Tech, IP and Telecoms Law Newsletter Vol.19 January 2026

On December 23, 2025, the Japanese government adopted by Cabinet decision the Artificial Intelligence Basic Plan (the “Plan”), which sets the direction for the research, development, and use of AI in Japan. The Plan, issued pursuant to the Act on Promotion of Research and Development, and Utilization of AI-related Technology (the “AI Act”), establishes the government’s medium to long-term AI strategy. 

The Plan articulates an ambitious policy goal of making Japan “the world’s most AI-friendly country for development and deployment” and, in pursuit of that goal, seeking to achieve “trustworthy AI” by balancing the promotion of innovation with appropriate risk management. As highlighted in our previous Tech, IP and Telecoms Law Newsletter Vo.18 November 2025, the Plan serves as a policy roadmap outlining measures the government should take, including: promoting the extensive use of AI by national and local governments; supporting the strengthening of Japan’s AI development capabilities, such as by developing trustworthy foundational AI models; encouraging the development and deployment of AI in sectors including healthcare, caregiving, finance, and education; and enhancing the functions of the AI Safety Institute, a government-affiliated body responsible for AI risk- and safety-related initiatives. The government is expected to move forward with policy implementation in accordance with the Plan.

Separately, on December 19, 2025, the AI Strategy Headquarters, an inter-ministerial body responsible for coordinating Japan’s AI policy, adopted and published the “Guideline for Ensuring the Appropriateness of Research & Development and Utilization of Artificial Intelligence-Related Technology” (the “Guidelines”). A notable feature of the Guidelines is that they are not legally binding on private-sector entities, but are positioned as non-binding guidance to encourage voluntary efforts to ensure responsible AI development and use. For example, the Guidelines call on companies using AI to establish internal AI governance frameworks to identify and assess risks and to ensure a reasonable level of transparency with respect to AI training data.

In addition, on December 26, 2025, the Intellectual Property Strategy Promotion Secretariat of the Cabinet Office released a draft “Principle-Code for Protection of intellectual property and transparency for the appropriate use of generative AI (provisional title)” (the “Draft Principle-Code”) and solicitated public comments widely from citizens and businesses. The Draft Principle-Code is aimed at AI developers, providers, and other AI-related businesses, seeking to establish common principles regarding the disclosure of information, including the general characteristics of AI models, summaries of training data, and measures to enhance transparency, and indicating the direction of a voluntary governance framework that balances these disclosure expectations with the protection of intellectual property rights.

Although the Draft Principle-Code is positioned as a form of “soft law” and does not create legally binding obligations, it states that businesses choosing to adopt the principles are expected to publicly disclose their acceptance (for example, on their websites) and notify the government. It also introduces a “comply-or-explain” approach, under which businesses that endorse the Draft Principle-Code but do not implement certain provisions are expected to explain their reasons. As the Draft Principle-Code may be revised following the public comment procedure, ongoing monitoring of its future developments will be important.

On November 19, 2025, the Tokyo District Court issued a judgment in a case brought by four major publishing companies against Cloudflare, Inc., a U.S. operator that had provided CDN (content delivery network) services to manga piracy websites, finding the company liable for damages for copyright infringement.

A CDN is a system that improves the efficiency of content delivery by replicating and storing website content on edge servers located around the world and delivering it from edge servers closer to end users. In this judgment, the court found that the party that publicly transmitted the copyrighted works was not the CDN operator but the operator of the piracy websites; nevertheless, the court recognized the CDN operator’s role in aiding and abetting the piracy website operator on the ground that the provision of CDN services facilitated the copyright infringement.

Although CDN services are inherently useful, it has been noted that, because of their nature, once they are abused by piracy websites, they can enable the efficient and large-scale distribution of pirated content. In this case, the court placed particular weight on facts such as the CDN operator’s failure to verify the identities of the piracy website operator and its failure to take timely and appropriate action even after receiving infringement notifications from copyright holders. While the decision is based on those specific factual findings, this is a valuable precedent that addresses squarely a CDN operator’s liability in relaying illegal copyrighted works. How the appellate courts treat these issues should be closely watched.

In 2026, numerous bills concerning data handling and security are likely to be submitted. In Japan, the dissolution of the House of Representatives earlier this year has necessitated an election, so it remains unclear how this will impact the Diet session schedule and bill deliberations this year. Below is a summary of notable proposals.

The Act on the Protection of Personal Information (the “APPI”) was scheduled to be amended in 2025, but the revision was postponed for various reasons. On January 9, 2026, the Personal Information Protection Commission published its “Policy for Revising the Personal Information Protection Act: The So-called Triennial Review.” This policy aims to promote appropriate data utilization, establish regulations to adequately address risks, prevent improper use, and ensure the effectiveness of compliance. It is highly likely that an amendment bill incorporating these elements will be submitted to the Diet in 2026.

The Digital Government and Administrative Reform Council, for which the Cabinet Secretariat serves as the secretariat, adopted the “Basic Policy on the Framework for Data Utilization.” on June 13, 2025, and had aimed to submit a bill to the next regular Diet session to establish a data utilization framework that would facilitate smooth data sharing, including for AI applications. According to Document 1 of the 16th meeting of the Council’s Working Group on Data Utilization Systems, held on January 27, 2026, “Status of Consideration Regarding Institutional Arrangements for Promoting Data Utilization,” consideration is being given to amend part of the Act on the Advancement of Government Administration Processes That Utilize Information and Communications Technology to include provisions such as requiring the Digital Agency to formulate guidelines outlining the fundamental direction for data utilization, and establishing a mechanism under which the Digital Agency, after consulting with the Personal Information Protection Commission and other relevant ministries and agencies, would certify business plans related to data utilization. A bill incorporating these measures may be submitted to the Diet this year.

The Act on the Promotion of Ensuring National Security Through Integrated Implementation of Economic Measures (the “Economic Security Promotion Act”), enacted in 2022, stipulates a review within three years of its enforcement (Article 4 of the Supplementary Provisions). Discussions have been progressing in the Expert Panel on Economic Security Legislation since November 2025. According to the “Outline of Recommendations Concerning Amendments to the Economic Security Promotion Act (Data Security),” one of the panel’s key recommendations published on January 16, 2026, measures concerning privately held data that are critical to security (such as genomic data, medical information, financial information, biometric authentication data, and location information), and measures to protect large volumes of data stored in data centers and the cloud are under consideration. A bill reflecting these measures may be submitted to the Diet in 2026.

In November 2025, the Japan Interactive Advertising Association (the “JIAA”) formulated and published the Basic Principles for Data Processing (the “Principles”) and the Self-Check Sheet for the Basic Principles for Data Processing (the “Check Sheet”) concerning the handling of consumer data in digital advertising.¹

The Principles set out three overarching principles that businesses are encouraged to observe when using consumers’ attribute and behavioral data for advertising and marketing purposes: the Principle of Consideration for Information Asymmetry, the Principle of Consideration for Divergent Interests, and the Principle of Social Responsibility.

The Principle of Consideration for Information Asymmetry aims to address the gap in understanding that may arise between businesses and consumers regarding data collection and use. More specifically, this principle emphasizes the importance of clearly explaining the types of data obtained from consumers, the methods of data collection, and the purposes of use. It also calls for establishing mechanisms that allow consumers to choose whether their data will be collected and used, and limiting the collection and use of data to the minimum necessary.

The Principle of Consideration for Divergent Interests recognizes the potential misalignment between businesses that seek to use more detailed consumer data and consumers who may harbor concerns regarding such data utilization. More specifically, this principle calls for careful processing of information inferred from behavioral data analyses so as not to use it in ways that may disadvantage consumers. It also calls for avoiding advertising practices that may cause excessive anxiety to consumers, and for ensuring accountability with respect to advertising displays and data use, including sincere and appropriate responses to consumer inquiries and concerns.

The Principle of Social Responsibility reflects the social responsibilities of the digital advertising and marketing industry and encourages ethical and responsible conduct. More specifically, this principle extends beyond the protection of privacy to include ethical considerations and respect for human rights in data processing, calls for particular care in data processing and advertising content involving minors and children, and promotes the sound development of the industry through awareness-raising efforts among business partners and the sharing of knowledge and best practices across the industry as a whole.

The Check Sheet is designed to enable companies to self-assess their implementation of each item set forth in the Principles. By visualizing the degree to which the Principles are being achieved, the Check Sheet is expected to facilitate the identification of areas for improvement and to support improvements in internal practices.

One key significance of the Principles is their ability to facilitate compliance-related discussions concerning data utilization by enabling businesses, while maintaining legal compliance as a prerequisite, to step back and consider broader, overarching principles. As digital advertising continues to develop and regulatory frameworks—including the APP—become increasingly complex, practical discussions often focus on interpretations of individual statutory provisions and technical compliance measures. In such circumstances, there is a risk that the broader, principle-based perspectives that should guide data utilization may be overlooked.

However, evaluations of data utilization require a multifaceted perspective that goes beyond legal compliance alone and encompasses consideration of consumers’ understanding and acceptance, ethical concerns, and social responsibility. The Principles are therefore highly valuable in that they provide a framework for incorporating these broader perspectives.

Furthermore, while the APPI has traditionally been viewed as a legal framework centered primarily on formal rules, its substantive aspects have become increasingly important in recent years, as exemplified by the prohibition on improper use introduced in the 2020 amendment (Article 19). The ongoing triennial review of the APPI is likewise proceeding toward greater incorporation of such substantive perspectives. Against this backdrop, responses to the APPI increasingly require not only formal compliance but also careful consideration of its underlying purposes and objectives. In this respect, the perspectives articulated in the Principles also offer useful guidance for complying with the substantive rules of the APPI.

On December 17, 2025, the Ministry of Economy, Trade and Industry (“METI”), pursuant to the Act on Improving Transparency and Fairness of Specified Digital Platforms (the “Transparency Act”), compiled evaluations concerning the transparency and fairness of designated digital platform providers in the following three areas: (i) general merchandise online marketplaces, (ii) app stores, and (iii) digital advertising. These evaluations were prepared based on reports submitted by the relevant platform providers, information received via consultation desks, and opinions expressed at monitoring meetings. With respect to the evaluation for the digital advertising section, the portion addressing the handling of personal data acquired and used for targeted advertising was developed in consultation with the Ministry of Internal Affairs and Communications (“MIC”) and prepared with reference to the “Monitoring Results on the Handling of User Information” by MIC’s Working Group on User Information.

The evaluations of (i) general merchandise online marketplaces and (ii) app stores mark the fourth assessment for each. While METI acknowledges that platform providers have made certain operational improvements in response to prior evaluations information disclosure requests, it also identifies specific remaining issue on a provider-by-provider basis and points to the need for further efforts such as additional information gathering and operational improvements with respect.

The (iii) digital advertising sector was evaluated for the third time. The evaluation focuses primarily on providers’ remediation of previously identified issues, including continued responses to “impersonation advertisements,” which were one of the issues identified in the prior evaluation.

With respect to the method of obtaining opinions from specified digital platform providers for this evaluation process, because these matters concern governance structures and technical issues, communications were conducted, in principle, through written correspondence rather than hearings.