Lexology GTDT Market Intelligence provides a unique perspective on evolving legal and regulatory landscapes. This interview is taken from the Privacy & Cybersecurity volume discussing topics including government initiatives, M&A risks and cloud computing within key jurisdictions worldwide.

1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?

The cybersecurity requirements applicable to most companies operating in Japan are those stipulated in the Act on the Protection of Personal Information (the APPI). The APPI requires companies to take necessary and proper measures to prevent leakage, loss or damage of personal data, and to provide other security control of personal data. Guidelines issued by the Personal Information Protection Commission (the PPC) explain what companies should do to comply with the requirements of such measures. According to the guidelines, a company is required to implement organisational, personnel, physical and technical security control measures. The guidelines make it clear that appropriate security control measures can differ from company to company, so a company should determine its appropriate security control measures while considering expected impacts on the rights and interests of data subjects in the case of data breaches as well as the possibility of data breaches.

The June 2020 amendments to the APPI are due to come into effect within two years and include several important changes for which businesses need to be prepared. With regard to cybersecurity requirements, the following two changes should be noted.

First, the penalty for the failure to implement appropriate security control measures has been strengthened. Under the existing Act, a company that receives a corrective order from the PPC owing to failure to take appropriate security control measures and that further fails to obey the order can currently be subject to a fine of up to ¥300,000. However, once the amended law comes into effect, the upper limit of the fine will be ¥100 million. Under the amended law, officers and employees who fail to obey the order can also be subject to a fine of up to ¥1 million or imprisonment for up to one year.

Second, the bill requires a company to report data breaches to the PPC and affected data subjects when such data breaches meet the conditions established by the PPC. The company is exempted from the requirement to report to affected data subjects if a situation arises that makes the reporting difficult and the business takes substitute methods to protect the rights and interests of data subjects.

Another relevant act is the Basic Act on Cybersecurity, the purpose of which is to move cybersecurity-related policies forward in a comprehensive and effective manner and to contribute to the creation of a more energetic and continuously developing economic society, consequently contributing to the national security of Japan. This Act mainly stipulates the basic principles of Japan’s national cybersecurity policy and the responsibilities of the national government, local governments and other public parties concerned. It requires businesses to make voluntary and proactive efforts to ensure cybersecurity, but there is no penalty for failing to fulfil this requirement. The Act was amended in 2019 to further ensure cybersecurity in Japan and be fully prepared to host the Tokyo 2020 Olympic and Paralympic Games. The changes include the establishment of a cybersecurity council to enable various public or private entities to mutually cooperate in sharing cybersecurity information and discussing necessary countermeasures, as well as provisions about additional operations to be handled by the Cyber Security Strategy Headquarters in communicating and making adjustments with parties within and outside Japan upon the occurrence of cybersecurity incidents.

2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?

As mentioned above, the APPI was amended in June 2020, and the amended APPI will require businesses to report breaches of personal data to the PPC and affected data subjects when these data breaches meet the conditions established by the PPC. The amendment is due to come into effect within two years after June 2020. Businesses will be exempted from the requirement to report to affected data subjects if there is a situation that makes the reporting difficult and the business takes substitute methods to protect the rights and interests of data subjects.

Under the existing APPI, there is no requirement to report data breaches to the government or the data subject. However, the guidelines issued by PPC require business operators to make efforts to report to the PPC once personal data has been breached. The following data breach incidents are to be reported to the PPC.

(1) leakage, loss or damage to personal data;

(2) leakage of information related to the process of producing anonymously processed information; and

(3) likelihood of (1) or (2) above occurring.

However, the guidelines provide certain exceptions where the business is not required to report to the PPC:

  • When it is determined that a substantive data breach has not occurred, the report is not required. It is deemed that a substantive data breach has not occurred in the following situations:
    • an information-concealing process, such as an advanced encryption method, is adopted for the leaked information;
    • all of the leaked information is recovered before a third party can view it;
    • it is impossible for third parties to identify specific data subjects from the leaked information, and the leaked information itself is not likely to cause damage to the data subjects; and
    • the information is not leaked but is lost or damaged, and it is not reasonably expected that a third party will view the information.
  • When a data breach incident is caused by erroneous transmission of emails or facsimiles or erroneous shipment, etc, and it is a minor incident, the report is not required.

The guidelines also recommend that business operators notify affected data subjects of data breach incidents (or put information in a readily accessible condition for them) when it is appropriate to prevent secondary damage or similar data breach incidents, etc.

As mentioned above, the requirements to report to the PPC and affected data subjects are not provided as legal duties. However, it is highly recommended to make such reports if a data breach meets the said conditions. If secondary damage is caused, or similar data breach incidents arise, as a result of the failure of a business operator to make such report, such operator may be deemed to have failed to take appropriate security control measures and be subject to a penalty, and the damages that may be claimed by data subjects may increase.

3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?

When suffering a data security incident, the main issues that companies need to address from a privacy perspective are: conducting a prompt and appropriate incident response; and ensuring accountability and transparency to data subjects and other stakeholders.

While companies have been increasing their use of data, such as by acquiring and analysing internet browsing history and location data for marketing purposes, major data security incidents attracting public attention have occurred in Japan in recent times. For example, there was unauthorised access to a mobile payment service operated by the subsidiary of a convenience store retail giant, and the service was scrapped just one month after its debut as the company struggled to resolve the security issues and restore the trust of its users. This incident reaffirmed that data breaches can have a significant impact on businesses and that preparing for incident response, including accountability and transparency to data subjects, is extremely important for business continuity.

Although the incident response procedure and security measures to be taken by companies may vary depending on the individual data security incident, the following procedures are usually recommended in the case of a data security incident to prevent the spread of damage and ensure accountability and transparency to data subjects and other stakeholders:

  • immediately verify the facts concerned, including the causes of the data security incident and the scope of data that has been leaked;
  • immediately announce accurate facts and express sincere apologies to data subjects at an early stage as a first quick announcement;
  • immediately report to the PPC and other related authorities depending on the industry that the company belongs to as a first quick report;
  • continuously announce and report the facts that may be revealed through subsequent investigations to data subjects and the relevant authorities;
  • perform investigations including digital forensics not only by internal members but also by a third-party committee consisting of specialists (including attorneys and technical specialists) who are in neutral positions to perform investigations;
  • plan security management measures to prevent any recurrence of the data security incident based on the results of the investigations performed;
  • report the results of the investigations performed and the security management measures to prevent any recurrence of the data security incident; and
  • implement the security management measures.

4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?

There is no single best practice to improve cybersecurity preparedness that applies to all businesses in Japan. Generally, the security management measures to be taken by companies should be determined through a self-assessment based on a risk-based approach. Accordingly, it is important for a company to duly carry out the following process for improving cybersecurity preparedness: (i) collecting the latest cybersecurity-related information and trends; (ii) figuring out the current status of its security management measures; (iii) carrying out a risk assessment; (iv) establishing security management measures in accordance with the results of the assessment; and (v) operating them appropriately.

Since there are laws, regulations and guidelines that serve as a baseline and can help companies to conduct the above assessment, we provide the following examples here.

First, as mentioned in question 1 above, the APPI requires companies to take necessary and proper measures to prevent the leakage, loss or damage of personal data, and to provide other security control of personal data. The guidelines issued by the PPC explain what companies should do in order to comply with the requirements of such measures. According to such guidelines, a company is required to implement organisational, personnel, physical and technical security control measures. In addition, the Financial Services Agency has issued additional guidelines that stipulate matters that require companies in the financial sector to take particularly strict security control measures in light of the nature and use of personal data in the financial sector.

Second, the Ministry of Economy, Trade and Industry has published the Cybersecurity Management Guidelines, which are intended for companies that are utilising IT-related systems or services. The Guidelines describe managerial strategies from the perspective of protecting companies from cyberattacks and recommend that companies implement security management measures that are based on three principles that the manager of a company should be aware of, and 10 significant items on which a manager of a company should instruct the officer responsible for executing information security measures (eg, the chief information security officer who is in charge of supervising information security within the company).

Third, the Japan Institute for Promotion of Digital Economy and Community (JIPDEC) operates an assessment system for certifying whether or not the information security management system (ISMS) of a company is consistent with international standards (the ISMS conformity assessment system). Under this assessment system, examinations are made as to whether or not an ISMS implemented by a company is in conformity with JIS Q 27001 (ISO/IEC 27001). In addition, the JIPDEC also operates a PrivacyMark System to assess companies that take appropriate measures to protect personal data.

Fourth, the Centre for Financial Industry Information Systems (FISC) has established the ‘FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions’ to promote security measures on financial institution information systems. These guidelines have been voluntarily observed by most financial institutions in Japan.

5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?

Cloud hosting services are currently in use in a wide variety of situations in Japan; however, there are some points that should be considered by business operators upon using cloud hosting services.

The APPI regulates the transfer of personal data to third parties in countries outside Japan. Many of the cloud hosting services that are widely used in Japan are operated by service providers in foreign countries. If a foreign cloud service provider processes personal data in the cloud (ie, the cloud service provider accesses personal data managed by a user, a business operator in Japan, and extracts some data linked with such personal data), then the user is subject to personal data transfer regulations. Under the APPI, if personal data is transferred to a third party in a country outside Japan, the transferring party is generally required to obtain the prior consent of the relevant individual for such cross-border transfer. However, it is not practicable to obtain consent from the individuals upon using a cloud service. One of the exceptions that is widely used is where the third party is located in a foreign jurisdiction that the PPC determines and prescribes by its rules as providing an equivalent level of protection of personal data as Japan (which is currently only the European Economic Area). Another exception is where the relevant third party has established, and continues to utilise, an equivalent level of protective measures as those that are required under the APPI, which can be met by entering into appropriate agreements between the user and the cloud service provider.

Thus, in cases where the cloud service provider processes personal data in the cloud, the provider must process such personal data in Japan or meet one of the above exceptions.

In addition, in cases where the cloud service provider processes the personal data in the cloud, the user shall supervise the processing of personal data by the cloud service provider. Thus, upon choosing the cloud service, the user needs to validate the appropriateness and security of the cloud service provider.

On the other hand, if the cloud service provider and the user enter into an agreement whereby the provider undertakes not to access the personal data in the cloud, and the provider actually limits the accessibility to the personal data, it is considered that the provider does not process the personal data in the cloud and is, therefore, not subject to the personal data transfer regulations. However, the user is fully liable for any incidents in the cloud in such a case. Thus, it is important for users of cloud services to validate the appropriateness and security of the cloud service provider in this case as well.

6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?

The increasingly established nature of technologies in cyberspace, such as AI, IoT, fintech, robotics, 3D printers and AR/VR, has seen the expansion of cybersecurity threats.

The Basic Act on Cybersecurity enacted in 2014 provides for the basic policy for cybersecurity. Under the Act, the government provides its Cybersecurity Strategy (the latest of which was made in 2018). The Strategy shows the basic position and vision on cybersecurity, and objectives and implementation policies for three years (2019 to 2021).

The Cybersecurity Strategy states that Japan will aim for the sustainable development of cyberspace to realise a society where new values and services are continuously generated, bringing abundance to the people (Society 5.0), and Japan will promote public and private sector initiatives on cybersecurity based on the following three approaches:

  • Mission assurance for service providers: any organisation represented by companies, critical infrastructure operators, and government bodies understand the operations or services that they should carry out as their ‘missions,’ and ensure necessary capabilities and resources to reliably execute the same.
  • Risk management: minimising risks to an acceptable level by identifying, analysing and evaluating risks associated with ‘missions’ assigned to organisations.
  • Participation, coordination and collaboration: fundamental initiatives implemented by individuals or organisations from peacetime to prevent damage or its escalation possibly caused by threats in cyberspace.

In addition, numerous laws impose criminal sanctions regarding cybersecurity threats. For example, the Act on Prohibition of Unauthorised Computer Access prohibits spoofing, security loophole attacks and phishing as unauthorised computer access. In addition, the Penal Code prohibits the unauthorised creation or provision of electromagnetic records of unauthorised commands that do not operate in accordance with other people’s intentions or that act against their intention, typically computer viruses.

7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions? What are the privacy and data security risks in mergers and acquisitions?

Legal due diligence should be performed to mitigate privacy and data security issues in mergers and acquisitions from the perspectives that: (i) as the importance of data increases, buyers may engage in mergers and acquisitions in order to use the data held by the target company after the acquisition; and (ii) the need to perform legal due diligence from a data security perspective is high, and if the data held by the target company cannot be utilised after the acquisition, the purpose of the merger and acquisition will not be achieved.

What aspects of legal due diligence need to be performed?

The first aspect is how personal data held by the target company can be used after the acquisition. The second is whether the target company’s data security system is sufficient. In addition, there may be cases where potential security risks remain at the target company.

What points should be checked in terms of use of data?

If a buyer acquires a target company because it perceives the data owned by the company as valuable, the buyer will need to check whether it can use the target company’s data after the acquisition.

For example, when a food manufacturer acquires a company that operates a recipe website, the question is whether the food manufacturer can use the personal data of users visiting the recipe site.

In this case, the following checks should be performed in the legal due diligence:

  • Is the personal data held by the target company lawfully collected?
  • Can the buyer use the personal data held by the target company after the acquisition?

On the latter point, the question is whether the purposes of use after the acquisition are covered by the purposes of use stated in the target’s privacy policy before the acquisition.

If this is not the case, it is necessary to obtain consent from the users before using their data for new purposes.

What points should be checked in terms of data security?

  • Does the target company establish a security system for personal data?
  • Has the target company experienced any data breach incidents?

In particular, it is very important to check whether there are any potential data breach incidents and to have the seller represent and warrant that there have been no such incidents. If the buyer overlooks potential data breach incidents and also fails to obtain the representation and warranty from the seller, then the buyer can be found solely responsible for incidents once they are revealed.


The Inside Track

When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?

It is necessary to be familiar with the legal regulations in the cybersecurity field.

It is also important for lawyers to understand the latest threat information, examples of security incidents from other companies, and the security technologies used to defend against them, and to give appropriate legal advice to clients.

How is the privacy landscape changing in your jurisdiction?

The APPI was amended in 2017, introducing a rule that it would be reviewed every three years. The PPC, which was established as an independent authority for data protection under the amendment in 2017, has issued administrative guidance and corrective instructions in some cases where it found inappropriate processing of personal data. In addition, the APPI was amended in June 2020, with such amendments due to come into effect within two years, and the monetary sanction was increased to up to ¥100 million. The regulatory environment for personal data will become stricter, and businesses should be more cautious about data processing.

What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?

A massive data breach caused by an advanced persistent threat (APT) is the issue that companies need to be most careful about in Japan. The Information-Technology Promotion Agency (IPA) in Japan ranked APT as the top threat in its publication ‘10 Major Security Threats 2020’.

According to the IPA, the specific methods of APTs are as follows:

  • infecting computers with a virus through targeted email attacks, etc, and intruding on an organisation’s network;
  • persistently increasing the impact range of attacks; and
  • stealing an organisation’s confidential information.

To protect companies from APTs, it is important to establish an organisational framework (ie, developing a security policy, managing information and conducting incident training for employees, etc).