This country-specific Q&A provides an overview of technology laws and regulations that may apply in Japan.
It will cover communications networks and their operators, databases and software, data protection, AI, cybersecurity as well as the author’s view on planned future reforms of the technology market.
This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/technology
Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?
Telecommunications services (including businesses that provide telecommunications services) are regulated by the Telecommunication Business Act (the Telecom Act), which came into effect in 1985 when the telecommunications market of Japan was liberalised. The Wire Telecommunications Act and the Radio Act also regulate the establishment and operation of telecommunications facilities. Broadcasting is separately regulated by the Broadcasting Act.
Telecommunications services are defined as certain services that intermediate communications of third parties through the use of telecommunications facilities or that otherwise provide telecommunications facilities for the use of communications by third parties. Telecommunications facilities are broadly defined to include machines, equipment, wires and cables or other electrical facilities for the operation of telecommunications.
Under the Telecom Act, any person who intends to operate a telecommunications business must obtain registration from the Minister of Internal Affairs and Communications (MIC), except in cases where (i) it installs no telecommunications circuit facilities, (ii) it only installs small-scale telecommunications circuit facilities (i.e., the relevant telecommunications facilities remain within a certain local area), or (iii) it installs radio facilities of radio stations which separately require a license under the Radio Act. In these exceptional cases, such person must file a notification with the MIC (instead of obtaining registration from the MIC).
Is there any specific regulator for the provisions of communications-related services? Are they independent of the government control?
Telecommunication services are administered by the MIC. The MIC is a government regulatory body and as such is not independent of government control.
Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?
Under the Telecom Act, there are no regulations that require a telecommunications carrier (i.e., any person who has obtained registration or has filed a notification to operate a telecommunications business under the Telecom Act) to be domiciled in Japan.
Under the Act on Nippon Telegraph and Telephone Corporation, Etc., one-third or more of the total number of the issued shares of Nippon Telegraph and Telephone Corporation (NTT Corporation) must be held by the Japanese government, and the aggregate voting rights of shares in NTT Corporation held directly or indirectly by (i) any person who does not have Japanese nationality, (ii) any foreign government or its representative or (iii) any foreign juridical person or entity (subject to the calculation method of indirectly held voting rights under the Act) may not exceed one-third of the total voting rights of the issued shares of NTT Corporation. There are also certain restrictions on foreign ownership under the Radio Act and the Broadcasting Act.
Furthermore, certain direct inward investments into Japan (e.g., acquisition of 10% or more of a listed company in Japan or any shares of an unlisted company in Japan) by foreign investors in the area of telecommunications business are subject to a prior filing requirement under the Foreign Exchange and Foreign Trade Act and could be subject to an order of the Japanese government to change or stop the transaction (although no such order has ever been reported in the area of telecommunications business).
Are there any regulations covering interconnection between operators? If so are these different for operators with market power?
Under Article 32 of the Telecom Act, all telecommunications carriers must accept a request from another telecommunications carrier to interconnect the facilities of the requesting carrier with the circuit facilities that the requested carrier installs, except where (i) the interconnection is likely to hinder telecommunications services from being smoothly provided, (ii) the interconnection is likely to unreasonably harm the interests of the requested carrier, or (iii) there are justifiable grounds specified by an Ordinance of the MIC.
In addition, there are specific regulations on telecommunications carriers who install basic and important telecommunications facilities as designated by the MIC. Such designated carriers are obligated to establish interconnection tariffs concerning the amount of money that a carrier will receive and the technical conditions required at the points of interconnection with other carriers’ facilities. Such interconnection tariffs must be authorised by the MIC (in the case of fixed line facilities) or must be submitted to the MIC prior to implementation of the interconnection tariffs (in the case of mobile facilities).
What are the principal consumer protection regulations that apply specifically to telecoms services?
The Telecom Act provides certain consumer protection regulations, which include:
(i) review of tariffs by the MIC;
(ii) obligation of the carrier to explain terms and conditions;
(iii) obligation of the carrier to deliver certain explanatory documents;
(iv) consumer’s right to terminate the contract;
(v) certain prohibited conduct of the carrier (e.g., intentional failure to disclose or misrepresentation of material information about the contract, or continuous solicitation of users who have already refused); and
(vi) obligations of the carrier to provide proper guidance to sales intermediaries.
What legal protections are offered in relation to the creators of computer software?
Under Japanese law, computer software may be legally protected by patents and copyrights.
Under the Patent Act, a computer program, including any information that is to be processed by a computer and equivalent to a computer program, can be protected where the software program fulfils the requirements of an invention, which is defined as a highly advanced creation of technical ideas utilizing the laws of nature.
While patents protect the ideas of computer software, copyrights protect the expression of those ideas. Copyrights provide the copyright owners of certain works (including computer programming works) with certain exclusive rights, including the right to reproduce, distribute, transfer and create derivative works of the software. Registration is not required to secure copyrights or exercise copyrights against third parties, but registration is required to assert the transfer of copyrights against third parties.
Do you recognise specific intellectual property rights in respect of data/databases?
In Japan, there are no unique intellectual property rights that protect data itself, but certain kinds of data may be protected under patents, copyrights, or trade secrets under limited circumstances. For instance, data may be protected by patents when the data exists in the form of a computer program (see question 6) or by copyrights when copyrightable works are expressed in a data format. Also, data may be protected as trade secrets under the Unfair Competition Prevention Act or by tort claim under the Civil Code.
While there are no special rights for databases, such as database sui generis rights recognised in the EU, a database that constitutes a creation in light of its selection or systematic construction of information contained therein may be protected under the Copyright Act. In addition, databases may, in certain circumstances, be protected under the Patent Act, under the Unfair Competition Prevention Act, or by tort claim under the Civil Code.
What key protections exist for personal data?
The Act on the Protection of Personal Information (the APPI) is a comprehensive, cross-sectoral framework for the protection of personal information. While the APPI regulates private businesses using personal information, use of personal information by the public sector is separately regulated by certain laws and local ordinances. The APPI is implemented by cross-sectoral administrative guidelines prepared by the Personal Information Protection Committee (the Committee). With respect to certain sectors, such as medical, financial and telecommunications, sector-specific guidance and guidelines are published by the Committee or the relevant governmental ministries given the highly sensitive nature of personal information handled in those sectors. Self-regulatory organisations and industry associations have also adopted their own policies or guidelines. In addition, the Act on Utilisation of Numbers to Identify a Specific Individual in Administrative Procedures provides special rules concerning the handling of “individual numbers”, which are granted to each resident of Japan under the Individual Social Security and Tax Numbering System (known in Japan as the “My Number System”), and other specific personal information (i.e., personal information containing any “individual number”).
The obligations of all business operators handling “personal information” include: (i) specifying and notifying the purposes for which the personal information is used and processing the personal information only to the extent necessary for achieving such specified purposes; and (ii) not using deceptive or wrongful means in collecting personal information.
In addition, business operators handling “personal data” (i.e., personal information constituting a personal information database) are subject to certain obligations, such as: (i) endeavouring to keep the personal data accurate and up to date to the extent necessary for the purposes of use; (ii) undertaking necessary and appropriate measures to safeguard personal data; (iii) conducting necessary and appropriate supervision over its employees and its service providers who process its personal data; (iv) not providing personal data to any third party without the prior consent of the relevant individual (subject to certain exemptions); (v) preparing and keeping records of third-party transfers of personal data; and (vi) when acquiring personal data from a third party other than data subjects (subject to certain exceptions), verifying the name of the third party and how the third party acquired such personal data.
Business operators handling “retained personal data” (i.e., personal data that a business operator has the authority to disclose, correct, add content to or delete content from, discontinue the use of, erase, and discontinue its provision to a third party) are required, among other things, to: (i) make accessible to the relevant individual certain information regarding the retained personal data; and (ii) respond to a request of the relevant individual to, e.g., provide a copy of retained personal data to such individual, correct, add to or delete the retained personal data, or discontinue the use of or erase such retained personal data.
The APPI imposes stringent rules for “sensitive personal information”, which includes race, beliefs, social status, medical history, criminal records and the fact of having been a victim of a crime, and disabilities.
The APPI provides for special rules for “anonymized personal data”, which must meet certain requirements under the APPI. Business operators that created or retain such anonymized personal data are subject to certain obligations (e.g., disclosure of the creation of such anonymized personal data and prohibition of re-identification) but no consent of the data subject is required for the use or provision of such anonymized personal data.
Are there restrictions on the transfer of personal data overseas?
Under the APPI, personal data may not be transferred to a third party located outside of Japan without the prior consent of the relevant individual unless:
(i) the relevant third-party transferee is located in a foreign country that the Commission considers has the same level of protection of personal information as Japan (in July 2018, the EU and Japan reportedly agreed to a mutual adequacy arrangement, but at the time of writing, no country is officially designated as such by the Committee);
(ii) the relevant third-party transferee has established a system to continuously ensure its undertaking of the same level of protective measures as personal data users would be required to take under the APPI; or
(iii) the transfer falls under an enumerated exception in the APPI.
What is the maximum fine that can be applied for breach of data protection laws?
Under the APPI, there is no administrative fine that can be applied for breach of the APPI, but criminal penalties may be imposed on business operators handling personal information under certain circumstances. The maximum criminal penalties are penal servitude of up to one year or a criminal fine of up to ¥500,000, which may be imposed if any current or former officer, employee or representative of a business operator handling personal information provides such information to a third party or steals such information from a personal information database established in connection with the business of such business operator with the purpose of providing unlawful benefits to himself or herself or third parties.
Are there any restrictions applicable to cloud-based services?
In Japan, there are no specific laws that directly prohibit, restrict or otherwise govern cloud-based services. Where the data being placed in the cloud is personal information/data, use of cloud-based services may be considered as constituting the provision of personal data to third-parties under the APPI, which requires the prior consent of the relevant individual (subject to certain exemptions depending on whether such third-parties are located in or outside of Japan) (see questions 8 and 9). However, the guidelines published by the Committee provide that the use of cloud services to store personal data does not constitute the provision of personal data to cloud service providers under the APPI as long as it is ensured by contract or otherwise that the cloud service providers are properly restricted from accessing the personal data stored in the cloud.
Aside from the personal data protection regulations, provision or use of cloud-based services may be subject to other restrictions depending on the nature of the services or the stored data, including consumer protection regulations and sector-specific guidelines in medical and financial sectors.
Are there specific requirements for the validity of an electronic signature?
As for a handwritten signature, if a document is signed or sealed by the principal or his or her agent, such document will be presumed to be authentically created under the Code of Civil Procedure. Likewise, in order for a digital record with an electronic signature by the principal to be presumed to be created authentically, such electronic signature must meet the requirements set forth under the Act on Electronic Signatures and Certification Business. There are no other specific requirements for the validity of an electronic signature.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
No transfer of employees, assets or third party contracts would occur automatically in the context of outsourcing IT services. A transfer will occur only if the parties agree to such a transfer. In the case that the parties agree to transfer a certain business (including employees, assets, third-party contracts and liabilities), and not merely an outsourcing of IT services, by way of a company split (kaisha-bunkatsu), however, employees who are primarily engaged in the transferred business but who will not be transferred, and employees who are not primarily engaged in the transferred business but who will be transferred, are entitled to certain opt-out rights concerning their non-transfer or transfer, respectively, under the Act on the Succession to Labor Contracts upon Company Split.
If a software program which purports to be an early form of A.I. malfunctions, who is liable?
In Japan, there is no clear rule on the liability for malfunctions of a software program that purports to be an early form of A.I. Theoretically, such liability may be found based on (i) strict liability under the Product Liability Act, (ii) tort under the Civil Code, or (iii) breach of contract or defective product under the Civil Code. If such software program is incorporated into certain equipment or other product and such product is found to be defective, the manufacturer of such product may be liable under the Product Liability Act. If such malfunctions were foreseeable by a party (e.g., a manufacturer or user of the software program) and the negligence (or intent) of such party is established, such party may be liable for damages flowing from a causal relationship under a tort claim, but it would heavily depend on the nature of the A.I. and the malfunctions or other circumstances whether such malfunctions were foreseeable.
What key laws exist in terms of obligations as to the maintenance of cyber security?
The key laws imposing obligations on companies to maintain cybersecurity include the Basic Cybersecurity Act and the APPI. More generally, an internal control system required under the Companies Act and the Financial Instruments and Exchange Act may, but is not necessarily required to, include the measures to maintain cybersecurity.
The Basic Cybersecurity Act provides that, in accordance with the basic principles set forth under the Act, cyberspace-related business entities (referring to those engaged in business regarding the maintenance of the Internet and other advanced information and telecommunications networks, the utilization of information and telecommunications technologies, or those involved in business related to cybersecurity) and other business entities must make a voluntary and proactive effort to ensure cybersecurity in their businesses and to cooperate with the measures on cybersecurity taken by the national or local governments.
The APPI does not directly set forth obligations to maintain cybersecurity, but the APPI and sector-specific guidelines provide rules for information security concerning personal information. For instance, under the APPI, a business operator handling personal information is required to take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security of the personal data.
What key laws exist in terms of the criminality of hacking/DDOS attacks?
The Penal Code and the Unauthorised Computer Access Prohibition Act cover the criminality of hacking/DDOS attacks. Also, the acquisition of a trade secret or a specially designated secret through an unauthorised access or the like may be subject to criminal penalty under the Unfair Competition Prevention Act or the Specially Designated Secret Protection Act, respectively.
What technology development will create the most legal change in your jurisdiction?
While it is expected that Internet of Things (IoT), artificial intelligence (AI) and robotic process automation (RPA) will continue to cause substantial changes in the legal arena, blockchain technologies have the potential to make a significant impact on various transactions (such as payment transactions and financial instruments) and will most likely create a new legal system (such as smart contracts, IP rights management and property title registrations). Such movement will entail substantial changes in laws and regulatory bodies.
Which current legal provision/regime creates the greatest impediment to economic development/commerce?
One of the greatest impediments to economic development and commerce is vertically segmented legal and regulatory systems. Although cross-sectoral, innovative businesses and services are expected to develop, the current legal and regulatory systems are still sector-oriented and rigid, which tends to create grey areas of law and inefficiency of compliance and regulations. The government initiated a study group to consider the possibility of reframing the legal and regulatory systems to address such issues.
Do you believe your legal system specifically encourages or hinders digital services?
While there exist certain issues in the legal system that could hinder digital services to some extent (see question 18), the Japanese government has adopted, and continues to consider, various measures to change the legal system to encourage digital services. For instance, the Regulatory Sandbox was introduced as one of the measures under the Act on Special Measures for Productivity Improvement for the purpose of allowing businesses to conduct demonstration tests and pilot projects quickly and collect data that may contribute to regulatory reforms.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
As mentioned above (see question 14), the current legal system can solve the legal issues associated with artificial intelligence (AI) to some extent, but there is no legislation that specifically deals with AI. Thus there remain many uncertainties related to the legal issues associated with AI (such as civil and criminal responsibilities concerning malfunctions of AI and protections of AI software and AI deliverables).