TMT 2025

JAPAN Law and Practice Contributed by: Hiromi Hayashi, Daisuke Tsuta, Masaki Yukawa and Keiichi Bando, Mori Hamada & Matsumoto

lated separately from crypto assets since 2023. Under the regulatory framework introduced in 2023, stablecoins can only be issued by licensed banks, trust companies or funds transfer service providers. Moreover, intermediaries of stablecoins are also regulated.

Security Tokens

In 2020, new regulations regarding security tokens were introduced. Because even low-liquidity investment interests such as trust or partnership interests can easily be distributed and transferred to investors by tokenisation, such investment interests were subjected to more stringent disclosure and licensing requirements to protect investors.

2. Cloud and Edge Computing

2.1 Highly Regulated Industries and Data Protection

In Japan, there are no laws or regulations that generally apply to cloud computing. However, certain services using cloud computing, such as voice communication services and email services, may constitute a telecommunications business under the Telecommunications Business Act (TBA). See 6. Telecommunications.

Where personal information is stored in a cloud, the Act on the Protection of Personal Information (APPI) will apply. The Personal Information Protection Commission (PPC), the principal regulator for the APPI, has clarified that businesses using cloud services must take security measures to protect personal information stored in a cloud service provided by a third party, but they do not need to supervise the providers of the cloud service or obtain consent from data subjects if the cloud service providers cannot access the stored personal information, regardless of whether the relevant data centre is located inside or outside Japan.

Industry-Specific Guidelines on Cloud Computing

Government cloud procurement

The Japanese government operates the Information System Security Management and Assessment Programme (ISMAP), pursuant to which Japanese government organisations may procure cloud services from cloud service providers registered with the ISMAP steering committee. The registration process requires applicants to submit an assessment report prepared by a third-party auditor registered with the committee, as well as other required information, including information regarding the risk of compulsory data access under foreign laws to enable the committee to review those foreign laws.

Cloud use by private-sector essential infrastructure

The Act on the Promotion of National Security through Integrated Economic Measures, which was promulgated in May 2022, imposes an additional requirement on essential infrastructure providers designated by the government from 14 essential infrastructure areas, namely, electric power, gas supply, petroleum, water, railways, motor freight, ocean freight, aviation, airports, telecommunications, broadcasting, postal services, financial services, and credit cards. Further, the Act was amended in 2024 to include port transport services, which will take effect by mid-November 2025. Designated providers are required to submit a written plan to the competent government ministry for review before they install certain essential facilities or outsource the maintenance or management of certain essential facilities, which include cloud services. In relation to the plan to use a cloud service, certain
