Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 17 January 2025

Yes.

☒ General obligation to take appropriate / reasonable technical, physical and/or organizational security measures

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 17 January 2025

No.

While the government has issued cybersecurity guidance applicable to providers of critical infrastructure under the Basic Act on Cybersecurity, that guidance does not impose legal obligations on private companies to protect their systems from cyberattacks.

The Act on Prohibition of Unauthorized Computer Access prohibits using another person's ID or password to gain access, or making such credentials available for unauthorized use. However, this Act does not impose any obligation to protect systems from cyberattacks either.

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

Last review date: 17 January 2025

  • Data privacy
  • Telecommunications

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 17 January 2025

Yes.

Under the amended APPI and its bylaws, business operators must notify the PPC and the affected data subjects of serious personal data security breaches (i.e., leakage, loss, damage or other events pertaining to the security of personal data). The relevant ordinances provide that a breach is a "serious personal data security breach" that must be notified to the PPC and/or data subjects where any of the following applies:

  • The data includes sensitive data.
  • The data is likely to be used unlawfully and cause financial damages.
  • The breach of personal data (including personal information that has been obtained or is about to be obtained by the business operator and is planned to be handled as personal data) was committed or is likely to be committed with a wrongful purpose.
  • The breach affects, or is likely to affect, more than 1,000 data subjects.

Controllers/Owners have to notify:

Last review date: 17 January 2025

  • Data protection authorities

Under the amended APPI and its bylaws, business operators must report a personal data security breach (meeting the relevant threshold) to the data protection authority (PPC) immediately (usually within three to five days, according to the PPC guidelines), followed by a more detailed report within 30 days after becoming aware of the breach (or within 60 days where the breach is likely to have been committed with an unlawful purpose).

  • Affected individuals

Under the amended APPI and its bylaws, business operators must "promptly" notify data subjects of a personal data security breach (meeting the relevant threshold). The APPI does not provide a specific timeframe.

Processors/Agents have to notify:

Last review date: 17 January 2025

Under the amended APPI and its bylaws, processors (i.e., outsourcees who process personal data on behalf of a controller) must notify the controller (i.e., the outsourcer of the processing) of personal data security breaches meeting the relevant threshold.

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 17 January 2025

Yes.

  • Financial services requirements
  • Telecommunication requirements
  • Other

Details regarding the identified data security breach notification requirements

Telecommunication requirements

Article 28 of the Telecommunications Business Act requires telecommunications carriers to report any violation of the secrecy of communications to the Ministry of Internal Affairs and Communications (MIC) within 30 days after becoming aware of it. Non-compliance with this reporting obligation may be subject to a criminal fine of not more than JPY 300,000 (approx. USD 2,067).

Financial institutions

The Guidelines on the Protection of Personal Information in the Financial Industry, issued by the Japanese data protection authority (PPC) and the Financial Services Agency (FSA), require banks and other financial institutions to "immediately" report a data breach to the supervising authority. The Guidelines do not provide a specific timeframe for reporting, and there are no penalties for non-compliance with the reporting obligation.

In addition, the Comprehensive Supervisory Guidelines for Major Banks, etc. issued by the FSA require major banks, etc. to "immediately" report to the supervising authority when a system failure or cybersecurity incident occurs, and to report again when recovery is completed and when the cause is identified; a further report is due in any event within one month of the incident, even if recovery has not yet been completed or the cause has not yet been identified. There are no penalties for non-compliance with these reporting obligations; however, non-compliance may be subject to administrative guidance.

While these guidelines are not binding, many financial institutions follow the guidelines in practice.