Some Main Laws to be Considered when Developing IoT business in Japan
Currently, in Japan, there are no laws to directly regulate Internet of Things (“IoT”). If you develop a business using IoT in Japan, you have to consider regulations based on various kinds of laws related to IoT in response to the actual style of the business. The laws to be considered depend on the style of the business and cannot be systematically categorized, but this article will introduce general concepts of some main laws to be considered for conducting a business related to IoT in Japan as below.
Product Liability Act
In Japan, under Article 3 of Product Liability Act, a manufacturer, a processor, an importer or others shall be liable for damages arising from the infringement of life, body or property of others which is caused by the defect in the delivered product which was manufactured, processed, or imported. “Defect” is defined under Article 2 of the Act as “a lack of safety that the product ordinarily should provide, taking into account the nature of the product, the ordinarily foreseeable manner of use of the product, the time when the manufacturer, etc. delivered the product and other circumstances concerning the product”. Thus, if a product for IoT lacks the safety that the product ordinarily should have provided and damages (e.g. data leakage) occur, the manufacture, etc. are liable for the damages even if there is no negligence.
In addition, as for safety, in July, 2016, the IoT Promotion Consortium, the Ministry of Internal Affairs and Communications, and the Ministry of Economy, Trade and Industry issued „IoT Security Guideline ver 1.0“. This Guideline introduces 5 guidelines as security measures, showing a total of 21 points. This is just a guideline which has no legally binding effect unlike a law, but it can be a norm to consider whether IoT has sufficient safety.
Electrical Appliance and Material Safety Act
For conducting a business using IoT, you have to consider a regulation based on Electrical Appliance and Material Safety Act. This Act covers about 450 items of electrical appliances. The “electrical appliances” are defined in Article 2, Paragraph 1 of the Act, and what you use by connecting to an outlet is generally applicable to electric appliances.
Even if a product is not applicable to electric appliances originally, it might be applicable to electric appliances by connecting to the Internet. Generally, when a product is covered by the Act, a person manufacturing or importing the product must file business notification, and attach a “PSE mark” on the product. Also, a person selling the product must confirm that the product has the “PSE mark”.
In Japan, when selling things emitting radio waves by connecting to the Internet, it is necessary to consider regulations based on the Radio Act. As a general rule, when using a product that emits radio waves, it is necessary for the user to acquire a license based on the Act.
Therefore, in the case where a product originally not connected to the Internet was connected to the Internet in the form of emitting radio waves, a procedure for acquiring the license on the product is required.
Personal Data Protection Act
When you connect a thing to the Internet and obtain data related to the thing, if the data includes „personal information“, it will be subject to the Personal Information Protection Act. Under this Act, personal information means “those containing a name, date of birth, or other descriptions… whereby a specific individual can be identified (including those which can be readily collated with other information and thereby identify a specific individual). Thus, even where it is a small amount of information, if it leads to identifying a specific person, the information is applicable to „personal information“. Therefore, the range of information to which the Act applies can be said to be broad.
In the case of applying the Personal Information Protection Act, persons dealing with the data including personal information are obliged to specify as much as possible the purpose of using personal information. In addition, in order to provide personal information to a third party, as a general rule, it is necessary to obtain the consent of the person in advance, and record the date of providing, the name of the recipient. Also, detailed obligations other than the above are stipulated by the Act, and it is necessary to comply with it.
Intellectual Property Act
When developing businesses related to IoT, you must carefully consider whether your business infringes the intellectual property rights of others. In particular, it was enough to consider the intellectual property rights for the “things” before connecting the thing to the Internet, but you must consider the intellectual property rights including data transmission and processing by connecting the things to the Internet. Therefore, you must proceed more carefully than before.
The general concepts of some main laws to be considered for conducting a business related to IoT in Japan are as the above. As mentioned in the “I. Introduction”, specific laws to be considered depend on the style of the business. Thus, you have to consider not only the above main laws but also regulations based on various kinds of laws related to IoT in response to the actual style of the business.
 Article 2 of Basic Act on the Advancement of Public and Private Sector Data Utilization, enacted as of 2016, defines IoT as follows: “The term „internet of things utilization-related technology“ as used in this Act means technology for the utilization of a large amount of information which is sent from or to various and many objects connected to the internet, which brings improvement in the management efficiency and productivity of companies, creation of new businesses and increase of employment opportunities through creation of added value by utilizing the information, thereby contributing to improvement of the citizens‘ lives and sound development of the national economy.” (http://www.japaneselawtranslation.go.jp/law/detail_main?re=02&vm=04&id=2975)
This Act is for utilizing public and private sector data, but not for regulating IoT.