Bird & Bird: International Law Firm
Guest article: Notifications of data security breaches - Japan
01-02-07
Kunihiko Morishita, James Minamoto and Nobuhito Sawasaki - Anderson Mori & Tomotsune

Important - The information in this article is provided subject to the disclaimer. The law may have changed since first publication and the reader is cautioned accordingly.

The Legislative and Regulatory Framework

In Japan, the Personal Information Protection Act (Law No. 57 of 2003; chapters 1 to 3 effective May 30 2003 and chapters 4 to 6 effective April 1 2005) (the “PIPA”) establishes the basic principle regarding the fair handling of personal information and regulates the handling of Personal Information[1] by business operators (“Information Handlers”).

In turn, various governmental agencies have promulgated guidelines regulating Information Handlers and activities falling under their jurisdiction. For example, the Ministry of Economy, Trade and Industry (“METI”) has issued guidelines for economic and industrial sectors (“METI Guidelines”), and the Ministry of Internal Affairs and Communications (“MIAC”) has issued guidelines for the telecommunication industry (“MIAC Guidelines”), applicable to businesses such as Internet Service Providers.

Security Breach Disclosure Guidelines

Although the PIPA requires Information Handlers to take certain measures to keep Personal Data[2] secure from such events as leakage, loss or damage (PIPA, Art. 20), it does not expressly require Information Handlers to disclose security breaches.

However, some governmental agency guidelines (which do not, strictly speaking, have the force of law) encourage Information Handlers to disclose security breaches to the individuals concerned as well as competent authorities, and take certain other measures.

For example, the METI Guidelines encourage Information Handlers to take the following actions in case Personal Information has been leaked, lost or damaged:

  1. conduct an investigation and determine the cause of the security breach;

  2. identify the extent of the impact of the security breach;

  3. report the security breach to individuals concerned and METI;

  4. establish a plan to prevent recurrences of such security breach; and

  5. formally announce details of the security breach and what the Information Handler plans to do in the future to prevent a recurrence.

The MIAC Guidelines similarly provide that if Personal Information has been leaked, lost or damaged, an Information Handler is encouraged to:

  1. report the security breach to individuals concerned and MIAC as soon as possible; and

  2. formally announce details of the security breach, together with information useful to limit the extent of the damage and prevent the occurrence of a similar security breach.

METI’s proposed amended Guidelines

As of the writing of this article, nearly two years have elapsed since the PIPA took full effect in April 2005. Yet the PIPA and the various governmental agency guidelines are still not universally understood. For example, some Information Handlers are excessively cautious about providing certain necessary personal information, such as emergency contact information, even though disclosure of such information is permissible under the PIPA. Further, some Information Handlers assert that, because the PIPA and government agency guidelines are not completely clear, PIPA compliance imposes unreasonable burdens.

In an effort to address these concerns, METI has proposed certain amendments to the METI Guidelines.

Under the draft amendments, it would not be necessary to report a security breach to the individuals concerned:

  1. if leaked or lost Personal Information has been retrieved before any third parties have seen it;

  2. if leaked or lost Personal Information has been highly encoded or encrypted; or

  3. if no third party could identify any individuals with only the leaked or lost Personal Information.

The draft amendments also relieve the Information Handler from formally announcing details of a security breach and what the Information Handler plans to do in the future to prevent a recurrence of such security breach, in the following cases:

  1. if all individuals concerned have been informed of the security breach;

  2. if leaked or lost Personal Information has been retrieved before any third parties have seen it;

  3. if leaked or lost Personal Information has been highly encoded or encrypted; or

  4. if no third party could identify any individuals with only the leaked or lost Personal Information.

METI publicly disclosed its draft amendments to the METI Guidelines on December 14, 2006 and invited public comment until January 31, 2007.

Currently, MIAC has not proposed any amendments to the MIAC Guidelines; however, we believe it likely that MIAC will follow suit in the near future.

If promulgated in its current form, the METI amendments to its Guidelines would significantly reduce PIPA compliance burdens. However, it is unclear whether they would mitigate the excessive caution currently exercised by some Information Handlers.

For further information, please contact:

Anderson Mori & Tomotsune
Kunihiko Morishita (kunihiko.morishita@amt-law.com)
James Minamoto (james.minamoto@amt-law.com)
Nobuhito Sawasaki (nobuhito.sawasaki@amt-law.com)

Copyright 2007 Anderson Mori & Tomotsune. All rights reserved.

[1]“Personal Information” is defined as information regarding a living person that would allow identification of the person as a certain individual (including such information which can easily be viewed together with other information, which subsequently enables the identification of a certain individual) (PIPA, Art. 2, Para. 1).
[2]“Personal Data” is defined as Personal Information which constitutes a “Database of Personal Information” (PIPA, Art. 2, Para. 4).  “Database of Personal Information” is defined as a collection of information containing Personal Information systematically aggregated: i) with which it is possible, by using a computer, to search for and locate certain Personal Information (focusing on computer processed information); or ii) which is organised systematically based on a specific rule, with which certain Personal Information can easily be located by a manner other than using a computer (PIPA, Art. 2, Para. 2).