Cybersecurity 2021

Last Updated March 16, 2021

Japan

Law and Practice

Authors



Mori Hamada & Matsumoto is a full-service law firm that has served clients with distinction since its establishment in December 2002. Mori Hamada & Matsumoto has experienced lawyers with considerable expertise in the constantly evolving and increasingly complex areas of information technology, life sciences and intellectual property, providing a variety of legal services in response to the diverse legal needs of its clients. These legal services include advising on regulatory requirements, setting up business, corporate housekeeping, contract negotiations and dispute resolution. In terms of data protection, the firm has noted expertise in leveraging user information while protecting clients’ businesses. Mori Hamada & Matsumoto’s data protection team comprises approximately 15 lawyers.

The Basic Act on Cybersecurity is the fundamental law on cybersecurity.

The Act on the Protection of Personal Information (the APPI) is the principal data protection legislation in Japan.

An amendment of the APPI was approved in June 2020. The effective date of most parts of the amendment will be designated separately but is not expected to be later than June 2022. It is expected that the amendment will be effective from approximately April 2022. A part of the amendment concerning heavier criminal punishment has been effective since December 2020.

The Unfair Competition Prevention Act prohibits the infringement of trade secrets.

The Act on the Prohibition on Unauthorised Computer Access prohibits unauthorised computer access.

The Penal Code also penalises some cybersecurity crimes.

The Telecommunications Business Act requires telecommunications carriers to ensure the secrecy of communications.

For details of the laws cited above, and for other laws, please refer to 2.1 Key Laws.

The regulator tasked with enforcing and implementing the APPI is the Personal Information Protection Commission (the PPC), which has the following powers under the APPI:

  • to require private business operators who handle personal information (the handling operators) to report on, or submit materials regarding, their handling of personal information (Article 40); the APPI defines personal information as information about living individuals that can identify specific individuals or that contains what the APPI refers to as an “individual identification code” (Article 2.1);
  • to enter a handling operator’s offices or other places to investigate, make enquiries and check records or other documents (Article 40);
  • to provide guidance or advice to a handling operator (Article 41);
  • to recommend that a handling operator cease any violation of the APPI and take other necessary measures to correct the violation (Article 42.1);
  • to order a handling operator to take necessary measures to implement the PPC’s recommendation mentioned above and to rectify certain violations of the APPI (Articles 42.2 and 42.3); and
  • under the latest amendment of the APPI, to publicly announce the fact that a handling operator has violated an order issued by the PPC pursuant to Articles 42.2 and 42.3 (Article 42.4).

The National Police Agency and the Prosecutors’ Office are responsible for the criminal investigation and prosecution of cybercrimes.

For other regulators, please refer to Section 2 Key Laws and Regulators at National and Subnational Levels.

The PPC does not have the authority to conduct criminal investigations, and the APPI explicitly stipulates that the PPC’s power to conduct on-site inspections does not include criminal investigations (Article 40.3).

It is important to note that the APPI imposes no administrative fines. In addition, criminal sanctions may only be imposed under the APPI if the handling operator refuses to co-operate with or makes any false report in response to an investigation by the PPC (Article 83), provides information to unauthorised persons or misuses any personal information database for unlawful gains (Article 84), or violates any order given by the PPC as a part of an administrative sanction (Article 85).

The National Police Agency and the Prosecutors’ Office have enforcement powers against cybercrimes or related crimes under the Criminal Procedure Code.

As for personal information, Japan is a member of the APEC Cross Border Privacy Rules (CBPR) system. While local governments have enacted local regulations, those regulations are applicable only to the local public sector.

The Ministry of Economy, Trade and Industry (METI) and the Information Technology Promotion Agency of Japan (IPA) published the Cybersecurity Management Guidelines (amended in November 2017), which serve as the basic cybersecurity guidelines for companies in Japan.

The IPA regularly publishes important guidelines and provides information on cybersecurity. The more important guidelines include the Cybersecurity Management Guidelines mentioned above, guidelines for small and mid-sized companies on information security, and guidelines on preventing insider data breach. The IPA also runs the J-CSIP, or the Initiative for Cybersecurity Information Sharing Partnership of Japan, which shares cybersecurity information of critical information infrastructure operators (ie, operators of businesses that provide infrastructure that is the foundation of people’s living conditions and economic activities, the functional failure or deterioration of which could have a highly significant impact on people).

The Japan Network Security Association (JNSA) also provides information regarding cybersecurity.

The Japan Computer Emergency Response Team Co-ordination Centre (JPCERT/CC) acts as a CSIRT (Computer Security Incident Response Team) within the Japanese community and publishes security alerts, incident news, and manuals.

The IPA, the JNSA, and the JPCERT/CC accept reports or notices from the public regarding cybersecurity incidents and publish useful information.

The Cybersecurity Policy for Critical Infrastructure Protection (4th Edition) (last amended on 30 January 2020), published by the Cybersecurity Strategic Headquarters of the Cabinet, provides for certain reporting obligations and the sharing of cybersecurity information in relation to critical infrastructure service providers.

The Cybersecurity Council was established in April 2019 under Article 17 of the Basic Act on Cybersecurity to enable the sharing of necessary information and consultations for cybersecurity between the public sector and the private sector.

The APPI follows the Organisation for Economic Co-operation and Development's eight privacy principles. Japan and the EU, and Japan and the UK, have mutually recognised each other as providing an "adequate" level of protection for the purposes of their respective data protection laws. However, this does not mean that the APPI is identical to Regulation (EU) 2016/679 (the General Data Protection Regulation, or GDPR). Japanese data protection law is closer to the EU omnibus model than to the US sectoral/subnational approach, in the sense that Japan has a single comprehensive data protection law, the APPI.

The amendment of the APPI was approved, and most parts of the amendment are expected to come into force in spring 2022.

In line with the amendment of the APPI, amendments of the relevant cabinet order, the PPC Ordinance, guidelines, and FAQs of the APPI are under discussion and are expected to be finalised by summer 2021. Currently, the public sector is regulated by the Act on the Protection of Personal Information Held by Administrative Organs and the Act on the Protection of Personal Information Held by Independent Administrative Agencies.

Local governments also have their own local regulations (jyorei) about data protection in the public sector, but these vary from one to the other. The government is considering introducing a new rule to establish nationwide principles for jyorei and implementing guidelines for that purpose. It is expected that the bill implementing the amendments necessary to integrate these public-sector data protection laws into the APPI will be submitted to the Diet in 2021.

The Basic Act on Cybersecurity regulates the responsibility of the national government and local governments for cybersecurity (Articles 4 and 5). It also stipulates the obligation of critical information infrastructure operators, cyberspace-related business providers, and research institutions such as universities (Articles 6, 7 and 8) to exert efforts to ensure cybersecurity.

The APPI, the principal data protection legislation in Japan, provides the basic principles for the government’s regulatory policies and authority, as well as the handling operators.

Another important law is the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (the My Number Act), which stipulates special rules for "my number" – a 12-digit individual number assigned to each resident of Japan.

The obligations of the public sector in the handling of personal information are stipulated in the Act on the Protection of Personal Information Held by Administrative Organs, the Act on the Protection of Personal Information Held by Independent Administrative Agencies, and the local regulations (jyorei) legislated by local governments.

The Unfair Competition Prevention Act prohibits the infringement of trade secrets and provides for causes of action in civil cases, such as damage compensation and injunctive relief, as well as criminal sanctions. Information that is not protected as a trade secret may instead be protected as "data for limited provision". An unauthorised acquisition or utilisation of data for limited provision may be deemed to be unfair competition, which is subject to damage compensation and injunctive relief but not to criminal sanctions.

The Act on the Prohibition on Unauthorised Computer Access prohibits: the use of another person’s identification code (eg, a password) to access remote computers via a telecommunications network; inputting information (excluding an identification code) or a command to evade access restrictions on remote computers via a telecommunications network; or obtaining, supplying, or storing someone else's identification code without legitimate reason (Articles 3, 4, 5 and 6). It also forbids phishing or creating a false impression of being the network administrator concerned and requesting identification codes (Article 7).

The Penal Code prohibits:

  • the creation of false electromagnetic records that are related to rights, duties or certification of facts (Article 161-2);
  • fraud by using computers (Article 246-2);
  • the destruction of electromagnetic records in use by a public office or concerning private rights or duties (Articles 258 and 259);
  • the obstruction of a business by damaging its computers or electromagnetic records or causing them to operate counter to the original purpose (Article 234-2); and
  • the creation, provision, acquisition or storage of a computer virus (Articles 168-2 and 168-3).

The Telecommunications Business Act requires telecommunications carriers to ensure the secrecy of communications (Article 41-5 (iii)) and to report serious incidents of breach to the Ministry of Internal Affairs and Communications (MIC).

The Instalment Sales Act requires businesses who handle credit card numbers to take necessary and appropriate measures to prevent the leakage, loss of, or damage to those credit card numbers (Article 35-16).

The Payment Services Act requires prepaid payment instrument issuers, funds transfer service providers, and virtual currency exchange service providers to take necessary and appropriate measures to prevent the leakage, loss of, or damage to information pertaining to their respective businesses (Articles 21, 49 and 63-8).

Sector-specific regulators impose additional information security obligations for some industries including the financial and healthcare industries. Regarding the financial industry, the Financial Services Agency (FSA) issued the Comprehensive Guidelines for the Supervision of Major Banks, which provide for cybersecurity obligations of financial institutions. As for the healthcare industry, various ministries have issued relevant guidelines:

  • the Ministry of Health, Labour and Welfare (MHLW) issued the Guidelines on the Safety Management of Medical Information Systems (May 2017); and
  • METI and MIC jointly issued the Guidelines for Safety Management of Medical Information by Providers of Information Systems and Services Handling Medical Information (August 2020).

Separately, MIC has published comprehensive measures for the security of the internet of things (IoT).

The National Police Agency and the Prosecutors’ Office are responsible for the criminal investigation and prosecution of cybercrimes. (For other regulators, please see the rest of this Section, below.)

The National Centre for Incident Readiness and Strategies for Cybersecurity (NISC) is responsible for national-level cybersecurity under the Basic Act on Cybersecurity, and regularly publishes Cybersecurity Strategies of Japan.

The regulator tasked with enforcing and implementing the APPI is the PPC. The PPC's powers are explained in 1.2 Regulators.

As stated above, the FSA is the regulator for the financial sector, and MIC is the regulator for telecommunications business operators. As mentioned in 2.1 Key Laws, there are also other sector-specific regulators, such as the MHLW and METI.

Please see 1.5 Information Sharing Organisations.

Commonly deployed guidance is provided by JIS Q 27000:2019 (based on ISO/IEC 27000), JIS Q 27001:2014 (based on ISO/IEC 27001), and JIS Q 27002:2014 (based on ISO/IEC 27002).

JIS Q 27017:2016 (based on ISO/IEC 27017, ISO/IEC 27018) provides guidance for securing cloud services.

JIS Q 15001:2017 is the standard that covers personal information and is used as the standard for issuing “privacy mark” certifications, which major Japanese companies commonly pursue.

The Instalment Sales Act requires a business that handles credit card numbers to take necessary measures to control the numbers (Article 35-16). Most companies adopt the PCI DSS security standard.

Please refer to 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements.

Written Information Security Plans or Programmes

The Cybersecurity Management Guidelines issued by METI and the IPA provide for ten instructions, including the recognition of cybersecurity risks and the development of company-wide measures such as drafting data security policies. In addition, the PPC Guidelines (defined in 4.1 Personal Data) include the implementation of a basic policy and internal rules on personal data (defined in 5.2 Data Elements Covered) as an example of security measures that should be taken for personal data protection.

Incident Response Plans

The Cybersecurity Management Guidelines provide for the development of an emergency organisation framework for incidents and a recovery organisation framework to recover damages resulting from any incident identified in the ten instructions. In addition, the PPC Guidelines indicate the creation of an incident response plan as an example of security measures that should be taken for the protection of personal data.

Appointment of Chief Information Security Officer or Equivalent Position

There are no general legal obligations to appoint a chief information security officer (CISO). However, the Cybersecurity Management Guidelines require the management of companies to work steadily towards putting together cybersecurity measures by giving the CISO directions on the following ten important items:

  • recognising cybersecurity risks and developing company-wide measures;
  • building a structure or process for cybersecurity risk management;
  • securing resources (such as budget and manpower) for the implementation of cybersecurity measures;
  • identifying cybersecurity risks and developing plans to address them;
  • building a system to deal with cybersecurity risks;
  • implementing a cybersecurity measures framework (a "plan-do-check-act" or PDCA);
  • developing an emergency organisation framework for incidents;
  • developing a recovery organisation framework to recover from damages caused by incidents;
  • taking measures and monitoring the company’s whole supply chain, including business partners and outsourcing companies; and
  • collecting and utilising information on cyber-attacks through participation in information-sharing activities and developing the environment to utilise such information.

In addition, the PPC Guidelines indicate the appointment of a person in charge of the processing of personal data as an example of security measures that should be taken for the protection of personal data.

Involvement of Board of Directors or Equivalent Authority

Under the Japanese Companies Act, the board of directors of a large company must determine the company’s internal control systems, including cybersecurity management; the failure to put in place or comply with such a system may be a breach of the directors’ duty of due care of a prudent manager. In addition, the CISO or the director in charge of supervising the company’s cybersecurity may be in breach of his or her duty of due care of a prudent manager if he or she does not properly take necessary actions on cybersecurity. The Cybersecurity Management Guidelines stress the importance of the directors’ involvement in cybersecurity management.

Conducting Internal Risk Assessments, Vulnerability Scanning and Penetration Tests

The Cybersecurity Management Guidelines mention the importance of PDCA cycles for cybersecurity and provide a checklist for cybersecurity management.

In addition, the PPC Guidelines indicate taking regular audits of the processing of personal data as an example of security measures that should be taken for the protection of personal data.

Multi-factor Authentication, Anti-phishing Measures, Protection against Business Email Compromise, Ransomware and Threat Intelligence

The Cybersecurity Management Guidelines do not directly mention multi-factor authentication, anti-phishing measures, ransomware, protection against business email compromise, or threat intelligence. However, they mention the importance of collecting and utilising information on cyber-attacks through participation in information-sharing activities and developing the environment to utilise such information.

Insider Threat Programmes

The IPA has published guidelines on how to prevent insider data breach. The Cybersecurity Management Guidelines refer to the IPA’s guidelines as useful guidance in minimising and dealing with insider threat.

Vendor and Service Provider Due Diligence, Oversight and Monitoring

The Cybersecurity Management Guidelines mention taking measures with respect to, and monitoring, a company’s entire supply chain, including business partners and outsourcing companies. The guidelines also state that PDCA for cybersecurity including internal audits and oversight must be conducted with respect to business partners and outsourcing companies.

Article 22 of the APPI also requires a handling operator to properly supervise any person to whom it has entrusted the handling of personal data. The PPC Guidelines require the handling operator to select a proper vendor and service provider, enter into an agreement with that provider and have a good grasp of how that provider processes personal data.

Use of Cloud, Outsourcing and Offshoring

The Cybersecurity Management Guidelines mention the importance of multi-layer defences for terminals, networks, systems and services including cloud used for important business.

For offshoring, please note that there are special restrictions on the transfer of personal data to a foreign country. In principle, the APPI requires the transferor to obtain the prior consent of the individuals whose personal data will be transferred to a third party located in a foreign country (Article 24). This means that the overseas transfer restrictions apply if a foreign company transfers user data to another company outside Japan; conversely, if a foreign company transfers user data to a company in Japan, the overseas transfer restrictions do not apply. The overseas transfer restrictions apply even to outsourcing arrangements, which are otherwise exempt from the domestic third-party transfer restrictions.

The data subjects’ consent to overseas data transfers is not necessary only if: (i) the foreign country is designated by the PPC as a country with a data protection regime with a level of protection equivalent to that of Japan (only EEA member countries and the UK have been designated to date); or (ii) the third-party recipient has an equivalent system of data protection that meets the standards prescribed by the Ordinance issued by the PPC (the PPC Ordinance) – ie, either firstly that there is assurance, by appropriate and reasonable methodologies, that the recipient will treat the disclosed personal data in accordance with the spirit of the requirements on handling personal data under the APPI, or secondly that the recipient has been certified under an international arrangement, recognised by the PPC, regarding its system of handling personal data.

The implementation of the PPC Ordinance is set out in the PPC Guidelines, which provide that “appropriate and reasonable methodologies” include agreements between the data importer and the data exporter, or inter-group privacy rules, which ensure that the data importer will treat the disclosed personal data in accordance with the spirit of the APPI. With respect to a PPC recognised international framework, to date, the PPC Guidelines have identified only the APEC CBPR as a recognised international framework on the handling of personal data.

Amendment of Offshoring

Under the latest amendment of the APPI, offshoring will be permitted with additional requirements. First, when handling operators transfer personal data to a foreign country based on the aforementioned consent mechanism, they will be required to provide a data subject with certain information as specified by the amended ordinance issued by the PPC (the amended PPC Ordinance) (Article 24.2). The amended PPC Ordinance has not been finalised yet, but a proposed draft (the proposed PPC Ordinance) was published in December 2020. According to the proposed PPC Ordinance, information about the name of the foreign country, the personal information protection system in the foreign country, and measures to be taken by a recipient party to protect personal information is required to be provided to the data subject.

Secondly, when handling operators transfer personal data relying on the recipient's equivalent system of data protection, they will be required to take steps necessary to ensure that the overseas recipient continuously takes equivalent measures and to provide a data subject with certain information about the measures to be taken upon a request in accordance with the amended PPC Ordinance (Article 24.3). In this regard, according to the proposed PPC Ordinance, one of the measures to ensure such matters is to periodically confirm the implementation status of the equivalent measures taken by the recipient and presence or absence of a system in the foreign country that might affect the implementation of the equivalent measures.

The other measure is to take necessary and appropriate measures if the implementation of the equivalent measures by the recipient party is interfered with in some way and to suspend the provision of personal data if it becomes difficult to ensure the continuous implementation of the equivalent measures. The proposed PPC Ordinance also states that the information to be provided to a data subject upon request is:

  • the recipient party's equivalent system of data protection;
  • an outline of the equivalent measures taken by the recipient;
  • the frequency and method of confirmation of the status of the equivalent measures and the system in the foreign country that might affect the implementation of the measures;
  • the name of the foreign country;
  • the presence or absence of a system in that foreign country that might affect the implementation of the equivalent measures;
  • the presence or absence of any impediment to the implementation of the equivalent measures; and
  • an outline of the measures to be taken in response to any such impediment.

Training

The Cybersecurity Management Guidelines include the securing of proper resources, such as setting aside adequate budget and sufficient manpower, for the implementation of cybersecurity measures in the ten instructions.

In addition, since Article 21 of the APPI requires a handling operator to properly supervise its employees who handle personal data, the PPC Guidelines indicate that training is an example of security measures that should be taken to protect personal data.

The Cybersecurity Policy, which was issued as a Cabinet Order, emphasises the importance of multinational co-operation.

Under the APPI, a handling operator must take necessary and appropriate action for security control over the personal data that it handles, including preventing the leakage, loss or damage of or to personal data (Article 20).

The PPC is the regulator primarily responsible for the APPI and the My Number Act, and has published guidelines for the handling of personal information (the PPC Guidelines).

The PPC Guidelines provide examples of these handling measures, such as establishing and implementing basic policies, internal rules, and organisational, personal and technical security measures.

According to the APPI, when a handling operator allows its employees to handle personal data, it must exercise necessary and appropriate supervision over the employees to ensure security control over the personal data (Article 21). The APPI also requires a handling operator to ensure that the entity to whom it has entrusted the handling of personal data (eg, a third-party vendor) takes appropriate measures to ensure security control over the personal data (Article 22).

As discussed elsewhere, for some industrial sectors, the ministry with jurisdiction over them has published data protection guidelines for those sectors. For example, the FSA and the PPC have jointly published data protection guidelines for the financial sectors, and MIC has issued data protection guidelines for telecommunications business operators.

Reporting is required in relation to an investigation by the PPC for a breach of the APPI, but there is no obligation for periodic reporting to the PPC.

No information has been provided.

The Cybersecurity Policy for Critical Infrastructure Protection (4th Edition) defines the following 14 sectors as critical information infrastructure:

  • airports;
  • aviation;
  • chemical industry;
  • credit cards;
  • electric power supply;
  • financial services;
  • gas supply;
  • information and communication;
  • government and administration;
  • logistics and shipping;
  • medical;
  • petroleum industry;
  • railways;
  • water supply.

The aforementioned cybersecurity policy also encourages critical information infrastructure operators to:

  • periodically assess their progress in implementing security measures and policies;
  • understand and respond to questions regarding any critical infrastructure outages;
  • ensure that top management:
    1. show leadership in promoting the operator’s security measures,
    2. involve business partners and corporate affiliates in implementing security measures,
    3. make known the operator’s incident response readiness,
    4. advocate for necessary budget and resources;
  • accept NISC cabinet secretariat annual site visits;
  • respond to surveys of the NISC cabinet secretariat.

The Cybersecurity Policy for Critical Infrastructure Protection (4th Edition) provides for the reporting obligations of critical information infrastructure operators in the following instances:

  • if there is a legal reporting requirement by law or regulation;
  • if the operator has determined that an incident has a serious impact on the lives of people or the operator’s services and that information must be shared;
  • in other cases where the operator has determined that information must be shared.

The relevant incident and other useful information may be shared with other critical information infrastructure operators.

In addition, governmental authorities that have specific jurisdiction over some of the 14 critical information infrastructure sectors have issued specific guidelines described below concerning cybersecurity.

The FSA issued the Comprehensive Guidelines for the Supervision of Major Banks, which include detailed cybersecurity obligations. The Comprehensive Guidelines recognise the prevention of cybersecurity incidents and prompt recovery as significant management issues, and assert the necessity of certain major measures such as the establishment of a CSIRT, the implementation of multi-layered defences against cybersecurity incidents, and the continuous evaluation of cybersecurity risks.

For the healthcare industry, please refer to 5.4 Security Requirements for Medical Devices.

The Ministry of Land, Infrastructure, Transport and Tourism (MLIT) issued:

  • the Safety Guidelines for Ensuring Information Security for Air Transport Operators for aviation services;
  • the Safety Guidelines for Securing Information Security in the Airport Sector for airport services;
  • the Safety Guidelines for Ensuring Information Security for Railway Operators for railway services; and
  • the Safety Guidelines for Ensuring Information Security for the Logistics Sector for logistics services.

The MHLW issued the Information Security Guidelines for the Water Sector for water services.

There are no special requirements regarding the prevention of denial of service attacks or similar attacks on system or data availability or integrity.

MIC has published comprehensive measures for the security of IoT. The MLIT has issued the Safety Guidelines for Ensuring Information Security for the Logistics Sector for logistics services.

Regarding personal data, the PPC’s Notification No 1 (2017) defines a breach of data security as the leakage, loss of, or damage to data. There is also a special rule for "my numbers" under the My Number Act.

There are no definitions of reportable data security incidents or breaches relating to other data.

The PPC’s Notification No 1 (2017) covers the following (excluding personal data containing "my number") breaches of data security:

  • leakage, loss, or damage of or to personal data held by a handling operator;
  • leakage of a processing method for “anonymously processed information” held by a handling operator;
  • possible occurrence of either of the above.

Under the latest amendment of the APPI, a mandatory data breach reporting obligation will be introduced. However, the detailed rules remain to be specified by the amended PPC Ordinance. The proposed PPC Ordinance defines a data security incident or breach as the occurrence or possible occurrence of the leakage or loss of, or damage to personal data (data breach).

The data breach rules apply to personal data. The APPI defines personal data as personal information that is contained in a personal information database (Article 2.6), which is a collection of information (including personal information) that is systematically organised so that particular personal information can be retrieved by computer or by other means. However, this term excludes a collection of information that a Cabinet Order indicates as having little possibility of harming an individual’s rights and interests, considering how that collection uses personal information (Article 2.4). Examples of collections of information that are excluded from this definition include a commercially available telephone directory or a car navigation system.

Under the proposed PPC Ordinance, a mandatory data breach report is required if a data breach involves personal data (excluding personal data protected by advanced encryption or other measures necessary to protect the rights and interests of the individual) and any of the following applies:

  • the personal data contains "special care required personal information";
  • the personal data is likely to cause property damage if used inappropriately;
  • the breach is likely to have been committed for an improper purpose; or
  • the personal data relates to more than 1,000 individuals.

Special care required personal information is defined as personal information comprising a principal’s race, creed, social status, medical history, criminal record, the fact of having suffered damage from a crime, or other descriptions that may be prescribed by a Cabinet Order as requiring special care in handling so as not to cause unfair discrimination, prejudice or other disadvantages to the data subject (Article 2.3).

Under the Telecommunications Business Act, if an accident causes a suspension or deterioration of service quality lasting more than two hours and affecting 30,000 or more users, the telecommunications business operator must report the accident to the MIC. Furthermore, the MIC has the authority to issue orders to improve the business practices of licensed telecommunications service providers.

There is no restriction for the systems covered.

The MHLW has issued the Guidelines on the Safety Management of Medical Information Systems (May 2017).

The MIC and METI have jointly issued the Guidelines for Safety Management of Medical Information by Providers of Information Systems and Services Handling Medical Information (August 2020).

However, no special rule has been issued for data breach reporting and notification.

No information has been provided.

MIC has published comprehensive measures for the security of IoT.

According to the PPC’s Notification No 1 (2017), a handling operator must endeavour to report a breach to the government through the PPC, an accredited personal information protection organisation (which is a non-governmental organisation accredited by the PPC), or any other supervising authority or organisation.

The foregoing notification also provides that it is preferable for a handling operator to notify the data subjects who may be affected by the data breach in order to prevent further damage, and to publicly announce the fact of the data breach and the operator’s recurrence prevention measures, so as to prevent further damage and similar data breaches at other companies.

Please note that, generally speaking, the APPI does not have any specific or explicit mandatory notification requirements in the case of data breaches. However, if the personal data affected by a data breach is handled by financial institutions under the control of the FSA, there is legal obligation to report to the FSA and to notify data subjects. In addition, if personal data affected by a data breach contains "my numbers", there is a legal obligation to report to the PPC for some serious incidents.

Under the latest amendment of the APPI, a data breach reporting obligation will be introduced. When a mandatory data breach reporting obligation is triggered (please see 5.2 Data Elements Covered), handling operators must, as a general rule, report to the PPC pursuant to the amended PPC Ordinance. An outsourcee that processes personal data on behalf of another company is exempt from this reporting obligation, provided that it reports the data breach to the outsourcer company (Article 22-2.1). In addition, in any case of a reportable data breach, handling operators are also required to notify the data subjects whose personal data is compromised pursuant to the amended PPC Ordinance. This notification obligation does not apply, however, where it is difficult to inform the data subjects and alternative measures necessary to protect their rights and interests are taken (Article 22-2.2).

Under the proposed PPC Ordinance, reporting to the PPC is twofold. The first report should be made promptly after recognition of the data breach and contain such of the following matters as have been ascertained: overview, categories of (likely) affected personal data, the number of (likely) affected individuals, cause, likelihood and details of secondary damage, status of the response to the individual, status of any public announcement, measures to prevent recurrence, and other helpful information.

The second report should be made within 30 days from the date of recognition of the data breach, and this second report must include all the above matters. However, if the data breach is caused by intentional acts such as unauthorised access, the second report may be submitted within 60 instead of 30 days. In addition, handling operators should promptly notify data subjects with an overview of the data breach, categories of (likely) affected personal data, cause, likelihood and details of secondary damage, and other helpful information.

With respect to "risk of harm" and thresholds, reporting is not required in the following cases: (i) the handling operator determines that there has been no substantial leakage of personal data (for example, the personal data is secured by high-level encryption); or (ii) minor wrong transmissions of email or fax or erroneous dispatches of a package (for example, the personal data leaked was only the name of the addressor or addressee of the email or the fax or package and just that email, fax or package).

Under the latest amendment of the APPI, the reporting obligation to the PPC and affected individuals will be limited to the extent prescribed in the amended PPC Ordinance. Please see 5.2 Data Elements Covered.

An employer may monitor and inspect the emails of its employees in accordance with its internal rules on email monitoring, as long as the actual monitoring is conducted only to the extent necessary. Some companies also use other digital forensic measures (eg, website monitoring, application log recording and packet inspection) to strengthen cybersecurity.

See 6.1 Cybersecurity Defensive Measures.

There is no mandatory sharing of cybersecurity information; for authorised sharing of cybersecurity information, please refer to 1.5 Information Sharing Organisations.

Please refer to 1.5 Information Sharing Organisations.

From May 2017, when the PPC became the regulator and enforcement authority for the APPI, until August 2019, the PPC had not issued any official recommendations or administrative orders. On 26 August 2019, however, the PPC issued its first official recommendation, to a company operating an online job platform. The company was found to have estimated users' likelihood of declining a job offer from their web browsing history and sold that data to potential employers. The PPC decided that the company had not complied with the procedures required under the APPI.

On 29 July 2020, the PPC issued its first two administrative orders, for non-compliance with an official recommendation. In these cases, two unnamed internet-based companies had published the personal data of bankrupts, including names and addresses, in violation of the procedures required under the APPI. No criminal sanction for non-compliance with an order or reporting requirement has been imposed.

As for significant data breach incidents, before the PPC was created to enforce the APPI, METI in 2014 issued a recommendation to an educational company, in relation to the leakage of the personal information of approximately 30 million data subjects (children), to take the action necessary to rectify its violation of the APPI. Several civil cases were filed in relation to this leakage of personal information.

Please refer to 8.1 Regulatory Enforcement or Litigation.

A data subject may go to court to seek compensation for damage or distress caused by a breach of data protection. There are two main causes of action.

Firstly, Japanese courts recognise the right to privacy, which is the right of a person not to have his or her private life disclosed except for a legitimate reason. A breach of the right to privacy constitutes a tort under Article 709 of the Civil Code.

Secondly, if a business promises to keep personal data confidential in an agreement such as terms of use, but then compromises the data, the legal cause of breach of contract may also be available.

In a decision issued in October 2017, the Supreme Court found that a breach of the right to privacy may give rise to a claim for compensation for distress caused by the leakage of personal data (eg, names, birth dates, addresses and telephone numbers). The case was remanded to the Osaka Appeal Court for further examination, and on 20 November 2019 that court awarded JPY1,000 to the claimant. Many cases have been brought over the same data breach; for example, the Tokyo Appeal Court awarded JPY3,300 to other plaintiffs on 25 March 2020. These are among the cases mentioned in 8.1 Regulatory Enforcement or Litigation.

The Act on Special Measures Concerning Civil Court Proceedings for Collective Redress for Property Damage Incurred by Consumers allows class actions to be filed by consumers. Please note that claims allowed under that law are limited to property damage and do not cover compensation for distress caused by a breach of the APPI. As a practical matter, however, a number of data subjects may engage the same lawyer, who can then initiate a single action on their behalf, which is similar in effect to a class action.

Japanese companies have started to recognise the importance of conducting cybersecurity due diligence in corporate transactions, especially after the UK’s Information Commissioner’s Office published its "Statement: Intention to fine Marriott International, Inc more than GBP99 million under GDPR for data breach" in July 2019. Subsequently, in October 2020, the ICO issued a fine of GBP18.4 million.

There are no non-cybersecurity-specific laws that legally mandate disclosure of an organisation’s cybersecurity risk profile or experience; in practice, however, it is common for publicly listed companies to disclose cybersecurity risks in the "business risks" section of their annual securities reports. The Cybersecurity Management Guidelines issued by METI and the IPA, as well as the Point of View regarding Cybersecurity for Enterprise Management issued by NISC, both mention the possibility of public disclosure. The MIC published Manuals for Information Disclosure of Cybersecurity Measures on 28 June 2019.

All significant issues have been dealt with above.

Mori Hamada & Matsumoto

16th Floor, Marunouchi Park Building
2-6-1 Marunouchi
Chiyoda-ku
Tokyo
Japan
100-8222

+81 3 6212 8330

+81 3 6212 8230

mhm_info@mhm-global.com
www.mhmjapan.com
