ブログ
[Crisis Management & Criminal Investigations] Electronic Record Production Orders and Confidentiality Orders Currently in Force: Three Practical Steps In-House Counsel Should Promptly Take
2026.07.16
Introduction
The principal provisions of Article 1 of the Act Partially Amending the Code of Criminal Procedure and Related Laws to Address Advances in Information and Communications Technology (Act No. 39 of 2025, the “Amendment Act”), which was enacted on May 16, 2025 and promulgated on May 23, 2025, entered into force on May 21, 2026. Article 1 of the Amendment Act amends the Code of Criminal Procedure.
To extend to criminal proceedings the digitization of judicial procedures that had already been implemented with respect to civil proceedings, the Amendment Act establishes provisions enabling the electronic processing of a number of criminal procedures. Of particular significance to corporate legal practice, the Electronic Record Production Order and the Confidentiality Order took effect upon the entry into force of these provisions. The provisions of Article 2 and the subsequent articles of the Amendment Act, including those concerning the digitization of documents and other materials, are scheduled to take effect on a date no later than March 31, 2027, to be specified by Cabinet Order.
Although investigative authorities have long been able to compel companies to provide data through conventional seizure procedures and seizures accompanied by an order to preserve records, the present amendments introduce substantial changes, including new mechanisms and criminal penalties. Corporate legal departments should therefore familiarize themselves with the amendments and promptly consider and implement appropriate measures required by these amendments.
Overview of the Electronic Record Production Order
(i) Purpose of the Regime
An Electronic Record Production Order is a compulsory measure by which a public prosecutor, a prosecutorial official, or a judicial police officer may, where necessary for a criminal investigation, pursuant to a warrant issued by a judge, compel the person subject to the order to produce specified electronic records (Articles 218(1) and 102-2(1) of the amended Code of Criminal Procedure).
The former “seizure accompanied by a record preservation order” under Article 99-2 of the previous Code of Criminal Procedure has been eliminated and is subsumed within this new regime, which has been reconstituted as a more robust structure. Its most significant feature is that, because non-compliance is subject to criminal sanctions, an Electronic Record Production Order now constitutes a genuinely compulsory investigative measure.
(ii) Two Methods of Production
An Electronic Record Production Order provides for the following two methods of production:
- Physical Media Submission Method. Under this method, electronic records are copied or transferred to a storage medium, such as a USB drive or DVD-R, and the storage medium is then submitted to the investigating authority.
- Online Transfer Method. Under this method, electronic records are transmitted directly, via a telecommunications network, to a storage medium controlled by the investigating authority issuing the order. This approach is groundbreaking in that it is completed entirely through electronic communications without the movement of any physical object, thereby enabling, as a matter of law, large volumes of data stored in the cloud to be transmitted directly to the servers of the investigating authority.
Confidentiality Orders—Tension with Notification Obligations
Confidentiality Orders operate in tandem with Electronic Record Production Orders (Article 218(3) of the amended Code of Criminal Procedure). With a judge’s authorization, an investigating authority may order the person subject to the Electronic Record Production Order, for a period not exceeding one year, not to disclose without justification either the fact that the order has been issued or whether the specified electronic records were, or were not, produced in response to the order. Once the need for confidentiality ceases to exist, the investigating authority is required to revoke the order (Article 218(7)).
From a corporate legal perspective, the Confidentiality Order raises issues of considerable practical significance. In particular, a business that is contractually obligated to notify customers or business partners when their data are disclosed to a third party, including an investigating authority, may find that compliance with that notification obligation is legally restricted by the Confidentiality Order. The issues become even more complex for multinational businesses where the laws of other jurisdictions impose data-subject notification requirements in connection with disclosures to third parties. Numerous questions will therefore require case-by-case analysis, including whether notice should be given retroactively after the Confidentiality Order is lifted and, if so, the appropriate timing and manner of such notice.
Penalties—Imprisonment for up to One Year or a Fine of up to JPY 3 Million; Corporate Liability Applies
Violations of an Electronic Record Production Order or a Confidentiality Order are punishable by imprisonment for up to one year or a fine of up to JPY 3 million (Articles 124-2 and 222-2 of the amended Code of Criminal Procedure). The amended Code also contains a dual-liability provision: where a representative of a corporation, or an agent, employee, or other worker of a corporation or individual, commits a violation in the course of the business of that corporation or individual, both the offender and the relevant corporation or individual are subject to criminal sanctions, with the latter being liable to a fine.
As a result, a company may itself be penalized if its officers or employees mishandle compliance with an order and thereby commit a violation. Companies should therefore treat the establishment of appropriate internal compliance frameworks as a core compliance responsibility, including written response procedures, communication protocols for relevant departments, and centralized points of contact for handling such orders.
Practical Implications for Corporate Legal Departments—Three Immediate Action Items
Now that these provisions are in force, corporate legal departments should promptly review their organizations’ preparedness from the following three perspectives:
1. Establishing and Reviewing Internal Response Procedures
Companies should ensure that, from May 21, 2026, they have in place an internal escalation process that will function effectively upon receipt of an Electronic Record Production Order from an investigating authority. As a practical matter, it is advisable to document the entire response process, including designation of the initial point of contact for receipt of the order (typically the legal department or customer support function), immediate notification of the legal department, prompt consultation with external counsel, coordination with the information systems department, and reporting to senior management.
In particular, compliance with the Online Transfer Method described in Section 1(ii)(b) requires an appropriate technical framework. Companies should therefore work with their information systems departments promptly to determine and document how data can be extracted from their systems and transmitted securely in the event that direct transmission to servers operated by an investigating authority is required.
2. Comprehensive Review of Contractual Provisions
Companies should promptly review the data-handling provisions contained in their existing agreements with customers and business partners. The following points warrant particular attention:
(a) Notification obligations in the event of disclosures to third parties. Companies should confirm whether disclosures made pursuant to applicable law or requests from investigating authorities are expressly carved out as exceptions and whether the agreement addresses situations in which a Confidentiality Order legally precludes notification. Where such provisions exist, companies should determine in advance the legal basis for, and manner of, their response if a Confidentiality Order is issued. They should also consider contingency measures, including whether key business partners should be notified in advance that future legislative changes may, in certain circumstances, prevent the company from fulfilling otherwise applicable disclosure or notification obligations.
(b) Interaction with duties of due care relating to the storage and processing of data. Companies should clarify the allocation of responsibility vis-à-vis customers for data disclosed pursuant to an Electronic Record Production Order.
(c) Procedures for providing notice after the revocation of an order. Companies should establish, under their contracts and internal policies, the procedures for providing any required notifications once the relevant order has been revoked.
3. Procedures for Assessing Whether to File a Quasi-Appeal
Where the scope of an Electronic Record Production Order extends to material unrelated to the alleged offense, the person subject to the order may file a quasi-appeal (Articles 420(2) and 430(1) of the amended Code of Criminal Procedure).
A key precedent in this regard is the so-called Bekkoame Case (Tokyo District Court decision of February 27, 1998, Hanrei Jiho No. 1637, p. 152). In that case, which involved the seizure of records held by the internet service provider Bekkoame, the court held that there was no need to seize customer data unrelated to the alleged offense and revoked the seizure order to that extent. Cloud service providers, SaaS providers, telecommunications carriers, and other businesses that store data belonging to third parties may therefore, in order to protect the rights and privacy of their users, need to consider filing a quasi-appeal even if they are not themselves the direct subject of the order.
In addition, as a means of restoring the status quo, a party may request copies of data produced pursuant to an order (Articles 123(3) and 123-2(1) of the amended Code of Criminal Procedure). In most cases, business continuity will not be affected because it is sufficient to provide copies of the relevant data to the investigating authority. Depending on the circumstances, however, entire computers or servers may be seized, leaving the company without the data necessary for its ordinary operations. Whenever data essential to business operations are subject to production, companies should therefore keep these remedies firmly in mind.
Conclusion
Following the enactment and promulgation of the Amendment Act in May 2025, many companies may have assumed that implementation remained some way off and therefore deferred their preparations. Now that the relevant provisions have entered into force on May 21, 2026, however, investigating authorities may issue Electronic Record Production Orders in practice, and the associated penalty regime is fully operative.
The impact of these amendments is particularly significant for providers of digital services, businesses that maintain substantial volumes of customer data, and companies that host or process the operational data of third parties in cloud environments.
TMI Associates provides comprehensive support in connection with the Amendment Act, including strategic advice to companies, assistance in developing internal response manuals, review and revision of contractual provisions, and representation in quasi-appeal proceedings and other urgent matters. We would be pleased to discuss how we may assist your organization.
Member
PROFILE
