Cyber Law in Japan
Overview of Cyber Law in Japan
Japan’s cyber law regime comprises statutes addressing data protection, cybersecurity, computer crime, and platform regulation. The landscape has evolved in response to the EU’s GDPR, the Budapest Convention on Cybercrime, high-profile data breaches, and the government’s digital transformation agenda under the Digital Agency (established 2021). Japan’s approach combines legislation, government guidelines, and industry self-regulation.
Data Protection: The APPI
The Act on the Protection of Personal Information (Law No. 57 of 2003 — APPI) is Japan’s primary data protection law. Originally effective in 2005, it was reformed in 2015 and 2020.
The APPI applies to personal information (kojin jōhō) — information relating to a living individual that can identify that individual. The 2020 amendment expanded the definition to include pseudonymously processed information (gimei kako jōhō). Key obligations for business operators handling personal information include: specification of purpose of use, restriction on use beyond that purpose (Article 16), prohibition on improper acquisition (Article 19), mandatory security control measures (Article 23), supervision of employees and contractors (Articles 24–25), and restrictions on third-party provision (Article 27).
The 2020 amendment introduced mandatory breach reporting to the PPC where the breach is likely to infringe individuals’ rights (Article 26), expanded data subject rights (Article 35), strengthened criminal penalties (Article 88), and extraterritorial application to foreign operators (Article 5).
The Personal Information Protection Commission
The PPC (Kojin Jōhō Hogo Iinkai), established in 2016, is Japan’s independent data protection authority, comprising a chairperson and eight commissioners appointed by the Prime Minister with Diet consent. The PPC issues guidelines (gaidorain) with significant de facto force, conducts investigations, issues cease-and-desist orders, and participates in international cooperation.
Cross-Border Data Transfers
Article 28 restricts transfers of personal data to foreign third parties. Transfer requires: (1) data subject consent (with disclosure of the recipient country’s data protection regime); (2) an adequacy decision by the PPC designating the jurisdiction as providing an equivalent level of protection; or (3) equivalent standards implemented by the recipient through a PPC-certified framework.
Japan received an adequacy decision from the European Commission on 23 January 2019 — the first Asian country under the GDPR. The decision was supplemented by “Supplementary Rules” for additional protections on sensitive data, individual rights, and onward transfers.
Cybersecurity Legislation
The Basic Act on Cybersecurity (Saibā Sekyuriti Kihon Hō, Law No. 104 of 2014) provides the overarching cybersecurity framework. It establishes the Cybersecurity Strategy Headquarters (Saibā Sekyuriti Senryaku Honbu), chaired by the Prime Minister, and requires formulation of a triennial Cybersecurity Strategy (most recently released in 2021). The Act imposes obligations on operators in 14 designated critical infrastructure sectors (energy, finance, transportation, telecommunications, healthcare). The National Center of Incident Readiness and Strategy for Cybersecurity (NISC) serves as the operational coordination hub.
Computer Crime Offences
Unauthorised Computer Access — The Act on Prohibition of Unauthorized Computer Access (Law No. 128 of 1999) criminalises unauthorised access to access-controlled computers, provision of another’s access credentials without justification, and preparatory acts including the sale of credentials.
Penal Code Provisions — Article 246bis (computer fraud) criminalises creating a false electromagnetic record (denji kiroku) for unlawful gain. Article 258 (damage to electromagnetic records) criminalises rendering another’s electromagnetic record unusable. Article 163bis (unauthorised creation of electromagnetic records) covers counterfeit digital documents and access credentials.
Japan acceded to the Council of Europe Convention on Cybercrime (Budapest Convention) in 2011, which has shaped domestic cybercrime provisions.
Provider Liability
The Provider Liability Limitation Act (Law No. 137 of 2001) regulates ISP and platform liability for third-party content. An ISP is not liable for damages caused by third-party transmission if it was “technically impossible” to prevent or if it did not know and had no reasonable grounds to know of the infringement. The Act provides a safe harbour for good-faith takedowns in response to rights-infringement complaints. Rightsholders may demand sender identification subject to judicial oversight. Japanese courts have interpreted this as a relatively narrow safe harbour compared to Section 230 of the US Communications Decency Act.
Anti-Spam Regulation
The Act on Regulation of Transmission of Specified Electronic Mail (Law No. 26 of 2002) requires commercial email senders to include their name and address, provide an opt-out mechanism, refrain from sending to opted-out recipients, and refrain from falsifying the sender’s identity. The Act applies to both domestic and foreign senders targeting recipients in Japan. Violations may result in MIC orders and criminal penalties.
The My Number System
The Act on the Protection of Specified Personal Information (Law No. 57 of 2015 — the “My Number Act”) governs Japan’s social security and tax identification number system. Stricter rules than the APPI apply: My Numbers may only be collected and used for authorised statutory purposes; enhanced security measures (encryption, access logging) are required; and third-party transfer restrictions are more stringent. Unauthorised acquisition or use of My Number data carries imprisonment of up to four years.
Relevant Legislation
- Act on the Protection of Personal Information (APPI), Law No. 57 of 2003
- Act on the Protection of Specified Personal Information (My Number Act), Law No. 57 of 2015
- Basic Act on Cybersecurity, Law No. 104 of 2014
- Act on Prohibition of Unauthorized Computer Access, Law No. 128 of 1999
- Provider Liability Limitation Act, Law No. 137 of 2001
- Act on Regulation of Transmission of Specified Electronic Mail (Anti-Spam Act), Law No. 26 of 2002
Further Reading
- Rauhofer, Judith & Fujii, Yukiko. “Japan’s Data Protection Reform” (2020) 6 International Data Privacy Law 85
- Kono, Toshiyuki & Yamauchi, Shinjiro. Cyber Law in Japan (Wolters Kluwer, 3rd ed., 2021)
- Personal Information Protection Commission. Guidelines on the APPI (various, www.ppc.go.jp)
- Takano, Katsumi. “The Budapest Convention and Japan’s Cybercrime Legislation” (2012) 15 Journal of East Asian Law 231