Why AI Engineers Need to Understand Regulations
As someone who has been an AI engineer, founder of an AI education company, and now a leader promoting AI-driven organizational transformation, I've consistently operated at the intersection of technology and business. While witnessing the remarkable evolution of generative AI technologies in recent years, I've also observed the rapid changes in the legal frameworks supporting them.
The enactment of the EU AI Act, various national approaches, and Japan's distinctive copyright exemptions have complicated the international AI regulatory landscape. I've realized the need to systematically organize these fragments of knowledge that I've gathered. To that end, I conducted research, partly for my own edification, to compile legal risks and practical decision criteria that AI engineers and business users should understand.
To advance innovation while balancing technological potential with compliance requirements, we need practical judgment criteria for "what is permitted and to what extent." In this article, I'll clearly organize and communicate the regulatory knowledge truly necessary for those involved in AI development and implementation, drawing on my perspective as an engineer now operating in management roles. I particularly believe that understanding the overall landscape is more important than grasping all the details initially; legal specialists can handle the finer points.
Throughout my career, I've pursued technological possibilities while consistently recognizing the importance of legal and ethical frameworks for gaining social trust. I hope this dual perspective helps you navigate the complex landscape of AI regulation.
The 2025 AI Regulatory Landscape - Essential Background Knowledge
First, it's important to understand the distinction between "hard law" and "soft law" [1]. Hard law refers to legally binding laws and regulations that carry penalties for violations. Soft law, meanwhile, comprises ethical guidelines and frameworks without direct legal force but with expectations of voluntary compliance. In practice, the boundary between these two is fluid, and industry standards and other soft law elements can gain de facto binding force when referenced in contracts or regulations, which is a critical point to keep in mind.
What's crucial is that despite varying regulatory forms, there are widely referenced values to be protected. These typically converge on three main areas:
- Protection of human dignity and fundamental rights: Privacy, non-discrimination, etc.
- Ensuring transparency and accountability: Whether AI decisions can be explained
- Safety and risk management: Controlling potential harm to human life and society
However, it's important to note that interpretations and priorities regarding these values differ significantly across jurisdictions. For example, the EU emphasizes fundamental rights protection, while China prioritizes social stability and state control, creating geopolitical tensions and interpretive differences. AI applications considered appropriate in one region may be problematic in another—a crucial awareness for global deployment.
AI engineers and business users should recognize that these regulations aren't mere obstacles but rather foundations for sustainable AI development.
Who Should Be Cautious About What - Considerations by Role
AI regulatory compliance varies by role, with different priorities and perspectives. The following diagram illustrates key considerations for different positions:
Risk-based Approach and Governance
Many regulations adopt a "risk-based approach," meaning the stringency of applied regulations varies according to an AI system's use case and risk level [2].
Risk assessment typically considers the following aspects:
- Purpose and field of use: Is it for critical decision-making in sectors like healthcare or finance?
- Affected subjects: Does it impact vulnerable groups or specific populations?
- Transparency and explainability: Can the decision process be explained?
- Human oversight and intervention: Are mechanisms in place for human review and final judgment?
Evaluating risks from these perspectives and establishing appropriate AI governance forms the foundation for regulatory compliance.
Legal Risk Guide for AI Developers
Legal Risks During the Training Phase
In the training phase, the first step in AI development, there are two main legal risks to consider: copyright issues and personal data protection.
Copyright Issues
The 2018 amendment to Japan's Copyright Law introduced a special exemption provision for AI training purposes (Article 30-4) [3]. This provision allows the use of copyrighted works for AI learning without permission from rights holders, which some experts internationally consider progressive.
However, there's a significant caveat: this exemption is strictly limited to "training" use, and there remains a substantial risk of copyright infringement if a trained AI reproduces whole or substantial portions of copyrighted works in its output. This legal risk regarding output is an extremely important and unresolved issue in current legal interpretation and cannot be overlooked when commercializing AI. If output from an AI developed under this exemption resembles training data, developers or providers may face infringement liability due to the absence of clear legal standards or safe harbors. Additionally, this provision is Japanese law; international service provision requires consideration of other countries' legal systems.
In the US, AI training may be permitted under the "fair use" doctrine in some cases, but this is still being litigated [4]. The EU's 2019 copyright directive provides a text and data mining exception, but it's restrictive for commercial purposes.
Personal Data Protection
When AI training data contains personal information, compliance with data protection laws is necessary. Key considerations include:
- Specifying, notifying, and publishing the purpose of use: When using personal information for AI training, its purpose must be specified and communicated to the data subject
- Data security management: Measures to prevent leakage of datasets containing personal information
- Restrictions on third-party provision: Obtaining consent when providing personal data to third-party AI services
In June 2023, Japan's Personal Information Protection Commission issued a "Caution Notice Regarding the Use of Generative AI Services," warning that inputting personal information into generative AI may constitute "third-party provision" [5]. This warning has very broad implications. For example, simply entering employee names and contact information in a prompt to ChatGPT for internal business efficiency could potentially qualify as "third-party provision" under Japanese personal information protection law. This means many companies face potential legal risks when using generative AI tools in daily operations without appropriate protective measures. This is particularly concerning as the amended Personal Information Protection Law has increased the maximum fine for legal entities to 100 million yen [6], making it a significant compliance concern.
Legal Risks During Model Development and Implementation
During model development and implementation (commonly called deployment), the following legal risks require attention:
- Bias and discrimination issues: Training data biases may produce discriminatory results toward specific races, genders, or age groups, which is a serious legal and ethical concern.
- Accountability and transparency: The EU AI Act in particular requires explainability and transparency for high-risk AI [7].
- Model safety: Appropriate safety measures are needed to prevent AI outputs from containing harmful content or dangerous instructions.
To address these risks, the following measures are important:
- Using diverse and balanced training data (e.g., including data equally across various attributes like gender and age)
- Implementing fairness evaluation metrics (e.g., measuring result differences between different attribute groups)
- Building human review and monitoring systems (e.g., introducing processes for human verification of AI decisions)
- Establishing output restriction mechanisms (e.g., filters to detect and exclude harmful content)
- Adopting explainable AI methods (e.g., utilizing technologies that enable interpretation of model judgment grounds)
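As an added illustration of the fairness-metric measure listed above (example code written for this page, not taken from any regulation or framework), the following computes per-group positive-decision rates, the gap between groups, and the ratio of the lowest to the highest rate. The sample decisions are constructed, and the 0.8 ratio threshold and minimum group size of 5 are assumptions that a real review process would set for itself.

```python
from collections import Counter

# Constructed sample: (attribute group, model decision) pairs, not real data.
SAMPLE_DECISIONS = (
    [("group_a", True)] * 8 + [("group_a", False)] * 2
    + [("group_b", True)] * 4 + [("group_b", False)] * 6
    + [("group_c", True)] * 1 + [("group_c", False)] * 1
)


def selection_rates(decisions, min_group_size=5):
    """Return ({group: positive-decision rate}, [groups too small to judge])."""
    totals, positives = Counter(), Counter()
    for group, approved in decisions:
        totals[group] += 1
        positives[group] += int(bool(approved))
    rates, too_small = {}, []
    for group, count in totals.items():
        if count < min_group_size:
            # A rate computed from a handful of records is noise, not evidence.
            too_small.append(group)
        else:
            rates[group] = positives[group] / count
    return rates, sorted(too_small)


def parity_report(decisions, ratio_threshold=0.8, min_group_size=5):
    """Compare outcome rates across groups and flag large gaps for human review.

    ratio_threshold is an assumed policy value, not a legal standard.
    """
    rates, too_small = selection_rates(decisions, min_group_size)
    if len(rates) < 2:
        raise ValueError("need at least two groups with enough samples")
    best = max(rates, key=rates.get)
    worst = min(rates, key=rates.get)
    difference = rates[best] - rates[worst]
    # If no group receives any positive decision there is no gap to measure.
    ratio = rates[worst] / rates[best] if rates[best] > 0 else 1.0
    return {
        "rates": rates,
        "most_favored": best,
        "least_favored": worst,
        "parity_difference": difference,
        "impact_ratio": ratio,
        "needs_human_review": ratio < ratio_threshold,
        "insufficient_data": too_small,
    }


if __name__ == "__main__":
    for key, value in parity_report(SAMPLE_DECISIONS).items():
        print(f"{key}: {value}")
```

A flagged result is a trigger for the human review step in the same list, not a verdict on the model; groups reported under `insufficient_data` need more samples before any conclusion is drawn.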
Legal Decision Criteria for Business Users of AI
Considerations When Using Services Like ChatGPT
When using generative AI like ChatGPT in business, legal risks related to "data input" and "output utilization" require special attention.
Input Considerations
- Prohibition on personal information input: Inputting others' personal information into AI may constitute "third-party provision" under data protection law
- Handling of confidential information: Inputting company confidential information or customer data creates information leakage risks
- Copyrighted materials: While inputting others' copyrighted works may be legal in Japan, it could be problematic in other countries
Output Utilization Considerations
- Copyright attribution: Copyright ownership of AI-generated content is defined in the terms of service, and commercial use permission requires verification
- Fact-checking responsibility: Users bear responsibility for verifying factual accuracy and misinformation in AI outputs
- Appropriate citation and sourcing: When using AI-generated content, it's advisable to disclose that AI was used
Key Points for Internal Usage Policies
When utilizing AI in an enterprise setting, establishing clear internal usage policies is important. Elements to include are:
- List of approved AI services and certification processes
- Clear definition of prohibited input information (personal information, confidential information, etc.)
- Handling of AI outputs (distinguishing between internal, public, and commercial use)
- Clarification of responsibilities
- Violation response processes
Creating such policies allows organizations to promote AI utilization while minimizing legal risks.
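One way to enforce the first two policy elements technically is a check that runs before any prompt leaves the organization. The sketch below is an added example, not code from any product or regulator: the service name, the patterns, and the marking keywords are hypothetical, the sample prompts are constructed, and pattern matching of this kind catches only obvious cases such as e-mail addresses and phone numbers, not names or free-text personal details.

```python
import hashlib
import re
from dataclasses import dataclass

# Hypothetical allowlist: the "approved AI services" element of the policy.
APPROVED_SERVICES = {"internal-llm-gateway"}

# Hypothetical definitions of "prohibited input information".
PROHIBITED_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone_jp": re.compile(r"\b0\d{1,4}-\d{1,4}-\d{3,4}\b"),
    "confidential_marking": re.compile(
        r"\b(?:confidential|internal use only)\b", re.IGNORECASE
    ),
}


@dataclass
class Decision:
    allowed: bool
    reasons: list
    redacted_prompt: str


def check_prompt(service: str, prompt: str) -> Decision:
    """Decide whether a prompt may be sent to the named AI service."""
    reasons = []
    if service not in APPROVED_SERVICES:
        reasons.append("service_not_approved")
    redacted = prompt
    for label, pattern in PROHIBITED_PATTERNS.items():
        if pattern.search(prompt):
            reasons.append(f"prohibited_input:{label}")
            redacted = pattern.sub(f"[REDACTED:{label}]", redacted)
    return Decision(allowed=not reasons, reasons=reasons, redacted_prompt=redacted)


def audit_record(user: str, service: str, prompt: str, decision: Decision) -> dict:
    """Build a log entry for the violation response process.

    Only a digest of the prompt is stored, so the audit log does not
    become a second copy of the information the policy is protecting.
    """
    return {
        "user": user,
        "service": service,
        "allowed": decision.allowed,
        "reasons": list(decision.reasons),
        "prompt_sha256": hashlib.sha256(prompt.encode("utf-8")).hexdigest(),
    }


if __name__ == "__main__":
    # Constructed sample prompt containing contact details.
    sample = "Email taro.yamada@example.co.jp or call 03-1234-5678 about the contract."
    result = check_prompt("internal-llm-gateway", sample)
    print(result)
    print(audit_record("user-001", "internal-llm-gateway", sample, result))
```

Whether a blocked prompt is rejected outright or forwarded in its redacted form is a policy choice; the function returns both the decision and the redacted text so either is possible.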
Comparing AI Regulations in Japan and Globally - An Engineer's Perspective
AI regulatory approaches vary significantly by country and region. Here I compare regulations in Japan, the EU, US, and China, organizing key points for engineers.
Comparing Approaches by Country/Region
Country/Region | Primary Impacts | Response Strategies |
---|---|---|
Japan | High freedom in training data collection; flexible soft law-centered approach | Leverage copyright exceptions for training data; voluntary compliance with ethical guidelines |
EU | Strict requirements based on risk classification; accountability and transparency mandatory | AI system risk assessment; technical documentation preparation; ensuring explainability |
US | No unified federal regulation; state-level compliance needed | FTC guideline compliance; NIST framework utilization; monitoring state law developments |
China | Strict content regulation for generative AI; government review and management | Content filtering; preparation for government review compliance |
Japan's Approach
Japan's AI regulation takes a "soft law" centered approach [2]. Rather than legally binding regulations, it promotes healthy AI development through guidelines such as the "Human-Centered AI Society Principles."
Additionally, the copyright law exception (Article 30-4) creates an environment where copyrighted works can be used for AI learning purposes, which is considered progressive compared to other countries.
Regarding personal information protection, the 2022 amended Personal Information Protection Act strengthened breach reporting requirements and cross-border transfer regulations [6]. Penalties for violations were also enhanced, with legal entities facing fines of up to 100 million yen.
EU's Approach
The EU enacted a comprehensive AI regulatory law called the "AI Act" in 2024 [8]. This law first broadly defines "AI systems" as "systems that generate content, predictions, recommendations, or decisions using machine learning approaches, logic and knowledge-based approaches, or statistical approaches for human-defined objectives", a definition potentially encompassing many software systems.
The AI Act adopts an approach that classifies AI systems by risk level and applies regulations accordingly:
- Prohibited AI: Social scoring, real-time remote biometric identification (with some exceptions for law enforcement purposes), etc.
- High-risk AI: AI used in fields such as medical diagnosis, recruitment selection, educational assessment, credit scoring, etc.
- Limited-risk AI: Generative AI like chatbots subject only to transparency requirements (obligation to disclose interaction with AI)
- Minimal-risk AI: AI with only minor risks, such as spam filters
High-risk AI in particular faces stringent requirements:
- Risk assessment and management: Systems for identifying and managing potential AI system risks
- Data governance: Quality control and bias elimination in training data
- Technical documentation: Detailed documentation of system development and operation
- Record keeping: Preservation of AI system operation logs
- Transparency: Explanation and information provision to users
- Human oversight: Mechanisms allowing humans to verify AI decisions
- Accuracy and robustness: Ensuring technical accuracy and safety of systems
Importantly, the EU AI Act has powerful extraterritorial effect (the so-called "Brussels Effect"). Companies outside the EU are subject to the law when providing AI systems to the EU market or services within the EU. This means the law could effectively become a de facto global standard for many international companies.
US Approach
The US currently lacks a comprehensive AI regulatory law like the EU's. Instead, the Federal Trade Commission (FTC) applies existing consumer protection and anti-discrimination laws to monitor deceptive claims and discriminatory algorithms related to AI [9].
Notably, despite the absence of federal law, a kind of regulatory consensus is forming in the US. Through the White House's "Blueprint for an AI Bill of Rights" and the AI Risk Management Framework published by NIST (National Institute of Standards and Technology) in 2023 [10], agreement on principles such as bias mitigation, explainability, and transparency is spreading. While voluntary, these suggest the direction of future regulations and enforcement priorities (especially FTC activities), and companies operating in the US should recognize that compliance with these principles is expected even without a single comprehensive law.
At the state level, partial AI-related regulations exist, such as California's Consumer Privacy Act (CCPA/CPRA) and Illinois' Biometric Information Privacy Act (BIPA).
China's Approach
China implemented the "Generative AI Service Management Provisions" in August 2023, introducing regulations for generative AI like ChatGPT [11]. While this regulation might appear to aim solely at strict "control," it's important to understand it has the dual purpose of "control" and "promotion." China has a national strategy to establish global leadership in AI technology and is working toward strong AI development and deployment within state-managed boundaries.
The regulation imposes the following obligations on generative AI providers:
- Preliminary safety assessment: Obligation to undergo authority evaluation before service provision
- Content filtering: Measures to prevent generation of illegal/harmful content
- Algorithm management: Prohibition of algorithms contrary to public interest
- User identification: Real-name registration management of service users
- Data security: Protection of personal information and important data
These regulations aim to protect national values and security while simultaneously creating an environment where companies can develop and deploy AI technologies within a clear framework. For foreign companies, understanding both compliance with these regulations and China's state-led AI development promotion is important.
International Trends and Timeline of AI Regulations
Examining the global trend of AI regulation chronologically reveals a shift from soft law toward hard law.
Key AI Regulation Timeline
- Amended Personal Information Protection Act Enforcement (Japan). Established legal framework for personal data protection affecting AI development
- May: GDPR Implementation (EU). Enactment of regulations becoming global standard for personal data protection
- December: Amended Copyright Law Enforcement (Japan). Introduction of exception allowing copyrighted works for AI learning purposes
- Human-Centered AI Society Principles (Japan). Publication of principles guiding Japan's AI development and use by the Cabinet Office
- OECD AI Principles Adoption (International). International AI development and use principles agreed upon by 36 countries
- Personal Information Protection Law Enforcement (China). Establishment of comprehensive personal information protection legal system in China
- UNESCO AI Ethics Recommendation Adoption (International). First global agreement on AI ethics by 193 countries
- Amended Personal Information Protection Law Enforcement (Japan). Strengthening of breach reporting requirements and cross-border transfer regulations
- January: AI Risk Management Framework Publication (US). Systematic guidelines for AI system risk management
- June: Japan PPC Issues ChatGPT Caution. Publication of personal information protection considerations when using generative AI services
- August: Generative AI Management Provisions Enforcement (China). Introduction of regulations specific to generative AI services
- March: AI Act Adoption (EU). Adoption of world's first comprehensive AI regulatory law
- Phased Implementation of AI Act (EU). Prohibitions effective after 6 months, high-risk AI obligations after 24 or 36 months, and other implementation timelines
Decision-Making Guides by Development and Usage Stage
Finally, I present decision trees useful for judgments in actual AI development and usage scenarios.
Decision Tree for AI Developers
The following tree shows a general flow of legal decisions in AI development, but this simplifies complex legal judgments and cannot be applied to all situations. A particularly important note is that expressions like "high risk" and "low risk" used here do not necessarily align with the official risk classifications of the EU AI Act. Actual legal determinations often require more complex elements and context-dependent judgments than shown here, so consultation with legal experts is recommended for important decisions.
Decision Tree for Business Users
The following tree illustrates a general flow of legal decisions for AI use in business environments, but simplifies complex legal judgments. In actual business situations, judgments may vary based on many factors such as company size, industry, nature of data handled, and international activities. Terms like "high risk," "medium risk," and "low risk" indicate general caution levels and may differ depending on each company's situation and applicable laws. Use this tree as a reference and consider consulting legal departments or experts for important decisions.
Toward Coexistence of AI and Regulations
From an AI engineer's perspective, examining regulations reveals they are not barriers to technological development but rather foundations for sustainable innovation. Regulations and AI technology are not opposing forces but should evolve together.
Throughout my career, I've pursued technological possibilities while consistently considering their social acceptance and ethical dimensions. This research has reinforced my appreciation for the importance of building "bridges between technology and society."
However, I am not a legal professional, so while I've written this article carefully after verifying beneficial information for my own learning, you must make your own final judgments. I strongly recommend consulting specialized legal professionals when facing legal issues.
Currently, Japan offers a relatively free environment for domestic development and use, but global expansion requires attention to regulatory differences between countries. In particular, early preparation is needed for the full implementation of the EU's AI Act.
The AI regulatory environment will continue to evolve rapidly. As engineers and business users, it's important to stay updated on the latest developments while valuing fundamental principles like "human-centricity," "transparency," and "safety" to harmonize technology and regulations.
References
Footnotes
1. Ministry of Internal Affairs and Communications "AI Utilization Guidelines" (2019). Explains concepts of soft law and hard law.
2. Cabinet Office "Human-Centered AI Society Principles" (2019). Foundational document for Japan's AI ethics principles.
3. Agency for Cultural Affairs "Amended Copyright Law (Smooth Utilization of Works in Digital Network Society) Explanatory Materials" (2018). Explains Article 30-4 information analysis provision.
4. U.S. Copyright Office "Artificial Intelligence and Copyright" (2023 report). Analyzes the relationship between AI and copyright from a U.S. perspective.
5. Personal Information Protection Commission "Caution Notice Regarding the Use of Generative AI Services" (June 2023). Warns of risks in inputting personal information into generative AI.
6. Personal Information Protection Commission "Overview of Amended Personal Information Protection Act" (2022). Explains strengthened breach reporting requirements and cross-border transfer regulations.
7. European Commission "Proposal for a Regulation on Artificial Intelligence" (2024). Explains the structure of EU AI Act and risk-based approach.
8. European Parliament "AI Act (Artificial Intelligence Act)" (2024). Full text and adoption process of EU AI Act.
9. U.S. Federal Trade Commission "Guidance on AI and Automated Systems" (2023). Explains FTC's AI monitoring approach.
10. U.S. National Institute of Standards and Technology "AI Risk Management Framework 1.0" (2023). Presents systematic approach to AI risk management.
11. Cyberspace Administration of China "Generative AI Service Management Provisions" (2023). Explains China's generative AI regulation content.