Japan: Telecommunications Business Law Amendments Introducing New Regulations for Cookies and User Credentials

In short

On June 13, 2022, the amendment to the law on telecommunications companies (“Amendment“) was passed. The amendment includes new regulations for the use of personally identifiable information and other information about individuals, including cookies. Telecommunications service providers subject to the amendment will be required to take measures based on the relevant Ministerial Orders to be issued by the Ministry of Interior and Communications (MIAC) in the near future.


  1. Regulations on providing user information to third parties, including cookies
  2. Obligations to correctly handle specific user information
  3. Other amendments
  4. Possible impact on businesses

Regulations on providing user information to third parties, including cookies

Under the amendment, where certain telecommunications service providers (to be specified in an upcoming MIAC Ministerial Order) intend to send user information falling under the new regulations to a third party, they will be required to give the user a possibility of confirmation.

The scope of user information subject to this requirement will also be defined in a future MIAC order. So-called third-party cookies are a conceivable example, while first-party cookies and information about a user’s operating system, screen settings and language settings should be excluded.

After the Amendment comes into force, before transmitting regulated user information to third parties, a telecommunications service provider subject to the new regulations must: (1) inform the user or make the information regarding the transmission user information to third parties readily available to all users, (2) obtain user consent, or (3) take opt-out steps. The details of each measure will also be defined in an upcoming MIAC order.

Obligations to correctly handle specific user information

Under the amendment, telecommunications service providers that exceed a certain size may be designated by MIAC as companies required to properly handle information protected by communications secrecy and certain user identification information ( “Specific user information“). Designated Service Providers are required to:

  • Create and inform users of information handling regulations for specific user information;
  • Formulate and publish an information handling policy to indicate the content of specific user information collected, and the purpose and method of its use;
  • Self-assess the state of information handling and revise information handling regulations and policy based on said assessment; and
  • Appoint and notify a general manager of the specified user information.

The target industry and the size of the carrier have not yet been determined. However, a threshold of more than 10 million users is currently considered a criterion.

Other amendments

In addition to the above, the Amendment also introduces the following new regulations:

  • Telecommunications service providers will be required to report to the Minister of MIAC in the event of suspension of activity or leaking of certain information.
  • Operators that provide search services or equivalent intermediary telecommunications services (eg providers of online search engines and SRS networks) will be required to file a notification of their telecommunications activities.
  • No operator that provides certain wholesale telecommunications services (for example, major mobile operators and certain fixed-line providers) may refuse the provision of its service in its area of ​​activity and the disclosure of information concerning the conditions service contracts without a legitimate reason.

Possible impact on businesses

Although the effective date of the amendment is determined in an MIAC order, it is expected to come into force no later than June 16, 2023. Telecommunications service providers should monitor the promulgation of relevant ministerial orders and confirm s they are in force. made subject to the new rules of the Amendment.

In addition, affected telecom service providers will need to prepare for public announcements regarding data usage – such as third-party cookies – prior to the effective date. It is therefore essential that service providers closely monitor enacted MIAC orders, determine whether they are engaging in data processing subject to the Amendment and, if so, update their current privacy policies and take further action. other necessary measures.

Cookies and other information relating to individuals that does not by itself identify a specific person and which can allow an individual to be identified when correlated with other information are regulated as personal information under the law. on the protection of personal information (APPI). Additionally, if a company transfers such information to a third party who can then identify an individual even when the transferor cannot, the APPI applies and the transferor is required to confirm that the recipient has obtained consent from the transferor. ‘individual. Therefore, in summary, even if the processing of data does not fall under the new regulation of the amendment, it can still be regulated by the APPI currently in force.

When a telecommunications service provider is designated as subject to user-specific information regulations, it is required to take certain steps, including creating and informing users of its information handling regulations. Therefore, telecommunications service providers should pay particular attention to the criteria for awarding such designations by the Minister of MIAC.

The content is provided for educational and informational purposes only and is not intended and should not be construed as legal advice. This may qualify as “lawyer advertising” requiring notice in some jurisdictions. Prior results do not guarantee similar results. For more information, please visit: