Cybersecurity 2025

JAPAN Law and Practice Contributed by: Yoshifumi Onodera, Hiroyuki Tanaka, Naoto Shimamura and Rio Ichii, Mori Hamada & Matsumoto

1. General Overview of Laws and Regulators

1.1 Cybersecurity Regulation Strategy

The Basic Act on Cybersecurity is Japan’s fundamental law on cybersecurity, and the Act on the Protection of Personal Information (APPI) is the country’s principal data protection law. Pursuant to the APPI, a personal data breach is subject to mandatory reporting and notification requirements – see 2.3 Incident Response and Notification Obligations. However, there is no general regulation imposing a mandatory reporting obligation for a cybersecurity incident that does not involve a personal data breach.

The Unfair Competition Prevention Act prohibits the infringement of trade secrets, and the Act on Prohibition on Unauthorised Computer Access outlaws unauthorised computer access. The Penal Code also includes penalties for some cybersecurity crimes. The Telecommunications Business Act requires telecommunications carriers to ensure the secrecy of communications.

Japan does not have specific regulations for secure software development.

For more details on the laws cited above and other relevant laws, see 1.2 Cybersecurity Laws.

1.2 Cybersecurity Laws

The Basic Act on Cybersecurity regulates the responsibility of the national government and local governments for cybersecurity (Articles 4 and 5). It also stipulates the obligation of critical information infrastructure operators, cyberspace-related business providers, and research institutions such as universities (Articles 6, 7 and 8) to exert efforts to ensure cybersecurity.

The APPI, Japan’s principal data protection law, provides the basic principles for the government’s regulatory policies and authority, as well as requirements for handling operators.

Another important law is the Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures (the “My Number Act”), which stipulates special rules for “my number” – a 12-digit individual number assigned to each resident of Japan.

The jyorei, or ordinances, enacted by local governments contain public sector obligations.

The Unfair Competition Prevention Act prohibits the infringement of trade secrets and provides for causes of action in civil cases, such as compensation for damages and injunctive relief, as well as criminal sanctions. Information that is not protected as a trade secret may instead be protected as “data for limited provision”. An unauthorised acquisition or utilisation of data for limited provision may be deemed to be unfair competition, which is subject to compensation for damages and injunctive relief but not criminal sanctions.

The Act on the Prohibition on Unauthorised Computer Access outlaws:

• the use of another person’s identification code (eg, a password) to access remote computers via a telecommunications network;
• inputting information (excluding an identification code) or a command to evade access restrictions on remote computers via a telecommunications network;
