Understanding the 2023 Japanese Telecommunications Business Act Amendment: A Comprehensive Guide to New Cookie Regulations

The upcoming amendment to the Japanese Telecommunications Business Act (scheduled to be implemented in 2023 (Reiwa 5)) will introduce various rule changes to ensure smooth service provision and user protection, taking into account the changing environment surrounding telecommunications businesses. Among these changes, the regulation concerning Cookies is particularly noteworthy.

Currently, a wide range of online services use Cookies, and how the amendment to the Japanese Telecommunications Business Act will affect the operation of these services is a matter of concern for many companies. Significant changes in web marketing are also expected in the future.

In this article, we will introduce the amended Japanese Telecommunications Business Act, which was established in June 2022 and is expected to be implemented by June 17, 2023, along with the accompanying enforcement regulations. We will also provide a detailed explanation of the much-anticipated Cookie regulations.

Overview of the Amendments to the Japanese Telecommunications Business Act

The Japanese Telecommunications Business Act is a law designed to ensure the proper and rational operation of telecommunications businesses, promote fair competition among operators, and protect the interests of users (Article 1 of the Japanese Telecommunications Business Act). In simpler terms, it aims to establish a system that ensures the smooth provision of telecommunications services such as the internet and mobile phones, and to secure the benefits of users and the convenience of the public.

The businesses that fall under telecommunications operators are those that provide information and communication infrastructure such as telephones and the internet. In this amendment, the following changes have been implemented, including the expansion of the scope of target operators:

• Universalizing communication services like electricity, gas, and water services
• Including search engines and SNS as subjects of notification
• Establishing fair competition between major mobile phone carriers and low-cost SIM providers

Since 2020 (Reiwa 2), telework, web meetings, and remote education have rapidly become commonplace. The internet environment can now be considered an infrastructure accessible to everyone, not just a service chosen by individuals, like electricity or gas. In this amendment, a grant system was established to ensure stable service provision even in areas where internet operators cannot make a profit, in order to eliminate communication disparities between regions.

The scope of “telecommunications operators” has also changed. Large-scale search services and SNS, which were previously not targeted, have now become subject to regulation. In other words, large-scale search engines like Google and SNS like Twitter and Instagram are now subject to notification as telecommunications operators if they exceed a certain scale.

The following are the conditions for businesses that are newly subject to notification:

1. Search information telecommunications service (search engines like Google): User count of 10 million or more and cross-sectional search services
2. Mediation equivalent telecommunications service (SNS like Twitter): User count of 10 million or more and primarily mediating substantial exchanges between unspecified users

Furthermore, it was clearly stated that obligations such as the presentation of pricing methods would be imposed to achieve fair competition between the three major mobile phone companies and other MVNOs, etc.

What is the Newly Established “Specific User Information”?

According to the Enforcement Regulations of the Telecommunications Business Act (Japanese Telecommunications Business Act Enforcement Regulations), a new concept called “Specific User Information” has been established. The regulations target telecommunications business operators who provide telecommunications services that have a significant impact on user benefits. Specifically, businesses with a monthly active user count of over 10 million for free services and over 5 million for paid services will be subject to these regulations. Examples of such businesses would include fixed-line and mobile phone operators, internet service providers, search services like Google, and social networking services like Twitter.

“Specific User Information” refers to information such as email and phone records, which are considered communication secrets, user IDs, numbers, and other information that can identify users (Japanese Telecommunications Business Act Enforcement Regulations.jn Article 2-2, Article 22-2-21). Businesses handling this information are obligated to do the following (same Enforcement Regulations Article 22-2-22). Please note that information stored in cookies is also included in this specific user information.

1. Formulate and report handling regulations
2. Formulate and disclose handling policies
3. Self-evaluate handling status every business year and reflect it in handling regulations and policies
4. Appoint and report a supervisory manager at the above times
5. Report in case of leakage

Businesses handling specific user information are obligated to formulate and disclose their handling policies. They must also conduct self-evaluations of technical trends and cyber attack risks, and revise their policies as necessary.

In addition, they are required to appoint a supervisory manager with at least three years of experience, and in the event of a leak of information of more than 1,000 users, they must report to the Minister of Internal Affairs and Communications without delay.

Furthermore, the establishment of external transmission rules, commonly known as cookie regulations, is likely the most impactful point in this amendment. We will explain this in detail below.

Explicit Cookie Regulations

What are Cookies? Their Advantages and Issues

Cookies refer to a mechanism that stores information about users who visit a site in their browser. To explain in more detail, when a viewer of a website or similar accesses a web server from a device such as a PC, smartphone, or tablet, it refers to the file that the web server saves on the viewer’s device. The web server can refer to the cookies stored on the viewer’s device when it receives access from the viewer.

As a result, when you access a website of a web service you have used before, the system can recognize that it is a user who has visited before. For example, when you are shopping on an EC site, you may have had the experience of “putting a product you like in the cart, browsing another product page for a while, and then looking at the cart again to find the product you put in the cart earlier still there”. In fact, this mechanism uses cookies.

In simple terms, a cookie is data that aggregates a wide range of user information, such as an ID to identify the user, and the date and number of times the user visited the site. Because cookies can identify users, they can provide optimal information when the user visits the site for the second time or later.

By using cookies, it is also possible to collect personal information without the user’s intention. By collecting information about which user is accessing which website from which device, it is possible to analyze the user’s hobbies and preferences.

However, most users cannot know when and what data cookies are recording and what data they are sending to the server. The data from cookies can also be used by third-party companies that the user is unaware of for business purposes. Therefore, from the perspective of privacy infringement, cookies have been designated as “personal related information” by the amendment to the Personal Information Protection Law in April 2022 (Gregorian calendar year).

Until now, many website operators have used cookies to understand user information and launch more accurate and effective marketing approaches. However, in many foreign countries, including the EU, privacy infringement using cookies has been a problem, and measures have been taken. In particular, many of you may have noticed that when you browse websites in the EU area, a message prompting you to agree to the use of cookies is displayed.

First-Party Cookies and Third-Party Cookies

Cookies can be broadly divided into two types: first-party cookies and third-party cookies.

First-party cookies are those that are directly issued from the domain of the website that the user is visiting. In other words, these are cookies where the “domain issuing the cookie” equals the “domain of the visited website”. The term “first party” means “the party involved”. These cookies are called first-party cookies because the exchange of cookies is completed between the server of the website visited by the viewer and the user’s device.

On the other hand, third-party cookies are those issued from a server other than the website visited by the viewer (a third party). These cookies are called third-party cookies because the exchange of data using cookies does not complete between the server of the website visited by the viewer and the user’s device, but between other servers.

The main target of cookie regulations in the amendment to the Japanese Telecommunications Business Act is the use of third-party cookies.

Third-party cookies can collect user browsing history information across multiple domains. If the browsing history of a device can be obtained, it becomes possible to profile what the user of that device is interested in. If a user’s hobbies and preferences are profiled and used for advertising without the user’s knowledge, it can lead to user anxiety and raise issues from a privacy perspective. Many people may have experienced seeing more advertisements for sites they have visited in the past or for related products.

In Japan, there were no legal rules directly regulating the use of cookies. In a research report on the economic effects and user protection of behaviorally targeted advertising published by the Ministry of Internal Affairs and Communications’ Institute for Information and Communications Policy in March 2010, it was suggested that businesses using targeted advertising should disclose their use and obtain consent in advance. As the word “desirable” suggests, there was no clear legal obligation.

The amendment to the Japanese Telecommunications Business Act takes a step forward from “desirable” to “must”, indicating a move to establish new legal rules that directly regulate the use of cookies.

Content of Cookie Regulations

Article 27-12 of the revised Japanese Telecommunications Business Act states, “When providing telecommunications services to users and intending to transmit information to the user’s telecommunications equipment (omitted), it is necessary to notify the user in advance of the content of the information related to the user that will be transmitted by the information transmission function activated by the information transmission instruction communication, the telecommunications equipment that will be the destination of the information, and other matters specified by the Ministry of Internal Affairs and Communications, or to make it easily known to the user.”

Although the wording of the clause is a bit complex, in summary, it means:

• When providing telecommunications services (i.e., online services) to users, and
• When intending to transmit information to the user’s telecommunications equipment (PCs or smartphones)

It is necessary to notify the user of certain matters or make it easy for the user to know them.

So, what exactly does the “certain matters” that need to be notified to the user refer to?

According to Article 27-12 of the revised Japanese Telecommunications Business Act and Article 22-2-29 of the Enforcement Regulations of the Japanese Telecommunications Business Act, when intending to transmit such information, the following matters must be notified to the user or made easily known to the user:

• The content of the “information related to the user” to be transmitted
• The name/title of the person handling the “information related to the user” using the destination server
• The purpose of using the “information related to the user” to be transmitted

In other words, when using cookies subject to cookie regulations, it is necessary to introduce a mechanism to notify the individual of information such as the collected cookie information, the destination, and the purpose of use, or to make it easily known to the user by publishing a cookie policy, etc.

Four Exceptions to Cookie Regulations

According to Article 27-12 of the Revised Japanese Telecommunications Business Law, there are four cases where it is not necessary to notify users of certain matters or to make it easy for users to know.

First, information that is necessary to properly display the codes, sounds, or images transmitted in the telecommunications service on the screen of the user’s telecommunications equipment, or other information that the user needs to transmit when using the telecommunications service, as defined by the Ministry of Internal Affairs and Communications.

According to Article 22-2-30 of the Enforcement Regulations of the Revised Japanese Telecommunications Business Law, the following apply:

• Information truly necessary to provide the service
• Information necessary to re-display the information entered by the user when using the service (including authentication information)
• Information necessary for detecting fraudulent activities and mitigating damage
• Information necessary for the proper operation of the server

Second, the identification code transmitted to the user’s telecommunications equipment by the telecommunications carrier or the third-party business operator when providing the telecommunications service to the user (referring to the personalitys, numbers, symbols, and other codes used by the telecommunications carrier or the third-party business operator to distinguish the user from others when providing the telecommunications service), which is to be transmitted to the telecommunications equipment of the telecommunications carrier or the third-party business operator by the information transmission function activated by the information transmission instruction communication.

Although it’s a bit complicated, this assumes the case where “the ID sent by the company to the user’s device is sent to the company’s server”. In other words, first-party cookies are exceptions, and only third-party cookies are subject to regulation.

Third, information that the user has agreed to be transmitted to the user’s telecommunications equipment.

The often-seen phrase “Do you agree to the use of cookies?” is for this clause. For users who have agreed, this notification is not necessary.

Fourth, information that the user has not requested the application of the measures stipulated by the user, if the information transmission instruction communication falls under all of the following.

This refers to the so-called opt-out measures, where users can refuse the collection and use of cookie information at any time.

Conclusion: Consult with Experts for Measures Against the Revised Japanese Telecommunications Business Law

Due to the rapid development of online services, legal amendments are made very frequently in this field. The rapid changes make it difficult to find literature, and keeping up with the latest information and responding to it may not be easy.

We recommend proceeding with measures against the Japanese Telecommunications Business Law and its associated regulations while obtaining advice from experts.

Introduction to Our Firm’s Measures

Monolith Law Office is a legal office with extensive experience in both IT, particularly the internet, and law. The revised ‘Japanese Telecommunications Business Law’ is complex, and it can be said that it is difficult to understand without being an expert. A legal check is necessary to conduct business legally, so please feel free to consult with us. Details are described in the following article.

Areas of practice at Monolith Law Office: IT and Venture Corporate Legal Affairs