The metaverse has been attracting attention from businesses and government, and there have been considerable developments in related legal discussions and legislation. In November 2022, the government convened a council consisting of businesses, legal experts and government officials, which discussed legal issues related to the metaverse, and released a final report in May 2023. Two laws were amended in 2023 relating to the metaverse. One extends a protection for product design from the real world to the metaverse, and the other introduces a more expedited and simplified state licensing scheme for secondary use of user-generated contents (UGC).

Intellectual Property Rights

Copyright

Reproducing the real world in the metaverse will not infringe copyright in most cases. While architectural works with copyrightable properties are often used as landmarks in the metaverse, that use is permitted by Article 46 of the Copyright Act. Article 46 permits the use of architectural works or works of art that are publicly available (like a statue in a park), but does not apply to signboards or other works that are copyrightable. However, Article 30-2 of the Copyright Act allows a third-party copyrightable work to be incidentally included in another copyrightable work as long as the inclusion is minor and incidental to the principal copyrightable work (eg, where a third party’s copyrighted work was included in a photo). Based on this provision, when a vast space in the real world is reproduced in the metaverse, a signboard with copyrightable material that is also reproduced in the metaverse will be considered to be only a minor inclusion compared to the entire reproduced space so that the inclusion will be allowed under Article 30-2 of the Copyright Act.

In the metaverse, users often engage in creative activities and copyright for their creative works may be granted to them depending on the terms of use of the metaverse. If so granted, a third party who wants a secondary use of such user-generated contents must obtain a licence from the user holding the copyright. To facilitate such secondary use, even if the copyright owner does not timely respond to a licensing request, the Copyright Act was amended in May 2023 to allow a more expedited and simplified state licensing scheme for the secondary use of user-generated contents within three years from May 2023.

Design imitation

Under the current laws, a design owner usually cannot block a third party from replicating a product from the real world to the metaverse even if it is protected by a design right. To protect the design owner’s interest, the Unfair Competition Prevention Act was amended in 2023 to prohibit the provision via telecommunications of data which imitates another’s product, from April 2024.

Trade mark

Virtual goods may be produced with trade marks, as in real-world goods. Since the goods and service classifications between the real world and the metaverse are different, trade marks for real-world goods would not be protected in the metaverse unless they are registered for virtual goods and services. Having said that, since an increasing number of brand-owning companies apply for virtual goods and services, metaverse providers would need to be more careful about using a third-party’s trade marks. In light of the market growth of metaverse, more brand-owning companies are expected to register their trade marks for virtual goods and services.

Publicity rights

An avatar may be generated from an image of a public figure. There is a judicial precedent ruling that a publicity right is granted if the name or image of the public figure has the power to promote the sale of goods and that publicity right is infringed if the name or image is used solely for the purpose of promoting sales (Supreme Court, 2 February 2012). Thus, such an avatar cannot be used to promote sales, but a publicity right would not be infringed if the user generates the avatar only for personal satisfaction or use.

Privacy Law

Users’ actions in the metaverse are collected and recorded by metaverse service providers, which can also collect and use users’ data, such as the users’ profiles, behaviour, interests, and preferences.

Not all users’ information in the metaverse is considered “personal information” under the Act on the Protection of Personal Information (APPI). The APPI defines “personal information” as information relating to a living individual which contains a name, date of birth, or other descriptions through which a specific individual can be identified. Therefore, if, for example, an individual registers only a nickname to use a metaverse service, the information collected by the provider of the metaverse service would not be considered “personal information”. However, if in using the metaverse, an individual’s real name or email address that could identify that individual is registered, then that information is considered personal information under the APPI.

Separately from the APPI, Japanese courts recognise a person’s right to privacy, which is the right for that person’s private life not to be disclosed except for legitimate reasons. Certain information collected in the metaverse can be protected as part of a person’s private life. Therefore, even if a piece of information is not considered personal information under the APPI, it is necessary to examine whether certain users’ data is protected as part of the users’ private lives.

Telecommunications Business Act

The Telecommunication Business Act (TBA), which was amended in 2022, requires large-scale social networking services (SNS) (ie, SNS with at least 10 million users if the service is provided without consideration, and with at least 5 million users if the service is provided with consideration) to file a notification with the Ministry of Internal Affairs and Communications (MIC). Metaverse service providers may also be subject to the TBA if they are large-scale. See 7. Telecommunications for details on TBA.

In Japan, trading practices and consumer protection in the context of digital platforms recently attracted public attention and two pieces of legislation were promulgated in 2020 and 2021. Further legislation for fair competition and user protection is also currently under discussion. 

Transparency and Fairness of Digital Platforms

The Act on Improving Transparency and Fairness of Digital Platforms was enacted in June 2020 and took effect in February 2021. Under the Act, the Ministry of Economy, Trade and Industry (METI) designates providers of regulated digital platforms with a certain size in sales according to the category of the platform:

• e-commerce marketplace with annual sales of JPY30 billion or more;
• app store with annual sales of JPY20 billion or more;
• advertisement media with annual sales of JPY10 billion or more; and
• digital advertising platforms with annual sales of JPY5 billion or more.

If so designated, such digital platform providers are required to disclose the conditions of accepting business operators, reasons for requesting purchasing services, factors affecting rankings, and other information. Such designated providers are also required to annually report their complaints handling, disputes resolution, disclosure and self assessment to METI.

Consumer Protection of Digital Platforms

The Digital Platform Consumer Protection Act was enacted in May 2021 and took effect in May 2022. The Act applies to platforms on which consumers may purchase goods, services or rights for consideration, without regard to the size of sales. The Act requires platform providers to proactively protect consumers from sellers, which are not platform providers but just merchants in digital platforms. Digital platform providers are required to take measures to enable smooth communication between sellers and consumers, investigate sellers in response to consumer complaints about transactional conditions, and require sellers to provide information on their identity as necessary. Digital platform providers may be requested by the Consumer Affairs Agency to remove certain goods, services or rights if there are any false or misleading descriptions that are not voluntarily remedied. Consumers may require digital platform providers to disclose the names, addresses, phone and facsimile numbers, email addresses, and corporate registration numbers of sellers if they need the information to exercise their rights against sellers.

Fair Competition in the Digital Market

The Digital Market Competition Study Group administered by the Cabinet Secretariat released a report and called for public comments in June 2023. The report proposes to introduce new regulations on large-scale mobile OS providers, app stores, browser providers, and search engines. The proposed regulations include:

• prohibiting large-scale app stores from forcing in-app payment;
• obligating large-scale mobile OS providers to allow alternative app stores;
• obligating large-scale mobile OS providers and browser providers to allow users to easily change default settings;
• obligating large-scale mobile OS providers to provide an opportunity for users to elect pre-installed apps;
• obligating large-scale search engines to treat third-party services on a non-discriminatory basis vis-à-vis in-house services;
• prohibiting large-scale mobile OS providers, app stores, and browser providers from using non-public data for other services;
• obligating large-scale mobile OS providers, browser providers, and app stores to provide data portability;
• prohibiting large-scale app stores from forcing social login; and
• obligating large-scale mobile OS providers to allow third parties to equally access OS functions.

Although the report has generally taken a strict attitude, it also seems to agree that seemingly problematic acts may be justified if necessary for security or privacy. A bill is expected to be submitted to the Diet in 2024.

User Protection of Digital Platforms

The Platform Service Study Group administered by the MIC published their third report in January 2024. The report recommends that the government require providers of large-size digital platforms where unspecified users can distribute contents to take measures to protect defamed people, including having a complaint window, procedure for accepting a complaint, and a staff member familiar with Japanese culture and society, completing the investigation within one week, and notifying the complainant of the results of investigation. The report also recommends that such providers be required to publicly disclose their policies, notify contributors of the ground for banning, and publicly disclose how measures are implemented.

In Japan, there are no laws or regulations which are generally applicable to cloud computing. However, certain services using cloud computing, such as voice communication services and email services, may constitute a telecommunications business under the Telecommunications Business Act (TBA). Please see 7. Telecommunications.

Where personal information is stored in a cloud, the APPI will apply. The Personal Information Protection Commission (PPC), the principal regulatory authority regarding the APPI, has clarified that businesses using cloud services must take security measures to protect personal information stored in a cloud service provided by a third party, but they do not need to supervise the providers of the cloud service or obtain consent from data subjects if the cloud service providers cannot access the stored personal information, regardless of whether the relevant data centre is located in or outside Japan.

Industry-Specific Guidelines on Cloud Computing

Government cloud procurement

The Japanese government operates the Information System Security Management and Assessment Programme (ISMAP), pursuant to which Japanese government organisations may procure cloud services from cloud service providers registered with the ISMAP steering committee. The registration process requires applicants to submit an assessment report prepared by a third-party auditor registered with the committee, as well as other required information, including information regarding the risk of compulsory data access due to the applicability of foreign laws to enable the committee to review those foreign laws.

Cloud use by private-sector essential infrastructure

New legislation titled the Act on the Promotion of National Security through Integrated Economic Measures, which was promulgated in May 2022, imposes an additional requirement on essential infrastructure providers designated by the government from 14 essential infrastructure areas, namely, electric power, gas supply, petroleum, water, railways, motor freight, ocean freight, aviation, airports, telecommunications, broadcasting, postal services, financial services, and credit cards. Designated providers will be required to submit a written plan to the competent government ministry for review before they install certain essential facilities or outsource the maintenance or management of certain essential facilities, which include cloud services. In relation to the plan to use a cloud service, certain parts of the plan may be omitted if the provider is registered with the ISMAP steering committee.

Financial service operators

Financial service operators – such as banks, insurance companies and financial instrument business operators – are required by the supervisory guidelines issued by the Financial Services Agency (FSA) to take outsourcing management measures. Since the use of cloud services provided by a third-party service provider is a form of outsourcing, financial service operators must implement outsourcing management measures such as conducting a due diligence check of the service provider, entering into a service agreement that satisfies the supervisory guidelines and auditing the service provider. More specifically to cloud, the financial service sector often refers to the guide to cloud implementation and operation of financial institutions published by the Centre for Financial Industry Information Systems (FISC).

Healthcare information

The healthcare industry (eg, hospitals, clinics, dentists and pharmacies) is subject to the Security Guidelines for Medical Information issued by the Ministry of Health, Labour and Welfare. Providers of cloud services to the healthcare industry are subject to the Security Guidelines for Information Service Providers for Medical Information issued by METI and MIC. These guidelines include both mandatory requirements as well as government-recommended actions.

Product Liability and General Tort Liability

Under the Product Liability Act (the “PL Act”), a producer of a manufactured or processed movable good is liable for damages to human life or body, or property, caused by a defect in the good, regardless of whether or not the producer is negligent.

Since big data, machine learning and artificial intelligence (AI) are not movable goods, producers of big data, machine learning or AI themselves will not be subject to the PL Act. Rather, it is the producers of movable goods into which big data, machine learning or AI is installed which will be liable for the damages caused by a defect in those movable goods, including a defect in the installed big data, machine learning or AI.

Producers of big data, machine learning or AI may be subject to general tort liability under the Civil Code. General tort liability is not a strict liability, unlike liability under the PL Act, and the plaintiff must prove intentional act or negligence (including simple negligence) on the part of the defendant to successfully claim for damages.

Autonomous Vehicle Accident Liability

Under the Act on Securing Compensation for Automobile Accidents, any person who has control over or operates an automobile for their own benefit (eg, an owner or a driver) – the “responsible person” – is liable for damages for the death or bodily injury of another person arising from the operation of the automobile. The foregoing liability, however, does not apply if the responsible person proves that they and the driver exercised due care in controlling and operating the automobile, that the injured party or a third party other than the driver acted intentionally or negligently (including through simple negligence), and that there was no defect in the structure or functions of the automobile.

One issue is whether this special liability under the present automobile accident compensation framework should be modified to properly address car accidents caused by cars operated by AI, such as holding the car manufacturers liable for damages. The Research Report on Damage Liability regarding Autonomous Vehicles, which the Ministry of Land, Infrastructure and Tourism published in March 2018, concluded that it is appropriate not to modify the existing special liability for automobile accidents during the transition period until 2025 when autonomous vehicles are expected to be widely used. The report recommended that insurance companies that have compensated for damages caused by a defect in any autonomous driving equipment installed in a vehicle should be able to recover the compensation they paid from the car manufacturers that installed the defective artificial intelligence-driving equipment.

Based on the recommendation, the Japanese Road Transport Vehicle Act was amended in May 2019 so that any autonomous driving equipment is required to have recording equipment to provide insurance companies with evidence as to the cause of an automobile accident.

Data Protection Consideration

The APPI has not imposed strict conditions focused only on processing personal information by AI. The APPI requires business operators using a personal information database in their business (“handling operators”) to use personal information only within the scope of the purpose of use notified to data subjects or publicly announced when collecting personal information. Therefore, as a general rule, it is required to notify or publicly announce the purpose of machine learning in order to use personal information for machine learning.

In this regard, the purpose of generating statistical data by aggregating or analysing a large amount of personal information does not have to be notified to data subjects or publicly announced. However, the purpose of profiling, such as user journey analysis for targeted advertisement and credit scoring, must be notified to data subjects or publicly announced.

Further, if handling operators pseudonymously process personal data, they will be allowed to internally use the pseudonymously processed information beyond the original purpose of use that was notified to data subjects or publicly announced when collecting the original data. Thus, handling operators may use personal data for machine learning even where the machine learning is not included in the purpose of use notified to the data subjects when the personal data was collected.

In June 2023, PPC issued guidance to users and providers of generative AI. Users were advised not to input personal data to generative AI unless the use of AI is within the purposes of use notified to data subjects and there is assurance that the input data will not be used for machine learning. The guidance suggested that providers not collect sensitive data, which collection requires data subjects’ consent, and disclose purposes of use to data subjects. 

Copyrights Consideration

In the process of machine learning, copyrighted works may be copied or adapted, which may cause an infringement of copyrights. To promote AI developments, the Copyright Act grants an exemption allowing the use of copyrighted works to the necessary extent without permission from the copyright owner where the use (i) does not aim to let the user or others enjoy thoughts or sentiments expressed in the work, and (ii) does not unjustifiably harm the copyright owner’s interests, taking into consideration the type and purpose of the work and the manner in which the work is used.

This exemption covers the use of copyrighted works for extracting informative elements from a large amount of copyrighted or other works and analysis. The Copyright Act was amended in 2019 to clarify that this exemption covers not only statistical analysis but also deep learning, and not only copying but also transmission for grid computing.

In light of the recent increased use of generative AI, copyright holders have concerns about free riding, and the Agency for Cultural Affairs is expected to issue new guidelines regarding AI and copyrights in 2024. The guidelines are expected to clarify cases which will not allow the use of copyrighted works for AI. AI developers should pay attention to this development.

Protection of “Shared Data with Limited Access”

To promote data sharing between businesses so that big data will be more widely used, the amendment to the Unfair Competition Prevention Act introduced the protection of “shared data with limited access” which is defined as any technical or business information:

• that is accumulated in a reasonable amount by electronic means;
• that is provided to specified persons as a business; and
• the access of which is controlled by electronic means.

Information controlled as a secret was previously excluded from protection even if the foregoing conditions were met, but under a 2023 amendment, from April 2024, that information will also be protected as long as it is not protected as a trade secret. Most typically, where data such as location of smartphones or cars is collected by a business operator (the “data holder”) and sold to third-party business operators for a fee (or shared among business operators in a consortium without charge) under the condition that the data can be used only for a certain purpose such as internal marketing analysis and cannot be redistributed or used for unauthorised purposes, the data would be protected as shared data with limited access. If shared data with limited access is wrongfully acquired, redistributed to third parties or used for unauthorised purposes, the data holder may seek an injunction and damage compensation under the Act.

Under the Radio Waves Act (RWA), in principle, users of radio equipment – including internet of things (IoT) devices using radio waves such as Bluetooth or Wi-Fi – must obtain a radio station licence from MIC. However, certain smaller-scale radio stations, including Wi-Fi and Bluetooth devices, are exempted from such licence requirement if the device conforms to the technical requirements established by MIC and bears a certification mark indicating such conformity (an R-mark). For users to comply with the foregoing requirements, manufacturers, importers or sellers of those devices apply for the certificate of conformity and put the certification mark on their products.

Radio equipment that has undergone technical conformity certifications conducted by foreign certification bodies based on mutual recognition agreements between Japan and certain foreign countries (currently, the USA, the EU, the UK and Singapore) is deemed to conform to the technical standards established by MIC in Japan and may bear an R-mark without a separate certification in Japan.

There is an exemption to the certification requirement that is available for devices which conform to technical specifications designated by MIC such as IEEE802.11b/11a/11g/11n/11ac/11ad and Bluetooth Core Specification Version 2.1 or later, if solely used for testing purposes. To rely on this exemption, a notification must be filed with MIC stating the start and close of the testing period. The testing period must be 180 days or shorter. Before filing the start notification, one must ensure that the device complies with at least one of the technical specifications designated by MIC.

Internet Connection

Under the TBA, any telecommunications device which is connected to a telecommunications circuit facility, such as an internet connection provided by a telecommunications business operator, must satisfy certain technical requirements, be certified by a registered certification body, and bear a “T-mark”. However, the guidelines issued by MIC on 22 April 2019 clarified that a Bluetooth device is exempt from the TBA certification requirement if it:

• can be used by connecting to a smartphone;
• does not have other functions that directly connect to telecommunications circuit facilities; and
• is certified as complying with the Bluetooth specifications.

A similar exemption applies to a Wi-Fi device if:

• the Wi-Fi device cannot be directly connected to the internet provided by a telecommunications business operator and is connected to the internet only through a certified router which bears a T-mark; and
• there is a statement in the manual that the device cannot be directly connected to the internet. 

Data Protection Consideration

If an IoT device collects personal information, such as a person’s appearance recorded by a camera or a voice recording enabling the specification of a certain person, the service provider which collects the personal information through that IoT device would generally need to comply with the requirements under the APPI.

Licence for Broadcasting Business

As described in 7. Telecommunications, a telecommunications business under the TBA does not include broadcasting businesses, which are separately regulated under the Broadcasting Act. Note that the key regulator of both the telecommunications business and the broadcasting business is MIC. 

The Broadcasting Act requires a licence prior to offering broadcasting services in Japan, which include:

• terrestrial-based television broadcasting;
• satellite-based television broadcasting; and
• cable television broadcasting.

The Broadcasting Act does not apply to companies with video-sharing platform services. In fact, there is no specific law which regulates video-sharing platform services.

The Broadcast Act restricts foreign investments in the broadcasting business. The following entities or parties are not eligible to hold a broadcasting licence:

• a person who is not a Japanese national;
• a foreign government or its representative;
• a foreign entity; and
• a company or entity in which any of the aforementioned entities or persons is the executive director, or holds 20% or more of the voting rights.

Licence for Radio Station

As described in 5.1 Machine-to-Machine Communications, Communications Secrecy and Data Protection, users of radio equipment must obtain a radio station licence pursuant to the RWA, with certain exceptions. Thus, if a provider of broadcasting services uses radio equipment for the services, it must obtain a licence not only under the Broadcast Act but under the RWA as well.

As described in 7. Telecommunications, the RWA restricts foreign investments regarding licences to use radio equipment. While there are exceptions to such restriction, those exceptions are not available for the use of radio equipment for a broadcasting business.

Licence for Telecommunications Business

Under the TBA, “telecommunications” means sending, delivering or receiving codes, sounds or pictures by wire, wireless means, or any other electromagnetic means which includes the internet. A broadcasting business is excluded from the definition of telecommunications business.

The TBA requires a licence prior to offering telecommunications services in Japan. There are basically two types of such licences under the TBA, namely:

• a registration (toroku); and
• a notification (todokede).

If a provider of a telecommunications business installs or owns (including in the form of an “indefeasible right of use” or IRU) telecom circuits (eg, optic fibres or coaxial cables) at certain levels, it must be a registration carrier. Other providers who do not install such circuits (eg, ISPs) are basically required to only notify MIC prior to offering telecommunications services.

A party seeking to provide a telecommunications service must submit application documents to MIC. In the case of a registration, it must also appoint a general manager for the telecommunication facilities (denki tsushin setsubi toukatsu kanri sha) or a chief telecommunications engineer (denki tsushin shunin gijutsu sha). A notification is a relatively straightforward procedure which would take only several days if all the necessary documents are complete. The filing fee for registration is JPY150,000, but no fee is necessary for filing a notification. There is no licence term or annual fee for either registration or notification. It is advisable to unofficially consult with MIC before filing an official application.

Licence for Radio Stations

As described in 5.1 Machine-to-Machine Communications, Communications Secrecy and Data Protection, a user of a radio equipment must obtain a radio station licence pursuant to the RWA, with certain exceptions. Thus, if a provider of telecommunications services uses radio equipment for the services, it must obtain a licence not only under the TBA but also under the RWA.

The RWA restricts foreign investments in relation to obtaining a licence to use radio equipment. The following entities or parties are not eligible to hold the licence:

• a person who is not a Japanese national;
• a foreign government or its representative;
• a foreign entity; and
• a company or entity in which any of the aforementioned entities or persons is the executive director, or holds ⅓ or more of the voting rights.

However, there are exceptions to the foregoing restriction. For instance, if the purpose of the radio equipment is to operate a telecommunications business, the foregoing restriction does not apply.

The term of the licence is five years. There is also an annual fee for the use of radio frequencies. The amount of the licence application fee and the annual fee to use radio frequencies varies depending on the type of radio frequencies and the power of the antenna of the radio equipment.

IT Service Agreements

There are no specific laws or regulations that apply to IT service agreements. In addition, there are no laws that strictly regulate the location of data storage or a data centre, data-localisation, or price revision. However, the general contract law based on the will of the contracting parties applies to IT service agreements.

Parties should remember the following when incorporating a liability limitation clause into a contract:

• in a contract between a company and a consumer, a liability limitation clause may be invalidated under the Consumer Contract Act (CCA); and
• while the CCA does not apply to contracts between companies, a provision that exempts one contracting party from liability in the case of intentional or gross negligence may be invalidated under case law.

Data Localisation

There are no data localisation regulations. However, for some sectors, such as the medical sector, there are guidelines recommending storing data in locations where Japanese law applies, that is, Japan. These guidelines are not strictly required to be observed, but are usually complied with by the relevant sectors as a matter of practice.

Economic Security

Under the Act on the Promotion of National Security through Integrated Economic Measures, essential infrastructure businesses must file a plan with the government before introducing or entrusting management of certain important equipment. The government will review the plan and may issue a recommendation or order entities to modify or discontinue the plan if the government finds security issues. The essential infrastructure providers were designated in November 2023 and the requirements are expected to be implemented in May 2024. After the implementation, when contracting with designated essential infrastructure providers in Japan, this Act should be taken into consideration. Contractual risk management measures, including those related to cybersecurity, will be required.

Electronic Signatures

Japan does not have an equivalent to electronic identification and trust services (eIDAS) regulations to regulate trust services comprehensively, but the Act on Electronic Signatures and Certification Business (the “Electronic Signatures Act”) grants an “electronic signature” the same legal status as wet-ink signatures. An “electronic signature” refers to a measure taken with respect to information recorded electronically and which meets both of the following requirements (Article 2):

• a measure to indicate that the relevant electronic information was created by the person who has taken that measure; and
• a measure to confirm that the relevant information has not been altered.

Although government authorisation is not mandatory, nine electronic signature service providers received confirmation that they satisfy the requirements of enabling “electronic signatures” from the Digital Agency in accordance with Article 4, paragraph 1 of the Electronic Signatures Act.

The Legal Affairs Bureau, which operates the real property and company registration systems, does not accept all electronic signatures. Although electronic filing is permitted under laws and regulations, only electronic signatures designated by the Minister of Justice are accepted. Thus, there are still many applicants who apply for registration using physical documents, in which case, the originally signed documents may need to be submitted, depending on the type of registration they are applying for.

Time Stamp

There are no laws that require time stamps on documents, except when documents on national tax are electronically stored. The Electronic Book Preservation Act requires scanned data of paper-based documents on national tax and originally electronically produced documents on national tax to be accompanied by time stamps before they are electronically stored, except where substitute measures designated by the ordinance of the Electronic Book Preservation Act are taken. Providers of the time stamps must enable proof of non-tampering for the term of the statutorily required storage period and a batch verification for a certain taxable period. Although an authorisation is not required to issue time stamps, the time stamp in compliance with the Electronic Book Preservation Act must be provided by service providers that obtain an accreditation from MIC. To obtain the accreditation, the time stamps must meet certain requirements under the Public Notice issued by MIC. The Japan Data Communications Association, a private association, investigates whether or not the requirements are met. As of August 2023, three time stamp service providers were accredited by MIC.

Electronic Seal

In June 2023, the Cabinet approved the “Strategic Plan for Realising Digital Society”. According to the plan, the government will promote standards to evaluate the credibility and conformity of services which provide electronic seals. MIC established a study group to discuss how to promote electronic seals in line with the plan and called for public comments on the draft of its final report in March 2024. The draft proposes that MIC accredit providers of electronic seals that meet certain requirements, which is similar to accreditation given to providers of time stamps.

Japanese Public Key Infrastructure (JPKI)

For the purposes of tax and social welfare, a unique identification number is assigned to each individual residing in Japan, regardless of nationality. That unique identification number can be used only for the purposes of tax, social welfare or other statutorily defined purposes, and the collection and use of such unique number is strictly restricted in the private sector. However, each unique identification number card issued by the government is installed with a digital certificate, which the private sector can use to establish the identity of users online (called the Japanese Public Key Infrastructure or JPKI). From May 2023, the certificate can also be embedded into Android smartphones. A business may verify that digital certificate through the use of the revocation list or Online Certificate Status Protocol (OCSP) service provided by the Japan Agency for Local Authority Information Systems (J-LIS), provided that it obtains authorisation from the Minister of MIC or outsources the verification to an authorised service provider.

A considerable number of financial service providers use the JPKI for the purpose of complying with the Know Your Customer (KYC) requirement. Compared to traditional KYC measures, reliance on JPKI is efficient in time and cost. Driver’s licenses are also installed with an IC chip which can also be used for KYC purposes. In June 2023, the government issued a policy plan to abandon KYC using drivers’ licences or other identification and only allow KYC by JPKI in the future.

eKYC in the Financial Sector (other than JPKI)

In the context of KYC, separately from relying on the digital data stored in ID cards, another measure used by financial institutions to establish users’ identity online is to require a user to take a selfie (with a random pose) and a digital image of a government-issued ID card by installing and using a smartphone application provided by the financial institution and to send both the selfie and the ID card image to the financial institution. The financial institution will compare the photo printed on the government-issued ID card and the selfie photo sent by the user. The comparison can be automatically processed provided that the false acceptance rate (FAR) is lower than a certain level determined by the government (note that the number is not publicly disclosed). This KYC measure is used by an increasing number of financial service providers.