JAPAN Law and Practice Contributed by: Yoshifumi Onodera, Hiroyuki Tanaka, Naoto Shimamura and Rio Ichii, Mori Hamada & Matsumoto
1.3 Cybersecurity Regulators

The regulator tasked with enforcing and implementing the APPI is the Personal Information Protection Commission (PPC), which has the following powers under the APPI:

• to require private business operators who handle personal information (handling operators) to report or submit materials regarding its handling of personal information (Article 146), which the APPI defines as information about living individuals that can identify specific individuals or contains what is referred to in the APPI as an “individual identification code” (Article 2.1);
• to enter a handling operator’s offices or other places to investigate, make enquiries and check records or other documents (Article 146);
• to provide guidance or advice to a handling operator (Article 147);
• to recommend that a handling operator cease any act constituting a violation of the APPI and take other necessary measures to correct the violation (Article 148.1);
• to order a handling operator to take necessary measures to implement the PPC’s recommendation mentioned above and to rectify certain violations of the APPI (Articles 148.2 and 148.3); and
• when the PPC issues an order pursuant to Articles 148.2 and 148.3, and a handling operator violates the order, the PPC may publicly announce the violation (Article 148.4).

The National Police Agency and the Public Prosecutors Office are responsible for the criminal investigation and prosecution of cybercrimes.

As for non-regulatory government authorities that are also directly involved with cybersecurity, the Information Technology Promotion Agency of Japan (IPA) and the National Center for Incident Readiness and Strategy for Cybersecurity (NISC) are notable. The IPA regularly publishes important guidelines and provides information on cybersecurity. The more important guidelines include the Cybersecurity Management Guidelines, guidelines for small and mid-sized companies on information security, and guidelines on preventing insider data breaches. The IPA also runs the J-CSIP, or the Initiative for Cybersecurity Information Sharing Partnership of Japan, which shares cybersecurity information of critical information infrastructure operators (ie, operators of businesses that provide infrastructure that is the foundation of people’s living conditions and economic activities, the functional failure or deterioration of which could have a highly significant impact on people). NISC is responsible for national-level cybersecurity under the Basic Act on Cybersecurity and regularly publishes updates to Japan’s Cybersecurity Strategy.

For more on other regulators, refer to the previous sections in 1. General Overview of Laws and Regulators.

2. Critical Infrastructure Cybersecurity

2.1 Scope of Critical Infrastructure Cybersecurity Regulation

The Cybersecurity Policy for Critical Infrastructure Protection defines the following 15 sectors as critical information infrastructure:
• airports;
• aviation;
• chemical industry;
• credit cards;
• electric power supply;
• financial services;
• gas supply;