, the data subject may seek damages from an information handler if there has been negligence or wilful misconduct on the part of the data handler. Further, an information handler may avoid liability if they can prove that they did not engage in wilful misconduct or a negligent act.
Mandate, contracting and subcontracting are standard supplier–customer models for outsourcing.
Multi-sourcing is one of the alternative contract models in Japan.
The concept of captives and shared services is an emerging concept in Japan. The Sharing Economy Association, Taiwan was established in July 2015, which aims to develop shared economy in transportation, financial services and Internet of Things (IoT).
Under Japanese law, there are no special protections or remedies provided to an outsourcing customer. Only general protections and remedies provided under the Civil Code, which govern contractual relationships, may be utilised when an outsourcing service provider breaches its contract. The customer may seek damages against the service provider. This remedy may be utilised even in the case of a minor breach of contract. Under the Civil Code, the customer has the burden to prove the actual damages suffered, such as business loss, with the exception of cases involving personal information. Under the Act on Protection of Personal Information Act, a service provider who deals with personal information has a duty to set up security/protection measures to prevent any intrusion or unauthorised distribution in respect of personal information.
Under Japanese law, there are no special protections or remedies provided to an outsourcing customer. Only general protections and remedies provided under the Civil Code may be utilised. As a general protection under the Civil Code, the customer or supplier may terminate the outsourcing agreement based on the other party’s breach of contract, which has a material adverse effect on the maintenance of the outsourcing agreement. For example, the customer has the right to terminate the outsourcing agreement upon certain events (such as default, bankruptcy or dissolution), which may have an adverse material effect on the supplier’s ability to provide the outsourced services.
The Japanese legal system adopts a view of dividing damages into two parts: ordinary damage and special damage. The range of compensation will depend on whether the damages constitute “ordinary damages” or “special damages”. Ordinary damages are damages caused by the non-performance of obligations, and a party claiming ordinary damages need only prove the amount of damages linked to the non-performance. Ordinary damages will typically be fully compensated. However, in the case of special damages, the party seeking compensation must prove that the breaching party had foreseen or could have foreseen circumstances in which the special damages would occurr when breaching the contract.
Normally, loss of profit, goodwill, business, etc, would be considered special damages. The party seeking compensation must prove that the breaching party could have foreseen the loss of profit, goodwill, business, etc.
Although not expressly stated in writing, certain terms may be implied in an outsourcing relationship and may, nevertheless, become part of the contract based on custom and law. Terms may also be implied by the circumstances surrounding an agreement and where it is apparent from the facts that the parties intended for certain terms to be included in the contract.
There is no relevant labour and employment legislation for outsourcing transactions. In the context of outsourcing, labour and employment law would not apply to a change in initial or subsequent service providers, or transfers of undertakings or parts of undertakings. If a company needs employee transfer as part of a business transfer, the company must obtain prior consent from each relevant employee.
There is no specific requirement that a trade union or works council consultation must be undertaken for outsourcing
The practice on employee transfers will vary depending on the method of outsourcing. In the case of outsourcing based on a merger or spin-off, which constitute a comprehensive transfer of a company’s business as a whole, unless an employee objects to the transfer of his or her employment relationship, the employment relationship between the employer and the employee is automatically transferred to the transferee company. As employment relationships are automatically transferred, the transferee may not refuse to continue the employment of the transferred employees, unless there is just cause for termination of employment, and must assume and apply, in substance, the same employment terms and conditions (such as employment period, wages/benefits and severance pay) as applicable to the transferred employees prior to the transfer.
In contrast, in the case of a business transfer, the transferee does not succeed to the employment relations existing prior to the transfer. In the legal sense, the transfer of employees in an asset transfer means that the employment with transferor is terminated and new employment relations are entered into with transferee.
In Japan, there are no specific regulations on the assignment and assumption of assets under an outsourcing contract, except for provisions regarding the assignment and assumption of a business under the Company Act.
Otemachi Park Building
+81 3 6775 1000
+81 3 6775 2088www.amt-law.com