Japanese Breach Disclosure Law
I believe that I follow breach notification pretty closely. So I was surprised to learn that I had missed the passage of a law in Japan. Bird & Bird, “Notification of data security breaches,” explains:
In Japan, the Personal Information Protection Act (Law No. 57 of 2003; chapters 1 to 3 effective May 30 2003 and chapters 4 to 6 effective April 1 2005) (the “PIPA”), establishes the basic principle regarding the fair handling of personal information and regulates the handling of Personal Information[1] by business operators (“Information Handlers”).
A presentation by Morrison & Foerster, “Data Security and Incident Notification: The Impact of Foreign Law,” tells us:
You may have obligations under Japanese privacy law if:
- You are affiliated with a Japanese company or institution.
- You use or have access to employee or student information maintained in Japan.
- A Japanese institution with which you are involved, for example, in a study-abroad program, enters into a contract with you, according to which you assume privacy obligations under Japanese law.
To date, I’m aware of breach disclosure laws in 38 US states and Japan. Are there others?
So how would you briefly explain what a “Breach Disclosure Law” is?
“Although the PIPA requires Information Handlers to take certain measures to keep Personal Data[2] secure from such events as leakage, loss or damage (PIPA, Art. 20), it does not expressly require Information Handlers to generally disclose security breaches”
Emphasis mine
Chris, you’re right, but it does allow ministries to define more stringent rules. Which I think is perhaps why we see so many disclosures from Japan.
Sorry if I sounded snarky.
I put Japan in with the UK. Nothing like our state laws, but they have stuff on the books that in some instances gets the job done (or could). I am thinking of the FSA’s power in the UK when I say this.
It’s hard for me to be enthusiastic about half-measures when, in the UK at least until they gave up PII on half the population, the government actually disregarded the advice of their own expert panels — repeatedly.
I realize you’re talking about Japan, but I am concerned that absent clear guidance, leaving it to ministerial choice gets you little.
There’s no snarking on this blog.
More seriously, I think you may be applying US experience to Japan. There, ministerial guidance may be enough. It’s not clear (to me) if disclosures are actually much higher, and only a small fraction are being translated into English.