Metaverse is currently attracting attention from businesses and government, and accordingly discussions on legal issues related to the metaverse have been going on. In November 2022, the government set up a council consisting of businesses, legal experts and government officials to discuss legal issues regarding the metaverse. The council is expected to publish a report in 2023.

Intellectual Property Rights

Copyright

Reproducing the real world in the metaverse will not infringe copyright in most cases. While architectural works with copyrightable properties are often used as landmarks in the metaverse, that use is permitted by Article 46 of the Copyright Act. Article 46 permits the use of architectural works or works of art that are publicly available (like a statue in a park), but does not apply to signboards or other works that are copyrightable. However, Article 30-2 of the Copyright Act allows a third party copyrightable work to be incidentally included in another copyrightable work as long as the inclusion is minor and incidental to the principal copyrightable work (eg, where a third party’s copyrighted work was included in a photo). Based on this provision, when a vast space in the real world is reproduced in the metaverse, a signboard with copyrightable material that is also reproduced in the metaverse will be considered to be only a minor inclusion compared to the entire reproduced space so that the inclusion will be allowed under Article 30-2 of the Copyright Act.

An avatar that is generated using a user’s creativity may be copyright-protected. However, if the avatar lacks creativity (eg, it resembles a real person), it is not copyright-protected. Thus, determining creativity for purposes of copyright protection would be an issue. A further issue is determining what rules would be fair or appropriate for user generated contents.

Trade mark

Virtual goods may be produced with trade marks as in real-world goods. Since the goods and service classifications between the real world and the metaverse are different, trade marks for real-world goods would not be protected in the metaverse unless they are registered for virtual goods and services. Having said that, since an increasing number of brand-owning companies apply for virtual goods and services, metaverse providers would need to be more careful about using a third party’s trade marks. In light of the market growth of metaverse, more brand-owning companies are expected to register their trade marks for virtual goods and services.

Publicity rights

An avatar may be generated from an image of a public figure. There is a judicial precedent ruling that a publicity right is granted if the name or image of the public figure has the power to promote the sale of goods and that publicity right is infringed if the name or image is used solely for the purpose of promoting sales (Supreme Court, 2 Feb 2012). Thus, such an avatar cannot be used to promote sales, but a publicity right would not be infringed if the user generates the avatar only for personal satisfaction or use.

Privacy Law

Users’ actions in the metaverse are collected and recorded by metaverse service providers, which can also collect and use users’ data, such as the users’ profiles, behaviour, interests, and preferences.

Not all users’ information in the metaverse is considered “personal information” under the Act on the Protection of Personal Information (APPI). The APPI defines “personal information” as information relating to a living individual which contains a name, date of birth, or other descriptions through which a specific individual can be identified. Therefore, if, for example, an individual registers only a nickname to use a metaverse service, the information collected by the provider of the metaverse service would not be considered “personal information”. However, if in using the metaverse, an individual’s real name or email address that could identify that individual is registered, then that information is considered personal information under the APPI.

Separately from the APPI, Japanese courts recognise a person’s right to privacy, which is the right for that person’s private life not to be disclosed except for legitimate reasons. Certain information collected in the metaverse can be protected as part of a person’s private life. Therefore, even if a piece of information is not considered personal information under the APPI, it is necessary to examine whether certain users’ data are protected as part of the users’ private lives.

Telecommunications Business Act

The Telecommunication Business Act (TBA), which was amended in 2022, requires large-scale social networking services (SNS) (ie, SNS with at least 10 million users if the service is provided without consideration, and with at least 5 million users if the service is provided with consideration) to file a notification with the Ministry of Internal Affairs and Communications (MIC). Metaverse service providers may also be subject to the TBA if they are large-scale as previously described. See 7. Telecommunications for details on TBA.

In Japan, trading practices and consumer protection in the context of digital platforms recently attracted public attention and two pieces of legislation were promulgated in 2020 and 2021.

Transparency and Fairness of Digital Platforms

The Act on Improving Transparency and Fairness of Digital Platforms was enacted in June 2020 and took effect in February 2021. Under the Act, the Ministry of Economy, Trade and Industry (METI) designates providers of regulated digital platforms with a certain size in sales according to the category of the platform:

• e-commerce marketplace with annual sales of JPY30 billion or more;
• app store with annual sales of JPY20 billion or more;
• advertisement media with annual sales of JPY10 billion or more; and
• digital advertising platforms with annual sales of JPY5 billion or more.

If so designated, such digital platform providers are required to disclose the conditions of accepting business operators, reasons for requesting purchasing services, factors affecting rankings, and other information. Such designated providers are also required to annually report their complaints handling, disputes resolution, disclosure and self assessment to METI.

Consumer Protection of Digital Platforms

The Digital Platform Consumer Protection Act was enacted in May 2021 and took effect in May 2022. The Act applies to platforms on which consumers may purchase goods, services or rights for consideration, without regard to the size of sales. The Act requires platform providers to proactively protect consumers from sellers, which are not platform providers but just merchants in digital platforms. Digital platform providers are required to take measures to enable smooth communication between sellers and consumers, investigate sellers in response to consumer complaints about transactional conditions, and require sellers to provide information on their identity as necessary. Digital platform providers may be requested by the Consumer Affairs Agency to remove certain goods, services or rights if there are any false or misleading descriptions that are not voluntarily remedied. Consumers may require digital platform providers to disclose the names, addresses, phone and facsimile numbers, email addresses, and corporate registration numbers of sellers if they need the information to exercise their rights against sellers.

In Japan, there are no laws or regulations which are generally applicable to cloud computing. However, certain services using cloud computing, such as voice communication services and email services, may constitute a telecommunications business under the Telecommunications Business Act (TBA). Please see 7. Telecommunications.

Where personal information is stored in a cloud, the APPI will apply. The Personal Information Protection Commission (PPC), the principal regulatory authority regarding the APPI, has clarified that businesses using cloud services must take security measures to protect personal information stored in a cloud service provided by a third party, but they do not need to supervise the providers of the cloud service or obtain consent from data subjects if the cloud service providers cannot access the stored personal information, regardless of whether the relevant data centre is located in or outside Japan.

Industry-Specific Guidelines on Cloud Computing

Government cloud procurement

The Japanese government operates the Information System Security Management and Assessment Programme (ISMAP), pursuant to which Japanese government organisations may procure cloud services from cloud service providers registered with the ISMAP steering committee. The registration process requires applicants to submit an assessment report prepared by a third-party auditor registered with the committee, as well as other required information, including information regarding the risk of compulsory data access due to the applicability of foreign laws to enable the committee to review those foreign laws.

Financial service operators

Financial service operators – such as banks, insurance companies and financial instrument business operators – are required by the supervisory guidelines issued by the Financial Services Agency (FSA) to take outsourcing management measures. Since the use of cloud services provided by a third-party service provider is a form of outsourcing, financial service operators must implement outsourcing management measures such as conducting a due diligence check of the service provider, entering into a service agreement that satisfies the supervisory guidelines and auditing the service provider. More specifically to cloud, the financial service sector often refers to the guide to cloud implementation and operation of financial institutions published by the Centre for Financial Industry Information Systems (FISC).

Healthcare information

The healthcare industry (eg, hospitals, clinics, dentists and pharmacies) is subject to the Security Guidelines for Medical Information issued by the Ministry of Health, Labour and Welfare. Providers of cloud service to the healthcare industry are subject to the Security Guidelines for Information Service Providers for Medical Information issued by METI and MIC. These guidelines include both mandatory requirements as well as government recommended actions.

Product Liability and General Tort Liability

Under the Product Liability Act (the PL Act), a producer of a manufactured or processed movable good is liable for damages to human life or body, or property caused by a defect in the good, regardless of whether or not the producer is negligent.

Since big data, machine learning and artificial intelligence (AI) are not movable goods, producers of big data, machine learning or artificial intelligence themselves will not be subject to the PL Act. Rather, it is the producers of movable goods into which big data, machine learning or artificial intelligence is installed which will be liable for the damages caused by a defect in those movable goods, including a defect in the installed big data, machine learning or artificial intelligence.

Producers of big data, machine learning or artificial intelligence may be subject to general tort liability under the Civil Code. General tort liability is not a strict liability, unlike liability under the PL Act, and the plaintiff must prove intentional act or negligence (including simple negligence) on the part of the defendant to successfully claim for damages.

Autonomous Vehicle Accident Liability

Under the Act on Securing Compensation for Automobile Accidents, any person who has control over or operates an automobile for their own benefit (eg, an owner or a driver) – the “responsible person” – is liable for damages for the death or bodily injury of another person arising from the operation of the automobile. The foregoing liability, however, does not apply if the responsible person proves that they and the driver exercised due care in controlling and operating the automobile, that the injured party or a third party other than the driver acted intentionally or negligently (including through simple negligence), and that there was no defect in the structure or functions of the automobile.

One issue is whether this special liability under the present automobile accident compensation framework should be modified to properly address car accidents caused by cars operated by artificial intelligence, such as holding the car manufacturers liable for damages. The Research Report on Damage Liability regarding Autonomous Vehicles, which the Ministry of Land, Infrastructure and Tourism published in March 2018, concluded that it is appropriate not to modify the existing special liability for automobile accidents during the transition period until 2025 when autonomous vehicles are expected to be widely used. The report recommended that insurance companies that have compensated for damages caused by a defect in any autonomous driving equipment installed in a vehicle should be able to recover the compensation they paid from the car manufacturers that installed the defective artificial intelligence-driving equipment.

Based on the recommendation, the Japanese Road Transport Vehicle Act was amended in May 2019 so that any autonomous driving equipment is required to have recording equipment to provide insurance companies with evidence as to the cause of an automobile accident.

Data Protection Consideration

The APPI has not imposed strict conditions focused only on processing personal information by AI. The APPI requires business operators using a personal information database in their business (“handling operators”) to use personal information only within the scope of the purpose of use notified to data subjects or publicly announced when collecting personal information. Therefore, as a general rule, it is required to notify or publicly announce the purpose of machine learning in order to use personal information for machine learning.

In this regard, the purpose of generating statistical data by aggregating or analysing a large amount of personal information does not have to be notified to data subjects or publicly announced. However, the purpose of profiling, such as user journey analysis for targeted advertisement and credit scoring, must be notified to data subjects or publicly announced.

Further, if handling operators pseudonymously process personal data, they will be allowed to internally use the pseudonymously processed information beyond the original purpose of use that was notified to data subjects or publicly announced when collecting the original data. Thus, handling operators may use personal data for machine learning even where the machine learning is not included in the purpose of use notified to the data subjects when the personal data was collected.

Copyrights Consideration

In the process of machine learning, copyrighted works may be copied or adapted, which may cause an infringement of copyrights. To promote AI developments, the Copyright Act grants an exemption allowing the use of copyrighted works to the necessary extent without permission from the copyright owner where the use (i) does not aim to let the user or others enjoy thoughts or sentiments expressed in the work, and (ii) does not unjustifiably harm the copyright owner’s interests, taking into consideration the type and purpose of the work and the manner in which the work is used.

This exemption covers the use of copyrighted works for extracting informative elements from a large amount of copyrighted or other works and analysis. The Copyright Act was amended in 2019 to clarify that this exemption covers not only statistical analysis but also deep learning, and not only copying but also transmission for grid computing.

Protection of “Shared Data with Limited Access”

To promote data sharing between businesses so that big data will be more widely used, the amendment to the Unfair Competition Prevention Act introduced the protection of “shared data with limited access” which is defined as any technical or business information:

• that is accumulated in a reasonable amount by electronic means;
• that is provided to specified persons as a business; and
• the access of which is controlled by electronic means.

Information controlled as a secret, which would be protected as a trade secret, is excluded from the concept of shared data with limited access. Most typically, where data such as location of smartphones or cars is collected by a business operator (the “data holder”) and sold to third-party business operators for a fee (or shared among business operators in a consortium without charge) under the condition that the data can be used only for a certain purpose such as internal marketing analysis and cannot be redistributed or used for unauthorised purposes, the data would be protected as shared data with limited access. If shared data with limited access is wrongfully acquired, redistributed to third parties or used for unauthorised purposes, the data holder may seek an injunction and damage compensation under the Unfair Competition Prevention Act.

Under the Radio Waves Act (the RWA), in principle, users of radio equipment – including Internet of Things (IoT) devices using radio waves such as Bluetooth or Wi-Fi – must obtain a radio station licence from MIC. However, certain smaller-scale radio stations, including Wi-Fi and Bluetooth devices, are exempted from such licence requirement if the device conforms to the technical requirements established by MIC and bears a certification mark indicating such conformity (an R-mark). For users to comply with the foregoing requirements, manufacturers, importers or sellers of those devices apply for the certificate of conformity and put the certification mark on their products.

Radio equipment that has undergone technical conformity certifications conducted by foreign certification bodies based on mutual recognition agreements between Japan and certain foreign countries (currently, the USA, the EU and Singapore) is deemed to conform to the technical standards established by MIC in Japan and may bear an R-mark without a separate certification in Japan.

Please note that, due to Brexit, the mutual recognition agreement between the EU and Japan no longer applies to certification bodies in the UK and there is no mutual recognition agreement between the UK and Japan. However, the Minister for Foreign Affairs of Japan has issued a letter stating that the Japanese government will accept the certification by certification bodies in the UK in accordance with Article 38-31 of the RWA, which is similar to a mutual recognition agreement framework except that only non-Japanese manufacturers can rely on this Article 38-31 and Japanese manufacturers cannot use the certification bodies in the UK unlike under mutual recognition agreements. 

There is an exemption to the certification requirement that is available for devices which conform to technical specifications designated by MIC such as IEEE802.11b/11a/11g/11n/11ac/11ad and Bluetooth Core Specification Version 2.1 or later, if solely used for testing purposes. To rely on this exemption, a notification must be filed with MIC stating the start and close of the testing period. The testing period must be 180 days or shorter. Before filing the start notification, one must ensure that the device complies with at least one of the technical specifications designated by MIC.

Internet Connection

Under the TBA, any telecommunications device which is connected to a telecommunications circuit facility, such as an internet connection provided by a telecommunications business operator, must satisfy certain technical requirements, be certified by a registered certification body, and bear a “T-mark”. However, the guidelines issued by MIC on 22 April 2019 clarified that a Bluetooth device is exempt from the TBA certification requirement if it:

• can be used by connecting to a smartphone;
• does not have other functions that directly connect to telecommunications circuit facilities; and
• is certified as complying with the Bluetooth specifications.

A similar exemption applies to a Wi-Fi device if:

• the Wi-Fi device cannot be directly connected to the internet provided by a telecommunications business operator and is connected to the internet only through a certified router which bears a T-mark; and
• there is a statement in the manual that the device cannot be directly connected to the internet. 

Data Protection Consideration

If an IoT device collects personal information, such as a person’s appearance recorded by a camera or a voice recording enabling the specification of a certain person, the service provider which collects the personal information through that IoT device would generally need to comply with the requirements under the APPI.

Licence for Broadcasting Business

As described in 7. Telecommunications, a telecommunications business under the TBA does not include broadcasting businesses, which are separately regulated under the Broadcasting Act. Note that the key regulator of both the telecommunications business and the broadcasting business is MIC. 

The Broadcasting Act requires a licence prior to offering broadcasting services in Japan, which include:

• terrestrial-based television broadcasting;
• satellite-based television broadcasting; and
• cable television broadcasting.

The Broadcasting Act does not apply to companies with video-sharing platform services. In fact, there is no specific law which regulates video-sharing platform services.

The Broadcast Act restricts foreign investments in the broadcasting business. The following entities or parties are not eligible to hold a broadcasting licence:

• a person who is not a Japanese national;
• a foreign government or its representative;
• a foreign entity; and
• a company or entity in which any of the aforementioned entities or persons is the executive director, or holds 20% or more of the voting rights.

Licence for Radio Station

As described in 7. Telecommunications, users of radio equipment must obtain a radio station licence pursuant to the RWA, with certain exceptions. Thus, if a provider of broadcasting services uses radio equipment for the services, it must obtain a licence not only under the Broadcast Act but under the RWA as well.

As described in 7. Telecommunications, the RWA restricts foreign investments regarding licences to use radio equipment. While there are exceptions to such restriction, those exceptions are not available for the use of radio equipment for a broadcasting business.

Licence for Telecommunications Business

Under the TBA, “telecommunications” means sending, delivering or receiving codes, sounds or pictures by wire, wireless means, or any other electromagnetic means which includes the internet. A broadcasting business is excluded from the definition of telecommunications business.

The TBA requires a licence prior to offering telecommunications services in Japan. There are basically two types of such licences under the TBA, namely:

• a registration (toroku); and
• a notification (todokede).

If a provider of a telecommunications business installs or owns (including in the form of an “indefeasible right of use” or IRU) telecom circuits (eg, optic fibres or coaxial cables) at certain levels, it must be a registration carrier. Other providers who do not install such circuits (eg, ISPs) are basically required to only notify MIC prior to offering telecommunications services.

A party seeking to provide a telecommunications service must submit application documents to MIC. In the case of a registration, it must also appoint a general manager for the telecommunication facilities (denki tsushin setsubi toukatsu kanri sha) or a chief telecommunications engineer (denki tsushin shunin gijutsu sha). A notification is a relatively straightforward procedure which would take only several days if all the necessary documents are complete. The filing fee for registration is JPY150,000, but no fee is necessary for filing a notification. There is no licence term or annual fee for either registration or notification. It is advisable to unofficially consult with MIC before filing an official application.

Licence for Radio Station

As described in 5.1 Machine-to-Machine Communications, Communications Secrecy and Data, a user of a radio equipment must obtain a radio station licence pursuant to the RWA, with certain exceptions. Thus, if a provider of telecommunications services uses radio equipment for the services, it must obtain a licence not only under the TBA but also under the RWA.

The RWA restricts foreign investments in relation to obtaining a licence to use radio equipment. The following entities or parties are not eligible to hold the licence:

• a person who is not a Japanese national;
• a foreign government or its representative;
• a foreign entity; and
• a company or entity in which any of the aforementioned entities or persons is the executive director, or holds ⅓ or more of the voting rights.

However, there are exceptions to the foregoing restriction. For instance, if the purpose of the radio equipment is to operate a telecommunications business, the foregoing restriction does not apply.

The term of the licence is five years. There is also an annual fee for the use of radio frequencies. The amount of the licence application fee and the annual fee to use radio frequencies varies depending on the type of radio frequencies and the power of the antenna of the radio equipment.

IT Service Agreements

There are no specific laws or regulations that apply to IT service agreements. In addition, there are no laws that strictly regulate the location of data storage or a data centre, data-localisation, or price revision. However, the general contract law based on the will of the contracting parties applies to IT service agreements.

Parties should remember the following when incorporating a liability limitation clause into a contract:

• in a contract between a company and a consumer, a liability limitation clause may be invalidated under the Consumer Contract Act (CCA); and
• while the CCA does not apply to contracts between companies, a provision that exempts one contracting party from liability in the case of intentional or gross negligence may be invalidated under case law.

Data Localisation

There are no data localisation regulations. However, for some sectors, such as the medical sector, there are guidelines recommending storing data in locations where Japanese law applies, that is, Japan. These guidelines are not strictly required to be observed, but are usually complied with by the relevant sectors as a matter of practice.

Economic Security

In 2022, the Act on the Promotion of National Security through Integrated Economic Measures was legislated. Under the Act, essential infrastructure businesses such as electric power, telecommunication and financial service providers must file a plan with the government before introducing or entrusting management of certain important equipment. The government will review the plan and may issue a recommendation or order entities to modify or discontinue the plan if the government finds security issues. The provisions of this Act regarding the designation of essential infrastructure business operators will take effect within 18 months of 18 May 2022 and those regarding the requirement to submit the plan will take effect within 21 months of 18 May 2022. If contracting with designated critical infrastructure business operators in Japan, this Act should be taken into consideration.

Electronic Signatures

Japan does not have an equivalent to electronic identification and trust services (eIDAS) regulations to regulate trust services comprehensively, but the Act on Electronic Signatures and Certification Business (the Electronic Signatures Act) grants an “electronic signature” the same legal status as wet-ink signatures. An “electronic signature” refers to a measure taken with respect to information recorded electronically and which meets both of the following requirements (Article 2):

• a measure to indicate that the relevant electronic information was created by the person who has taken that measure; and
• a measure to confirm that the relevant information has not been altered.

Although government authorisation is not mandatory, 12 electronic signature service providers received confirmation that they satisfy the requirements of enabling “electronic signatures” from the Minister of Justice in accordance with Article 7, Paragraph 2 of the Act on Strengthening Industrial Competitiveness.

Please note that the Legal Affairs Bureau, which operates the real property and the company registration systems, does not accept all electronic signatures. Although electronic filing is permitted under laws and regulations, only electronic signatures designated by the Minister of Justice are accepted. Thus, there are still many applicants who apply for registration using physical documents, in which case, the originally signed documents may need to be submitted, depending on the type of registration they are applying for.

Time Stamp

There are no laws that require time stamps on documents, except when documents on national tax are electronically stored. The Electronic Book Preservation Act requires scanned data of paper-based documents on national tax and originally electronically produced documents on national tax to be accompanied by time stamps before they are electronically stored. Providers of the time stamps must enable proof of non-tampering for the term of the statutorily required storage period and a batch verification for a certain taxable period. Although an authorisation is not required to issue time stamps, the Japan Data Communications Association, a private association, established a voluntary accreditation programme for time stamp service providers.

Japanese Public Key Infrastructure (JPKI)

For the purposes of tax and social welfare, a unique identification number is assigned to each individual residing in Japan, regardless of nationality. That unique identification number can be used only for the purposes of tax, social welfare or other statutorily defined purposes and the collection and use of such unique number is strictly restricted in the private sector. However, each unique identification number card issued by the government is installed with a digital certificate, which the private sector can use to establish the identity of users online (called the Japanese Public Key Infrastructure or JPKI). A business may verify that digital certificate through the use of the revocation list or Online Certificate Status Protocol (OCSP) service provided by the Japan Agency for Local Authority Information Systems (J-LIS), provided that it obtains authorisation from the Minister of MIC or outsources the verification to an authorised service provider.

A considerable number of financial service providers recently started to rely on the JPKI for the purpose of complying with the Know Your Customer (KYC) requirement. Compared to traditional KYC measures, reliance on JPKI is efficient in time and cost. Driver’s licenses are also installed with an IC chip which can also be used for KYC purposes.

eKYC in the Financial Sector (other than JPKI)

In the context of KYC, separately from relying on the digital data stored in ID cards, another measure used by financial institutions to establish users’ identity online is to require a user to take a selfie (with a random pose) and a digital image of a government-issued ID cards by installing and using a smartphone application provided by the financial institution and to send both the selfie and the ID card image to the financial institution. The financial institution will compare the photo printed on the government-issued ID card and the selfie photo sent by the user. The comparison can be automatically processed provided that the false acceptance rate (FAR) is lower than a certain level determined by the government (note that the number is not publicly disclosed). This KYC measure is used by an increasing number of financial service providers.

Future Trust Services in Japan

According to the Comprehensive Strategy regarding Data issued by the Digital Agency in June 2021, Japan aims to establish a basis to introduce trust services within the early 2020s, such as by introducing standards for trust services and accreditation of trust services by a certification body.