Taking a Byte: “The Impact of the Amendments to Japan’s Telecommunications Business Act on Operators”

Article Overview

Japan’s Ministry of Internal Affairs and Communications (MIC or sômushô) working group publicized a revised version of the draft guidelines governing new regulations on Specified User’s Information under the amended Telecommunications Business Act (“Amended TBA”). As the effective date of the Amended TBA approaches, MIC working groups have updated MIC’s Telecommunications Business Entry Manual, following the release of the updated version of the draft guidelines for the new Cookie Regulation. These new materials will help Telecommunications business operators prepare for the implementation and better understand what their practices will be like under the new regulation.

The amendments will likely impact telecommunications business operators, irrespective of whether they are subject to the mandatory filing requirements under the Act, as business operators may be required under the Cookie Regulations to send a certain notice to users or take alternative measures if they are intending to process any data that would externally transfer user information stored in their terminals.

In this alert, we summarize the practical implications of these changes for business operators. Additionally, we compare the regulation under the Act on the Protection of Personal Information of Japan; explore the scope of the effected business operators; and discuss the regulation related to Specified User’s Information.

The current form of Japan’s Telecommunications Business Act (Act No. 86 of 1984) (the “Current TBA”) was amended at the 208th Ordinary Session of the national legislature of Japan (the “Diet”) on June 13, 2022, and officially announced on June 17, 2022 (as so amended, the “Amended TBA”). The Amended TBA will become fully effective on June 16, 2023. A primary purpose of the amendments is to enhance telecommunications business operators’ governance to respond to the increasing security risks in cyberspace, including the escalating exposure to potential information leakage in connection with telecommunications services.  

This alert summarizes a comparison of the regulations under the Act on the Protection of Personal Information of Japan (Act No. 57 of 2003, the APPI) and focuses on the provisions of the Amended TBA that may have a significant impact on telecommunications business operators, including the Cookie Regulations, expansion of the types of regulated telecommunications business operators, and regulations related to Specified User’s Information, as explained in detail in Section 2 below.[1]

Telecommunications business operators, irrespective of whether they are subject to the mandatory registration or notification requirements under the Amended TBA or not, should keep an eye on the development of MIC’s deliberations on the detailed practical rules regarding the Amended TBA.

1. Cookie Regulations

Overview

Under the Amended TBA, telecommunications business operators providing telecommunications services with the prescribed non-negligible effects on the interests of users may be subject to the newly introduced regulations in connection with cookie technologies. This means telecommunications business operators that have not been subject to the mandatory filing of a notification (todokede) might be subject to the Cookie Regulations.

The categories of the services that would be subject to the Cookie Regulations include, among others, the following services provided through a web browser or an application: services intermediating messages between users, social networking services, electronic bulletin board services, video sharing services, online search services, and online services that provide various information (e.g., news, weather, and maps). 

Required acts under the Cookie Regulations

If the telecommunications business operators that are subject to the Cookie Regulations are intending to process any data that would externally transfer any user information stored in their terminals (e.g., identification information generated using cookie technologies or behavior histories in connection with telecommunications services) (the “User Terminal Information”) during the provision of their telecommunications services, those operators are required in a prescribed manner to notify the users or clearly inform the users at a previous time about the processing of their User Terminal Information, the name of the person or the entity that would handle the information using the telecommunications facilities where the User Terminal Information would be sent, and the purposes for the use of the User Terminal Information for each transfer of that information.

Please note, however, that telecommunications business operators are exempted from the obligations above under any of the following circumstances:

• The User Terminal Information is the prescribed information that users need to send when using the relevant telecommunications services (e.g., information regarding the operating system, screen settings, and language settings);
• The User Terminal Information is the first-party cookie used to identify the user and distinguish the user from others;
• The relevant user has agreed that the User Terminal Information may be sent to the telecommunications service operators; and
• The relevant user has not selected an opt-out option when the telecommunications service operators have provided opt-out measures and informed the user so they can easily know the available method of opting out in advance.

Comparison with the cookie regulations under the APPI

Prior to the introduction of the above-mentioned Cookie Regulations under the Amended TBA, the amended APPI, that was enacted on April 1, 2022, has introduced a new restriction on the transfer of “Personally Referable Information” to a third party, which is intended to regulate the use of cookies via a data management platform (DMP). 

Previously, the collection, use, and transfer of cookie information in itself was in principle not regulated under the APPI since cookie information alone is not personally identifiable information unless retained together with other personally identifiable information. The amended APPI, however, newly defined “Personally Referable Information” to mean information relating to a living individual that does not fall under the other types of regulated information defined under the APPI, such as “Personal Data,” and restricted the transfer of Personally Referable Information to a third party in cases where it is assumed that the third party will receive the Personally Referable Information as personally identifiable information (i.e., the recipient will be able to collate the Personally Referable Information with other information that it holds, whereby a specific individual can be identified from the Personally Referable Information). If this restriction applies, the transferor cannot transfer the Personally Referable Information unless it has confirmed that the recipient has obtained the consent of the relevant user. In addition, if the recipient is located outside Japan or the EEA, the recipient must provide certain information including the name of the country where the recipient is located and the description of privacy legislation in the applicable country.

As the result of the amended APPI, a business operator, such as a DMP operator that collects cookie information from individuals who cannot be identified, may transfer the cookie information to its clients that will be able to identify the individuals only when they can confirm that they obtained the necessary consent or when the transferor has obtained consent on behalf of the clients.

If a business operator that will be subject to the information provision requirements under the Amended TBA is already compliant with the APPI requirements and transferring cookies based on consent, it is likely that no additional actions will be required since the Amended TBA does not require the provision of information when the user agreed to the submission of User Terminal Information. Business operators should review their privacy policies and/or cookie policies to confirm if they already meet the requirements under the Amended TBA and amend their policies where necessary.  

2. Other Relevant Amendments

Expansion of scope of the regulated telecommunications business operators

Under the Amended TBA, the telecommunications business operators that provide (i) search engine services or (ii) telecommunications services that substantially intermediate other persons’ communications (e.g., social networking services), with a large impact on the interests of users[2] (the “Newly Added Licensed Telecommunications Business Operators”), will also become subject to mandatory filing of a notification (todokede), even if the services do not intermediate communications between other persons. Please note that, under the Current TBA, only the telecommunications business operators that intermediate communications between other persons (e.g., closed chat services) and certain domain name system (DNS) service providers (the “Current Licensed Telecommunications Business Operators”) are generally subject to mandatory registration (tôroku) or filing of a notification.

Obligations related to the Specified User’s Information imposed on the designated large-scale Current Licensed Telecommunications Business Operators and Newly Added Licensed Telecommunications Business Operators

1. If MIC designates certain Current Licensed Telecommunications Business Operators and Newly Added Licensed Telecommunications Business Operators as those providing telecommunications services with a large impact on the interests of users,[3] those operators are required to, among other requirements, (i) formulate internal rules for handling the Specified User’s Information, (ii) file the internal rules with MIC, (iii) formulate and publicly announce the policy for handling the Specified User’s Information, (iv) conduct self-evaluations of the status of handling the Specified User’s Information, and (v) appoint a supervising manager for the Specified User’s Information and notify the MIC of the appointment.
2. “Specified User’s Information” is defined as information related to the users that is described in clauses a and b below:
1. Information obtained in connection with the telecommunications services that is included in subclauses (i) and (ii) below (i.e., information subject to the mandatory protections of confidentiality of communication under the Telecommunications Business Act)[4]:
1. Information that has not been known to the public; and
2. Information when it is generally recognized that the relevant person has a considerable benefit in their information not being known to others; and
2. The prescribed information obtained in connection with the telecommunications services to identify the users that have executed service agreements for, or signed up for, the relevant service.[5]      

Comparison of Specified User’s Information with Personal Data subject to the APPI 

The APPI requires that a business must notify or make public the purposes for its use of personally identifiable information (e.g., by publishing a privacy policy), as well as take appropriate measures for the security of Personal Data (e.g., the personally identifiable information stored in its database). These obligations broadly apply to business operators handling a database of personally identifiable information rather than only to designated operators. In light of such APPI requirements, a business operator that will be subject to the obligations related to the Specified User’s Information is likely to have already established certain internal rules and published a privacy policy; however, subject to the detailed practical rules of the Amended TBA, such rules and policy may need to be updated (or separate rules and policies may need to be established) to comply with the new requirements under the Amended TBA.  

Current Licensed Telecommunications Business Operators and Newly Added Licensed Telecommunications Business Operators need to consider establishing internal systems to comply with the Cookie Regulations under the Amended TBA and the obligations related to the Specified User’s Information, if they are triggered, by June 16, 2023 (i.e., the effective date).

While the Amended TBA and its implementing regulations have been publicly announced by MIC, we assume MIC is still in the process of establishing its internal practical rules for implementing the new regulations. Given the information above, irrespective of whether they are subject to the mandatory registration or notification requirements under the Amended TBA or not, telecommunication business operators should continue paying close attention to MIC’s efforts to implement new rules under the Amended TBA.  

[1] This summary is provided for information purposes only and should not be construed as legal advice for any specific matter. Please do not act or refrain from acting based on this information without seeking professional legal counsel for your specific matters.

[2] In the implementing rules of the Amended TBA publicly announced by MIC, the following services generally satisfy the condition of “with a large impact on the interests of users”: (a) with respect to search engine services, services that provide cross-sectorial search services with 10 million or more users, and (b) with respect to telecommunications services that substantially intermediate other persons’ communications, services that primarily and substantially intermediate interactions between unspecified users, with 10 million or more users. 

[3] MIC’s proposed threshold is generally that the number of users is (i) 10 million or more in the case of free telecommunications services and (ii) 5 million or more in the case of fee-based telecommunications services.

[4] For example, date and time or content of communication would generally fall within this category.

[5] Pursuant to the implementing regulations of the TBA, the prescribed information would be the information in the database.