(a) Certain sectors, businesses or industries (eg, critical infrastructure, national security, financial services, healthcare)?
Certain cyber laws and guidelines apply to critical infrastructure of certain businesses, such as financial services and healthcare. In addition, so-called Critical Information Infrastructure Operators are required to make an effort to deepen their interest and understanding of the importance of cybersecurity, and to voluntarily and proactively ensure cybersecurity for the purpose of providing services in a stable and appropriate manner (BAC, Article 6). Article 3(1) of the BAC defines ‘Critical Information Infrastructure Operators’ as operators of businesses that provide any infrastructure which is foundational to people’s lives and economic activities and the functional failure or deterioration of which could significantly impact that infrastructure.
The Cybersecurity Strategy Headquarters (the ‘CSHQ’), established under Article 25 of the BAC to promote Japan’s cybersecurity measures, formulated the Cybersecurity Policy for Critical Infrastructure Protection as a non-mandatory guideline which designated 14 critical infrastructure areas under its coverage. These 14 areas are information and communication, financial services, aviation, airport, railway, electric power, gas supply, government and administrative supply, medical, water, logistics, chemical, credit card, and petroleum.
Information that it is particularly necessary to keep secret as a matter of national security is protected under the Act on the Protection of Specially Designated Secrets.
The Act on the Promotion of National Security through Integrated Economic Measures (the ‘Economic Security Promotion Act’) was passed in May 2022. This act introduces four main matters: (i) ensuring the stable supply of critical materials, (ii) ensuring the stable provision of essential infrastructure services, (iii) supporting the development of advanced critical technologies, and (iv) suspension of the disclosure of patent applications. The first and the third matters are already enacted. The remaining matters will be effective in multiple stages but no later than 18 May 2024.
In June 2020, the Information System Security Management and Assessment Program (‘ISMAP’) commenced. The purpose of ISMAP is to ensure security in governmental cloud service procurement by evaluating and registering cloud services that meet the security requirements of the government, thereby contributing to the smooth introduction of cloud services. This system is based on the Federal Risk and Authorization Management Program (FedRAMP) of the United States.
Cloud services that are the subject of an application for registration and that meet the requirements under ISMAP are listed and published. In principle, governmental agencies are supposed to select from this list when procuring cloud services. This system is intended for governmental agencies, but it is expected that the private sector will also refer to it to promote the proper use of cloud services in Japan.
(b) Certain types of information (personal data, health information, financial information, classified information)?
The APPI applies to personal information. It also protects what is referred to as special care-required personal information by imposing additional restrictions, such as requiring consent before it may be obtained. ‘Special care-required personal information’ is defined by Article 2(3) of the APPI as personal information comprising a principal’s race, creed, social status, medical history, criminal record, the fact of having been a victim of a crime, or other information the handling of which has been prescribed by cabinet order as requiring special care so as not to cause unfair discrimination, prejudice or other disadvantages to the principal.
For health information, in addition to the APPI, there are guidelines which provide special data protection rules.
For financial information, in addition to the APPI, there are business-related laws and guidelines which provide special data protection rules.
Classified information is protected under the Act on the Protection of Specially Designated Secrets.