JAPAN Law and Practice Contributed by: Yoshifumi Onodera, Hiroyuki Tanaka, Naoto Shimamura and Rio Ichii, Mori Hamada & Matsumoto
• information and communication;
• government and administration;
• logistics and shipping;
• medical;
• petroleum industry;
• ports and harbours;
• railways; and
• water supply.

The aforementioned Cybersecurity Policy also encourages critical information infrastructure operators to periodically assess their progress in implementing security measures and policies.

2.2 Critical Infrastructure Cybersecurity Requirements

Under the APPI, a handling operator not limited to critical infrastructure must take necessary and appropriate action for security control over the personal data that it handles, including preventing the leakage, loss or damage of or to personal data (Article 23).

The PPC is the regulator primarily responsible for the APPI and the My Number Act; it has published guidelines for the handling of personal information (the “PPC Guidelines”).

The PPC Guidelines provide examples of these handling measures, such as establishing and implementing basic policies, internal rules, and organisational, personal and technical security measures, as well as understanding of the external environment. “Understanding of the external environment” is a security measure, newly introduced by the amendments to the Guidelines, which requires a handling operator who processes personal data in a foreign country to understand the foreign country’s legal system for personal information protection and, taking into consideration that legal system, to take necessary and appropriate measures to ensure the security of personal data. Effective from 1 April 2024, the PPC Guidelines also require a handling operator to take security control over personal information that is collected and expected to be treated as personal data so that a cyber-attacker may not intercept such information on behalf of the operator.

According to the APPI, when a handling operator allows its employees to handle personal data, it must exercise necessary and appropriate supervision over the employees to ensure security control over the personal data (Article 24). The APPI also requires a handling operator to ensure that the entity to whom it has entrusted the handling of personal data (eg, a third-party vendor) takes appropriate measures to ensure security control over the personal data (Article 25).

Under the Economic Security Promotion Act, important critical infrastructure businesses are individually designated by the competent ministry as Specified Essential Infrastructure Service Providers. They are required to take measures to reduce or eliminate risk factors among parties involved in the supply chain. Some of the requirements include establishing measures to:

• prevent unauthorised changes to specified critical facilities;
• prevent service interruptions;
• confirm any legal or contractual violations by parties involved in the supply chain; and
• prevent unintended changes by subcontractors.

2.3 Incident Response and Notification Obligations

The Cybersecurity Policy for Critical Infrastructure Protection provides for the reporting obligations of critical information infrastructure operators in the following instances:
169 CHAMBERS.COM