Blog ・ April 28, 2026
Cybersecurity Compliance for Foreign Firms Entering Japan

With Japan a fertile ground for foreign businesses operating across dozens of sectors, the flow of data in, out of and through the country is greater than ever before. But in a market as risk-averse as Japan, cybersecurity is a topic of utmost importance, and any foreign firm trying to break into the market must stay abreast of the framework of Japanese cybersecurity laws, or risk falling at the first hurdle in this notoriously trust- and reputation-based market.
How is cybersecurity regulated?
Unlike the US or EU, Japan has yet to pass an overarching act centralizing cybersecurity requirements for businesses operating in its markets. Instead, compliance is managed through overlapping privacy and data laws, economic mandates and sector-specific requirements. A keen awareness of the intricacies of this piecemeal framework is essential for firms entering Japan, and vital in building trust with Japanese clients.
What are the main laws governing cybersecurity?
The Act on the Protection of Personal Information (APPI): This will be the priority for most firms entering the Japanese market. This act has extraterritorial breadth, so even preliminary research or data collected before establishing a physical presence in Japan is covered by this act.
The Economic Security Promotion Act (ESPA): To ensure the stability of businesses that are considered “essential infrastructure,” this act was amended in 2022. It requires businesses that operate in certain industries, such as financial, telecommunications and other vital services, to submit to government screening and provide in-depth information on their personal affiliations.
METI (Japanese Ministry of Economy, Trade and Industry) and NISC (National Information Security Center) Guidelines: While not strictly laws, these industry-specific guidelines are invaluable resources and worth complying with. With Japan’s emphasis on trust between businesses, being in compliance can be an essential step in developing rapport with Japanese firms. Alternatively, particularly wary or risk-averse companies may refuse to sign a contract if a foreign firm is out of compliance.
How can foreign firms implement APPI?
As the APPI covers both data obtained from any individual in Japan and any data involved in the provision of goods or services within Japan, it is safe to assume that all data handled by the Japanese branch of a foreign firm will fall under its purview. As such, there are four major tenets of the law that a firm must meet to be in compliance with Japanese law.
First, a business must ensure that it takes “necessary and appropriate” measures to avoid sensitive data being compromised. Though this term has not been strictly defined by Japanese cybersecurity laws, it is likely a business would need to show technical, organizational and premises security in the event of a breach. As such, a firm entering the Japanese market should ensure network security through robust technological measures combined with staff training and internal protocols on handling data.
Second, data may only be collected within defined parameters, with the owner’s consent, and must be accessible to the owner upon request. A foreign firm would need to create a data usage agreement to present to its Japanese clients, in which the scope and use of any data collected would be clearly detailed and consented to as an initial step. From there, the business must ensure any data retained is accurate and up to date, and deleted once no longer necessary, or if the owner wishes to have it deleted. The latter also applies to corrections, amendments and additions — reasonable provisions must be available for these requests.
Third, consent must be obtained when transferring data to a server or third party located outside of Japan. In requesting consent, Japanese cybersecurity laws require disclosure of the receiving party’s name, location and details on how data security will be maintained during the transfer. If requested, the data owner must also be informed of the privacy framework used by the receiver. If sending to certain “whitelisted” jurisdictions with equivalent data protection laws, the need for consent is waived, but due diligence is required to ensure the receiver meets the whitelist requirements before transferring data outside of Japan.
Finally, specific forms of breach or data leak must be reported to the Personal Information Protection Commission (PPC) and compromised individuals in a timely and clear manner. These include any incident where sensitive data is lost either virtually or physically (such as a USB drive being misplaced), the unauthorized release of sensitive data or any incident that could cause harm to individuals within Japan. Much like the “necessary and appropriate” measures from the first tenet, the scope of “harm” is not clearly defined in the APPI, but to ensure compliance, foreign firms should err on the side of caution and ensure any potential incidents are reported and internally investigated.
Highlights:
- Data must be collected under a specific, defined scope
- It must be kept updated, and removed once no longer necessary
- The original owner must be able to request changes or deletion
- The original owner must consent to the data being transferred out of Japan
- The data must be stored securely, both physically and virtually
- The PPC must be informed of specific breaches of sensitive information
Which businesses must comply with ESPA?
The critical element of ESPA for foreign firms is that compliance is mandatory when a business operates with or supplies a company designated by the act. As businesses may enter into contract at short notice, and often with urgent needs, being prepared may spell the difference between a successful and failed negotiation.
At present, over 200 critical infrastructure businesses are covered by the law, and foreign firms entering the market for the first time may be unaware of the requirement until in the midst of negotiations. The essential approach for these businesses is transparency and availability — having the necessary data prepared can ease disruption from government scrutiny. This data includes the names and nationalities of C-suite and board members, major sources of revenue and the locations of offices and manufacturing facilities.
Is compliance with METI and NISC guidelines necessary?
From a purely legal standpoint, any industry-specific guidelines published by either METI or NISC are advisory only. If a foreign firm does not comply with them, there is no penalty or sanction. However, the legal perspective is not the only factor to be considered. For a foreign firm entering the market, a significant barrier to entry is the lack of established connections or trust from Japanese clients. The establishment of trust is vital for long-term business relationships, and following METI and NISC guidelines demonstrates an ethos and reliability that sets a foundation for trust to develop.
FAQs
Japanese cybersecurity laws come with harsh penalties for inadequate security. If found liable for a breach under the APPI, businesses can face fines of up to ¥100 million and criminal liability in the severest cases. Equally damaging, the company can face public censure, causing irreparable damage to its reputation and client relationships.
Though very precisely enforced in serious cases, the majority of regulatory agencies in Japan favor requests for improvement and compliance correction rather than immediately resorting to major penalties. As such, regulatory agencies themselves can be a valuable source of information, on top of formal legal advice from B2B agencies.
While a business can develop trust over a long period of time, a shortcut is to use an established B2B marketing agency like AIM B2B to help mediate connections. This allows a foreign firm to take advantage of the agency’s existing trust from clients, reducing market entry risk by offering smoother communication, established client relationships and pre-existing experience with local laws and compliance requirements.
Conclusion: Important but not Insurmountable
Though the Japanese market might seem demanding in its needs, many familiar with international compliance will note the relative ease of fitting Japanese cybersecurity laws into existing business frameworks. Beyond the security that acts such as the APPI provide, compliance should be seen as a valuable asset as well as a legal obligation — it allows the cultivation of the trust that is vital for success in the Japanese market.
If you’re ready to take your first steps into the Japanese market and want to benefit from experienced compliance professionals, carefully cultivated connections and a deep understanding of the demands of the Japanese business world, contact AIM B2B today.