Basic Cybersecurity and Data Protection Legislation in Japan
By Hiromi Hayashi
Posted: 5th March 2018 08:31
The following laws and regulations are the basic legislation in Japan for cyber security and data protection:
(i) Basic Act on Cybersecurity (Act No. 104 of 2014, as amended; the “Basic Act”)
The Basic Act provides the basic framework for the responsibilities and policies of the national and local governments to enhance cybersecurity. Further, it obligates operators of material infrastructure (e.g., financial institutions, operators of railroads, airplanes and other means of transportation, and providers of electricity, gas and water) and networks (e.g., telecommunications networks) to make efforts to voluntarily and proactively enhance cybersecurity and to cooperate with the national and local governments to promote measures to enhance cybersecurity. Based on the Basic Act, the National Center of Incident Readiness and Strategy for Cybersecurity (“NISC”) was established in 2015. NISC annually issues the basic policy on cybersecurity (the latest version of which is as of August 2017).
(ii) Act on the Protection of Personal Information (Act No. 57 of 2003, as amended; the “APPI”)
The APPI is the principal data protection legislation in Japan. Its basic principle is that Personal Information should be handled cautiously and with respect for the individual, in order to promote the proper handling of Personal Information. “Personal Information” means information about specific living individuals which can identify them by name, date of birth or other descriptions contained in the information (including information that allows easy reference to other information which may enable individual identification). A business operator handling Personal Information (a “Handling Operator”) may not disclose or provide Personal Information without obtaining the subject’s consent, unless certain conditions are met. The Personal Information Protection Committee (the “Committee”), which was established on 1 January 2016, supervises the enforcement and application of the APPI. If a Handling Operator violates the APPI, the Committee may urge it to cease the violation and take other necessary measures to correct the violation. If the Committee finds it necessary and certain requirements are met, it may order the Handling Operator to take the urged measures or to cease the violation and take other necessary measures to rectify the violation.
The APPI has no provision comparable to Article 35 of the proposed EU Regulation regarding a Data Protection Officer. However, a Handling Operator is required to take necessary and proper measures for the prevention of leakage, loss, or damage of personal data, and for its other security control. The guidelines issued by the Committee (the “Committee Guidelines”) explain that such measures should include systematic, human, physical, and technical security control measures. The Committee Guidelines provide that the Handling Operator should, as systematic security control measures, (a) establish an organisational structure to take security control measures for personal data, (b) prepare regulations regarding security control measures for personal data and operate its business in accordance with those regulations, (c) prepare the means to make the handling of personal data transparent, (d) assess, review, and improve security control measures for personal data, and (e) respond to accidents or violations.
Prevention of Cyber Attacks
(i) The Act on the Prohibition of Unauthorized Computer Access (Act No. 128 of 1999, as amended; the “UCAL”)
The UCAL criminalises cyber-attacks. Specifically, it imposes criminal sanctions on any person who gains unauthorised access to a computer whose access and operation are under the control of an administrator (an “access controlled computer” and the “access administrator”, respectively). “Unauthorised access” means any action which operates an access controlled computer by either (a) inputting an identification code (shikibetsu-fugou) (e.g., a password and ID) allocated to a user who is authorised to access the access controlled computer (an “authorised user”), without the permission of the access administrator or the authorised user, or (b) inputting any information (other than an identification code) or command which enables that person to evade the access control (e.g., a cyber-attack exploiting a security flaw), without the permission of the access administrator.
The UCAL requires access administrators to make efforts to manage the identification codes of authorised users, to examine the validity of the functions that control access to the access controlled computer, and to implement necessary measures, including enhancing those functions (e.g., encrypting codes, definitively deleting codes which have not been used for a long time, applying a patch to address a security flaw, updating programs, and appointing an officer responsible for network security).
(ii) Telecommunication Business Act (Act No. 86 of 1984, as amended; the “TBA”)
The secrecy of communications is strongly protected under the TBA (Article 4). This protection covers not only the contents of communications but also any information that would enable someone to infer the meaning or contents of a communication; access logs and IP addresses are therefore protected under the secrecy of communications. A telecommunications carrier breaches Article 4 if, without the consent of the communicating parties, it intentionally obtains information protected under the secrecy of communications, discloses such information to third parties, or uses it.
To prevent cyber-attacks, it would be useful for telecommunications carriers to collect and use information regarding cyber-attacks (e.g., access logs of infected devices) and to share that information with other telecommunications carriers or public authorities. However, the TBA does not explicitly provide how a telecommunications carrier may deal with cyber-attacks without breaching the secrecy of communications. The Ministry of Internal Affairs and Communications (“MIC”), the governmental agency primarily responsible for implementing the TBA, issued reports in 2014 and 2015 which address whether a telecommunications carrier may deal with cyber-attacks and the issues that may arise in connection with the secrecy of communications. The findings of both reports are included in the guidelines on cyber-attacks and the secrecy of communications (the “Guidelines”) issued by the Council regarding the Stable Use of the Internet (the “Council”), a council composed of five associations, including the Japan Internet Providers Association, a voluntary association of telecommunications carriers, cable TV service providers and other companies conducting internet-related businesses. The Guidelines are not legally binding, but they carry considerable weight because MIC confirmed them before they were issued by the Council.
Tel: +81 3 5220 1811
Hiromi Hayashi is a partner at Mori Hamada & Matsumoto, which she joined in 2001. Her main fields of practice include telecommunications laws and data protection regulations. Her other areas of practice are international and domestic M&A transactions, takeover bids and corporate restructuring.
- Admitted to the Bar in 2001 in Japan and in 2007 in New York.
- The University of Tokyo (LL.B., 1997)
- Harvard Law School (LL.M., 2006)
- Worked at Davis Polk & Wardwell in New York (2006-2007)
- “The International Comparative Legal Guide to: Telecoms, Media and Internet Laws” (Global Legal Group Ltd., 2009-2017, co-author)
- “The International Comparative Legal Guide to: Data Protection” (Global Legal Group Ltd., 2015-2017, co-author)
- “Comprehensive Analysis of M&A Laws in Japan” (Yuhikaku Publishing Co. Ltd., co-author)