Japan’s legal environment for technology, media and telecommunications (TMT) is built on a combination of sector‑specific regulations, platform and competition rules, privacy protections, and emerging digital‑governance measures. The key components are outlined below.

Telecommunications Law and Regulation

Telecommunications Business Act (TBA)

The TBA governs all providers of telecommunications services in Japan, including foreign and internet‑based operators that handle user communications.

Key requirements include:

• registration with the Ministry of Internal Affairs and Communications (MIC);
• appointment of a local representative; and
• compliance with reporting duties and strict protections for the secrecy of communications.

Foreign operators and licensing

The TBA applies even to services without physical infrastructure in Japan. Foreign platforms offering services to Japanese users – such as cloud or streaming services – may be subject to registration and compliance obligations.

Digital Platforms and Competition Law

Transparency Act

The Act on Improving Transparency and Fairness of Digital Platforms imposes obligations on designated “specified digital platform providers.” Requirements include:

• clear disclosure of terms and conditions;
• transparency on search and ranking criteria; and
• providing reasons for account suspensions or content removals.

Anti-monopoly Act (AMA)

Japan’s general competition law, enforced by the Japan Fair Trade Commission (JFTC), applies fully to digital markets. It addresses:

• abuse of superior bargaining position;
• monopolistic practices; and
• unfair trade behaviours, including restrictive default settings in mobile ecosystems.

Mobile Software Competition Act/DMA‑Style Rules

Japan has introduced legislation similar to the EU Digital Markets Act, targeting dominant mobile operating systems and app‑store ecosystems. These rules promote:

• fair access for third‑party apps;
• alternative payment systems; and
• penalties for anti‑competitive behaviour based on revenue.

Platform Content and Safety Regulations

Recent amendments (2024–2025), including the Information Circulation Platform Countermeasures Act, impose obligations on large platforms to enhance:

• transparency in content moderation; and
• procedures for deletion requests involving harmful or infringing content.

Data Protection and Consumer Rights

Act on the Protection of Personal Information (APPI)

The APPI is Japan’s primary privacy law, covering:

• handling of personal data;
• individual rights;
• breach reporting obligations; and
• restrictions on cross‑border data transfers.

It is enforced by the Personal Information Protection Commission (PIPC). Revisions in 2022 strengthened compliance obligations.

Provider Liability Law

This law provides safe‑harbour protections for ISPs and platforms hosting user‑generated content, provided they follow required procedures for handling takedown notices.

Act for Protection of Consumers Who Use Digital Platforms (APCDP)

The APCDP enhances consumer protection in online marketplaces by requiring platforms to:

• disclose seller information; and
• support consumer claims and dispute resolution.

Intellectual Property and Media Regulation

Copyright Law

Japan’s copyright regime includes the “right to make transmittable”, which covers uploading and online distribution. This affects platform liability and content‑distribution models.

Broadcasting and Media Regulations

Traditional media sectors (television, radio and film) are regulated by specific broadcasting laws that intersect increasingly with digital‑distribution frameworks, often involving licensing and content‑control rules.

Emerging and Strategic Legal Developments

AI Act (2025)

Japan’s new AI Act promotes safe development and deployment of AI technologies. It establishes governance structures such as the AI Strategy Headquarters and sets expectations for responsible innovation.

Cybersecurity and critical infrastructure

Various laws and proposals – including the Active Cyber Defense bill – address cybersecurity risks to national infrastructure, though such measures must remain consistent with privacy protections.

Policy initiatives

Government programmes such as Society 5.0 support ongoing legal reforms, digital transformation, and technological innovation across the economy.

Regulatory and Enforcement Bodies

Japan’s digital and technology landscape is overseen by several authorities, including the following.

• The Ministry of Internal Affairs and Communications (MIC).
• Japan Fair Trade Commission (JFTC).
• The Ministry of Economy, Trade and Industry (METI).
• The Personal Information Protection Commission (PIPC).
• The Agency for Cultural Affairs.

The key regulations governing the digital economy in Japan include the Act on Improving the Transparency and Fairness of Digital Platforms, as outlined below, and the Digital Platform Consumer Protection Act (see 1.5 Consumer Protection).

Transparency and Fairness of Digital Platforms

The Act on Improving the Transparency and Fairness of Digital Platforms, enacted in June 2020 and effective from February 2021, establishes obligations for large digital platform providers. Under this Act, the Ministry of Economy, Trade and Industry (METI) designates specific digital platform operators whose business scale exceeds certain annual sales thresholds in the following categories.

• E‑commerce marketplaces: JPY30 billion or more.
• App stores: JPY20 billion or more.
• Advertisement media: JPY10 billion or more.
• Digital advertising platforms: JPY5 billion or more.

Designated platform providers must disclose key operational information, including:

• conditions for accepting business operators;
• reasons for requiring the purchase of particular services;
• factors influencing rankings; and
• other essential terms and practices.

They are also required to submit annual reports to METI detailing their handling of complaints, dispute resolution processes, disclosure practices, and results of self‑assessments.

User Protection of Digital Platforms

In January 2024, the Platform Service Study Group, administered by the Ministry of Internal Affairs and Communications (MIC), issued its third report. The report recommends that the government require operators of large digital platforms – particularly those that allow unspecified users to distribute content – to implement specific user‑protection measures. These include:

• establishing a dedicated complaint window and clear complaint‑handling procedures;
• ensuring the involvement of staff members knowledgeable about Japanese culture and society;
• completing investigations of complaints within one week; and
• providing complainants with the results of those investigations.

The report further recommends that platform providers publicly disclose their content and enforcement policies, notify contributors of the grounds for bans, and make public how such measures are carried out.

Based on these recommendations, the Act on Dealing with the Infringement of Rights Caused by Information Distribution via Specified Telecommunications was enacted in 2024. For more information, see 10.1 Laws and Regulations for Social Media.

Income Tax (Individual Income Tax and Corporate Tax)

General rules

If a business operator is a resident individual or domestic corporation for Japanese income tax purposes, its worldwide income is subject to individual income tax or corporate tax.

If the operator is a non‑resident individual or foreign corporation, only domestic‑source income – including income attributable to a permanent establishment in Japan – is subject to individual income tax or corporate tax.

No digital services tax

Japan does not impose a digital services tax.

However, foreign business operators providing electronic services to customers in Japan should be aware of the treatment of consumption tax described below.

Licensing of software sales

When a Japanese company is licensed by a foreign producer or provider to sell software to Japanese customers, the issue arises whether payments made by the Japanese company to the foreign entity qualify as domestic‑source income and are therefore subject to withholding tax in Japan.

If Japanese customers download software from servers or cloud services located outside Japan, and the Japanese company merely facilitates the sale, the payments are treated as compensation for marketing services and are not subject to withholding tax in Japan.

However, if the Japanese company receives reproduction or modification rights, it may be regarded as selling software it has reproduced or modified. In that case, payments are treated as copyright licence fees, and withholding tax applies in Japan.

Consumption Tax (Value Added Tax)

General rules

Sales or leases of goods located in Japan are subject to consumption tax, and the seller/lessor must file a consumption tax return and pay the tax.

Sales or leases of goods located outside Japan are not subject to consumption tax.

• Services provided inside Japan are generally subject to consumption tax.
• Services provided outside Japan are generally not subject to consumption tax.

However, services classified as the “provision of electronic services” follow special rules (explained below).

Provision of Electronic Services

Services provided via electronic or telecommunications networks – such as the internet – are classified as electronic services. Taxability depends on the location of the recipient, not the provider.

• Electronic services provided to recipients in Japan are generally subject to consumption tax.
• Electronic services provided to recipients outside Japan are generally not subject to consumption tax.
• Electronic services include (but are not limited to):

1. providing e‑books, digital newspapers, music, videos, and software (including apps and games) online;
2. allowing customers to access cloud‑based software and databases;
3. providing cloud storage for customer data;
4. internet advertising distribution;
5. access to online shopping or auction platforms (eg, posting fees);
6. access to online marketplaces for selling game software and other products;
7. providing online reservation sites for accommodation and restaurants (eg, posting fees); and
8. providing online English lessons.

Services not treated as electronic services (because they are ancillary to asset transfers or are traditional telecom services) include:

• basic telecommunications (telephone, fax, telegraph, data transmission, and internet access);
• software development;
• administration or management of assets outside Japan (including internet banking);
• collecting and analysing information outside Japan; and
• litigation services provided by foreign legal professionals outside Japan.

Classification of Electronic Services

Tax treatment depends on whether services are classified as:

• B2B electronic services; or
• B2C electronic services.

A service is B2B if, based on its nature or terms, it is normally limited to business operators.

If not limited to business operators, it is treated as B2C, including services used by individuals or businesses.

B2B Electronic Services (Reverse Charge Mechanism)

When a foreign business operator provides B2B electronic services to business operators in Japan, the Japanese recipients must file and pay the consumption tax. This is known as the reverse charge mechanism.

Foreign providers must notify recipients in advance that they are responsible for filing and paying consumption tax on the transaction.

B2C Electronic Services (Platform Taxation or Filing by the Foreign Operator)

The reverse charge mechanism does not apply to B2C electronic services. Therefore, the foreign service provider is generally responsible for filing and paying consumption tax in Japan.

Platform Taxation (Effective 1 April 2025)

Beginning 1 April 2025, if a foreign operator:

• provides B2C electronic services via a digital platform; and
• receives compensation through a specified platform business operator,

then the platform operator must file and pay the consumption tax.

This shift is known as platform taxation.

According to the Outline of the 2026 Tax Reform Proposals, Japan plans to expand platform taxation to certain sales of goods in Japan by foreign business operators, and rename “specified platform business operator” to “type‑1 platform business operator (TBA)”.

Designation Requirement

A digital platform operator that receives over JPY5 billion in a taxable year for B2C electronic services must submit a designation notification to Japan’s National Tax Agency (NTA).

The NTA publishes a list of designated operators.

As of 6 December 2024, the list includes the following.

• iTunes K.K. (App Store, Apple Books, and Apple Podcasts).
• Amazon Web Services Japan G.K. (AWS Marketplace).
• Google Asia Pacific Pte. Ltd (Google Play).
• Nintendo Co., Ltd. (Nintendo eShop).

Income Tax (Individual Income Tax and Corporate Tax)

See 1.3 Digital Economy Taxation.

Consumption Tax (Value Added Tax)

The distribution of advertisements over the internet is considered a provision of electronic services. Whether this activity is subject to consumption tax depends on the location of the service recipient.

When a Japanese company or individual pays for advertisement distribution provided by a foreign business operator, that payment is subject to consumption tax. In this context, advertisement distribution by a foreign operator is classified as the provision of B2B electronic services.

Under the reverse charge mechanism, Japanese business operators are generally required to file a consumption tax return and pay the applicable consumption tax for such services. Accordingly, a foreign business operator distributing advertisements for a Japanese business operator must inform the recipient in advance that the recipient will be responsible for filing the consumption tax return and paying the applicable consumption tax.

Conversely, when a foreign company or individual pays for advertisement distribution performed by a Japanese business operator, that payment is not subject to consumption tax.

For further details regarding consumption tax, see 1.3 Digital Economy Taxation.

Overview

There are several laws governing consumer protection in Japan, including the Consumer Contract Act and the Act on Specified Commercial Transactions. However, the primary legislation focused on protecting consumers in relation to digital goods and services is the Digital Platform Consumer Protection Act. The main regulatory authority overseeing these laws is the Consumer Affairs Agency.

Consumer Protection of Digital Platforms

The Digital Platform Consumer Protection Act was enacted in May 2021 and came into force in May 2022. It applies to platforms through which consumers can purchase goods, services, or rights for consideration, regardless of the scale or volume of sales.

Under this Act, platform providers are required to take proactive steps to protect consumers from sellers who operate on their platforms but are not the platform providers themselves. These obligations include:

• facilitating smooth communication between sellers and consumers;
• investigating sellers when consumer complaints arise regarding transaction conditions; and
• requiring sellers to disclose identifying information when necessary.

Additionally, if a seller fails to correct false or misleading descriptions voluntarily, the Consumer Affairs Agency may request that the platform provider remove the relevant goods, services, or rights.

Consumers also have the right to request that platform providers disclose key information about sellers when needed to exercise their rights. Such information includes the seller’s name, address, phone number, fax number, email address, and corporate registration number.

Overview

Blockchain technology is widely used in Japan. While the technology itself is not regulated, certain types of tokens fall under specific legal categories such as crypto-assets, stablecoins, or security tokens.

Crypto-Assets

Since 2017, exchange services involving crypto-assets such as Bitcoin have been regulated under the Payment Services Act. To operate a crypto-asset exchange, businesses must register with the Financial Services Agency (FSA). Registered providers are required to follow AML rules, segregate client assets, and meet other compliance obligations.

Separately, since 2020, margin trading of crypto-assets has been regulated under the Financial Instruments and Exchange Act (the FIEA). In December 2025, an FSA‑convened working group proposed reforms to strengthen crypto-asset regulations. These proposals include:

• regulating spot transactions of crypto-assets under the FIEA;
• introducing disclosure requirements; and
• implementing prohibitions on unfair trading.

A legislative amendment reflecting these reforms is expected in 2026.

Crypto-assets are defined as either:

• (i) electronically recorded financial value that can be used for payment to, and bought or sold by, unspecified persons and that is electronically transferable; or
• (ii) other financial value that can be exchanged with the financial value described in (i) between unspecified persons.

This definition excludes assets denominated in fiat currency.

In the gaming industry, careful attention is required to determine whether in‑game currencies, items, or rewards fall within regulated categories. The FSA’s administrative guidelines offer some clarification, and although the 2025 working group recommended not expanding the scope of crypto‑asset regulation, the upcoming legal amendments should still be monitored.

Stablecoins

Because the definition of crypto-assets excludes tokens that are linked to, or exchangeable solely for, a specific fiat currency, stablecoins are regulated separately. A dedicated regulatory framework introduced in 2023 restricts stablecoin issuance to licensed banks, trust companies, or funds transfer service providers. Intermediaries dealing with stablecoins are also subject to regulation.

Security Tokens

In 2020, new regulations were introduced for security tokens. These rules acknowledge that tokenisation allows even low‑liquidity investment interests – such as trust or partnership interests – to be widely distributed and transferred with ease. As a result, such tokenised interests are now subject to more stringent disclosure obligations and licensing requirements to ensure investor protection.

In Japan, there are no laws or regulations that broadly apply to cloud computing in general. However, certain services that rely on cloud technologies – such as voice communication services and email services – may fall under the definition of a telecommunications business and therefore be subject to the Telecommunications Business Act (TBA). See 6. Telecommunications.

When personal information is stored in the cloud, the Act on the Protection of Personal Information (APPI) applies. The Personal Information Protection Commission (PPC), which oversees the APPI, has clarified that businesses using cloud services must implement security measures to protect personal information stored in a third‑party cloud environment. However, if the cloud service provider cannot access the stored personal information, the business does not need to supervise the provider or obtain consent from data subjects – this applies regardless of whether the data centre is inside or outside Japan.

Industry‑Specific Guidelines on Cloud Computing

Government cloud procurement

The Japanese government operates the Information System Security Management and Assessment Programme (ISMAP). Through ISMAP, government organisations may only procure cloud services from providers registered with the ISMAP steering committee. To be registered, applicants must submit an assessment report prepared by a committee‑registered third‑party auditor, along with additional required documentation. This includes information on the risks of compulsory data access under foreign laws, enabling the committee to review the implications of those laws.

Cloud use by private sector essential infrastructure

The Act on the Promotion of National Security through Integrated Economic Measures, promulgated in May 2022, imposes additional requirements on designated essential infrastructure providers across 14 sectors, including electric power, gas supply, petroleum, water, railways, motor freight, ocean freight, aviation, airports, telecommunications, broadcasting, postal services, financial services, and credit cards. An amendment in 2024 added port transport services, effective 1 April 2025.

Designated providers must submit a written plan to the relevant government ministry for review before installing certain essential facilities or outsourcing their maintenance or management. This requirement extends to the use of cloud services. If a cloud service provider is registered with ISMAP, certain sections of the plan may be omitted.

Financial service operators

Financial service operators – such as banks, insurance companies, and financial instrument business operators – are subject to supervisory guidelines issued by the Financial Services Agency (FSA). As the use of third‑party cloud services constitutes outsourcing, operators must implement outsourcing management measures, including conducting due diligence on the provider, entering into a compliant service agreement, and auditing the provider. In practice, institutions in the financial sector also refer to the Guide to Cloud Implementation and Operation of Financial Institutions published by the Centre for Financial Industry Information Systems (FISC).

Healthcare information

The healthcare sector (including hospitals, clinics, dentists, and pharmacies) is regulated by the Security Guidelines for Medical Information issued by the Ministry of Health, Labour and Welfare. Cloud service providers supporting the healthcare industry are subject to the Security Guidelines for Information Service Providers for Medical Information issued by METI and MIC. These guidelines contain both mandatory requirements and recommended best practices.

Interim Report Regarding AI Legislation (Revised Version)

On 1 September 2025, the Act on the Promotion of Research, Development, and Utilization of Artificial Intelligence Technologies (the “AI Act”) came into force. This marks Japan’s first comprehensive statutory framework specifically addressing AI. Until now, AI‑related legal issues in Japan had largely been governed by non‑binding measures such as the government’s AI Guidelines for Businesses. As enacted, the AI Act establishes foundational principles for the research, development, and use of AI technologies and assigns national and local governments responsibility for implementing measures aligned with these principles.

Under the AI Act, a new governmental body, the “Artificial Intelligence Strategy Headquarters”, was created. On 23 December 2025, this headquarters formulated the AI Fundamental Plan, outlining policy directions for promoting AI development and utilisation. Much of the Act functions as a basic law: it articulates principles and governmental policy directions rather than creating detailed regulatory obligations.

Regarding private-sector responsibilities, the AI Act requires AI‑utilisation businesses to co-operate with AI‑related initiatives led by the national and local governments. However, unlike the EU AI Act – which imposes extensive obligations and significant penalties on private entities – Japan’s AI Act places relatively limited obligations on businesses. Even so, the Act empowers the government to issue guidance, advice, and information to AI‑utilisation businesses and to take necessary measures where appropriate. This suggests that the government may provide guidance in cases of serious misconduct or noncompliance. Notably, the Act includes no penal provisions for violations.

Product Liability and General Tort Liability

Under the Product Liability Act (PL Act), producers of manufactured or processed movable goods are strictly liable for damage to life, body, or property caused by defects in those goods, regardless of negligence.

Because big data, machine learning systems, and AI themselves are not considered movable goods, their producers are not directly subject to the PL Act. Instead, liability falls on producers of movable goods into which such technologies are embedded. These producers are responsible for damages caused by defects in the final product, including defects arising from the installed AI systems.

Producers of big data, machine learning systems, or AI may, however, be liable under Japan’s general tort framework in the Civil Code. Unlike strict liability under the PL Act, general tort liability requires plaintiffs to prove that the defendant acted intentionally or negligently (including simple negligence).

Autonomous Vehicle Accident Liability

Under the Act on Securing Compensation for Automobile Accidents, individuals who control or operate an automobile for their own benefit (eg, owners or drivers) are deemed “responsible persons” and are liable for damages resulting from death or bodily injury caused by automobile operation. This liability does not apply if the responsible person proves that:

• they and the driver exercised due care in controlling and operating the automobile;
• the injured party or a third party (other than the driver) acted intentionally or negligently (including simple negligence); and
• there was no structural or functional defect in the automobile.

A central issue is whether this liability framework should be updated to address accidents involving AI‑operated vehicles – for example, by shifting liability to automobile manufacturers. In March 2018, the Ministry of Land, Infrastructure and Tourism published the Research Report on Damage Liability regarding Autonomous Vehicles. It concluded that the existing liability system should remain unchanged during the transitional period until 2025, when autonomous vehicles were expected to see widespread adoption. The report recommended that insurers who compensate for damages arising from defects in autonomous driving equipment should be able to seek reimbursement from the manufacturers responsible for the defective AI‑driving equipment.

Based on these recommendations, the Japanese Road Transport Vehicle Act was amended in May 2019 to require autonomous driving equipment to include recording devices capable of providing insurers with evidence regarding the cause of accidents.

Data Protection Considerations

Japan’s APPI does not impose AI‑specific restrictions on the processing of personal information. Instead, it requires handling operators using personal information databases to use personal data only within the scope of the stated purpose of use, which must be notified to data subjects or publicly announced at the time of collection. Accordingly, machine learning that uses personal information generally needs to be included in the announced purpose of use.

Creating statistical data through aggregation or analysis of large amounts of personal information typically does not require notification. However, profiling activities – such as targeted advertising, credit scoring, or user‑journey analytics – must be notified or publicly announced.

If personal data is pseudonymously processed, handling operators may internally use that pseudonymously processed information beyond the originally notified purpose of use. This allows pseudonymised data to be used for machine learning even if machine learning was not part of the initial stated purpose.

In June 2023, the PPC issued guidance for users and providers of generative AI. Users were advised not to input personal data into generative AI unless doing so falls within the originally notified purpose of use and there is assurance that the input will not be used for machine learning. Providers were advised not to collect sensitive data – except with consent – and to disclose their purposes of use to data subjects.

Copyright Considerations

Machine learning may involve copying or adapting copyrighted works, which can potentially infringe copyright. To support AI development, Article 30‑4 of the Copyright Act provides an exemption allowing copyrighted works to be used to the extent necessary if:

• (i) the use does not aim to allow the user or others to enjoy the thoughts or sentiments expressed in the work; and
• (ii) the use does not unjustifiably harm the copyright owner’s interests, considering the nature and purpose of the work and how it is being used.

This exemption covers uses such as extracting informational elements from a large volume of copyrighted or other works, conducting analysis, and supporting statistical processing. The 2019 copyright amendment clarified that the exemption applies to deep learning and to transmissions necessary for grid computing.

With the surge in generative AI, copyright holders have raised concerns about free riding. In July 2024, the Agency for Cultural Affairs issued General Understanding of AI and Copyright in Japan, which examines potential copyright risks across:

• AI development and training; and
• AI‑generated content creation and use.

The report notes that if AI is trained with the intention of producing content similar to the copyrighted works it was trained on, requirement (i) of the exemption is not satisfied, and such use may constitute infringement. The Agency has stated it will continue monitoring technological developments and global trends, and may update the report accordingly.

Protection of “Shared Data With Limited Access”

To promote data sharing and increase business use of big data, amendments to the Unfair Competition Prevention Act introduced protection for “shared data with limited access”. This category covers technical or business information that:

• is accumulated in a reasonable amount by electronic means;
• is provided to specified persons as a business; and
• has its access controlled electronically.

Previously, information also controlled as a secret was excluded from this protection, but under a 2023 amendment effective April 2024, such information can be protected as shared data with limited access so long as it is not otherwise protected as a trade secret.

A common example is location data from smartphones or cars collected by a business operator (the data holder) and sold to third‑party businesses for a fee – or shared within a consortium – under restrictions prohibiting redistribution or use beyond agreed purposes (eg, internal marketing analysis). If such data is wrongfully acquired, redistributed, or used for unauthorised purposes, the data holder may seek an injunction and damages under the Act.

Internet of Things (IoT) Devices

Under the Radio Waves Act (RWA), users of radio equipment – including IoT devices that rely on radio waves such as Bluetooth or Wi‑Fi – are in principle required to obtain a radio station licence from the Ministry of Internal Affairs and Communications (MIC). However, certain small‑scale radio stations, such as typical Wi‑Fi and Bluetooth devices, are exempt from this licence requirement if the device meets the technical standards set by MIC and bears a certification mark (an R‑mark) indicating conformity. To support compliance, manufacturers, importers, or sellers apply for a certificate of conformity and affix the R‑mark to their products.

Radio equipment that has already undergone technical conformity certification by foreign certification bodies under mutual recognition agreements between Japan and several foreign jurisdictions (currently the USA, the EU, the UK, and Singapore) is treated as meeting MIC technical standards. Such devices may bear an R‑mark in Japan without undergoing a separate domestic certification process.

There is also an exemption from the certification requirement for devices used solely for testing purposes, provided the device conforms to technical specifications designated by MIC (such as IEEE 802.11b/11a/11g/11n/11ac/11ad or Bluetooth Core Specification Version 2.1 or later). To rely on this exemption, a notification must be submitted to MIC specifying the start and end dates of the testing period, which must not exceed 180 days. Before submitting the start notification, the user must ensure that the device complies with at least one of the designated technical specifications.

Under the Telecommunications Business Act (TBA), any telecommunications device connected to a telecommunications circuit facility – such as an internet connection provided by a telecommunications operator – must satisfy specific technical requirements, be certified by a registered certification body, and display a T‑mark. However, Bluetooth and Wi‑Fi devices may be exempt from this T‑mark requirement if they satisfy the conditions set out in MIC’s guidelines (latest version: 3rd edition, dated 1 October 2025).

Secrecy of Communications

The TBA requires that the secrecy of communications be strictly protected. Any “infringement” of the “secrecy of communications” without the “consent” of the parties involved constitutes a violation of the Act.

“Secrecy of communications” includes:

• the content of individual communications; and
• all of the following information related to an individual communication, where knowledge of such information would allow inference of the communication’s content:
1. the date and time of the communication;
2. the location of the communication;
3. the names, addresses, and whereabouts of the communicating parties;
4. identifiers for the communicating parties (eg, telephone numbers); and
5. the frequency of communication.

Notably, the TBA does not include an exemption for machine‑to‑machine communications.

JC‑STAR

On 30 September 2024, the Information‑Technology Promotion Agency (IPA) published the “Labeling Scheme based on Japan Cyber‑Security Technical Assessment Requirements (JC‑STAR)”. This scheme is not legally binding. Its primary purpose is to help procurers – including government agencies and private companies – identify IoT products that satisfy required security standards and to encourage broader adoption of devices with appropriate security measures.

The main objectives of JC‑STAR are:

• to assess and visualise the security features of products procured by organisations using a common and easily understood standard;
• to ensure that IoT products with sufficient security measures are adopted in specific fields; and
• to reduce the burden on vendors exporting IoT products by enabling mutual recognition with equivalent schemes overseas.

There are no specific regulations governing the deployment of IoT solutions. However, it is necessary to assess whether providing IoT solutions qualifies as a telecommunications business that requires a licence (see 6.1 Scope of Regulation and Pre‑Marketing Requirements), and whether the devices used in such IoT solutions qualify as radio‑station operations that also require a licence (see 4.1 Machine‑to‑Machine Communications, Communications Secrecy and Data Protection).

In addition, when IoT solutions are deployed by essential infrastructure providers under the Act on the Promotion of National Security, those providers may be required to submit a written plan to the regulator for review prior to deployment. For further details, see 2.1 Highly Regulated Industries and Data Protection.

If an IoT device collects personal information – such as appearance data recorded by a camera or voice recordings that enable the identification of an individual – the service provider that gathers this personal information through the IoT device is generally required to comply with the APPI.

The government’s Digital Administrative Reform Headquarters formulated a basic policy on the framework for data utilisation systems on 13 June 2025. This policy outlines efforts to establish a data utilisation framework that enables seamless data sharing and supports the adoption of AI. A bill reflecting these initiatives is scheduled to be submitted to the Diet in 2026.

Licences for Broadcasting Businesses

As described in 6. Telecommunications, a telecommunications business under the TBA does not include broadcasting businesses, which are regulated separately under the Broadcasting Act. However, the key regulator for both telecommunications and broadcasting businesses is the Ministry of Internal Affairs and Communications (MIC).

The Broadcasting Act requires companies to obtain a broadcasting licence before providing broadcasting services in Japan. These services include:

• terrestrial television broadcasting;
• satellite television broadcasting; and
• cable television broadcasting.

The Broadcasting Act does not apply to companies that operate video-sharing platforms or streaming services, and there is currently no specific legislation regulating such platforms.

The Broadcasting Act also imposes restrictions on foreign investment in the broadcasting industry. The following entities or individuals are ineligible to hold a broadcasting licence:

• a person who is not a Japanese national;
• a foreign government or its representative;
• a foreign entity; and
• any company or entity in which any of the above holds an executive director position or possesses 20% or more of the voting rights.

Licences for Radio Stations

As described in 4.1 Machine-to-Machine Communications, Communications Secrecy and Data Protection, users of radio equipment must obtain a radio station licence under the Radio Waves Act (RWA), unless a specific exemption applies. Therefore, providers of broadcasting services that utilise radio equipment must obtain licences under both the Broadcasting Act and the RWA.

As noted in 6. Telecommunications, the RWA includes restrictions on foreign investment in relation to licences for the use of radio equipment. While certain exceptions to these restrictions exist, they do not apply when the radio equipment is used for broadcasting businesses.

Licences for Telecommunications Businesses

Under the TBA, telecommunications refers to sending, delivering, or receiving codes, sounds, or pictures by wire, wireless means, or any other electromagnetic means, including the internet. Broadcasting businesses, however, are expressly excluded from this definition.

The TBA requires businesses to obtain a licence before providing telecommunications services in Japan. There are two types of licences:

• registration (toroku); and
• notification (todokede).

A provider that installs or owns telecom circuits – such as fibre‑optic or coaxial cables, including ownership through an indefeasible right of use (IRU) – must obtain a registration. Other providers that do not install such circuits (for example, ISPs) are generally required only to submit a notification to the MIC before offering services.

To provide telecommunications services, a party must submit the necessary application documents to the MIC. For a registration, the provider must also appoint a general manager for telecommunications facilities (denki tsūshin setsubi tōkatsu kanri sha) or a chief telecommunications engineer (denki tsūshin shunin gijutsu sha).

A notification is comparatively straightforward and typically takes only a few days if all required documents are complete. The filing fee for a registration is JPY150,000, while notifications carry no fee. There is no licence term or annual fee for either registration or notification. It is generally advisable to consult informally with the MIC before filing an official application.

Licences for Radio Stations

As noted in 4.1 Machine‑to‑Machine Communications, Communications Secrecy and Data Protection, users of radio equipment must obtain a radio station licence under the RWA, with certain exceptions. Therefore, if a telecommunications service provider uses radio equipment to deliver its services, it must obtain licences under both the TBA and the RWA.

The RWA imposes restrictions on foreign investment when obtaining a radio station licence. The following entities or individuals are not eligible to hold such a licence:

• non‑Japanese nationals;
• foreign governments or their representatives;
• foreign entities; and
• companies or entities in which any of the above persons or entities either serve as executive directors or hold one‑third or more of the voting rights.

However, there are exceptions. Notably, if the radio equipment is used to operate a telecommunications business, these foreign ownership restrictions do not apply.

A radio station licence is valid for five years. Annual fees also apply for the use of radio frequencies. Both the application fee and the annual frequency‑use fee vary depending on factors such as the type of radio frequency and the antenna power of the radio equipment.

There are currently no rules that specifically ensure network neutrality. However, in April 2019, the MIC released an Interim Report addressing this issue. The report emphasised the importance of establishing rules regarding bandwidth control, priority control, and zero‑rating services, based on the principle that users must have fair access to the network.

In response, a council composed of five associations – the Japan Internet Providers Association, the Telecommunications Carriers Association, the Telecom Services Association, the IPoE Council, and the Japan Cable and Telecommunications Association – revised their packet‑shaping guidelines in December 2019 to align with the Interim Report. The revised guidelines state that, generally, packet‑shaping violates the TBA because it infringes on the secrecy of communications protected by the Act. However, packet‑shaping may be permitted in exceptional circumstances, such as when heavy‑traffic users prevent general users from accessing the network, or when a specific application is consuming an excessive amount of bandwidth. The guidelines also specify that telecommunications operators must inform users – through their service terms and conditions – about the possibility of packet‑shaping and the circumstances under which it may occur.

Additionally, in March 2020 the MIC released guidelines on zero‑rating services. These guidelines outline scenarios in which zero‑rating may violate the TBA, such as cases involving unjustified differential treatment of users or potential breaches of communication secrecy. The purpose is to help zero‑rating service providers avoid possible violations.

Although these guidelines are not legally binding, the MIC’s working group continues to monitor how telecommunication service providers handle packet‑shaping and zero‑rating services to ensure they follow the guidelines.

While businesses in the TMT sector must continue to comply with laws that predate the emergence of new technologies – such as the RWA for hardware and the TBA for telecom services – they also need to monitor new regulations and guidelines issued periodically by various regulators. These new regulatory measures are often closely aligned with, or inspired by, frameworks adopted in other jurisdictions. For example, JC‑STAR (see 4.1 Machine‑to‑Machine Communications, Communications Secrecy and Data Protection) was introduced following developments such as the EU’s Cyber Resilience Act. Because emerging technologies frequently prompt regulatory updates and policy discussions around the world, the legal framework governing the TMT sector is expected to remain in a constant state of evolution.

Technology Agreements

There are no specific laws or regulations that apply exclusively to technology agreements, nor are there strict rules governing data‑storage location, data‑centre placement, data‑localisation, or price revision. Instead, general contract law – based on the mutual intent of the contracting parties – applies to IT service agreements.

When including a liability‑limitation clause in a contract, parties should keep the following in mind.

• In agreements between a company and a consumer, a liability‑limitation clause may be invalidated under the Consumer Contract Act (CCA).
• Although the CCA does not apply to agreements between companies, case law may still invalidate a clause that exempts a party from liability for intentional misconduct or gross negligence.

Data Localisation

Japan has no binding data‑localisation requirements. However, certain sectors, such as the medical field, are subject to guidelines recommending that data be stored in locations where Japanese law applies – typically within Japan. While these guidelines are not legally mandatory, they are generally followed in practice by the relevant industries.

AI

In February 2025, the Ministry of Economy, Trade and Industry published an “AI Use and Development Contract Checklist” designed to be easily used by Japanese businesses. Its purpose is to support balanced allocation of benefits and risks between parties and to promote broader utilisation of AI, particularly in response to recent market developments such as the rapid spread of generative AI.

Economic Security

Under the Act on the Promotion of National Security through Integrated Economic Measures, essential infrastructure operators must submit a plan to the government before introducing, or outsourcing the management of, certain important equipment. The government reviews these plans and may issue recommendations or orders requiring entities to modify or discontinue them if security concerns are identified.

When contracting with designated essential infrastructure providers in Japan, this Act must be taken into account. Contracts will require risk‑management measures, including those related to cybersecurity.

In March 2024, the Cabinet Office released a draft set of reference contractual provisions as a resource for organisations subject to these requirements.

The specific elements included in telecommunications service agreements depend on the type of telecommunication service being provided, and there are no universally mandated components.

Businesses are generally required to adhere to the standard terms and conditions established by major cloud service providers. In practice, it is often difficult to negotiate special provisions or deviations from these standard terms.

Telecommunications carriers are obligated to comply with interconnection requests and cannot refuse them (TBA, Article 32). Carriers that install Type I designated telecommunications facilities must obtain approval from the MIC for their interconnection agreements and make these agreements publicly available. Similarly, carriers that install Type II designated telecommunications facilities must submit their interconnection agreements to the MIC and also make them public.

However, only NTT West and NTT East install Type I designated telecommunications facilities, while the installation of Type II designated telecommunications facilities is primarily carried out by mobile service providers.

Electronic Signatures

Japan does not have a comprehensive framework equivalent to the EU’s eIDAS regulation for electronic identification and trust services. However, under the Act on Electronic Signatures and Certification Business (the Electronic Signatures Act), an “electronic signature” is granted the same legal status as a handwritten (wet‑ink) signature.

An “electronic signature” is defined as an electronic measure applied to digitally recorded information that satisfies both of the following conditions (Article 2):

• it indicates that the relevant electronic information was created by the person who applied that measure; and
• it ensures that the relevant information has not been altered.

Although government authorisation is not required to provide electronic signature services, nine service providers have received confirmation from the Digital Agency that they satisfy the statutory requirements under Article 4, paragraph 1 of the Electronic Signatures Act.

It is important to note that the Legal Affairs Bureau, which manages real property and company registration systems, does not accept all electronic signatures. While electronic filing is generally permitted, only electronic signatures designated by the Minister of Justice are accepted for these registrations.

Time Stamp

Japanese law does not generally require documents to include time stamps, except for records related to national tax matters that are electronically stored. Under the Electronic Book Preservation Act, both scanned data of paper-based national tax documents and originally electronic national tax documents must include a time stamp before electronic storage, unless substitute measures specified by the Act’s ordinance are used.

Providers of time stamps must ensure proof of non‑tampering for the duration of the statutory storage period and must enable batch verification for each taxable period. Although authorisation is not mandatory for issuing time stamps, time stamps compliant with the Electronic Book Preservation Act must be issued by service providers accredited by the Ministry of Internal Affairs and Communications (MIC). To obtain accreditation, time stamps must meet the requirements set out in a Public Notice issued by MIC, and compliance is assessed by the Japan Data Communications Association, a private organisation. As of March 2025, six time stamp service providers had been accredited by MIC.

Electronic Seal

MIC recommends the use of electronic seals by private‑sector organisations to certify authenticity and prevent fraud. To support this, MIC published implementation procedures for accrediting electronic seal services in March 2025, and accreditation is expected to begin in or before March 2026.

Japanese Public Key Infrastructure (JPKI)

For tax and social welfare purposes, every individual residing in Japan – regardless of nationality – is assigned a unique identification number. This number may only be used for statutorily defined purposes such as tax and social welfare, and its collection and use by the private sector is strictly limited.

However, the identification card issued to each individual contains a digital certificate, known as the Japanese Public Key Infrastructure (JPKI), which private‑sector businesses may use for online identity verification. This digital certificate can also be embedded into smartphones.

Businesses may verify the certificate through the revocation list or the Online Certificate Status Protocol (OCSP) service provided by the Japan Agency for Local Authority Information Systems (J‑LIS). To do so, they must obtain authorisation from the Minister of MIC or outsource verification to an authorised service provider.

A significant number of financial service providers use JPKI to satisfy Know Your Customer (KYC) requirements, as it is more time‑efficient and cost‑efficient than traditional KYC processes. Additionally, Japanese drivers’ licences contain IC chips that can also be used for KYC purposes.

eKYC in the Financial Sector

Financial institutions and other service providers subject to KYC requirements have commonly relied on smartphone applications that capture a selfie (often with a random pose) alongside a digital image of a government‑issued ID card. However, this method has been criticised for being insufficiently robust.

In response, the National Police Agency amended the rules on KYC in June 2025. Under the revised rules, the use of JPKI or the IC chips embedded in government‑issued ID cards will become mandatory for KYC procedures starting in April 2027.

Overview

While Japan does not have a single comprehensive law regulating the game industry, several specific regulations apply to game developers and should be carefully considered.

Prohibition of Gambling

The Penal Code prohibits gambling, which is defined as competing for the gain or loss of property or financial benefits based on the outcome of chance events. For example, if a game charges players and randomly grants non‑fungible tokens (NFTs) in return, the system must ensure that every player receives tokens with a value equal to or greater than the amount paid. No player may be put at a financial disadvantage purely because the reward was determined at random. The Guidelines on Blockchain Games, jointly issued by three game industry associations, provide additional clarity on how to design game mechanics that avoid constituting gambling.

Prohibition of Multi‑Tier Loot Boxes

Many mobile games allow players to obtain items at random in exchange for payment. This general “loot box” mechanic is not fully prohibited. However, in 2012, the Consumer Affairs Bureau declared that “multi‑tier loot boxes” violate the Act against Unjustifiable Premiums and Misleading Representations. Before this prohibition, games often rewarded players with additional items when they collected a complete set of randomly drawn items, which encouraged repeated spending. This practice is now banned. Under current rules, an item may still be granted at random when a loot box is drawn, but developers cannot award extra items based on the player’s collection history.

Payment Services Regulations

If in‑game currencies or items are purchased and do not expire within six months, they may be classified as prepaid payment instruments under the Payment Services Act. When the total purchased but unused balance exceeds JPY10 million on either 30 September or 31 March, the developer must file with the Financial Services Agency (FSA) and deposit 50% of the unused amount with the government. To avoid falling under these requirements, in‑game currencies and items should be designed to expire within six months of purchase.

Crypto-Asset Regulations

If players can earn tokens within a game, developers must consider whether these tokens could be regulated as crypto-assets. According to administrative guidelines issued by the FSA, two conditions help ensure that in‑game tokens are not treated as crypto-assets:

• the game’s terms of use must prohibit using the tokens for payment; and
• the minimum unit value must be sufficiently high, or the ability to divide tokens into small fractions must be limited.

Prohibition of Gambling

The prohibition on gambling under the Penal Code is primarily enforced by the National Police Agency. Gambling is punishable by a criminal fine of up to JPY500,000, while engaging in gambling on a continuous basis may result in imprisonment for up to three years. In practice, because online gambling websites are typically operated from outside Japan, enforcement tends to focus on players using overseas gambling services and the payment service providers involved, rather than on the foreign operators themselves.

Prohibition of Multi‑Tier Loot Boxes

The Consumer Affairs Bureau enforces the Act against Unjustifiable Premiums and Misleading Representations. Although multi‑tier loot boxes are not directly subject to criminal penalties, the Bureau may issue corrective orders in cases of violations. See 9.1 Regulations for further details on multi‑tier loot boxes.

Payment Services and Crypto-Asset Regulations

The Financial Services Agency (FSA) enforces the Payment Services Act. Failure to file with the FSA before issuing a payment instrument may result in imprisonment for up to six months or a criminal fine of up to JPY500,000. Additionally, operating a crypto‑asset business without registering with the FSA is punishable by imprisonment for up to three years or a criminal fine of up to JPY3 million.

User‑Generated Content

Game players may engage in creative activities within a game, and they may obtain copyright protection for the works they create, depending on the platform’s terms of use. When copyright is granted to the player, any third party wishing to make secondary use of such user‑generated content must obtain a licence from the player who holds the rights.

From April 2026, an amendment to the Copyright Act will introduce a state‑licensing scheme that permits secondary use of published creative works when reasonable efforts to obtain a licence have failed and there is no clear indication that the copyright holder refuses the secondary use.

Design Imitation

To protect the interests of design owners, the Unfair Competition Prevention Act was amended in 2023. Beginning in April 2024, the Act prohibits the provision of data via telecommunications that imitate another party’s product design.

Trade Mark

Because the classifications of goods and services differ between the real world and virtual environments, trade marks registered for real‑world goods are generally not protected in virtual settings unless they are also registered for virtual goods and services.

With an increasing number of brand‑owning companies now filing trade‑mark applications specifically for virtual items and services, game developers must exercise greater caution when using third‑party trade marks in virtual environments.

Publicity Rights

An avatar may be created using the image of a public figure. According to judicial precedent (Supreme Court, 2 February 2012), publicity rights arise when a public figure’s name or image has the power to promote the sale of goods, and those rights are infringed when the name or image is used solely for sales promotion.

Therefore, an avatar based on a public figure cannot be used for commercial promotion, but no infringement occurs when a user generates such an avatar solely for personal satisfaction or personal use.

Telecommunication Business Act

Certain social networking services (SNS) fall under the scope of the Telecommunication Business Act (TBA). For example, SNS platforms that provide direct messaging functions are required to file a notification under the TBA.

Additionally, even if an SNS does not offer direct messaging, some service providers operating SNS platforms with more than 10 million users – classified as providing “equivalent to intermediary telecommunications services” – have been designated by the Ministry of Internal Affairs and Communications (MIC) as being required to submit a notification under the TBA. For more details on the notification procedure, see 6.1 Scope of Regulation and Pre‑Marketing Requirements.

Information Distribution Platform Act

In 2024, the “Act on Dealing with Infringement of Rights Caused by Information Distribution via Specified Telecommunications” (Information Distribution Platform Act) was enacted as an amendment to the “Act on the Limitation of Liability for Damages of Specified Telecommunications Service Providers and the Right to Demand Disclosure of Identification Information of the Senders” (Provider Liability Limitation Act). The amended law came into effect on 1 April 2025.

To address the increasing spread of illegal or harmful information online (eg, slander and libel), the new Act imposes obligations on platform operators above a certain scale. These obligations include:

• establishing and publicly disclosing methods for individuals who believe their rights have been infringed to request removal of relevant posts (Article 22);
• investigating alleged rights infringements upon receiving a request, making a decision within 14 days, and appropriately notifying the requester of the result (Articles 23 and 25); and
• establishing and publicly disclosing criteria for deleting posts (Article 26).

The name of the law was amended to reflect its broader scope, which now extends beyond mediation of sender identification disclosure – previously one of the law’s primary functions.

Countermeasures Against Disinformation and Misinformation

On 10 September 2024, the MIC released the Summary of the Study Group on Ensuring the Soundness of Information Distribution in Digital Spaces. This document outlines the risks and challenges associated with disinformation and misinformation in digital environments and proposes measures to enhance the reliability of information distribution. Although the Summary is not legally binding, it may guide future legislative developments.

The Summary sets out a series of “basic principles” that outline the responsibilities and roles of various stakeholders in managing risks related to information dissemination.

To support wide‑ranging public and private initiatives aimed at improving user literacy, the MIC launched the “Digital Positive Action” awareness‑raising project in January 2025. This initiative is led by the ministry and involves collaboration across both public and private sectors.

See 1.2 Key Challenges, 6.1 Scope of Regulation and Pre‑Marketing Requirements, and 10.1 Laws and Regulations for Social Media.

Social media operators are often classified as telecommunications business carriers under the TBA. As a result, the MIC frequently assumes regulatory responsibility in this area. The MIC has the authority to issue guidance to service providers that fail to comply with the TBA. If such guidance is not followed, the MIC may escalate its response by issuing business improvement orders.

In recent years, the MIC has taken enforcement actions against several social media service providers. For example, where unauthorised access has led to the leakage of user information – including breaches affecting the confidentiality of communications – the MIC has required service providers to take measures to safeguard communication confidentiality and strengthen their cybersecurity frameworks.

Applicable Laws and Guidelines

In the telecommunications sector, data privacy is primarily governed by the APPI. Telecommunications carriers are also required under the TBA to protect the secrecy of communications. Sector‑specific guidance is provided by the Guidelines on the Protection of Personal Information in the Telecommunications Business, jointly issued by the PPC and the MIC. These guidelines play a crucial role in practice by explaining how the general principles of the APPI apply within telecommunications services.

In addition, certain large‑scale telecommunications providers are subject to enhanced governance obligations to safeguard the secrecy of communications and user information – such as login credentials and communication records – classified as Specified User Information under the TBA. For example, when these providers outsource the handling of Specified User Information to third‑party vendors (including cloud service providers), they must establish internal rules for supervising such vendors. If vendors are located overseas or rely on foreign servers, providers must also publicly disclose the country involved and indicate whether that jurisdiction has legal frameworks that could affect proper handling of the Specified User Information.

Key Practical Challenges

In practice, the secrecy of communications is considered a constitutionally protected right in Japan and is therefore subject to particularly strict safeguards. As a general rule, acquiring, using, or disclosing information that falls within the scope of the secrecy of communications is unlawful unless a valid legal justification exists. Telecommunications providers must always identify a clear legal basis when handling such information.

Cross‑Border Data Transfers

Cross‑border data transfers are regulated under the APPI, which requires either consent from the data subject or the implementation of measures ensuring that the recipient maintains a level of protection equivalent to that provided under the APPI. No additional cross‑border transfer rules apply specifically to telecommunications providers.

Lawful Interception and Privacy

Telecommunications providers must strictly protect the secrecy of communications. Any interference with this secrecy requires either the consent of the communicating parties or a lawful statutory basis. Law enforcement authorities are not exempt from this requirement: communication interception for investigative purposes requires prior judicial authorisation, typically through a warrant issued under the Act on Wiretapping for Criminal Investigation.

Impact of Evolving Data Privacy Regulations on Infrastructure

Even before the introduction and subsequent amendments of the APPI, the secrecy of communications under the TBA had long been subject to strict protection. As a result, evolving data privacy regulations have not, in practice, significantly hindered innovation within telecommunications infrastructure services.

External Transmission Rules Under the TBA

In addition to the APPI, digital media and streaming service providers in Japan must also comply with the external transmission rules set out under the TBA. These rules apply to providers of certain telecommunications services, such as messaging platforms, social networking services, search services and online content platforms.

When these providers transmit users’ cookies, device identifiers or similar information to third parties through browsers or applications, they are required to either notify or publicly disclose – in advance – the specific details of the information being transmitted, the recipients and the purposes for which the information will be used. In some situations, they may instead be required to obtain users’ consent.

Although these rules do not directly regulate advertisers, they can still apply when advertising delivery or access analytics are carried out through online services.

Other Security-Specific Regulations

At present, there are no additional cybersecurity regulations that apply specifically or uniquely to digital media or streaming service providers beyond the general legal framework described in this chapter.