Japan's Provider Liability Act: Supreme Court Clarifies "Infringement-Related Information" for Online Takedowns & Identifying Anonymous Posters

Addressing rights infringements such as defamation or intellectual property violations in the often-anonymous realm of the internet presents a persistent challenge globally. In Japan, the legal framework for identifying anonymous individuals who make infringing online posts has been evolving, culminating in a significant clarification by the Supreme Court on December 23, Reiwa 6 (2024). This judgment delves into the crucial concept of "infringement-related information," particularly in the context of "login-type" websites like social media platforms, and refines the pathway for victims seeking redress.

The primary legislation governing these disclosures, the Act on the Limitation of Liability for Damages of Specified Telecommunications Service Providers and the Right to Request Disclosure of Identification Information of the Senders (commonly known as the Provider Liability Limitation Act), has recently been superseded by the "Act on Countermeasures for Information Distribution Platforms" (情報流通プラットフォーム対処法 - Jōhō Ryūtsū Purattofōmu Taisho Hō), effective February 1, 2025. Even so, the core principles and requirements for sender information disclosure requests, as interpreted by this Supreme Court ruling, remain highly pertinent.

The Shifting Sands of Japan's Online Liability Framework

Historically, Japan's Provider Liability Limitation Act centered on enabling victims to request the disclosure of sender identification information directly associated with the "infringement communication" itself—the defamatory post, the copyright-infringing image, etc. However, the architecture of many modern online services, especially social media and forums often referred to as "login-type" (ログイン型 - roguin-gata) websites, presented a hurdle. These platforms typically retain records of user logins to their accounts but not necessarily the specific network logs for each individual post or action made after login. This meant that targeting the infringing post itself for sender information often yielded no useful data from the content platform.

To address this, amendments to the Provider Liability Limitation Act, effective October 1, 2022, introduced the concept of "infringement-related communications" (侵害関連通信 - shingai kanren tsūshin). This broadened the scope of disclosable information to include communications not directly causing the infringement but closely linked to it, such as account creation logs, login/logout logs, and account deletion logs. Login communications became a key target for identifying anonymous posters on these platforms.

However, this expansion was not without limits. To balance the needs of victims with the protection of privacy and freedom of expression (including anonymous speech), the amendments stipulated that such infringement-related communications could only be subject to disclosure if they possessed "substantial relevance" (相当の関連性 - sōtō no kanrensei) to the primary rights infringement. The specifics of what constitutes "substantial relevance" were delegated to an ordinance by the Ministry of Internal Affairs and Communications (MIC). The underlying policy was to restrict disclosures to the minimum necessary to identify the perpetrator.

The new Information Distribution Platform Countermeasures Act has now taken over as the principal statute for these matters. While it brings broader changes to platform regulation, the fundamental legal requirements and procedures for sender information disclosure requests remain largely consistent with those established under the amended Provider Liability Limitation Act. Therefore, the Supreme Court's interpretation in the December 2024 case continues to be a vital guide.

The Supreme Court Case (December 23, Reiwa 6): Facts and Journey

The case before the Supreme Court involved an instance of rights infringement via an impersonation account on a popular social media service. The victim (Plaintiff X) sought to identify the anonymous individual behind the account. The process, typical in such cases, involved multiple stages:

  1. Initial Disclosure from the Content Platform: Plaintiff X first successfully petitioned the U.S.-based social media platform operator for information. The platform disclosed IP addresses and timestamps for 32 separate login instances associated with the infringing account.
  2. Second-Stage Request to the Access Provider: Armed with this login data, Plaintiff X approached an intermediary internet access provider (Defendant Y). Based on its own records, Provider Y was able to link 8 of these login events (IP address/timestamp combinations) to specific subscribers. Plaintiff X then filed a request for the disclosure of subscriber identification information (name, address, etc.) for these 8 traceable logins.
  3. Lower Court Rulings: Both the first instance court and the appellate court ordered Provider Y to disclose the sender information for all 8 login communications. Their reasoning, rooted in the pre-2022 amendment understanding, was that the individual posting the infringing content and the individual logging into the account were presumed to be the same person, thus justifying disclosure without a stricter limitation on which specific login records were targeted.
  4. Appeal to the Supreme Court: Provider Y appealed to the Supreme Court, arguing two main points:
    • The amended Provider Liability Limitation Act (with its "substantial relevance" requirement) should apply, given that the lower court decisions were being made after the amendment's effective date, even though the infringing posts and logins occurred prior.
    • Under this stricter standard, the 8 login communications for which disclosure was ordered did not meet the "substantial relevance" criterion.

The Supreme Court first affirmed that the amended Act's principles (and by extension, those of the new Platform Act) concerning disclosure requirements would indeed apply if the final court decision is rendered after their entry into force, aligning with the general legal principle of tempus regit actum (the law in force at the time of judgment governs procedural and certain substantive matters). This set the stage for the core issue: the interpretation of "substantial relevance."

The Supreme Court's Interpretation of "Substantial Relevance"

The MIC Ordinance (specifically, Article 5 of the Enforcement Regulations of the Provider Liability Limitation Act) lists four types of infringement-related communications: account creation, login, logout, and account deletion. For each, it requires "substantial relevance" to the infringing transmission. The Supreme Court provided crucial guidance on how this standard should be applied to login communications:

1. The General Principle: Minimum Necessary for Identification:
The Court reiterated the MIC's view that the "substantial relevance" test is designed to confine disclosure to the minimum scope of information necessary to identify the sender of the infringing information.

2. Temporal Proximity as a Key Factor:
For login communications, the Court recognized that, in many instances, the most direct indicator of relevance is their temporal proximity to the infringing post. An individual must log in to post, so logins occurring close in time to the infringement are logically more likely to be connected to the act.

3. The "Most Temporally Proximate (Viable) Login":
The Supreme Court articulated a nuanced approach:

  • As a starting point, the login communication that is most temporally proximate to the infringing information is generally presumed to possess "substantial relevance".
  • However, the analysis does not end there. The Court introduced a critical qualifier: if this most proximate login cannot lead to the sender's identification by the intermediary access provider (for example, because the access provider no longer retains the necessary logs, or the login was a "social login" that doesn't directly map to an identifiable subscriber of that specific access provider for that specific event), then other logins may become relevant.

4. "Circumstances Establishing Necessity" for Other Logins:
The Court stated that login communications other than the most temporally proximate one can be deemed to have "substantial relevance" if there are "circumstances establishing the necessity" to seek their disclosure to identify the sender. The inability to identify the sender through the most proximate login due to technical or data retention issues at the access provider level constitutes such a "circumstance establishing necessity".

This interpretation is highly practical. It acknowledges that the theoretically "best" piece of data (the closest login) might be a dead end for technical reasons, and it allows victims to pursue other, slightly less proximate but potentially viable, login records.

Application to the Case and the "Re-Try" Implication

Applying these principles to the facts, the Supreme Court undertook a careful examination:

  • It was established that Provider Y (the access provider) could identify the sender for one specific login out of the eight in question (referred to as Login ② in the judgment summary). This Login ② was the most proximate to the infringing posts among those for which Provider Y actually held identifiable sender information.
  • However, the evidence also showed that there were other login events (referred to as "intervening logins" or 本件介在ログイン - honken kaizai roguin, collectively Login ①) that were even closer in time to the infringing posts. Crucially, Provider Y could not identify the sender from these truly most proximate Login ① records.

Given this, the Supreme Court ruled:

  • Login ② (the most proximate login from which Provider Y could identify the sender) was deemed to have "substantial relevance." The "necessity" for disclosing this login arose precisely because the truly most proximate logins (Login ①) were not useful for identification at Provider Y's level. This allowed the victim to target the next most viable option.
  • The remaining seven login records (Logins ③-⑧, and the parts of Login ① for which Y had no info) for which Provider Y held information were found not to have substantial relevance. Since Login ② was available and sufficient for identification by Provider Y, there were no further "circumstances establishing necessity" to compel disclosure of these more temporally distant login records. The disclosure was thus limited to the single, viable, most proximate login.

The "Re-Try" Implication:
This ruling has a significant practical consequence, often termed the "re-try" possibility. If a victim obtains disclosure of what the content platform (e.g., the SNS operator) identifies as the most proximate login, but this information subsequently proves insufficient to identify the sender at the access provider stage (e.g., logs are missing, or it was an untraceable type of login event for that provider), the victim is not necessarily at a dead end.

Based on the Supreme Court's reasoning, the failure to identify the sender using the initially disclosed "most proximate" login data from the content platform creates the "circumstances establishing necessity." This allows the victim to potentially go back to the content platform and request disclosure of the next most temporally proximate login communication (excluding, of course, any already provided and found to be dead ends). This iterative approach acknowledges the practical difficulties in these multi-stage investigations and provides a more robust path for victims.

The Supreme Court's December 23, Reiwa 6 (2024) decision has several important ramifications:

  • For Victims of Online Infringement: The ruling offers a clearer and more pragmatic framework. While the initial focus remains on the most proximate login, the recognition of "necessity" provides a pathway to pursue other login records if the initial leads are technically unfruitful at the access provider level. This requires a strategic approach, anticipating potential data gaps.
  • For Content Platforms (Social Media, Forums, etc.): Their obligation is generally to disclose the most proximate login communication for which they have records. However, they must now anticipate that they might receive subsequent, more targeted requests if the initially disclosed information does not lead to sender identification by the access provider. This necessitates robust systems for logging and retrieving user login data with accurate timestamps.
  • For Internet Access Providers: Their role continues to be the disclosure of subscriber information when presented with valid court orders based on IP addresses and timestamps. The set of login records they are asked to trace might become more targeted or subject to iterative requests based on the success of prior steps.
  • The Critical Importance of Log Retention: The feasibility of identification, and thus the application of the "necessity" principle, heavily depends on the availability and duration of log retention by both content platforms and access providers.
  • Understanding "Social Logins": The technical nuances of different login methods, such as "social logins" (where a user logs into one service using their credentials from another, e.g., "Login with Google/Facebook"), are important. These can sometimes complicate the tracing process through a specific access provider if the login event is primarily authenticated via the third-party service.

Conclusion

The Supreme Court's judgment of December 23, Reiwa 6 (2024), brings welcome clarity to the interpretation of "substantial relevance" concerning the disclosure of login information under Japan's sender identification regime, now governed by the Information Distribution Platform Countermeasures Act. By endorsing a pragmatic approach that considers the technical realities of sender identification and effectively allowing for a "re-try" when initial efforts to trace an anonymous infringer through the most proximate login data prove futile at the access provider stage, the Court has enhanced the system's effectiveness for victims. This ruling carefully balances the right of victims to seek redress against the privacy interests of users, ensuring that disclosures are limited to what is demonstrably necessary for identification. It is a development that will undoubtedly shape the practice of unmasking anonymous online wrongdoers in Japan for the foreseeable future.