Cloud computing in Japan

Market overview

Kinds of transaction

What kinds of cloud computing transactions take place in your jurisdiction?

Public and private cloud models are both common in Japan. In the public cloud model, multiple users share a single cloud environment provided by a cloud provider, and in the private cloud model, a company builds its own cloud environment for its use or use by its group companies. While both are expanding their market sizes year on year, currently, private cloud models have a larger share. The preference for most Japanese companies currently seems to be the private cloud model, probably because of concerns about the security level of public cloud environments. A recent trend within the private cloud model is the increasing use of the ‘community cloud’, where a limited number of companies share a private cloud, which is more cost-effective than an ordinary private cloud, which requires a user to construct their own cloud environment. Various types of cloud computing services, including software-as-a-service, infrastructure-as-a-service and platform-as-a-service, are provided by many prominent cloud providers.

Active global providers

Who are the global international cloud providers active in your jurisdiction?

International cloud computing providers in Japan include Amazon.com, Microsoft, Google and IBM for both public and private cloud computing services.

Active local providers

Name the local cloud providers established and active in your jurisdiction. What cloud services do they provide?

Local cloud computing providers in Japan include NTT Communications Corporation, NTT DATA Corporation, KDDI Corporation, Softbank Group Corporation, Fujitsu Limited, NEC Corporation and Internet Initiative Japan Inc. These entities provide both public and private cloud computing services.

Market size

How well established is cloud computing? What is the size of the cloud computing market in your jurisdiction?

Cloud computing in Japan is fairly well established and has been constantly evolving. The market is currently valued at about ¥700 billion and is expected to increase up to about ¥1,200 billion by 2023. The majority of Japanese companies now use cloud services, it being especially popular among finance and insurance companies, and large-cap companies. Companies use cloud computing services for various purposes such as inter- and intra-office communication, preserving and sharing data electronically, operating company servers and portal sites.

Impact studies

Are data and studies on the impact of cloud computing in your jurisdiction publicly available?

The Ministry of Internal Affairs and Communications (MIAC) issues a white paper on telecommunications annually, which contains the results of surveys that MIAC conducts regarding the cloud computing market. Further, think tanks such as Nomura Research Institute publish statistics and analyses of the current and future cloud computing market. According to the IT Navigator 2018, published by Nomura Research Institute, users of traditional network services such as leased line have been decreasing in recent years and their market sizes shrinking, in contrast to the rapid expansion of the cloud computing market.

Policy

Encouragement of cloud computing

Does government policy encourage the development of your jurisdiction as a cloud computing centre for the domestic market or to provide cloud services to foreign customers?

The Japanese government established the Strategic Headquarters for the Promotion of an Advanced Information and Telecommunications Network Society (IT Strategic Headquarters) within the Cabinet in January 2001. This organisation is tasked with promoting measures for an advanced information and telecommunications network society, expeditiously and intensively. Further, to encourage collaboration between the government, industry and academia in cloud computing services, the MIAC, the Ministry of Economy, Trade and Industry (METI) and the Ministry of Agriculture, Forestry and Fisheries, have established the Japan Cloud Consortium. This is a private sector organisation with more than 400 member corporations or organisations, and provides a forum for the members to share information on cloud computing services. MIAC in discussion with ASP-SaaS-Cloud Consortium, a non-governmental organisation, deals with matters regarding the provision and use of cloud computing services and guidelines regarding security issues. Moreover, MIAC regularly engages in discussions with foreign countries regarding security issues in cloud computing services.

Incentives

Are there fiscal or customs incentives, development grants or other government incentives to promote cloud computing operations in your jurisdiction?

Government authorities such as METI and the Tokyo Metropolitan Government grant subsidies to businesses aiming to introduce cloud computing services that use data centres with high energy efficiency, with a view to promoting energy conservation.

Legislation and regulation

Recognition of concept

Is cloud computing specifically recognised and provided for in your legal system? If so, how?

Although there are numerous legal issues pertaining to cloud computing, as we discuss below in detail, current Japanese statutory laws do not define cloud computing as a specific area of service to which certain restrictions or regulations apply.

Governing legislation

Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

There is no legislation or regulation that directly and specifically prohibits, restricts or otherwise governs cloud computing in or outside Japan.

What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

Under the Telecommunications Business Act (TBA), if cloud computing services include (i) telecommunications between the cloud provider and the customer and (ii) mediating telecommunications between two or more customers, then the cloud provider has either to file a notification or (if the cloud provider falls within the categories stipulated in TBA) register as a telecommunications carrier with the MIAC.

Under the Foreign Exchange and Foreign Trade Act, when a person or entity preserves data regarding certain technologies in servers located in foreign countries, that person or entity must obtain prior permission from METI. However, the interpretational guidelines issued by METI have clarified that if a customer preserves information in an overseas server of the cloud provider for the customer’s own use, then such permission is not necessary.

Breach of laws

What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?

A person who breaches the obligation described in the first paragraph of question 10 is liable to be punished by imprisonment with labour for no more than three years or a fine of no more than ¥2 million under the TBA.

Consumer protection measures

What consumer protection measures apply to cloud computing in your jurisdiction?

First, with respect to business-to-consumer (B2C) cloud service agreements, certain provisions that could be considered unfair to an individual customer who does not execute the agreement on business (defined as a ‘consumer’) would be nullified under the Consumer Contract Act. Such provisions include:

• totally exempting the cloud provider from liability to compensate the consumer for damages arising from default or tort by the cloud provider;
• partially exempting the cloud provider from liability to compensate the consumer for damages arising from default or tort by the cloud provider (limited to default or tort owing to the cloud provider’s intentional act or gross negligence);
• setting an agreed amount of liquidated damages or establishing a fixed penalty in the event of cancellation, which amount or penalty would exceed the normal amount of damages that would be payable to the cloud provider as a result of the cancellation of a contract, when compared to other contracts of the same type; and
• limiting the consumer’s right to terminate the cloud service agreement when the cloud provider is in default.

Second, the Act on General Rules for Application of Laws also includes a rule to protect consumers. Under this rule, if the governing law in a cloud service agreement is a law other than the law of the consumer’s habitual residence, and the consumer has manifested his or her intention to the cloud provider that a specific mandatory provision from within the law of the consumer’s habitual residence should be applied, such mandatory provision would apply to the matters stipulated by such mandatory provision with regard to the formation and effect of the cloud service agreement.

And third, under the Japanese Code of Civil Procedure:

• a consumer would be able to sue the cloud provider in a Japanese court if the consumer’s residence is in Japan at the time the cloud service agreement is executed; and
• the cloud provider would not be able to sue the consumer in a foreign court that both parties have agreed has the jurisdiction unless:
• the consumer’s habitual residence was in the foreign country when the cloud service agreement was executed; or
• the consumer sues the cloud provider in the foreign court or agrees to defend himself or herself against the cloud provider’s claim in the foreign court.

Sector-specific legislation

Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.

When a medical institution uses a cloud computing service to handle its patients’ sensitive information, such as diagnostic records, maintaining the security of the cloud environment that stores such information is of crucial importance. Therefore, the Ministry of Health, Labour and Welfare, METI and MIAC each issue several guidelines that require such medical institutions to select a cloud provider that has a reliable security code and system, execute an agreement that ensures the cloud provider’s proper handling of the confidential information (including prohibiting the provider’s unauthorised browsing or analysis of the information) and oblige the medical institution to regularly supervise the cloud provider.

Additionally, a financial institution that uses a cloud computing service for its customers’ confidential information is required to follow certain laws and guidelines regarding the security of the cloud computing service to which it outsources the handling of such information.

For example, the relevant financial laws and regulations, such as the Banking Act and the Financial Instruments and Exchange Act, require that if a financial institution preserves customer information through cloud computing services, it must establish the necessary systems for maintaining the security of such information and for supervising the cloud provider to which it has delegated the handling of such information.

Further, the Center for Financial Industry Information Systems authorised by the Cabinet Office issued a report in November 2014, recommending that financial institutions take the following measures to ensure the proper handling by the cloud provider of customer information:

• conducting due diligence when selecting a cloud provider and executing a service agreement with the cloud provider;
• requesting the cloud provider to disclose information regarding the operation of the service and security management system;
• ensuring the proper operation of the cloud computing service including encryption of the confidential information and maintenance of the storage devices;
• upon the termination of the cloud service agreement, deleting, or having the cloud provider delete, the data, and/or transfer it to another cloud provider; and
• supervising the cloud provider’s handling of the confidential information (including through on-site inspections).

Insolvency laws

Outline the insolvency laws that apply generally or specifically in relation to cloud computing.

If a cloud provider is subject to a ruling for the commencement of bankruptcy proceedings, the cloud service agreement, which is typically categorised as a quasi-mandate (Jun-inin) contract, will automatically terminate pursuant to the Japanese Civil Code, unless the parties have stipulated otherwise in the agreement.

On the other hand, if a cloud provider is subject to a ruling for the commencement of rehabilitation proceedings, the cloud service agreement will not automatically terminate, although a customer may terminate the agreement if the cause of termination (such as the cloud provider’s breach of the agreement) has already existed before the commencement of rehabilitation proceedings.

If the cloud service agreement does not automatically terminate or is not terminated by the customer, the trustee of the cloud provider as appointed under bankruptcy laws can decide whether the cloud provider should continue the agreement or terminate it under Japanese bankruptcy laws. If the agreement is terminated, the customer can request the trustee to return its data stored in the cloud provider’s server, regardless of whether there is a specific provision in the cloud service agreement that enables the customer to do so. However, under the current laws in Japan, it is unclear whether the customer can request the trustee to destroy or delete the data from the cloud server completely.

Data protection/privacy legislation and regulation

Principal applicable legislation

Identify the principal data protection or privacy legislation applicable to cloud computing in your jurisdiction.

Unless the cloud service agreement prohibits a cloud provider from handling personal information provided by a customer (eg, where the personal information is stored in a data centre owned by the cloud provider but the personal information is not accessible to the cloud provider at all), the cloud provider is obliged to handle the personal information subject to the Act on the Protection of Personal Information (APPI). Such obligations include the following items:

• The cloud provider has an obligation to take necessary and appropriate measures to ensure the secure management of personal data (generally, personal information compiled in a database) (personal data).
• The cloud provider shall, in having its employees handle personal data, exercise necessary and appropriate supervision over the employees so as to ensure the security of the personal data.
• The cloud provider is prohibited from providing any personal data to a third party without the prior consent of the person who originally provided the personal data (data subject), unless exceptions to the consent requirement apply. An example of such exceptions is where the cloud provider delegates all or part of the handling of personal data to an outsourcing company. However, in that case, the cloud provider must exercise necessary and appropriate supervision over the outsourcing company to ensure the secure management of the personal data.

Under a provision of APPI regarding overseas data transfers, a cloud provider must obtain the prior consent of the data subject before it can transfer his or her personal data to a third party located in a foreign country.

However, the data subject’s consent to overseas data transfers is not necessary if:

1. the foreign country is specified in the Personal Information Protection Commission Ordinance (the PPC Ordinance) as a country which has a data protection regime with a level of protection equivalent to that of Japan; or
2. the third-party recipient has a system of data protection that meets the standards prescribed by the PPC Ordinance.

For item (1), as of July 2018, the PPC Ordinance has not identified any such foreign country. However, the recent adequacy dialogue between Japan and the EU confirmed that the PPC intends to identify the EU as having an adequate data protection regime in 2018.

For item (2), under the PPC Ordinance, the standards of the data protection system that a third-party recipient outside Japan must meet are either of the following:

• there is assurance, by appropriate and reasonable means (typically by entering into a contract), that the recipient will treat the disclosed personal data in accordance with the principles of the requirements for handling personal data under the APPI; or
• the recipient is certified under an international arrangement, recognised by the PPC, regarding its system of handling personal information.

Cloud computing contracts

Types of contract

What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if applicable)?

For cloud computing services that are rendered in Japan, most cloud providers usually provide these services on the same terms and conditions for all customers, especially in B2C contracts. The normal practice is to provide a standard cloud service agreement on their websites, which the users must accept in order to use the services.

Typical terms for governing law

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?

Standard cloud service agreements provided by cloud providers typically stipulate that the location of the cloud provider’s head office is the governing law and the court that has jurisdiction over the head office is the court of first instance. However, conferring jurisdiction on a foreign court may sometimes be regarded as invalid under the Code of Civil Procedure, as described in question 12.

Typical terms of service

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and variation?

Material terms commonly include a stipulation for fees to be calculated as a fixed-rate or measured-rate fee, to be paid by a customer to the bank account designated by the cloud provider.

It is also common to prohibit a customer from undertaking certain activities such as:

• infringing the cloud provider’s or a third party’s IP or other rights;
• altering or deleting data owned by the cloud provider or a third party that is stored in the cloud server;
• activities that may obstruct or endanger the cloud provider’s systems or communication lines;
• pretending to be the cloud provider or a third party when using the cloud service;
• accessing the cloud provider’s system or network without the authorisation of the cloud provider;
• transmitting illegal or otherwise harmful contents to the cloud server; or
• other activities that are illegal or otherwise immoral.

Typical terms covering data protection

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality considerations?

It is common to require the cloud provider to implement necessary and reasonable security protection measures to secure the confidentiality of the customer’s data. To implement the requirement, it is also common to allow the cloud provider to take certain measures including suspension of the service when the cloud provider recognises the risk of the customer’s data being (or having been) divulged by, for example, a third party’s unauthorised access or malfunction of the cloud provider’s systems or communication lines.

However, there are provisions that exempt the cloud provider from all or part of liabilities arising from the security issues, described hereinafter. For example, some agreements stipulate that the cloud provider will not guarantee the thorough prevention of a third party’s unauthorised access or use of the server, nor indemnify damages incurred by the customer resulting from known or unknown security weaknesses. Other agreements require the customer to make backups of the data that it stores in on the cloud server and to preserve the ID or password appropriately, and exempt the provider from any liability when such ID or passwords are used by a third party.

Some agreements allow the customer to select the country where the cloud server is located.

Typical terms covering liability

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and provision of service?

In B2B cloud computing contracts, it is typical for the cloud provider and the customer to execute a service level agreement (SLA). Typical SLA terms include:

• the period during which the service is provided;
• the level of manpower of the support desk;
• the rate of operation and the management of data; and
• handling of system malfunction and level of security.

Many SLAs stipulate that if the cloud provider fails to meet the service level obligations, the customer may be exempted from paying part of the future service fees, or that the cloud provider will refund part of the service fee already paid.

Typical cloud service agreements include a provision that limits the cloud provider’s liabilities. For example, many cloud service agreements set a cap on the damages to be paid by the cloud provider to the customer as a result of actions attributable to the cloud provider, and allow the customer to claim only direct and ordinary damages (and exclude indirect, special and consequential damages). Other typical cloud service agreements exempt the cloud provider from any liability when the cloud provider is not at fault (such as in case of a third party’s unauthorised access, natural disaster, malfunction of systems or communication lines, or attack by a computer virus). It is also customary to stipulate that the cloud provider does not guarantee the commerciality, fitness for a specific purpose or non-existence of an infringement of third parties’ rights.

Typical terms covering IP rights

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?

Many cloud service agreements provide that the ownership of the intellectual property in data or information stored on the cloud server belongs to the person or entity who stored the data or information on the server (ie, the customer). Some agreements allow the cloud provider to copy the data in limited situations, such as when the cloud provider has to repair the communication line or equipment.

Further, in order to prevent the customer from infringing third parties’ rights and thereby causing the cloud provider to incur any liabilities towards the third parties, agreements also usually stipulate that the customer must not infringe a third party’s rights when it uses the cloud services. If the customer breaches the obligation and stores content that infringes third-party rights on the cloud server, the cloud provider will be able to claim an exemption from liability for any third party claims as a result.

Typical terms covering termination

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination?

Many cloud service agreements allow the customer a simple termination option, whereby a customer may terminate the cloud service agreement without cause, just by giving prior notice. However, some agreements require the customer to use the service for a minimum period and if the customer terminates the agreement before the completion of such period, the customer has to pay a certain amount of money to the cloud provider.

Cloud service agreements also usually allow the cloud provider to terminate the agreement if the customer is in breach of its obligation under the agreement or the customer is adjudged insolvent or bankrupt, or is liquidated or the like.

In light of the security management of the data stored on the cloud server, it is customary to require the customer to download the data before the cloud service agreement is terminated or expired at the customer’s own responsibility, and limit or deny access to the data after termination or expiry. The cloud provider, on the other hand, is required to delete all of the customer’s data stored on the server to ensure the confidentiality of the data.

Employment law considerations

Identify any labour and employment law considerations that apply specifically to cloud computing in your jurisdiction.

There are no Japanese labour or employment laws currently regulating cloud computing.

Taxation

Applicable tax rules

Outline the taxation rules that apply to the establishment and operation of cloud computing companies in your jurisdiction.

If a foreign cloud provider does its business through a ‘permanent establishment’ (as defined in the OECD Model Tax Convention) located in Japan, which is likely to include the cloud server, then such a cloud provider will be subject to Japanese business income tax.

Indirect taxes

Outline the indirect taxes imposed in your jurisdiction that apply to the provision from within, or importing of cloud computing services from outside, your jurisdiction.

Providing cloud computing services through telecommunication lines (typically, the internet), will be regarded as a ‘provision of service using telecommunication’.

A provision of service using telecommunication will be subject to Japanese Consumption Tax if it is regarded as a ‘domestic transaction’. If the service is provided to the customer whose residence is in Japan, then this will be regarded as a domestic transaction regardless of whether the cloud computing service is provided from within or outside Japan. In that case, Japanese Consumption Tax will be imposed on the customer.

Recent cases

Notable cases

Identify and give details of any notable cases, or commercial, private, administrative or regulatory determinations within the past three years in your jurisdiction that have directly involved cloud computing as a business model.

There are no notable cases, or commercial, private, administrative or regulatory determinations within the past three years in Japan that have directly involved cloud computing as a business model.

Update and trends

Key developments of the past year

What are the main challenges facing cloud computing within, from or to your jurisdiction? Are there any draft laws or legislative initiatives specific to cloud computing that are being developed or are contemplated?

Key developments of the past year27 What are the main challenges facing cloud computing within, from or to your jurisdiction? Are there any draft laws or legislative initiatives specific to cloud computing that are being developed or are contemplated?

No update at this time.

The information in this chapter is correct as at October 2018.