On June 16, Japan will enact the amended Telecommunications Business Act, including the External Data Transmission Rule. This new rule, regarding the use of user information, shares some fundamental ideas with the cookie consent requirements of the EU ePrivacy Directive and applies to various online services provided through web browsers and apps. Businesses offering online services should confirm whether the rule applies to their services, and consider whether to amend existing policies or even establish new ones.
Data protection scope of the APPI
In Japan, the general privacy law is set out in the Act on the Protection of Personal Information, which provides rules for the handling of personal information and data. Under the APPI, "personal information" is defined as information about an individual that can be used or combined with other data to identify the specific individual. Personal data means personal information constituting part of a personal information database. Personal information and personal data are subject to various rules within the APPI, including the requirement of notification at the time of collection and the obligation to obtain consent of the data subject when personal data is provided to a third party.
It should be noted if certain information cannot be used to identify a specific individual, it does not fall into either personal information or personal data, even if such information relates to a natural person. However, the amended APPI, which came into effect April 2022, imposes a new obligation on data providers when they provide third parties with "personally referable information." Not falling under personal information, this data type includes a person's website browsing history collected through cookies and other online identifiers, as well as information indicating their product purchase history, service usage history and interests. Personally referable information also concerns, for the purpose of confirming a data subject's consent, whether the recipient will receive the information as personal data. That is to say, the recipient is able to identify the specific individual by combining the personally referable information with other information they have, thereby making the combined information personal data. In previous articles, we provided an overview of the new regulation and practical guidance on it by the guidelines.
Introduction of the External Data Transmission Rule
To ensure comprehensive transparency about the use of data concerning users of telecom services, the External Data Transmission Rule requires covered telecom businesses directing the transmission of user information (e.g., identifiers such as IDs recorded in cookies, advertising IDs, users' behavioral information such as webpage history, usernames, contact information of friends, etc.) recorded in the user's device to anyone other than the user themselves to do one of the following:
- Notify users of this transmission.
- Publicly announce this transmission.
- Obtain the consent of users for this transmission.
- Enable users to opt out of this transmission and publicly announce the existence of this option.
This applies when the business is offering telecom services specified in the applicable Ministry of Internal Affairs and Communications ordinance.
This rule covers broader situations on the use of user information than the APPI does, and is also conceptually similar to the cookie consent requirements of the EU ePrivacy Directive. However, in a sense, this rule is milder than the APPI and the ePrivacy Directive, because it does not require covered businesses to obtain the user consent. Instead, it merely requires a notice or public announcement that the transmission will suffice.
What is covered by the External Data Transmission Rule?
The scope of the rule is, in fact, very broad. Pursuant to the applicable MIC ordinance and the draft commentary to the rule released by the MIC in December 2022, the specific telecom services subject to the rule are:
- Telecom services intermediating communications between other persons, e.g., email services, direct messaging services and closed online meeting services.
- Telecom services that
- Record and store information received from users in servers and send such information at the request of unspecified users, e.g., social media services, online bulletin board services, video sharing services, online shopping malls, sharing services and matching services.
- Simultaneously send information received from users at the request of unspecified users, e.g., live streaming services, online gaming services.
- Online searching services.
- Services offering various types of information, including news, weather forecasts, videos, maps, transfer guides and job searches.
This rule can also apply to telecommunication services not required to be registered with the MIC under the TBA, and the above fourth category in particular covers a wide range of online services. However, if a business simply posts information about itself on its website, or sells its own products on its retail website, the business is then providing telecom services for its own purposes and is therefore not subject to the rule.
What must be done when the External Data Transmission Rule applies?
When the External Data Transmission Rule applies and businesses notify or publicly announce the required information, they are obligated to provide certain information in a prescribed manner. Specifically, business must inform users of:
- The items of user information to be transmitted.
- Which entity operates the destination (external) server.
- The purpose for which the user information is to be transmitted.
Businesses must provide this information in the following prescribed manner:
- Writing the information in Japanese, avoiding the use of technical terms and using plain language.
- Displaying text in an appropriate size without the need for additional user manipulation.
- Ensuring users can easily check this information in other respects, such as adopting easy-to-read font colors in consideration of websites or app backgrounds, and layering the webpage so users can see the entirety of the notification without scrolling.
In addition to the above, when businesses notify users of the information, the businesses must display either the information or the location of the page containing such information, like a URL, on the user's telecom device just in time, such as in a pop-up. If only some parts of the information are displayed in the notification, it is necessary to ensure users can easily reach the rest of the information. Alternatively, businesses must ensure users can recognize the information as easily as or more easily than the above.
Also, when businesses publicly announce the information, the businesses must:
- In the case of a website, display the information on a webpage the users access or a webpage easily locatable by users from such webpage.
- In the case of mobile apps, display the information on the first page of the app, or on a page easily locatable by users from the first page.
- Ensure users can recognize the information as easily as or more easily than in the above points.
Exemptions to the obligations of the External Data Transmission Rule
There are some exceptional cases where covered telecom businesses are not required to implement either of the above-mentioned measures.
One exception is for information that must be transmitted to use the telecom service, including:
- Information necessary for providing the telecom service, such as information necessary to properly display codes, sounds or images on the screen of users' telecom device, including operating systems, display settings, language settings and web browsers. In the draft commentary the MIC says information sent to the provider of the telecom service that the user actually and intentionally uses (as opposed to information transmitted automatically or without the user’s direct intention) falls within this exemption. This is fairly different from the EU ePrivacy Directive idea concerning a "strictly necessary" exemption, decided mainly on the purpose of the cookies.
- Information necessary for redisplaying information on the user's screen that the user previously input when using the telecommunication service. This includes information necessary for redisplaying goods in a shopping basket, when a user accessed an online shopping mall, put such goods in the their basket and later returned to the online shopping mall.
- Information necessary for redisplaying information concerning the user's authorization that they entered when using the telecom service.
- Information necessary for detecting abusive or improper acts against the telecom service, or for mitigating the damage of such unfair acts. In the draft commentary to the rule, the MIC says this exemption only applies to information transmission necessary for security measurements for the telecom services which the user uses.
- Information for appropriate operation of the telecom service, such as information necessary for load reduction or load balancing of the telecom facilities.
Another exception is for identification codes sent to the user by the telecom service provider that are sent back, such as first-party cookie identifiers.
What will happen next?
The MIC is now finalizing the draft commentary to the rule. It is expected to solicit public comments in March and April to finalize the rule and publicly announce it before the rule comes into force June 16.