THE GDPR (General Data Protection Regulation)

Background and Purpose

·   Enacted on May 25, 2018, the General Data Protection Regulation (GDPR) marked a major shift in global data privacy laws.

·   Its goals included:

o   Harmonizing data protection laws across the EU.

o   Ensuring transparency about how personal data is used.

o   Empowering citizens to file complaints if their privacy rights are violated.

o   Encouraging informed consent and clear accountability for businesses operating in the EU.

Implementation Challenges

·   Despite its promise, GDPR implementation has exposed:

o   Persistent gaps in data governance and citizen awareness.

o   Ongoing issues with corporate compliance.

o   The emergence of new challenges not foreseen during drafting.

·   Needs going forward:

o   Stronger enforcement mechanisms and fines.

o   Cross-border regulatory collaboration.

o   Recognition and correction of policy blind spots.

Global Relevance

·   GDPR is rooted in concerns about privacy erosion and the manipulation of personal data, posing risks to democracy itself.

·   It reflects a global concern about how digital economies exploit personal information.

Key Activism and Legal Action

·   Max Schrems, an Austrian lawyer and privacy advocate, played a pivotal role:

o   In 2011, shocked by a 1,200-page data file Facebook held on him, he formed Europe v Facebook.

o   His activism influenced public opinion and GDPR policy direction.

·   Founded ‘noyb’ (None of Your Business) in 2017 to enforce GDPR via legal actions.

·   Filed the first GDPR complaints just minutes after the regulation took effect.

Looking Ahead

·   Full GDPR effectiveness requires:

o   Improved enforcement.

o   Public education on data rights.

o   Proactive corporate accountability.

Citizen-Centric Enforcement and GDPR Effectiveness

Early NGO Involvement

·   La Quadrature du Net (France) joined early enforcement efforts, targeting GAFAM (Google, Apple, Facebook, Amazon, Microsoft).

o   Complaints were crowdsourced from 12,000 French citizens.

o   Templates were made available for reuse across the EU, promoting grassroots enforcement.

Impact on Individuals: A Core Measure of GDPR's Success

·   Individual experience with GDPR is central to evaluating its effectiveness.

1. Informed Consent: A Mixed Outcome

·   Post-GDPR, users were bombarded with pop-ups and emails asking for consent.

o   Most users simply clicked “I agree” without reading — leading to “consent fatigue.”

o   This undermines the principle of meaningful, informed consent.

·   Key issues:

o   Vague wording, pre-ticked boxes, and binary options (consent or exit) violate GDPR's spirit.

o   Example: Google fined €50 million by CNIL (French data authority) for forcing non-specific consent.

o   Ongoing case: Planet49 used pre-checked cookie boxes, under review by the EU’s top court.

o   25 of 28 official EU websites found using tracking scripts without user consent.

2. Breach Notification: A Clear Success

·   GDPR mandates breach reporting to authorities within 72 hours.

o   Also requires notifying affected individuals promptly.

·   Results:

o   Over 89,000 breach incidents reported, doubling the rate from previous years.

o   Encouraged transparency, corporate accountability, and user protection.

·   Significance:

o   One of GDPR’s most effective and enforceable provisions.

o   Sets a global standard for breach notification protocols.

3. Automated Decision Making: A Weak Spot

·   GDPR includes provisions against solely automated decisions with significant impact (e.g., profiling).

·   However:

o   Lack of clarity and enforcement mechanisms around AI and algorithmic decision-making.

o   Fails to fully define individuals’ rights in this context.

·   Critics label it “toothless” in protecting users from opaque or biased automated systems.

Overall Evaluation

·   Strengths: Breach notification policy, public awareness, and stronger corporate accountability.

·   Weaknesses: Over-reliance on simplistic consent models, vague AI provisions, and inconsistent enforcement.

·   Ongoing need for refinement and stronger enforcement to fulfil GDPR’s citizen-first promise.

Positive Impacts of GDPR on Citizen Awareness and Engagement

·   Widespread Awareness:

o   73% of Europeans are aware of at least one of their new data protection rights.

·   Increased Citizen Action:

o   Over 144,000 individual complaints have been filed, showing active use of GDPR mechanisms.

·   Empowerment Through Rights:

o   Citizens are increasingly exercising rights like:

§  Data access

§  Objection to marketing

§  Data deletion (right to be forgotten)

§  Workplace privacy

·   Privacy as a Human Right:

o   GDPR has helped establish privacy as a fundamental human right, gaining public and policy recognition.

·   Influence on Broader Policy:

o   GDPR has triggered critical assessment of smart city initiatives; ensuring data protection is integrated into urban planning.

·   Global Model for Regulation:

o   The EU’s approach has inspired similar laws in other regions, amplifying the global conversation on privacy and digital rights.

·   Stronger Public Engagement:

o   Citizens now have concrete tools to challenge misuse of data, increasing accountability and transparency from organizations.

Regulating Cash-Rich Corporations: GDPR's Corporate Impact

Rooted in Public Concern

·   GDPR was born out of rising public anxiety over how tech companies collect and exploit personal data.

·   As data became more valuable, corporate practices grew more aggressive, fuelling the need for tighter regulation.

Industry-Focused Objectives

·   GDPR aims to reshape corporate data handling, especially among tech giants whose core business is personal data.

·   The regulation enhances existing laws rather than introducing radical new measures — a strength in continuity and clarity.

Potential to Transform the Ecosystem

·   GDPR holds long-term promise to change the entire data economy, not just penalize a few high-profile violators.

·   Whether it has achieved this yet remains an open question, but the foundation is strong for future reform.

Corporate Bureaucracy & Start-up Impact

·   Initial implementation led to:

o   Reduced venture capital funding for EU-based tech start-ups.

o   Cuts in advertising budgets, especially for smaller players.

·   Criticism: GDPR may have added compliance burdens instead of reshaping behaviour, especially for SMEs (small and medium enterprises).

The Role of Data Protection Officers (DPOs)

·   GDPR mandates DPOs in certain cases, pushing organizations towards continuous compliance and accountability.

·   Elizabeth Denham (UK Information Commissioner) emphasized that DPOs help organizations move from basic compliance to deeper responsibility.

·   According to the IAPP, around 500,000 DPOs have been appointed across Europe — a major leap toward embedding privacy practices into business operations.

Key Takeaways

·   GDPR is a step forward in regulating powerful tech firms, aiming for structural change over time.

·   While implementation challenges exist, especially for smaller companies, the regulation has:

o   Elevated data privacy as a business priority.

o   Encouraged creation of specialized roles like DPOs to support sustainable compliance.

Industry Competition, Compliance Costs, and GDPR Enforcement

Industry Consolidation & Compliance Complexity

·   Cory Doctorow (author and data rights advocate) argues:

o   GDPR compliance is costly and complex, favouring large corporations.

o   Big tech firms, especially American giants, are best positioned to navigate and exploit the system.

·   Resulting impact:

o   Smaller companies face disproportionate burdens, contributing to industry consolidation.

o   Some large companies give the illusion of compliance (e.g., redesigning UI/UX) without altering core data practices.

Need for Stronger Enforcement Mechanisms

·   GDPR’s self-reporting approach has value but requires reinforcement through:

o   Stronger, consistent enforcement.

o   Antitrust actions to address power imbalances between dominant tech players and smaller competitors.

o   Greater scrutiny of superficial compliance tactics used by large firms.

Fine Structure: Gaps and Disparities

·   Initial promise of harsh penalties attracted global attention, but real-world application shows uneven outcomes:

o   Example of disparity:

§  Knuddels.de (German chat site): €20,000 fine for a self-reported breach.

§  Hospital do Barreiro (Portugal): €400,000 fine for poor patient data protection.

·   Fines are often inconsequential for cash-rich tech giants:

o   In GDPR’s first year:

§  91 companies fined, but most fines were relatively minor.

§  A single €50 million fine on Google accounted for 89% of the total €56 million fined.

§  This fine is still far below the potential maximum fine of €3.7 billion (4% of global revenue).

Key Takeaways

·   Large corporations benefit from economies of scale and legal resources, using compliance complexity to maintain dominance.

·   Small and mid-sized firms are more heavily impacted, risking market consolidation.

·   Stronger and more proportionate enforcement is needed to:

o   Deter non-compliance across the board.

o   Ensure fines are meaningful enough to affect the behaviour of data-rich, wealthy firms.

o   Support fair competition and genuine data protection.

Strengthening Accountability & Enforcement

·   Organizational Reflection:

o   Some companies are beginning to rethink data collection practices, aiming to reduce intrusiveness and limit the volume of personal data gathered.

·   End of the Grace Period:

o   Countries like France, Germany, and Ireland have signaled that the GDPR grace period is ending, indicating a more assertive enforcement phase.

·   Ireland's Regulatory Action:

o   As home to the EU headquarters of major tech firms, Ireland is conducting 19 statutory investigations into big tech’s GDPR compliance.

·   Staff Expansion:

o   Data protection authorities across the EU are increasing their staffing, strengthening their capacity for enforcement and oversight.

·   Stronger Fines and Signals of Accountability:

o   The UK ICO fined British Airways £183.39 million for a massive data breach—four times greater than the CNIL fine against Google.

o   Commissioner Elizabeth Denham emphasized that data breaches are “more than an inconvenience” and stressed the fundamental right to privacy.

Global Influence & Standardization

·   International Policy Leadership:

o   GDPR is widely regarded as a global benchmark for data privacy regulation.

o   Its influence has led to new or updated privacy laws worldwide, including:

§  California’s CCPA

§  India’s Personal Data Protection Act

§  South Korea’s PIPA revision

·   Widespread Legal Inspiration:

o   GDPR’s most emulated features include:

§  Data breach notification rules

§  Rights of data subjects

§  Accountability and transparency requirements

o   Its omnibus-law approach, applying across all sectors, is increasingly adopted by other nations.

·   Linkage to Global Trade:

o   The EU ties privacy standards to trade agreements through “adequacy decisions”, encouraging countries to align with GDPR to:

§  Enable seamless data flows

§  Build trust in digital commerce

o   Countries aligning with GDPR standards include:

§  Japan, New Zealand, Israel, South Korea, Argentina, Colombia, Bermuda

Progress toward Unified Governance

·   A New Global Dialogue:

o   The GDPR has catalysed a global conversation about:

§  Responsible data governance

§  The role of tech giants in shaping digital economies

§  Cross-border privacy and enforcement standards

·   European Expansion:

o   Even non-EU countries like Switzerland, Norway, Iceland, and Liechtenstein are aligning closely with GDPR principles.

Ongoing Challenges despite Progress

·   While the GDPR aimed to harmonize data laws across the EU, implementation and enforcement, still vary by country.

·   Some national agencies are still developing infrastructure and operational capabilities to enforce the regulation uniformly.

Summary: A Step Forward for Global Data Governance

·   GDPR has:

o   Shifted the focus toward accountability, transparency, and user rights

o   Encouraged stronger enforcement practices

o   Inspired a wave of global legislative reforms

·   Though challenges remain, GDPR has laid a powerful foundation for modern data protection, both within Europe and internationally.

20 biggest GDPR fines so far

1. Meta (Facebook) – €1.2 Billion Fine

·   Date: May 2023

·   Authority: Irish Data Protection Commission (DPC)

·   Reason:

o   Transferred EU user data to the US without adequate safeguards.

o   Violated GDPR’s data transfer regulations.

·   Impact:

o   Largest GDPR fine ever imposed.

o   Meta plans to appeal—this case could shape the future of international data transfers.

·   Message: A landmark warning that GDPR non-compliance can lead to severe penalties.

2. Amazon – €746 Million Fine

·   Date: July 16, 2021

·   Authority: Luxembourg National Commission for Data Protection (CNPD)

·   Reason:

o   Complaint from 10,000 individuals via La Quadrature du Net.

o   Found to be using personal data for targeted advertising without proper consent.

·   Significance:

o   Second-highest GDPR fine to date.

o   Highlights issues with consent in ad-based business models.

3. Meta (Instagram) – €405 Million Fine

·   Date: September 5, 2022

·   Authority: Irish DPC

·   Reason:

o   Mishandling of children’s data on Instagram.

o   Public exposure of contact information for teenage users.

o   Failure to conduct a required Data Protection Impact Assessment.

·   Implication: Serious concerns over how children’s data is handled on social platforms.

4. Meta (Facebook & Instagram) – €390 Million Fine

·   Date: January 4, 2023

·   Authority: Irish DPC

·   Reason:

o   Changed legal basis from consent to contract for personal data processing.

o   Users were forced to accept new Terms of Service to access services.

·   Complaint: Argued that Meta was “forcing consent” under the guise of contractual necessity.

·   Outcome: Demonstrates the limits of using contracts to justify data collection.

5. TikTok – €345 Million Fine

·   Date: September 2023

·   Authority: Irish DPC

·   Reason:

o   Improper handling of children’s accounts.

o   Inadequate age verification and poor transparency practices.

·   Findings: Multiple breaches of GDPR related to child user data.

·   Action Taken:

o   Fine issued.

o   TikTok was ordered to fix data processing practices within 3 months.

6. LinkedIn – €310 Million Fine

·   Date: October 30, 2024

·   Authority: Irish DPC

·   Reason:

o   Unauthorized behavioural analysis and targeted ads.

o   Complaint initiated by French NGO La Quadrature Du Net.

·   Penalty:

o   Fine, public reprimand and orders to revise data practices.

·   Key Message: Stresses the need for lawful, fair, and transparent data usage.

7. Uber – €290 Million Fine

·   Authority: Dutch Data Protection Authority (DPA) 🇳🇱

·   Reason:

o   Improper transfer of personal data of European taxi drivers to the U.S.

o   Involved storage of sensitive data on U.S. servers without sufficient safeguards.

o   Violations followed the EU’s invalidation of the Privacy Shield framework.

·   Trigger: Complaints by over 170 French Uber drivers escalated due to Uber’s EU HQ being in the Netherlands.

·   Significance: Emphasizes compliance with post-Privacy Shield transfer mechanisms.

8. Meta – €265 Million Fine

·   Date: November 25, 2022

·   Authority: Irish Data Protection Commission (DPC)

·   Reason:

o   Investigation followed media reports about personal data of 533 million Facebook users appearing on a public hacking forum.

o   Data included phone numbers and email addresses, shared without authorization.

·   Key Findings:

o   Failures in technical and organizational measures across Facebook Search, Messenger, and Instagram Contact Importer tools.

o   Breach of Article 25 GDPR (Data Protection by Design and by Default).

9. Meta – €251 Million Fine

·   Authority: Irish DPC

·   Reason:

o   Major 2018 data breach affecting 29 million global users, including 3 million in the EU.

o   Breach exposed names, contact info, and sensitive data like political views and religion.

·   Violations Identified:

o   Inadequate breach notification.

o   Failure to document the incident properly.

o   Poor system design and data minimization practices.

·   Breakdown of Fine:

o   €8M: Notification failure

o   €3M: Documentation failure

o   €130M: Poor system design

o   €110M: Violation of data minimization principles

·   Note: Meta plans to appeal the decision.

10. WhatsApp – €225 Million Fine

·   Date: September 2, 2021

·   Authority: Irish DPC

·   Reason:

o   GDPR transparency violations related to how WhatsApp shares data with other Facebook companies.

·   Background:

o   Fine escalated after European Data Protection Board (EDPB) required reassessment of the DPC’s original ruling.

o   EDPB directed stricter evaluation of transparency and compliance timelines.

·   Outcome: One of the largest transparency-related GDPR fines ever imposed.

11. Meta – €91 Million Fine

·   Date: [Not specified]

·   Authority: Irish DPC

·   Reason:

o   2019 data breach where user passwords were stored in plaintext without encryption.

·   Violations:

o   Inadequate security measures.

o   Failure to provide timely breach notification.

·   Lesson: Highlights the critical importance of password encryption and fundamental cybersecurity hygiene.

12. Google LLC – €90 Million Fine

·   Date: December 31, 2021

·   Authority: French Data Protection Authority (CNIL) 🇫🇷

·   Reason:

o   YouTube users in France found it harder to refuse cookies than to accept them.

o   This discouraged refusal and favoured consent—against GDPR and ePrivacy norms.

·   Penalty:

o   €90 million fine, with an additional €100,000 per day of delay if Google didn’t comply within 3 months.

13. Enel Energia SpA – €79.1 Million Fine

·   Date: February 8, 2024

·   Authority: Italian Data Protection Authority (Garante)

·   Reason:

o   Unlawful acquisition of 978 contracts from four companies using illicit customer lists.

o   Failure to implement adequate security measures in the customer management system.

·   Outcome:

o   Ordered to notify 595 impacted individuals.

o   Required to enhance internal security measures.

·   Note: Seriousness emphasized due to the scale and Enel’s technological role.

14. Google Ireland – €60 Million Fine

·   Date: December 31, 2021

·   Authority: French CNIL 🇫🇷

·   Reason:

o   Same as the €90M fine to Google LLC — users were unable to refuse cookies as easily as accept them.

o   This fine specifically addressed Google’s search website (google.fr).

15. Facebook Ireland – €60 Million Fine

·   Date: December 31, 2021

·   Authority: French CNIL 🇫🇷

·   Reason:

o   Failure to provide simple mechanisms to refuse cookies.

o   Required multiple clicks to refuse cookies, compared to a single click to accept.

o   “Refuse” button misleadingly labelled as “Accept cookies” and placed on the second page of the interface.

·   Violation: Breach of transparency and consent rules under the GDPR and ePrivacy Directive.

16. Google France – €50 Million Fine

·   Date: January 21, 2019

·   Authority: CNIL 🇫🇷

·   Reason:

o   Lack of transparency, insufficient information, and invalid consent for personalized advertising.

o   Users weren’t properly informed or given enough control over how their data was being processed.

·   Note: First major GDPR fine for a tech giant, setting a precedent for enforcement.

17. CRITEO – €40 Million Fine

·   Date: June 15, 2023

·   Authority: CNIL

·   Reason:

o   Violations in behavioral retargeting advertising practices.

o   Improper consent collection, lack of transparency, and incomplete data access procedures.

·   Key Violations:

o   No consent for trackers.

o   Inadequate options for data erasure and withdrawal of consent.

o   Failure to implement joint controller agreements.

·   Significance: Highlights growing regulatory attention on adtech firms.

18. H&M – €35.3 Million Fine

·   Date: October 2020

·   Authority: Hamburg Commissioner for Data Protection and Freedom of Information 

·   Reason:

o   Surveillance and profiling of employees based on sensitive personal data, including medical history and family affairs.

o   Data was gathered via informal methods such as gossip and whisper campaigns.

·   Trigger: Technical error exposed data to unauthorized internal access.

·   Impact: Damaged employee privacy and trust, leading to public scrutiny.

19. Amazon France Logistique – €32 Million Fine

·   Date: December 2023

·   Authority: CNIL 🇫🇷

·   Reason:

o   Use of intrusive employee monitoring systems in Amazon warehouses.

o   Monitoring included excessive scanning activity metrics (e.g., inactivity time, speed).

·   Violations:

o   Unlawful data retention, lack of transparency, and inadequate safeguards.

·   Outcome:

o   CNIL ruled the surveillance was disproportionate and invasive, undermining employee privacy.

20. Clearview AI – €30.5 Million Fine

·   Date: September 3, 2024

·   Authority: Dutch Data Protection Authority (AP) 🇳🇱

·   Reason:

o   Illegal data scraping of facial images from the internet without consent.

o   Built a biometric database used for intelligence and surveillance purposes.

·   Additional Actions:

o   Clearview AI faces penalty payments for continued violations.

o   Dutch DPA is considering holding individual directors personally accountable.

 ACTS IN JAPAN FOR CYBERSECURITY

A) Basic Act on Cybersecurity (the “BAC”)

·   Establishes the basic framework for national and local government responsibilities to enhance cybersecurity in Japan.

·   In September 2021, pursuant to the BAC, the government issued the Cybersecurity Strategy, drafted by the Cybersecurity Strategy Headquarters (CSHQ).

·   The CSHQ was established under Article 25 of the BAC to promote cybersecurity measures nationwide.

·   The National Centre of Incident Readiness and Strategy for Cybersecurity (NISC) acts as the CSHQ’s secretariat.

·   Operators of critical infrastructure are required to voluntarily and proactively improve cybersecurity and cooperate with government efforts.

·   In December 2018, the BAC was amended to establish the Cybersecurity Council.

·   The Cybersecurity Council facilitates information sharing between government authorities and business operators to support cybersecurity proposals and implementation.

B) Telecommunication Business Act (the “TBA”)

·   Article 4 protects the secrecy of communications handled by telecommunications carriers by:

o   Prohibiting violation of communication secrecy.

o   Prohibiting disclosure of secrets obtained during the course of telecommunications business, even after leaving office.

·   Secrecy covers not only communication content but also information that reveals content, such as access logs and IP addresses.

·   Unauthorized acquisition, disclosure, or use of protected information by a carrier breaches Article 4(1).

·   To combat cyberattacks, carriers need to collect and share relevant information (e.g., access logs from infected devices).

·   The TBA does not explicitly clarify how to share cyberattack information without violating secrecy obligations.

·   The Ministry of Internal Affairs and Communications (MIC) issued reports (2014, 2015, 2018, 2021) discussing this issue.

·   These reports informed the Guidelines on Cyberattacks and the Secrecy of Communications, issued by the Council regarding the Stable Use of the Internet.

·   The Council includes five associations:

o   ICT Information Sharing and Analysis Centre Japan (ICT-ISAC Japan)

o   Telecommunications Carriers Association

o   Telecom Services Association

o   Japan Internet Providers Association

o   Japan Cable and Telecommunications Association

·   The Guidelines are not legally binding but carry significant influence, having been confirmed by the MIC.

·   In 2013, MIC launched ACTIVE (Advanced Cyber Threats response Initiative) to protect users by:

o   Collaborating with ISPs and IT system vendors.

o   Allowing ISPs in ACTIVE to warn users or block communications based on the Guidelines.

·   The TBA was amended in May 2018 to allow carriers to share information on cyberattack sources through MIC-approved associations.

·   ICT-ISAC Japan was designated by the MIC in January 2019 as the eligible association for facilitating this information sharing.

C) Act on the Protection of Personal Information (the “APPI”)

·   The APPI is Japan’s principal data protection law, emphasizing cautious handling of “Personal Information” with respect for individuals.

·   Personal Information is defined as information about specific living individuals that can identify them by name, birthdate, or other descriptors, including data that allows easy reference to other information for identification (Article 2, Paragraph 1).

·   Business operators handling Personal Information must not disclose or provide it without the subject’s consent, unless specific exceptions apply.

·   Collecting and sharing cyberattack-related information (e.g., access logs of infected devices) can be useful but if this information contains Personal Information, the APPI’s restrictions on use and disclosure apply.

·   Under the APPI, business operators must report to the Personal Information Protection Commission (PPC) and notify affected data subjects about any leakage, loss, or damage of Personal Data they handle, if certain conditions are met (Article 26).

D) Japanese Foreign Exchange and Foreign Trade Act (the “FEFTA”)

·   The FEFTA regulates:

o   The export of sensitive goods and technologies, including encryption software and hardware.

o   Inward direct investments, such as acquisitions of shares in Japanese companies by non-Japanese investors.

·   For national security reasons, prior notification to the Ministry of Finance and other authorities is required when acquiring 1% or more shares in a Japanese company engaged in IT, software, or telecommunications businesses (unless exempted).

·   The authorities have the power to order the cessation of such acquisitions.

E) New Security Clearance Legislation

·   Enacted in May 2024, the Act on the Protection and Use of Critical Economic Security Information expands the scope beyond the public sector, covering sensitive information in the private sector.

·   The Japanese government designates sensitive national security information as “Critical Economic Security Information”.

·   Operators with facility security clearance may access such information under government contracts.

·   Only personnel assessed as suitable with a personnel security clearance are allowed access to this information.

2.2 Cybersecurity Requirements for Critical or Essential Infrastructure and Services

·   The UCAL requires Access Administrators to:

o   Manage identification codes of authorized users.

o   Verify access control functions.

o   Implement necessary security measures such as:

§  Encryption of codes.

§  Secure deletion of unused codes.

§  Batch programs to fix security flaws.

§  Program updates.

§  Appointment of a network security officer (Article 8).

·   Critical Information Infrastructure Operators must:

o   Deepen their understanding of cybersecurity importance.

o   Voluntarily and proactively, ensure cybersecurity to provide stable and appropriate services (BAC, Article 6).

·   The BAC (Article 3(1)) defines these operators as those whose infrastructure failure or deterioration could severely affect lives and economic activities.

·   The Cybersecurity Strategy Headquarters (CSHQ) issued the Cybersecurity Policy for Critical Infrastructure Protection, a non-mandatory guideline covering 15 critical sectors:

1.              Information and communication

2.              Financial services

3.              Aviation

4.              Airports

5.              Railways

6.              Electric power

7.              Gas supply

8.              Government and administrative supply

9.              Medical

10.           Water

11.           Logistics

12.           Chemical

13.           Credit card

14.           Petroleum

15.           Seaports

·   The Act on the Promotion of Ensuring National Security through Integrated Implementation of Economic Measures, promulgated on 18 May 2022, introduces new requirements for essential infrastructure services:

o   Specified essential infrastructure providers must submit plans to competent ministries for review before installing or outsourcing management of certain essential facilities.

o   Ministries may recommend changes, discontinuation, or risk-reduction measures based on the review.

o   If recommendations are ignored, ministries may issue orders for necessary measures.

·   The law applies to 14 essential infrastructure sectors (mostly overlapping with BAC sectors but excluding medical), including:

o   Electric power, gas supply, petroleum, water, railways, motor freight, ocean freight, aviation, airports, telecommunications, broadcasting, postal services, financial services, credit cards.

·   In 2024, the law was amended to add seaports as an essential and critical infrastructure sector.

·       The amendment is effective by October 2025

Reporting to Authorities: Are organizations required or expected to report information related to Incidents or potential Incidents (including cyber threat information) to regulatory authorities?

   Under the Act on the Protection of Personal Information (APPI):

·   Business operators must report data breaches involving disclosure, loss, or damage of Personal Data to the Personal Information Protection Commission (PPC).

·   Reporting required if:

o   Breach involves “Special Care-required Personal Information” (e.g., health examination results).

o   Breach poses financial risk (e.g., credit card data).

o   Breach caused by wrongful intent (cyberattack or fraud).

o   Breach affects more than 1,000 data subjects.

o   There is a possibility of any of the above occurring.

·   Operators using advanced encryption or necessary protective measures may be exempt from reporting.

·   Reporting timelines:

o   Preliminary report promptly after awareness.

o   Definitive report within 30 days (60 days if caused by wrongful intent).

·   Report contents:

o   Overview of breach.

o   Details of affected Personal Data.

o   Number of breach occurrences.

o   Cause and secondary damages.

o   Response status to data subjects and public announcements.

o   Measures to prevent recurrence.

o   Other relevant details.

Under PPC guidelines:

·   Business operators must take internal reporting, damage prevention, investigation, impact assessment, and recurrence prevention measures.

·   Prompt disclosure of facts and measures is desirable depending on the case.

Examples of “Possibility of Data Breach” include:

·   Evidence of data theft via unauthorized access.

·   Infection with malware known for stealing data.

·   Communication with known command and control servers.

·   Security experts alerting to possible breaches.

Financial Services Agency (FSA) Guidelines:

·   Financial institutions may need to report incidents immediately, even if not a data breach.

·   Reports include incident date/time, affected services, causes, damages, responses, and preventive measures.

Telecommunications Business Act (TBA) Reporting:

·   Serious incidents (e.g., service suspension, secrecy breaches) must be promptly reported to the Ministry of Internal Affairs and Communications (MIC).

·   Detailed reports within 30 days must cover incident details, affected facilities, causes, measures, and past similar incidents.

IPA Reporting:

·   Companies are recommended to report incidents to IPA.

·   Reports include infection location, virus name/features, infection date, OS type, connection method, infection cause, damage extent, and removal status.

·   IPA provides consultation services for handling cyberattacks or unauthorized access.

2.5 Reporting to Affected Individuals or Third Parties: Are organizations required to notify affected individuals?

·   Cybersecurity Management Guidelines recommend identifying stakeholders and promptly disclosing incidents based on impact.

·   Under APPI, notification to affected individuals is mandatory for certain material data breaches.

2.6 Responsible Authorities:

·   MIC: Primary agency implementing the Telecommunications Business Act.

·   METI: Issues cybersecurity policies for industries but is not a specific regulator.

·   PPC: Independent body supervising APPI enforcement.

2.7 Penalties for Non-Compliance:

·   Telecommunications Business Act: Failure to report serious incidents may result in fines up to JPY 300,000.

·   APPI:

o   PPC can issue recommendations or orders.

o   Non-compliance with orders can lead to imprisonment up to 1 year or fines up to JPY 1 million for operators.

o   Corporate entities may face fines up to JPY 100 million if employees do not comply with PPC orders.

Protection of Critical Economic Security Information

As threats to national security increasingly intersect with economic activities, it is vital to establish a comprehensive framework to protect information related to Japan's critical economic foundation. The system must ensure proper classification, secure access, and legal accountability to prevent unauthorized disclosures and safeguard the nation.

1. Designation of Critical Economic Security Information

·   The government is responsible for:

o   Determining which officials are authorized to handle critical economic security information.

o   Taking necessary protective measures for this information.

·   Designation validity:

o   Initially valid for up to 5 years.

o   Can be extended, but the total period must not exceed 30 years in principle.

2. Provision of Critical Economic Security Information

·   The head of an administrative organ may:

o   Share information with other administrative organs, if deemed necessary.

o   Provide information to the Diet, courts, etc., when there is no risk of severe harm to national security.

o   Disclose information to eligible contractors, under the following conditions:

§  A contract exists;

§  The contractor meets security standards specified by a Cabinet Order;

§  Disclosure supports national security activities (e.g., removing vulnerabilities in critical infrastructure).

3. Restrictions on Persons Handling Critical Information

·   Only individuals who pass a security clearance assessment (SCA) and pose no risk of unauthorized disclosure may be assigned duties involving critical information.

·   Individuals already cleared for specially designated secrets (under the Act on the Protection of Specially Designated Secrets) may also be authorized.

4. Security Clearance Assessment (SCA)

·   Conducted by the head of an administrative organ, with the individual's consent.

·   Assessment based on an investigation conducted by the Prime Minister.

·   Validity period: 10 years.

·   If an individual was assessed within the past 10 years by another administrative organ and found safe:

o   The previous SCA result may be used without re-investigation.

·   The same SCA process applies to employees of eligible contractors.

Assessment covers factors such as:

·   Links to harmful or subversive activities;

·   Criminal and disciplinary history;

·   Misconduct in handling information;

·   Drug abuse, alcohol moderation, and mental health;

·   Financial condition, including credit status.

5. Penalties for Unauthorized Disclosure

·   Violators are subject to:

o   Imprisonment up to 5 years;

o   A fine up to 5 million yen;

o   Or both penalties, depending on the severity of the breach.