New Cookie Regulations in Japan – Amendment of Telecommunications Business Act

22.05.2023

The Telecommunications Business Act (“TBA”) is a law administered by the Ministry of Internal Affairs and Communications of Japan. Under the amended law, certain regulations for telecommunication businesses sending information to third parties (including cookies) have been newly established.

The Telecommunications Business Act (“TBA”) is a law administered by the Ministry of Internal Affairs and Communications of Japan. The TBA applies to business involved in providing Telecommunications Services, which is defined as services "intermediating other persons' communications through the use of telecommunications facilities, or other acts of providing telecommunications facilities for use in other persons' communications" under the TBA. However, the current legislation exempts businesses that provides telecommunications services other than telecommunications services that use telecommunications facilities to mediate the communications of others (excluding domain name telecommunications services), without installing telecommunications line facilities (“Exempted Businesses”).

The TBA was amended last year and is scheduled to come into effect on June 16, 2023. Under the amended law, certain regulations for telecommunication businesses sending information to third parties (including cookies) have been newly established. The new regulations will also apply to these Exempted Businesses.

 

1.    Services subject to the New Regulations

The new regulations under the amended TBA apply to “Businesses who operate a Telecommunications Business”. Whether a company operates a Telecommunications Business will mainly depend on whether a company provides services for other parties.

In cases where companies operating websites for introducing the company or its products, or where the website for selling its own products, are not considered as Telecommunication Businesses. However, the new regulations will apply to telecommunications services that are essential to the business, such as online news, video channels, E-commerce websites which sell third party products or services.

The new regulations applies to telecommunications services that have a “significant impact on the interests of users”. Whether having a significant impact does not depend on the number of users, but on the nature of the services. Emails, chats, web meeting systems social media platforms, E-commerce sites, streaming services, online search services, video streaming services are highly likely to be construed as having services having a significant impact to the users.

 

2.    Communications subject to the New Regulations

The new regulations apply when a business conducts “Information Transmission Command Communications”. Information Transmission Command Communications are defined as transmission of telecommunications that commands a user’s telecommunications facilities in which information about the user is recorded, to transmit to telecommunications facilities other than the user.


“Telecommunications facilities" include personal computers and smartphones.

“Information about the user” is not limited to personal information, but also includes terminal identifiers such as IDs stored in cookies, the URLs of websites visited, and user information of personal computers/smartphones.

"Telecommunications facilities other than the user” include third-party servers as well as the operators of websites and app providers which are viewed or used by users.

To summarize, the amended act will apply to communications where information is sent from a user's computer or smartphone to a third party.

 

3.    Obligations

Businesses to which the new regulations apply are required to notify or to make public (in a readily accessible manner) the following information:
(1)    The content of the information about the user to be transmitted,
(2)     The name (s) of the person or business who will handle the information and
(3)    The purpose of using the information.

In the draft of the guidelines, that are currently undergoing public consultation, the notification or publications are required to be made in the following manners:
-    To be in Japanese
-    Not to use technical terms.
-    To use plain language.
-    To be displayed at proper size
-    To be displayed on a screen or page easily accessible from the top page (for public announcements)

However, notices or publications are not necessary for the following information:

(1)     Information that need to be sent when using telecommunications services

Ex. OS, screen setting, language setting, browsers, and other information necessary for the telecommunications services, information necessary for user authentication, information necessary for security measures, information necessary for network management

(2)    Identification codes sent by the service provider to users

Ex. ID codes stored in First Party cookies.

(3)    Information for which the consent of the user has been obtained

* Users need to actively give consent

(4)    Information for which the user has not requested the application of the opt-out measure, in cases where the company has taken opt-out measures

* Certain requirements for opt-out measures are stipulated in the guidelines.

The guidelines also advise businesses to notify and/or make public certain information to users such as, opt-out measures, the retention period of the information to be sent, and the contact information at the sender of the information transmission command communication.

4.    Impact to Businesses

Any businesses that provide Telecommunication Services (i.e. Emails, chats, web meeting systems social media platforms, E-commerce sites, streaming services, online search services, video streaming services) in Japan, who send information (i.e. cookies) to third parties need to re-check their service policies, and ensure that information are notified or to made public complying with the TBA before the amended act comes into effect.

 

Article provided by INPLP member: Satoshi Shono (MATSUDA & PARTNERS, Japan)

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.