MONOLITH LAW MAGAZINE

What is the 'Cloud Exception' in the Personal Information Protection Law? Explaining Based on Actual Cases of Administrative Guidance Received by Cloud Service Providers

Business operators handling personal information are subject to various regulations under the Japanese Personal Information Protection Act. Our personal information is deeply connected to our privacy and includes critical details about physical characteristics and finances, so it’s only natural that strict rules are established to protect it.

However, there are certain exceptions within this law. One such exception is known as the “cloud exception.”

So, what exactly is the “cloud exception”? In this article, we will clearly explain the outline and application conditions of the “cloud exception,” based on the case of MK System, which received administrative guidance in Reiwa 6 (2024).

Principles and Exceptions When Providing Personal Data to Third Parties Under Japanese Law

First, let’s review the principles and exceptions regarding the provision of personal data to third parties as stipulated in the Japanese Personal Information Protection Law.

Principles Under the Personal Information Protection Law When Providing Personal Data to Third Parties

When a personal information handling business operator utilizes cloud services, it is considered as “entrusting all or part of the handling of personal data” under Article 27, Paragraph 5, Item 1 of the Personal Information Protection Law. Consequently, it is a fundamental principle that the operator must conduct necessary and appropriate supervision over the cloud service provider in accordance with Article 25 of the Personal Information Protection Law.

Understanding the Cloud Exception Under Japanese Law

The so-called “Cloud Exception” refers to a specific legal concept.

In this context, “Cloud Service Providers” primarily offer IT infrastructure such as storage and servers (IaaS/PaaS), and they manage, store, and process data from other companies via the internet. Examples of such providers include:

  • Amazon Web Services (AWS): Provided by the American company Amazon and widely adopted by Japanese companies.
  • Microsoft Azure: A cloud infrastructure service by Microsoft, with numerous implementations in government agencies.
  • Google Cloud Platform (GCP): Offered by Google, known for strengths in AI and big data processing.

The Cloud Exception becomes relevant when businesses that develop systems on the cloud infrastructure (IaaS or PaaS) of these Cloud Service Providers and offer them to customers as SaaS (Software as a Service) handle personal data.

According to the Q&A on the “Guidelines for the Protection of Personal Information Law” by the Personal Information Protection Commission, the following is stated in Q7-53 regarding Cloud Service Providers:

(When not considered a third party) Q7-53 If a business operator handling personal information utilizes an external service provider through a cloud service contract for an information system that handles electronic data containing personal data, is it necessary to obtain “consent from the individual” (Article 27, Paragraph 1 of the Law)? Or, is it considered “entrusting all or part of the handling of personal data” (Article 27, Paragraph 5, Item 1), thus requiring supervision of the cloud service provider based on Article 25 of the Law?

A7-53 There are various forms of cloud services, but whether the use of a cloud service constitutes a third-party provision requiring the individual’s consent (Article 27, Paragraph 1) or an entrustment (Article 27, Paragraph 5, Item 1) depends not on whether the stored electronic data includes personal data, but on whether the cloud service provider is handling the personal data. If the cloud service provider is not handling the personal data, the business operator handling personal information does not need to obtain the individual’s consent. Furthermore, in the aforementioned case, since it is not considered a provision of personal data, it does not fall under the category of “provision associated with entrusting all or part of the handling of personal data” (Article 27, Paragraph 5, Item 1), and there is no obligation to supervise the cloud service provider based on Article 25. The considerations for safety management measures by the business operator handling personal information when the cloud service provider is not handling the personal data can be found in Q7-54. A case where the cloud service provider is not handling the personal data may include situations where the contract stipulates that the external business operator will not handle the personal data stored on the server and appropriate access control is being conducted. For the relationship with Article 28, refer to Q12-3.

Q&A on the Guidelines for the Protection of Personal Information Law | Personal Information Protection Commission

In other words, users of cloud services in Japan do not need to supervise cloud service providers if the exception requirements are met. To qualify for the Cloud Exception, the following two conditions must be met:

  • The contract stipulates that the external business operator will not handle the personal data stored on the server.
  • Appropriate access control is being conducted.

Administrative Guidance Issued to MK System Corporation Under Japanese Personal Information Protection Law

On March 25, Reiwa 6 (2024), the Personal Information Protection Commission issued guidance to MK System Corporation based on Article 147 of the Japanese Personal Information Protection Law. This action was taken in response to a significant data breach affecting approximately 7.5 million individuals. Following this incident, the Personal Information Protection Commission has released an alert titled “Points to Note for Cloud Service Providers as Personal Information Handlers under the Personal Information Protection Law.”

Reference: Personal Information Protection Commission | Alert on Points to Note for Cloud Service Providers as Personal Information Handlers under the Personal Information Protection Law

Let’s review the administrative guidance issued to MK System Corporation regarding the cloud exception under the Japanese Personal Information Protection Law.

Case Overview

MK System Corporation had constructed a social insurance and human resources support system using servers from China’s Tencent Cloud, providing services to users such as social insurance labor consultant offices.

In June of Reiwa 5 (2023), the server was subjected to unauthorized access, raising concerns about the potential leak of personal data managed within the system. This data included names, dates of birth, genders, addresses, basic pension numbers, employment insurance beneficiary numbers, and My Number (personal identification numbers) of employees from companies and businesses that are clients of the social insurance labor consultants.

When applying the guidelines to the relationship between these three entities, it results in the following:

| Position under the Guidelines | Business Operator | Content |
|---|---|---|
| Contracting Party | Users such as social insurance labor consultants (Personal Information Handling Business Operators) | In charge of handling personal data of clients (companies and individuals) |
| Contracted Party | MK System Corporation | Provides a system on the cloud that substitutes and supports social insurance labor consultant tasks. Processes personal data based on client instructions |
| Subcontracted Party | Tencent Cloud (China) | Entrusted by MK System Corporation with cloud infrastructure. Potential for being considered as providing data overseas |

The Personal Information Protection Commission has determined that there were deficiencies in MK System Corporation’s technical and safety management measures.

Guidance on Administrative Directions

The Personal Information Protection Commission has issued administrative guidance based on the provisions of Article 147 of the Japanese Personal Information Protection Act, as well as the collection of reports pursuant to Article 146, Paragraph 1 of the same act.

Alert from the Personal Information Protection Commission

The Personal Information Protection Commission has released a notice titled “Points to Note for Cloud Service Providers as Personal Information Handlers under the Personal Information Protection Law (Alert).”

This alert primarily advises users of cloud services to determine whether the use of such services constitutes the entrustment of personal data handling (as per Article 27, Paragraph 5, Item 1 of the Personal Information Protection Law). If it does constitute entrustment, the personal information handlers using the cloud service must exercise necessary and appropriate supervision over the service provider.

Regarding MK System, the following three points indicate that the cloud exception does not apply, and it is considered a personal information handler, thus requiring appropriate supervision in handling personal data:

  • The terms of use stipulate that the cloud service provider may perform necessary actions such as monitoring, analyzing, and investigating data when deemed necessary for maintenance and operational purposes, and that, except in certain cases, the provider must not use or disclose the data on the system to third parties without permission.
  • The cloud service provider possesses a maintenance ID, allowing access to the personal data of the cloud service users, and no technical access control measures have been implemented to prevent handling.
  • The provider has actually handled the personal data of the cloud service users after exchanging confirmation documents with them.

Points to Note for Cloud Service Providers as Personal Information Handlers under the Personal Information Protection Law (Alert) | Personal Information Protection Commission

Key Points for Cloud Service Providers

Taking into account the legal issues and administrative guidance/warnings explained so far, what should cloud service providers (such as MK System in the aforementioned example) be mindful of?

Reassess Whether You Meet the Requirements for the Cloud Exception

First, reassess whether the services you provide meet the requirements for the cloud exception.

In light of the recent advisory from the Personal Information Protection Commission, businesses using cloud services may scrutinize whether their cloud service providers are fulfilling the cloud exception requirements.

Therefore, cloud service providers should also make sure to reassess whether they are indeed meeting the requirements for the cloud exception.

If You Do Not Meet the Cloud Exception, You Must Respond to Oversight from Your Clients

If you do not meet the requirements for the cloud exception, you must respond to oversight from the users of your cloud services (in this case, the social insurance and labor offices or companies that have been using MK System’s services).

Oversight from cloud service users includes the following actions, as stated in the Guidelines for the Protection of Personal Information (General Provisions) 3-4-4 Supervision of Contractors (related to Article 25 of the law):

  • Appropriate selection of contractors: It is necessary to confirm that the safety management measures of the contractor are equivalent to those required of the principal by Article 23 and these guidelines.
  • Conclusion of a subcontracting agreement: It is desirable to have a contract that incorporates the principal’s reasonable understanding of the handling status of the entrusted personal data.
  • Understanding the handling status of personal data by the contractor: Regularly evaluate through audits to ensure appropriateness.

If the safety management measures of the contractor are inadequate, there is a possibility that the contract may be terminated, and the contractor may be compelled to take necessary safety management measures or comply with regular audits.

Conclusion: Consult a Lawyer for Personal Information Protection on Cloud Services

In this article, we have explained the risks for cloud service providers when they fail to meet the cloud exception, based on the administrative guidance published in March 2025 (Reiwa 7) by the Personal Information Protection Commission.

The information leak in question prompted the Personal Information Protection Commission to issue a warning to users of cloud services. The warning is relevant not only to the users but also to the cloud service providers, who need to review their services and be mindful of the potential burdens that may arise.

In light of this administrative guidance, if you are uncertain about the risks to your company or the necessary measures to take, we recommend consulting a lawyer.

Guidance on Measures by Our Firm

Monolith Law Office is a law firm with extensive experience in both IT, particularly the internet, and legal matters. In today’s world, where many IT companies have come to expand their businesses using cloud services like AWS, guarding against the leakage of personal information has become an indispensable aspect of risk management in business operations. Should personal information be leaked, it can have a critical impact on corporate activities. Our firm possesses specialized knowledge in preventing and responding to information leaks. Please refer to the article below for more details.

Areas of practice at Monolith Law Office: Services Related to the Japanese Personal Information Protection Law

The Editor in Chief: Managing Attorney: Toki Kawase

An expert in IT-related legal affairs in Japan who established MONOLITH LAW OFFICE and serves as its managing attorney. Formerly an IT engineer, he has been involved in the management of IT companies. He has served as legal counsel to more than 100 companies, ranging from top-tier organizations to seed-stage startups.

Category: IT
