Cyber Security in Japan

Is it unlawful in this jurisdiction to access third party data without authorisation? Is it unlawful to store data which has been accessed without authority?

Yes. Under the Act on Prohibition of Unauthorized Computer Access, engaging in “Unauthorized Computer Access”, which is defined as access to a computer by circumventing the access restrictions set up for that computer, is prohibited. Accordingly, the unauthorised use of other people’s passwords and the exploitation of a vulnerability in a computer (e.g. a defect in its security programs or an erroneous setting in its security controls) typically fall within Unauthorized Computer Access. Storage of data obtained through unauthorised access is not in itself a crime or an illegal act under Japanese law, but use or disclosure of the data can constitute unfair competition as defined under the Unfair Competition Prevention Act if the data falls under a “Trade Secret”. Both the unauthorised access and the use or disclosure of the data obtained through it can trigger civil liability under general tort law and the Unfair Competition Prevention Act.

Is there a legal mechanism whereby you can seek access to or retrieve the copy of data which has been accessed without authority? Is there a legal mechanism that enables you to find out information about who may have accessed your data without authority and/or how it was used?

Yes. If the identity of the party who accessed the data or who holds the data is already known, there are some options to demand that the party disclose the relevant data concerning the unauthorised access. If the data in question is maintained by an entity (e.g. a governmental organisation or a business enterprise), a Japanese qualified attorney can request that the entity disclose the data if the disclosure is necessary to resolve the case for which the attorney is retained. This is a legal mechanism called “23 Jou Shokai” (or Article 23 Inquiry).

To make a 23 Jou Shokai request, the attorney submits a written request to the Bar Association to which he or she belongs, and the Bar Association sends the request to the entity specified in the attorney’s request. Entities which receive such a request are generally required to disclose the requested information. In civil litigation, it is also possible to rely on a “Document Submission Order” issued by the court. Under the Japanese Civil Code, the court has the authority, upon a party’s petition, to order the holder of documents (including but not limited to a party to the litigation) to submit the documents as evidence (Document Submission Order). If the order is issued against one of the parties to the litigation and that party does not comply with it, the court can deem the other party’s argument concerning the document to be true. In principle, the petitioner must identify the subject document in the petition by its type, title, date, author or other specific information. However, if such specific information is not available to the petitioner, the petition can be filed without it as long as the petition provides information which enables the document holder to identify the subject document.

Is there any restriction on the use that can be made of the information or documentation obtained regarding a data breach incident using a legal process?

Yes. Attorneys are prohibited from using 23 Jou Shokai for any purpose other than resolving the case which he or she handles. Therefore, for example, using customer data obtained through 23 Jou Shokai for business not related to the dispute is prohibited.

With respect to evidence submitted to the court in litigation concerning patents, trademarks, trade secrets or copyright (including evidence submitted pursuant to a Document Submission Order), the court may issue a confidentiality order, which prohibits the parties to the litigation and their attorneys, employees, agents etc. from using the information for any purpose other than the litigation, if the information constitutes a trade secret under Japanese law.

Is it possible to maintain confidentiality in relation to the legal steps necessary to get access to the data or information?

Yes. A party to litigation concerning intellectual property rights can petition the court to issue a confidentiality order as mentioned above. Another means is to petition the court to restrict access to the case record. Due to a constitutional requirement, case records are generally accessible to the public; however, if the record contains important private confidential information or a trade secret, the court can, upon the party’s petition, restrict the general public’s access to the confidential information or trade secret in the case record. Even before the court issues its decision on the restriction, access to such information is automatically restricted on a provisional basis once the petition is filed.

If it is later determined that proceedings should be commenced in another jurisdiction (for example, the perpetrator is found to reside there), can you stop the proceedings in this jurisdiction in such a way that you are not prevented from commencing proceedings on the same issue as a result of the application of res judicata, double jeopardy or some other similar principle?

Yes. A plaintiff can withdraw its complaint freely before the defendant responds to the action at the court or submits an answer to the court. After the defendant’s response or submission of an answer, the plaintiff needs the defendant’s consent to withdraw the complaint. Withdrawal is permitted even after the court issues its judgment, as long as the defendant consents. The Japanese Civil Procedure Code prohibits filing another action which is the same as the one withdrawn after the issuance of the judgment in the prior case. In other words, litigation in another jurisdiction after the withdrawal is not prohibited if the prior action was withdrawn before the court issued its judgment. The Japanese Civil Procedure Code also authorises the court to transfer the case, with or without a party’s petition for transfer, when certain requirements are met. Once the court’s order to transfer the case becomes effective and binding, the case is deemed to have been pending before the court to which it was transferred.

Is there an obligation in your jurisdiction to hold personal information securely?

Yes. According to the Act on Protection of Personal Information (the “APPI”), which governs data privacy in Japan, any individual or entity that maintains and manages the personal data of more than 5,000 individuals for its business must take necessary and appropriate measures to prevent leakage, loss or damage of the personal information and otherwise ensure the security management of the personal information. While the language of the Act in this respect is relatively broad, the security requirements are detailed in industry-specific guidelines released by several governmental authorities.

Does the law in your jurisdiction restrict or place conditions on the transfer of personal or other information to other foreign jurisdictions?

No. The current APPI does not prevent data controllers from transferring personal information to other jurisdictions. If the transfer involves a transfer of personal information to a third party, it requires consent from the data subject unless the transfer falls within one of the exceptions set forth in the APPI. However, the current rules on the transfer of personal information do not vary depending on whether the personal information is transferred to a foreign jurisdiction or not. It should be noted, however, that the bill of amendments to the APPI that the congress is discussing (submitted to the congress on 10 March 2015) states that the transfer of personal information to third parties located outside Japan in principle requires consent from the data subject.

Is there a generally applicable obligation to notify data subjects of a data breach in your jurisdiction?

There is no express provision in the APPI creating an obligation to notify data subjects in the event of a data security breach. However, some of the sector-specific guidelines published by governmental authorities state that data controllers must notify the data subjects promptly upon a data security breach. In addition, prompt notification of data subjects and public announcement of a data security breach may help minimise existing and future damage to the affected data subjects, which in turn may also help to minimise the data controller’s potential obligation to compensate the data subjects for damages incurred.

Is there a generally applicable obligation to notify the authorities of a data breach in your jurisdiction?

There is no express provision in the APPI creating an obligation to notify the authorities in the event of a data security breach. However, competent ministries have the authority to collect reports from, advise, instruct or give orders to data controllers, and, as a result, a data controller may be required by a competent ministry to notify the data subjects and/or the ministry in the event of a data security breach within a specific time frame in accordance with ministerial orders.

Are there sector specific mandatory data breach notification obligations in your jurisdiction?

Yes. Some of the sector-specific guidelines create an obligation to notify the governmental authorities promptly upon the occurrence of a data security breach. For example, according to the guidelines issued by the Financial Services Agency, banks and other financial businesses need to take such action in the event of a data security breach in accordance with the relevant guidelines.