This country-specific Q&A provides an overview of the technology, media and telecom laws and regulations that may apply in Japan.
This Q&A is part of the global guide to TMT. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/practice-areas/tmt-3rd-edition/
What is the regulatory regime for technology?
See question 3.
Are communications networks or services regulated?
If so, what activities are covered and what licences or authorisations are required?
Telecommunications services (including businesses that provide telecommunications services) are regulated by the Telecommunication Business Act (the Telecom Act), which came into effect in 1985 when the telecommunications market of Japan was liberalised. The Wire Telecommunications Act and the Radio Act also regulate the establishment and operation of telecommunications facilities. Broadcasting is separately regulated by the Broadcasting Act.
Telecommunications services are defined as certain services that intermediate communications of third parties through the use of telecommunications facilities or that otherwise provide telecommunications facilities for the use of communications by third parties. Telecommunications facilities are broadly defined to include machines, equipment, wires and cables or other electrical facilities for the operation of telecommunications.
Under the Telecom Act, any person who intends to operate a telecommunications business must obtain registration from the Minister of Internal Affairs and Communications (MIC), except in cases where (i) it installs no telecommunications circuit facilities, (ii) it only installs small-scale telecommunications circuit facilities (i.e., the relevant telecommunications facilities remain within a certain local area), or (iii) it installs radio facilities of radio stations which separately require a license under the Radio Act. In these exceptional cases, such person must file a notification with the MIC (instead of obtaining registration from the MIC).
Is there any specific regulator for the provisions of communications-related services?
Telecommunication services are administered by the MIC.
Are they independent of the government control?
The MIC is a government regulatory body and as such is not independent of government control.
Are platform providers (social media, content sharing, information search engines) regulated?
There are no laws and regulations specifically targeting platform providers (e.g., social media, content sharing, and information search engines) in general, but depending on the nature of their services and roles, they might be subject to certain industry-specific laws and other regulations. For instance, social media platform providers might be regulated by the Act on the Protection of Personal Information (APPI) with respect to their handling of personal data and/or by the Telecom Act with respect to the privacy of communications between users on their platform. One notable recent movement in Japan is the enactment of the Private Lodging Business Act in 2017, under which platform providers are regulated as private lodging agents serving as brokers for private lodging services between guests and private lodging business operators (typically, landlords and lessees).
If so, does the reach of the regulator extend outside your jurisdiction?
It depends on the laws and regulations that are applicable to platform providers. Some laws and regulations (e.g., the Private Lodging Business Act and the APPI) contain a provision for extraterritorial application, which enables the regulator to enforce them against platform providers located outside of Japan. Generally speaking, however, enforcement actions vis-à-vis such platform providers located outside of Japan have not been so active.
Does a telecoms operator need to be domiciled in the country?
Under the Telecom Act, there are no regulations that require a telecommunications carrier (i.e., any person who has obtained registration or has filed a notification to operate a telecommunications business under the Telecom Act) to be domiciled in Japan.
Are there any restrictions on foreign ownership of telecoms operators?
Under the Act on Nippon Telegraph and Telephone Corporation, Etc., one-third or more of the total number of the issued shares of Nippon Telegraph and Telephone Corporation (NTT Corporation) must be held by the Japanese government, and the aggregate voting rights of shares in NTT Corporation held directly or indirectly by (i) any person who does not have Japanese nationality, (ii) any foreign government or its representative or (iii) any foreign juridical person or entity (subject to the calculation method of indirectly held voting rights under the Act) may not exceed one-third of the total voting rights of the issued shares of NTT Corporation. There are also certain restrictions on foreign ownership under the Radio Act and the Broadcasting Act.
Furthermore, certain direct inward investments into Japan (e.g., acquisition of 10% or more of a listed company in Japan or any shares of an unlisted company in Japan) by foreign investors in the area of telecommunications business are subject to a prior filing requirement under the Foreign Exchange and Foreign Trade Act and could be subject to an order of the Japanese government to change or stop the transaction (although no such order has ever been reported in the area of telecommunications business).
Are there any regulations covering interconnection between operators?
If so, are these different for operators with market power?
Under Article 32 of the Telecom Act, all telecommunications carriers must accept a request from another telecommunications carrier to interconnect the facilities of the requesting carrier with the circuit facilities that the requested carrier installs, except where (i) the interconnection is likely to hinder telecommunications services from being smoothly provided, (ii) the interconnection is likely to unreasonably harm the interests of the requested carrier, or (iii) there are justifiable grounds specified by an Ordinance of the MIC.
In addition, there are specific regulations on telecommunications carriers who install basic and important telecommunications facilities as designated by the MIC. Such designated carriers are obligated to establish interconnection tariffs concerning the amount of money that a carrier will receive and the technical conditions required at the points of interconnection with other carriers’ facilities. Such interconnection tariffs must be authorised by the MIC (in the case of fixed line facilities) or must be submitted to the MIC prior to implementation of the interconnection tariffs (in the case of mobile facilities).
What are the principal consumer protection regulations that apply specifically to telecoms services?
The Telecom Act provides certain consumer protection regulations, which include:
- review of tariffs by the MIC;
- obligation of the carrier to explain terms and conditions;
- obligation of the carrier to deliver certain explanatory documents;
- consumer’s right to terminate the contract;
- certain prohibited conduct of the carrier (e.g., intentional failure to disclose or misrepresentation of material information about the contract, or continuous solicitation of users who have already rejected it); and
- obligations of the carrier to provide proper guidance to sales intermediaries.
What legal protections are offered in relation to the creators of computer software?
Under Japanese law, computer software may be legally protected by patents and copyrights.
Under the Patent Act, a computer program, including any information that is to be processed by a computer and equivalent to a computer program, can be protected where the software program fulfils the requirements of an invention, which is defined as a highly advanced creation of technical ideas utilizing the laws of nature.
While patents protect the ideas of computer software, copyrights protect the expression of those ideas. Copyrights provide the copyright owners of certain works (including computer programming works) with certain exclusive rights, including the right to reproduce, distribute, transfer and create derivative works of the software. Registration is not required to secure copyrights or exercise copyrights against third parties, but registration is required to assert the transfer of copyrights against third parties.
Do you recognise specific intellectual property rights in respect of data/databases?
In Japan, there are no unique intellectual property rights that protect data itself; but certain kinds of data may be protected under patents, copyrights, or trade secrets under limited circumstances. For instance, data may be protected by patents when data exist as a form of a computer program (see question 6) or by copyrights when copyrightable works are expressed in a data format. Also, data may be protected as “trade secrets” under the Unfair Competition Prevention Act or by tort claim under the Civil Code.
Furthermore, to enhance the legal protection of data in order to encourage its utilization, the Ministry of Economy, Trade and Industry (METI) amended the Unfair Competition Prevention Act to include the wrongful acquisition, disclosure, use and so forth of “data for limited provision” (Protected Data) within the scope of conduct amounting to “unfair competition” under the Act. Similar to how trade secrets are protected under the Act, injunctions can also be issued and monetary damages can be awarded by a court in respect of data infringements. However, unlike trade secrets, criminal sanctions will not apply with respect to Protected Data. This amendment is scheduled to come into force on July 1, 2019.
While there are no special rights for databases, such as database sui generis rights recognised in the EU, a database that constitutes a creation in light of its selection or systematic construction of information contained therein may be protected under the Copyright Act. In addition, databases may, in certain circumstances, be protected under the Patent Act, under the Unfair Competition Prevention Act, or by tort claim under the Civil Code.
What key protections exist for personal data?
The Act on the Protection of Personal Information (the APPI) is a comprehensive, cross-sectoral framework for the protection of personal information. While the APPI regulates private businesses using personal information, use of personal information by the public sector is separately regulated by certain laws and local ordinances. The APPI is implemented by cross-sectoral administrative guidelines prepared by the Personal Information Protection Committee (the Committee). With respect to certain sectors, such as medical, financial and telecommunications, sector-specific guidance and guidelines are published by the Committee or the relevant governmental ministries given the highly sensitive nature of personal information handled in those sectors. Self-regulatory organisations and industry associations have also adopted their own policies or guidelines. In addition, the Act on Utilisation of Numbers to Identify a Specific Individual in Administrative Procedures provides special rules concerning the handling of “individual numbers”, which are granted to each resident of Japan under the Individual Social Security and Tax Numbering System (known in Japan as the “My Number System”), and other specific personal information (i.e., personal information containing any “individual number”).
The obligations of all business operators handling “personal information” include: (i) specifying and notifying the purposes for which the personal information is used and processing the personal information only to the extent necessary for achieving such specified purposes; and (ii) not using deceptive or wrongful means in collecting personal information.
In addition, business operators handling “personal data” (i.e., personal information constituting a personal information database) are subject to certain obligations, such as: (i) endeavouring to keep the personal data accurate and up to date to the extent necessary for the purposes of use; (ii) undertaking necessary and appropriate measures to safeguard personal data; (iii) conducting necessary and appropriate supervision over its employees and its service providers who process its personal data; (iv) not providing personal data to any third party without the prior consent of the relevant individual (subject to certain exemptions); (v) preparing and keeping records of third-party transfers of personal data; and (vi) when acquiring personal data from a third party other than data subjects (subject to certain exceptions), verifying the name of the third party and how the third party acquired such personal data.
Business operators handling “retained personal data” (i.e., personal data that a business operator has the authority to disclose, correct, add content to or delete content from, discontinue the use of, erase, and discontinue its provision to a third party) are required, among other things, to: (i) make accessible to the relevant individual certain information regarding the retained personal data; and (ii) respond to a request of the relevant individual to, e.g., provide a copy of retained personal data to such individual, correct, add to or delete the retained personal data, or discontinue the use of or erase such retained personal data.
The APPI imposes stringent rules for “sensitive personal information”, which includes race, beliefs, social status, medical history, criminal records and the fact of having been a victim of a crime, and disabilities.
The APPI provides for special rules for “anonymized personal data”, which must meet certain requirements under the APPI. Business operators that created or retain such anonymized personal data are subject to certain obligations (e.g., disclosure of the creation of such anonymized personal data and prohibition of re-identification) but no consent of the data subject is required for the use or provision of such anonymized personal data.
Are there restrictions on the transfer of personal data overseas?
Under the APPI, personal data may not be transferred to a third party located outside of Japan without the prior consent of the relevant individual unless:
- the relevant third-party transferee is located in a foreign country that the Commission considers has the same level of protection of personal information as Japan (only the 31 member countries of the EEA are officially designated as such by the Committee based on the framework for the mutual and smooth transfer of personal data between Japan and the EU that was implemented on January 23, 2019);
- the relevant third-party transferee has established a system to continuously ensure its undertaking of the same level of protective measures as personal data users would be required to take under the APPI; or
- the transfer falls under an enumerated exception in the APPI.
What is the maximum fine that can be applied for breach of data protection laws?
Under the APPI, there is no administrative fine that can be applied for breach of the APPI, but criminal penalties may be imposed on business operators handling personal information under certain circumstances. The maximum criminal penalties are penal servitude of up to one year or a criminal fine of up to ¥500,000, which may be imposed if any current or former officer, employee or representative of a business operator handling personal information provides such information to a third party or steals such information from a personal information database established in connection with the business of such business operator with the purpose of providing unlawful benefits to himself or herself or third parties.
What additional protections have been implemented, over and above the GDPR requirements?
Since the regulatory framework and basic concepts under the APPI are different from those under the GDPR in many aspects, it is not easy to compare the APPI with the GDPR in terms of the protections implemented thereunder. Generally speaking, however, more protections are implemented under the GDPR than under the APPI with limited exceptions (e.g., while the anonymized data is not subject to the regulations under the GDPR, the anonymously processed data is still subject to the regulations under the APPI which are different from and less strict than those applicable to the personal data). It is notable that the APPI is currently under periodic review with the aim of amending it in 2020, and it is debated whether to implement additional protections and regulations by reference to those under the GDPR (e.g., the right to data portability, the right not to be subject to a decision based solely on automated processing (including profiling), and the obligation to notify a personal data breach to the supervisory authority).
Are there any regulatory guidelines or legal restrictions applicable to cloud-based services?
In Japan, there are no specific laws that directly prohibit, restrict or otherwise govern cloud-based services. Where the data being placed in the cloud is personal information/data, use of cloud-based services may be considered as constituting the provision of personal data to third parties under the APPI, which requires the prior consent of the relevant individual (subject to certain exemptions depending on whether such third parties are located in or outside of Japan) (see questions 9 and 10). However, the guidelines published by the Committee provide that the use of cloud services to store personal data does not constitute the provision of personal data to cloud service providers under the APPI as long as it is ensured by contract or otherwise that the cloud service providers are properly restricted from accessing the personal data stored in the cloud.
Aside from the personal data protection regulations, provision or use of cloud-based services may be subject to other restrictions depending on the nature of the services or the stored data, including consumer protection regulations and sector-specific guidelines in medical and financial sectors.
Are there specific requirements for the validity of an electronic signature?
As for a handwritten signature, if a document is signed or sealed by the principal or his or her agent, such document will be presumed to be authentically created under the Code of Civil Procedure. Likewise, in order for a digital record with an electronic signature by the principal to be presumed to be created authentically, such electronic signature must meet the requirements set forth under the Act on Electronic Signatures and Certification Business. There are no other specific requirements for the validity of an electronic signature.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
No transfer of employees, assets or third party contracts would occur automatically in the context of outsourcing IT services. A transfer will occur only if the parties agree to such a transfer. In the case that the parties agree to transfer a certain business (including employees, assets, third-party contracts and liabilities), and not merely an outsourcing of IT services, by way of a company split (kaisha-bunkatsu), however, employees who are primarily engaged in the transferred business but who will not be transferred, and employees who are not primarily engaged in the transferred business but who will be transferred, are entitled to certain opt-out rights concerning their non-transfer or transfer, respectively, under the Act on the Succession to Labor Contracts upon Company Split.
If a software program which purports to be a form of A.I. malfunctions, who is liable?
In Japan, there is no clear rule on the liability for malfunctions of a software program that purports to be a form of A.I. Theoretically, such liability may be found based on (i) strict liability under the Product Liability Act, (ii) tort under the Civil Code, or (iii) breach of contract or defective product under the Civil Code. If such software program is incorporated into certain equipment or other product and such product is found to be defective, the manufacturer of such product may be liable under the Product Liability Act. If such malfunctions were foreseeable by a party (e.g., a manufacturer or user of the software program) and the negligence (or intent) of such party is established, such party may be liable for damages flowing from a causal relationship under a tort claim, but it would heavily depend on the nature of the A.I. and the malfunctions or other circumstances whether such malfunctions were foreseeable.
What key laws exist in terms of: (a) obligations as to the maintenance of cybersecurity; (b) and the criminality of hacking/DDOS attacks?
a) Obligations as to the maintenance of cybersecurity
The key laws imposing obligations on companies to maintain cybersecurity include the Basic Cybersecurity Act and the APPI. More generally, an internal control system required under the Companies Act and the Financial Instruments and Exchange Act may, but is not necessarily required to, include the measures to maintain cybersecurity.
The Basic Cybersecurity Act provides that, in accordance with the basic principles set forth under the Act, cyberspace-related business entities (referring to those engaged in business regarding the maintenance of the Internet and other advanced information and telecommunications networks, the utilization of information and telecommunications technologies, or those involved in business related to cybersecurity) and other business entities must make a voluntary and proactive effort to ensure cybersecurity in their businesses and to cooperate with the measures on cybersecurity taken by the national or local governments.
The APPI does not directly set forth obligations to maintain cybersecurity, but the APPI and sector-specific guidelines provide rules for information security concerning personal information. For instance, under the APPI, a business operator handling personal information is required to take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security of the personal data.
b) The criminality of hacking/DDOS attacks
The Penal Code and the Unauthorised Computer Access Prohibition Act cover the criminality of hacking/DDOS attacks. Also, the acquisition of a trade secret or a specially designated secret through an unauthorised access or the like may be subject to criminal penalty under the Unfair Competition Prevention Act or the Specially Designated Secret Protection Act, respectively.
What technology development will create the most legal change in your jurisdiction?
While it is expected that Internet of Things (IoT), artificial intelligence (AI) and robotic process automation (RPA) will continue to cause substantial changes in the legal arena, blockchain or distributed ledger technologies have the potential to make a significant impact on various transactions (such as payment transactions and financial instruments) and will most likely create a new legal system (such as smart contracts, IP rights management and property title registrations). Such movement will entail substantial changes in laws and regulatory bodies.
Which current legal provision/regime creates the greatest impediment to economic development/commerce?
One of the greatest impediments to economic development and commerce is vertically segmented legal and regulatory systems. Although cross-sectoral, innovative businesses and services are expected to develop, the current legal and regulatory systems are still sector-oriented and rigid, which tends to create grey areas of law and inefficiency of compliance and regulations. The government initiated a study group to consider the possibility of reframing the legal and regulatory systems to address such issues.
Do you believe your legal system specifically encourages or hinders digital services?
While there exist certain issues in the legal system that could hinder digital services to some extent (see Opinion 2), the Japanese government has adopted, and continues to consider, various measures to change the legal system to encourage digital services. For instance, the Regulatory Sandbox was introduced as one of the measures under the Act on Special Measures for Productivity Improvement for the purpose of allowing businesses to conduct demonstration tests and pilot projects quickly and collect data that may contribute to regulatory reforms.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
As mentioned above (see question 16), the current legal system can solve the legal issues associated with artificial intelligence (AI) to some extent, but there is no legislation that specifically deals with AI. Thus there remain many uncertainties related to the legal issues associated with AI (such as civil and criminal responsibilities concerning malfunctions of AI and protections of AI software and AI deliverables).
To address such uncertainties, in June 2018, METI published the “Contract Guidelines on Utilization of AI and Data”, which consists of two sections: Data and AI (the METI Guidelines). The AI section explains a fundamental approach to be taken in relation to contracts that concern the development and utilization of AI-based software from the perspective of promoting the development and utilization of software using AI technology. The METI Guidelines also provide sample provisions for development contracts for AI-based software.