What Are the Contractual Risks of Corporate AI Implementation? Explaining the Ministry of Economy, Trade and Industry's "Checklist" to Prevent Crises Before They Arise

In recent years, the adoption of AI (Artificial Intelligence) in the business world has been advancing rapidly. However, the use and development of AI come with unique risks and legal challenges that differ from those associated with traditional systems.

With this backdrop, in February of Reiwa 7 (2025), Japan’s Ministry of Economy, Trade and Industry published the “AI Utilization and Development Contract Checklist.” This checklist is designed as a practical support tool to help various companies involved in AI service contracts and usage to efficiently organize and verify contract terms.

This article will explain how to effectively incorporate AI into business, based on the “AI Utilization and Development Contract Checklist.” We will categorize AI-related contracts and discuss the key points to consider when entering into agreements.

AI Utilization and Development Contract Checklist: Target AI-Related Services

The “AI Utilization and Development Contract Checklist” targets a wide range of AI-related services, including generative AI, and is not limited to specific industries or AI technologies.

The checklist is structured from two perspectives, “Input” and “Output,” to systematically organize practical issues related to the provision and use of services. This design allows for comprehensive consideration of matters throughout the entire lifecycle of AI services, while enabling parties to easily extract items relevant to their own company.

Inputs and Outputs in the “Contract Checklist for AI Utilization and Development”

The checklist is structured based on the following two phases in AI services:

[Inputs]

Inputs refer to the information, data, specifications, and conditions that are provided and used for the construction, learning, and operation of AI services. Examples include training data, algorithms, business rules, and system conditions. If these inputs are insufficient or inappropriate, they can directly affect the performance and reliability of the AI’s outputs, making them critical items for consideration.

[Outputs]

Outputs pertain to the results processed, inferred, or generated by AI, as well as how these results are handled, utilized, and disclosed. For instance, this includes generated text and images, inference results, the basis for decisions, the scope of external provision, and the location of responsibility.

AI output results require checks for accuracy, transparency, and legal risks. The “Contract Checklist for AI Utilization and Development” organizes key discussion points in contract practice from both perspectives: inputs (provision of prerequisite information) and outputs (handling of AI results).

Definitions of Parties Involved

In contracts involving AI, the roles of stakeholders such as “those who develop AI,” “those who provide AI,” and “those who utilize AI” may vary depending on the type of AI service.

For instance, consider the case where a generic AI service is fine-tuned and implemented specifically for a certain company (as in the following section, “Type 2: Customized”). In this scenario, the service involves integrating a generic AI service provided by another company and adjusting it to fit the specifications of the requesting company.

In this case, Business B, which provides the customization service, stands as the “AI Service Provider (Vendor)” in relation to Business A (the AI user) as shown in the diagram below (①).

On the other hand, in relation to Business C (the AI developer/provider) that supplies the original generic AI (as shown in diagram ②), Business B assumes the role of an AI service user.

As such, a single business entity may become a “provider” or a “user” depending on the counterpart involved, which is why it is crucial to clearly define each party’s position and scope of responsibility when entering into a contract.

Source: Ministry of Economy, Trade and Industry | AI Usage and Development Contract Checklist

Contract Types in the “AI Usage and Development Contract Checklist” Under Japanese Law

This checklist categorizes contracts related to AI-related services into three representative types. The purpose is to make it easier for contracting parties to understand the checklist items that correspond to their own position and objectives.

Each contract type has its own personalityistic issues and risks, and it is crucial to identify the appropriate type based on the purpose of AI implementation and the form of service provision.

Below, we will introduce the three contract types in more detail.

Type 1: General Use Service Model

This model typically involves contracts where users utilize AI services that are already completed and made available to the public as they are.

A classic example would be the use of generative AI services such as ChatGPT or image creation AIs (e.g., DALL·E, Stable Diffusion) on the web.

Generally, these services require users to agree to the terms of use and service conditions predetermined by the vendor. It is almost impossible for users to negotiate or change the terms of the contract.

In the checklist, the main point of discussion is how users understand and grasp the risks associated with using AI services provided under pre-determined conditions.

Type 2: Customized Solutions

This type of contract involves the AI service provider customizing their existing models and technologies to meet the specific needs of the client company.

For instance, this could involve the client company providing their own data and rules for additional training of the provider’s AI model, or making adjustments and changes to parts of the system. Imagine, for example, the development of a marketing chatbot to be deployed within a company. A generic generative AI could be fine-tuned for that company by loading its product database and learning from customer queries, enabling it to provide tailored responses.

In such contracts, the provider leverages their original technology and expertise while delivering a service that meets the unique demands of the user. The checklist for these agreements typically includes considerations such as the ownership of intellectual property for the customized elements, the possibility of reuse, and the allocation of responsibilities.

Furthermore, since the nature of the deliverables and the type of contract may change depending on the customization, it is crucial to clearly define the roles of both parties and the expected inputs and outputs.

Type 3: New Development Model

This model involves a contract in which the user commissions an AI service provider to develop a completely new AI system. Commonly referred to as “full-scratch development,” it entails building a dedicated AI model or system from scratch, tailored to the user’s business operations and needs.

In this case, the user often provides the training data and specifications, and the AI model or deliverables to be developed are designed based on the user’s unique requirements.

Therefore, the following points are particularly important in the contract:

• Clarification of the scope and content of deliverables
• Setting targets for accuracy and performance
• Provision and handling of training data
• Intellectual property rights and ownership of deliverables
• Responsibility sharing for maintenance and updates

Because this model requires significant alignment of design and specifications between the provider and the user, a detailed examination is required in the checklist.

Now, let’s take another look at some concrete examples of inputs and outputs, referring to the diagram below.

Reference: Ministry of Economy, Trade and Industry | AI Usage and Development Contract Checklist

Checklist: Inputs

As previously mentioned, inputs refer to the content that is fed into AI. Specific examples include training data, algorithms, and prompts (instructions or command sentences for AI).

In AI services, inputs are essential. Without them, vendors cannot proceed with the design, learning, and inference processing of AI. So, what should be considered when providing inputs in such cases?

Handling User Inputs to Vendors Under Japanese Law

Therefore, it is essential to clearly define in the contract terms whether users have an obligation to provide information (inputs) such as learning data, rules, and specifications to vendors, and the specifics of such information. The details include the following:

• What kind of inputs the user will provide
• The timing, format, and quality standards for provision
• Whether there are any conditions that the inputs provided by the user to the vendor must meet in terms of content (nature, volume, granularity, etc.)
• Whether the above conditions are acceptable in light of the user’s purpose for using the service

Handling of Input Information from Vendors to Third Parties Under Japanese Law

In AI services, vendors use input (e.g., data or specifications) received from users to build and provide AI solutions.

However, it is crucial to confirm in the contract whether the vendor can provide or reuse this input for third parties, and under what conditions, as there are cases where such external provision is possible.

Particularly, since the input may include the user’s business know-how, confidential information, personal data, and intellectual property, providing it to third parties can lead to significant risks.

Therefore, it is necessary to ensure that the following points are clearly stipulated in the contract:

• Whether the vendor is allowed to provide the input received from the user to third parties
• If external provision is permitted, are there any restrictions on the recipients, scope, or purpose of such provision?
• How to handle intellectual property rights and confidential information included in the user’s input

If there are concerns regarding the above points, strategies such as “not providing unnecessary information” or “considering abandoning the contract if third-party provision of input is not acceptable” can be contemplated.

Managing Vendor Input

In AI services, the input provided by users to vendors (such as training data, business rules, specifications, etc.) often contains personal information, confidential information, and intellectual property.

Therefore, it is crucial to clarify the responsibilities vendors have regarding the handling and management of such input.

So, what should be considered contractually regarding the management of input? Here are some examples:

(Presence and Standard of Management Obligations)

• The type of management obligations vendors have for the input received from users
• If vendors have management obligations, the required standard of management and corresponding measures
• Whether users can request audits or information provision regarding the vendor’s management system
• Whether the management system is appropriate in light of the user’s service usage objectives

(Retention Period of Input)

• The duration for which vendors can retain the input
• The actions vendors should take after the retention period ends

(Obligation to Delete)

• Whether vendors are obligated to delete the input upon user request or at the end of the contract
• Whether there is an obligation to issue a certificate of deletion (deletion certificate, etc.)
• Whether such deletion measures are reasonable in light of the user’s business objectives

When providing personal data, if the vendor’s use for its own purposes or matching is permitted, it may not be organized as a consignment but as a third-party provision, which may require the individual’s consent. Therefore, it is necessary to organize a personal data handling scheme considering this.

In cases involving the consignment of personal data, it is essential to examine whether the supervisory authority that can be exerted on the vendor is at a sufficient level to process it as a consignment (if not, consider processing it as a third-party provision, etc.). Additionally, when transferring personal data to foreign countries, regardless of whether it constitutes a “provision” under the Personal Information Protection Law, it is necessary to be mindful that information provision regarding the held personal data may be required.

When providing personal information, if a leak of personal information by the vendor occurs, the user may be required to report to the supervisory authority, so particular attention is necessary.

Regarding the obligation to delete, if the applicable laws require the vendor’s obligation to delete, it is also possible to request deletion as an exercise of rights outside the contract.

Checklist: Outputs

Outputs, simply put, refer to the results produced by AI. These are commonly in the form of text or images, but can also include program code, blueprints, marketing strategy documents, and more, with a variety of output formats. Some outputs may contain highly confidential information, so they must be handled with care.

When Users Distribute Outputs Externally

By utilizing AI services such as generative AI, users can obtain various outputs (generated text, images, inference results, etc.).

These outputs are not only utilized internally but are also often provided or disclosed to third parties such as customers, business partners, and the general public.

However, outputs generated by AI may potentially include risks such as inaccurate information, infringement of rights, and ethical issues. To prevent unintended third-party distribution (including information leaks), it is essential to establish a management system and conduct thorough internal training.

Therefore, when users provide outputs outside the company, contractual arrangements and risk management become critical considerations. Make sure to check the following points:

• Whether the user can provide the output to a third party
• If the user can provide to a third party, what conditions for third-party distribution (recipients, scope of provision, and other conditions) are imposed. In the case of a usage-based service, it may be necessary to indicate that the service is provided using AI
• Considering the user’s purpose of service use, whether the above conditions are acceptable

Outputs from Vendors to Users (b-5-1)

Outputs obtained through the use of AI services (generated text, images, blueprints, reports, etc.) become valuable assets for users.

However, arrangements regarding the ownership of rights to these outputs, such as “Who has the rights?” and “Can they be freely used?” must be clearly defined in the contract to avoid future disputes. Specifically, the following points need to be clarified:

• Whether the user acquires certain rights, such as intellectual property rights, in relation to the output
• If the user acquires rights, what conditions for acquiring those rights (subject of rights transfer, whether there is a consideration, existence and terms of licenses, and other conditions) exist
• Considering the user’s purpose of service use, whether the above conditions are acceptable

Key Considerations When Utilizing a Checklist

This checklist is not legally binding as a contract but is designed to organize contractual discussion points from both the user and vendor perspectives regarding the provision and use of AI-related services. Therefore, when actually entering into a contract, it is necessary to select the relevant checklist items and concretize the contractual terms for each item, based on the specific factual circumstances of the contract (such as the form of the contract, the content of the services, the nature of the inputs and outputs, and the rights and obligations of the parties involved).

The appropriate response based on the checklist depends on the specific circumstances of the individual user. Therefore, it is necessary to make a comprehensive judgment by considering the following elements, which include the relevant circumstances:

• The content of the AI-related services provided by the vendor
• The form of the contract (terms of use or individual contract)
• The risks associated with accepting the contractual wording
• The feasibility of fulfilling each contractual obligation
• The availability of alternative services and methods in light of the intended use of AI
• The effort required for contract negotiations
• The possibility of risk reduction through methods outside the contract (such as actual operation)

Conclusion: Consult with Experts on AI Contracts

Thus far, we have delved into the “AI Utilization and Development Contract Checklist” published by the Ministry of Economy, Trade and Industry, examining in detail the contractual issues related to inputs and outputs, types of contracts, and points to consider when utilizing AI.

AI technologies, including generative AI, are expected to become increasingly integrated into the core of business in the future. However, their use involves numerous legal and practical points that need to be carefully organized, such as copyright, personal information, confidentiality, the possibility of reuse, and the allocation of responsibilities.

To properly utilize AI, it is not enough to simply introduce the technology; it is essential to clarify the rights and obligations between parties through contracts and prevent risks before they occur. Especially with complex AI contracts, proceeding with the advice of in-house legal and intellectual property departments or external experts ensures a safe and practical approach.

While promoting the use of AI, make sure not to neglect the review of contract contents and collaboration with specialists to minimize legal risks.

Guidance on Measures by Our Firm

Monolith Law Office is a law firm with high expertise in both IT, particularly the internet, and legal matters. Our firm provides a variety of legal support, including the drafting and reviewing of contracts, for clients ranging from Tokyo Stock Exchange-listed companies to venture businesses. For more details, please refer to the article below.

Areas of Practice at Monolith Law Office: Corporate Legal Affairs for IT & Startups