In Japan, there are no laws or regulations which are generally applicable to cloud computing. However, certain services using cloud computing, such as voice communication services and email services, may constitute a telecommunications business as defined in the Telecommunications Business Act (the TBA). Please see 8.1 Scope of Telecommunications Rules and Approval Requirements.
Where personal information is stored in a cloud, the Act on the Protection of Personal Information (the APPI) will apply. The Personal Information Protection Commission (the PPC), the principal regulatory authority regarding the APPI, has clarified that businesses using cloud services must take security measures to protect personal information stored in a cloud service provided by a third party, but they do not need to supervise the providers of the cloud service or obtain consent from data subjects if the cloud service providers cannot access the stored personal information, regardless of whether the relevant data centre is located in or outside Japan. Please see 6.1 Core Rules for Individual/Company Data.
Industries Subject to Greater Cloud Computing Restrictions
Financial service operators – such as banks, insurance companies and financial instrument business operators – are required by the supervisory guidelines issued by the Financial Services Agency (the FSA) to take outsourcing management measures. Since the use of cloud services provided by a third-party service provider is a form of outsourcing, financial service operators must implement outsourcing management measures such as conducting a due diligence check of the service provider, entering into a service agreement that satisfies the supervisory guidelines and auditing the service provider.
Risk and Liability
Except in financial services, the use of blockchain is not generally regulated.
For the financial service industry, the Payment Service Act regulates crypto-assets. A "crypto-asset" is defined as an electronically recorded value which can be used as payment for goods or services to unspecified people, can be purchased from or sold to unspecified people, and is not denominated in any fiat currency. The operation of a crypto-asset-related business – such as an exchange, brokerage, intermediary, agency or management of crypto-assets – requires registration with the FSA. The operator of any such services will also be subject to anti-money laundering obligations, such as KYC and suspicious transaction reporting, under the Act on the Prevention of the Transfer of Criminal Proceeds.
Further, derivatives, such as margin trading, of crypto-assets are regulated under the Financial Instrument and Exchange Act. The operation of any such business, such as dealing, brokerage, intermediary or agency, requires registration with the FSA.
There is no general exemption for the use of copyrighted content shared in a blockchain. Thus, copyright infringement is a risk in implementing a blockchain. A specific exemption concerning machine learning is discussed in 3.1 Challenges and Solutions.
If personal information is included in a blockchain shared among third parties, the consent of the data subjects will be generally required under Article 23 of the APPI unless any of the exceptions applies. An exception for a joint use applies and such consent will not be required where data subjects are given a notice of the fact that their personal data will be used jointly with defined parties, the specific personal data that will be used jointly, the joint users and the purposes of the joint use.
However, if the blockchain is shared among parties outside Japan, then under Article 24 of the APPI a cross-border data transfer is not allowed without the consent of data subjects even if the joint use exception applies. Since EU countries and the UK are designated as having a data protection regime equivalent to that of Japan, the consent of data subjects will not be required under Article 24 of the APPI if (i) the blockchain is shared among parties only in Japan, the EU or the UK and (ii) the joint use exception applies. If the blockchain is shared with parties in other jurisdictions, there is a need to obtain the consent of the data subjects or execute an agreement under which the parties sharing the blockchain will comply with the requirements of the APPI.
There is no statutory requirement regarding service levels. Users of a blockchain will need to agree on the service levels.
Users of a blockchain may choose the law governing the agreement governing the blockchain use, subject to certain exceptions, such as consumers' right to request the application of mandatory rules under the laws of the jurisdiction where the consumers reside.
With regard to the registration requirements for the crypto-assets exchange business, foreign exchange business operators which are not registered with the FSA may not solicit any person in Japan to enter into an exchange of cryptocurrency. Under the FSA guidelines, an advertisement by a foreign exchange business operator on the internet will be regarded as solicitation to people in Japan unless:
Product Liability and General Tort Liability
Under the Product Liability Act (the PL Act), a producer of a manufactured or processed movable good is liable for damages to human life or body, or property caused by a defect in the good, regardless of whether or not the producer is negligent.
Since big data, machine learning and artificial intelligence (AI) are not movable goods, producers of big data, machine learning or artificial intelligence themselves will not be subject to the PL Act. Rather, it is the producers of movable goods into which big data, machine learning or artificial intelligence is installed which will be liable for the damages caused by a defect in those movable goods, including a defect in the installed big data, machine learning or artificial intelligence.
Producers of big data, machine learning or artificial intelligence may be subject to general tort liability under the Civil Code. General tort liability is not a strict liability, unlike liability under the PL Act, and the plaintiff must prove intentional act or negligence (including simple negligence) on the part of the defendant to successfully claim for damages.
Autonomous Vehicle Accident Liability
Under the Act on Securing Compensation for Automobile Accidents, any person who has control over or operates an automobile for his or her benefit (eg, an owner or a driver) – the “responsible person” – is liable for damages for the death or bodily injury of another person arising from the operation of the automobile. The foregoing liability, however, does not apply if the responsible person proves that he or she and the driver exercised due care in controlling and operating the automobile, that the injured party or a third party other than the driver acted intentionally or negligently (including through simple negligence), and that there was no defect in the structure or functions of the automobile.
One issue is whether this special liability under the present automobile accident compensation framework should be modified to properly address car accidents caused by cars operated by artificial intelligence, such as holding the car manufacturers liable for damages. The Research Report on Damage Liability regarding Autonomous Vehicles, which the Ministry of Land, Infrastructure and Tourism published in March 2018, concluded that it is appropriate not to modify the existing special liability for automobile accidents during the transition period until 2025 when autonomous vehicles are expected to be widely used. The report recommended that insurance companies that have compensated for damages caused by a defect in autonomous driving equipment installed in a vehicle should be able to recover the compensation they paid from the car manufacturers that installed the defective artificial intelligence-driving equipment.
Based on the recommendation, the Japanese Road Transport Vehicle Act was amended in May 2019 so that autonomous driving equipment is required to have recording equipment to provide insurance companies with evidence as to the cause of an automobile accident.
Data Protection Consideration
The APPI has not imposed strict conditions focused only on processing personal information by AI. The APPI requires business operators using a personal information database in their business (“handling operators”) to use personal information only within the scope of the purpose of use notified to data subjects or publicly announced when collecting personal information. Therefore, as a general rule, it is required to notify or publicly announce the purpose of machine learning in order to use personal information for machine learning.
In this regard, it is noteworthy that the purpose of generating statistical data by aggregating or analysing a large amount of personal information does not have to be notified to data subjects or publicly announced, as clarified in the relevant guidelines issued by the PPC. Therefore, it is possible to process personal information and to have AI use it as statistics without this being specified as a purpose of use.
Further, a recent amendment to the APPI, which is expected to be enforced in 2022, will introduce the concept of “pseudonymously processed information”, which is defined as personal information that can identify a specific individual only by collation with other information. If handling operators pseudonymously process personal data, they will be allowed to internally use the pseudonymously processed information beyond the original purpose of use that was notified to data subjects or publicly announced when collecting the original data. Thus, after the amendment takes effect, handling operators may use personal data for machine learning even where the machine learning is not included in the purpose of use notified to the data subjects when the personal data was collected.
In the process of machine learning, copyrighted works may be copied or adapted, which may cause an infringement of copyrights. To promote AI developments, the Copyright Act grants an exemption allowing the use of copyrighted works to the necessary extent without permission from the copyright owner where the use (i) does not aim to let the user or others enjoy thoughts or sentiments expressed in the work, and (ii) does not unjustifiably harm the copyright owner’s interests, taking into consideration the type and purpose of the work and the manner in which the work is used.
This exemption covers the use of copyrighted works for extracting informative elements from a large amount of copyrighted or other works and analysis. The Copyright Act was amended in 2019 to clarify that this exemption covers not only statistical analysis but also deep learning, and not only copying but also transmission for grid computing.
Protection of “Shared Data with Limited Access”
To promote data sharing between businesses so that big data will be more widely used, the amendment to the Unfair Competition Prevention Act introduced the protection of “shared data with limited access” which is defined as any technical or business information:
Information controlled as a secret, which would be protected as a trade secret, is excluded from the concept of shared data with limited access. Most typically, where data such as the location of smartphones or cars is collected by a business operator (the “data holder”) and sold to third-party business operators for a fee (or shared among business operators in a consortium without charge) under the condition that the data can be used only for a certain purpose such as internal marketing analysis and cannot be redistributed or used for unauthorised purposes, the data would be protected as shared data with limited access. If shared data with limited access is wrongfully acquired, redistributed to third parties or used for unauthorised purposes, the data holder may seek an injunction and damage compensation under the Unfair Competition Prevention Act.
The Use of Radio Waves
Under the Radio Waves Act (the RWA), in principle, users of radio equipment – including Internet of Things (IoT) devices using radio waves such as Bluetooth or Wi-Fi – must obtain a radio station licence from the Ministry of Internal Affairs and Communications (the MIC). However, certain smaller-scale radio stations, including Wi-Fi and Bluetooth devices, are exempted from such licence requirement if the device conforms to the technical requirements established by the MIC and bears a certification mark indicating such conformity (an R-mark). For users to comply with the foregoing requirements, manufacturers, importers or sellers of those devices apply for the certificate of conformity and put the certification mark on their products.
Radio equipment that has undergone technical conformity certifications conducted by foreign certification bodies based on mutual recognition agreements between Japan and certain foreign countries (currently, the USA, the EU and Singapore) is deemed to conform to the technical standards established by the MIC in Japan and may bear an R-mark without a separate certification in Japan. Please note that, due to Brexit, the mutual recognition agreement between the EU and Japan no longer applies to certification bodies in the UK and there is no mutual recognition agreement between the UK and Japan. However, the Minister for Foreign Affairs of Japan has issued a letter stating that the Japanese government will accept the certification by certification bodies in the UK in accordance with Article 38-31 of the RWA, which is similar to a mutual recognition agreement framework except that only non-Japanese manufacturers can rely on this Article 38-31 and Japanese manufacturers cannot use the certification bodies in the UK unlike under mutual recognition agreements.
There is an exemption to the certification requirement that is available for devices which conform to technical specifications designated by the MIC such as IEEE802.11b/11a/11g/11n/11ac/11ad and Bluetooth Core Specification Version 2.1 or later, if solely used for testing purposes. To rely on this exemption, a notification must be filed with the MIC stating the start and close of the testing period. The testing period must be 180 days or shorter. Before filing the start notification, one must ensure that the device complies with at least one of the technical specifications designated by the MIC.
Under the TBA, any telecommunications device which is connected to a telecommunications circuit facility, such as an internet connection provided by a telecommunications business operator, must satisfy certain technical requirements, be certified by a registered certification body, and bear a “T-mark”. However, the guidelines issued by the MIC on 22 April 2019 clarified that if a Bluetooth device (i) can be used by connecting to a smartphone, (ii) does not have other functions that directly connect to telecommunications circuit facilities, and (iii) is certified as complying with the Bluetooth specifications, that Bluetooth device is exempt from the TBA certification requirement.
A similar exemption applies to a Wi-Fi device if (i) the Wi-Fi device cannot be directly connected to the internet provided by a telecommunications business operator and is connected to the internet only through a certified router which bears a T-mark, and (ii) there is a statement in the manual that the device cannot be directly connected to the internet.
Data Protection Consideration
If an IoT device collects personal information, such as a person’s appearance recorded by a camera or a voice recording enabling the specification of a certain person, the service provider which collects the personal information through that IoT device would generally need to comply with the requirements under the APPI. Please see 6.1 Core Rules for Individual/Company Data.
There are no specific laws or regulations that apply to IT service agreements. In addition, there are no laws that strictly regulate the location of data storage or data centre, data-localisation, or price revision. However, the general contract law based on the will of the contracting parties applies to IT service agreements.
The following points should be noted when including a liability limitation clause in a contract:
Core Rules Regarding Data Protection
Under the APPI, a handling operator must comply with the following obligations:
Under the TBA, the secrecy of communications handled by a telecommunications carrier must not be violated. The collection and processing of data against the communicating parties’ wills (including activities operated by systems that automatically collect or process data) and a breach of protected data are deemed as violations of the secrecy of communications. The scope of the secrecy of communications includes:
Distinction between Companies/Individuals
The APPI makes a clear distinction between companies and individuals. It does not protect a company’s data. However, it applies to the personal information of employees obtained by their employers, including companies.
On the other hand, the secrecy of communications under the TBA protects information regardless of whether or not it identifies a specific individual and, thus, applies to protect companies.
General Processing of Data
There are no general laws or regulations that apply to the processing of data.
The concept of ownership stipulated by the Civil Code does not apply to data processing. Data processing is determined exclusively based on contracts.
Processing of Personal Data
Unlike the EU General Data Protection Regulation (GDPR), there is no definition or a similar concept of data controller or data processor under the APPI. However, the regulations regarding entrusting data are partially relevant. If a handling operator entrusts all or part of the handling of personal data to a third party, it must exercise necessary and appropriate supervision over that third party.
The APPI applies to the handling of personal information of employees. When conducting monitoring, the purpose of use of the personal information must be specified and notified to the employees. Employers must also consider privacy rights.
Under case law, the legality of monitoring takes into consideration mainly the necessity, rationality of the purpose, the appropriateness of the means, and the degree of restrictions on employees. In addition, in a case involving the monitoring of location data, an employer who collected GPS data of employees outside of work hours was found liable for invasion of privacy; however, it is not an invasion of privacy to collect GPS data during paid work hours solely for legitimate purposes.
The PPC published guidelines which recommend the following measures regarding monitoring:
Licence for Telecommunications Business
As described in 1.1 Laws and Regulations, a telecommunications business is defined under the TBA. Under the TBA, “telecommunications” means sending, delivering or receiving codes, sounds or pictures by wire, wireless means, or any other electromagnetic means which includes the internet. A broadcasting business is excluded from the definition of telecommunications business.
The TBA requires a licence prior to offering telecommunications services in Japan. There are basically two types of such licences under the TBA, namely, (i) a registration (toroku) and (ii) a notification (todokede). If a provider of a telecommunications business installs or owns (including in the form of an "indefeasible right of use" or IRU) telecom circuits (eg, optic fibres or coaxial cables) at certain levels, it must be a registration carrier. Other providers who do not install such circuits (eg, ISPs) are basically required to only notify the MIC prior to offering telecommunications services.
A party seeking to provide a telecommunications service must submit application documents to the MIC. In the case of a registration, it must also appoint a general manager for the telecommunication facilities (denki tsushin setsubi toukatsu kanri sha) or a chief telecommunications engineer (denki tsushin shunin gijutsu sha). A notification is a relatively straightforward procedure which would take only several days if all the necessary documents are complete. The filing fee for registration is JPY150,000, but no fee is necessary for filing a notification. There is no licence term or annual fee for either registration or notification. It is advisable to unofficially consult with the MIC before filing an official application.
Licence for Radio Station
As described in 4.1 Restrictions on a Project's Scope, a user of radio equipment must obtain a radio station licence pursuant to the RWA, with certain exceptions. Thus, if a provider of telecommunications services uses radio equipment for the services, it must obtain a licence not only under the TBA but also under the RWA.
The RWA restricts foreign investments in relation to obtaining a licence to use radio equipment. The following entities or parties are not eligible to hold the licence:
However, there are exceptions to the foregoing restriction. For instance, if the purpose of the radio equipment is to operate a telecommunications business, the foregoing restriction does not apply.
The term of the licence is five years. There is also an annual fee for the use of radio frequencies. The amount of the licence application fee and the annual fee to use radio frequencies varies depending on the type of radio frequencies and the power of the antenna of the radio equipment.
Licence for Broadcasting Business
As described in 8.1 Scope of Telecommunications Rules and Approval Requirements, a telecommunications business under the TBA does not include a broadcasting business, which is separately regulated under the Broadcasting Act. Note that the key regulator of both the telecommunications business and the broadcasting business is the MIC.
The Broadcasting Act requires a licence prior to offering broadcasting services in Japan, which include:
The Broadcasting Act does not apply to companies with video channels online. There is no specific law which regulates video channels online.
The Broadcasting Act restricts foreign investments in the broadcasting business. The following entities or parties are not eligible to hold a broadcasting licence:
Licence for Radio Station
As described in 8.1 Scope of Telecommunications Rules and Approval Requirements, users of radio equipment must obtain a radio station licence pursuant to the RWA, with certain exceptions. Thus, if a provider of broadcasting services uses radio equipment for the services, it must obtain a licence not only under the Broadcasting Act but under the RWA as well.
As described in 8.1 Scope of Telecommunications Rules and Approval Requirements, the RWA restricts foreign investments regarding licences to use radio equipment. While there are exceptions to such restriction, those exceptions are not available for the use of radio equipment for a broadcasting business.
There are no legal requirements on encryption for either the telecommunications business or the broadcasting business. However, the MIC’s Standards for Security and Reliability of the Information Network set forth certain rules to maintain a secured network, which include the obligation to use encryption for confidential telecommunications. These Standards do not have the mandate of law but, in practice, carry a lot of weight for telecommunications carriers.
The MIC allowed licence holders operating radio stations to defer the payment of fees for the use of radio waves for radio stations until 31 December 2020 pursuant to the law for the control of infectious diseases. To date, there is no expectation that existing legislation or government programmes relevant to TMT will be modified due to COVID-19.
Due to the pandemic, the government has been promoting remote work. The MIC encourages companies to introduce remote work by providing information regarding appropriate IT systems and network security. While the MIC had already issued and updated its guidelines for network security before the pandemic – the latest amendment was made in April 2018 – the MIC plans to further revise the guidelines by the end of March 2021. Further, the National Centre of Incident readiness and Strategy for Cybersecurity updated the information it provides on network security for remote work in response to the increase of cyber-attacks in the midst of the pandemic.