This article has been written by Sachin Kumar pursuing the Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho. This article has been edited by Prashant Baviskar (Associate, Lawsikho) and Smriti Katiyar (Associate, Lawsikho).
Japan had about 117 million active internet users in January 2021, placing it fourth in the Asia Pacific region. Security concerns have become a major domestic issue in Japan as the relevance of digitization grows for the economy and people’s daily lives. In 1973, the Tokyo District Court received the first case involving computer crime in Japan. This was a civil damage lawsuit rather than a criminal one. However, the primary issue in this case was data theft. At the time, Nikkei McGraw-Hill was a joint venture between Nikkei Shimbun (a well-known Japanese news organisation) and McGraw-Hill. The Tokyo District Court ordered the defendant to pay a portion of the plaintiff’s damages (2,039,420 Japanese Yen) and expenses.
Unauthorized computer access, illicit business operations, and illegal or harmful content, which includes numerous examples of child prostitution and child pornography, are among the other crimes that are committed. Cyber security has become a major concern in Japan, owing to the country’s economic reliance on the internet, electronic gadgets, and automation technologies, as well as Japan’s geopolitical position and tense relations with its neighbours.
Cybercrime trends in Japan
From 2.8 million in 2002 to 1 million in 2016, Japan’s annual number of Penal Code offences has steadily declined. The annual number of cybercrimes, on the other hand, has been steadily increasing. In 2016, the number of cybercrimes was estimated to be over 8,000, according to police crime statistics [National Police Agency (Japan) 2017]. In Japan, current internet crimes involve a wide spectrum of offences. In 2019, there was a significant increase in online banking frauds, with the total amount of money lost due to online banking frauds reaching over 2.5 billion Japanese yen. Since the beginning of 2020, Japanese businesses have been hit by an unprecedented wave of ransomware attacks, which have halted operations and disrupted computer and email systems, precisely as the country’s businesses have switched to teleworking as a countermeasure to COVID-19.
A survey of 2,200 security departments at major companies in 13 countries found that just over half of 200 Japanese companies, ranging from the automotive, aviation, and finance sectors, reported ransomware cyberattacks in which 33 companies paid an average of 123 million yen ($1.17 million) to criminal networks to prevent the loss of data.
The Basic Cybersecurity Act, which was adopted on November 6, 2014 (and promulgated on 12 November 2014), is Japan’s dedicated cybersecurity law. The Basic Cybersecurity Act is the first cyber security-specific law passed by the G7 countries. Article 2 of the Basic Cybersecurity Act in Japan is the first time the term “cybersecurity” has been legally defined. The following is a definition of cybersecurity: “The conditions where the measures necessary for the prevention of leakage, loss or damage, and for other security management of information which is recorded, sent, transmitted or received using an electronic method, a magnetic method, or any other method not recognisable to human senses, as well as measures necessary for securing the safety and reliability of information systems and information communication networks have been taken, and where such conditions are being properly maintained and managed.”
The Basic Cybersecurity Act’s main goal is to maintain cybersecurity while simultaneously allowing for unfettered information exchange. The Basic Cybersecurity Act’s goal is to advance cybersecurity-related policies comprehensively and effectively, therefore contributing to the establishment of a more active and rapidly growing economic society and, as a result, to Japan’s national security.
Other substantive laws covering cybercrime issues currently exist in Japan, including the Penal Code, the Unauthorized Computer Access Prohibition Act, the Unfair Competition Prevention Act, the Copyright Act, the Specially Designated Secret Protection Act, the Basic Act on the Formation of an Advanced Information and Telecommunications Network Society, and the Act on Electronic Signatures and Certifiable Documents. The Personal Information Protection Act was enacted in 2003 to safeguard personal information and identity, in addition to cybercrime legislation. In addition, in 2013, the Social Security and Tax Number Act was passed.
The Personal Information Protection Act, rather than being about cybersecurity, is about information security and, more particularly, the correct management of personal information. Despite the fact that article 2, paragraph 5 of the Personal Information Protection Act outlines specific responsibilities for a company operator managing personal information (personal information-handling business operator), it does not provide specific responsibilities for administrative bodies, autonomous administrative agencies, or municipal governments. The Act on the Protection of Personal Information held by Administrative Organs, among others, prescribes the concrete duties of administrative organs; the Act on the Protection of Personal Information held by Independent Administrative Agencies, among others; and the Act on the Protection of Personal Information Held by Local Governments, among others, prescribes the concrete duties of local governments.
The Personal Information Protection Act (the modified Personal Information Protection Act) was updated in September 2015 and went into effect on May 30, 2017. The following are the main changes that were made:
- Clarification of the meaning of “personal information” (information “carrying any personal identifying code” being added to the definition to eliminate grey areas, as well as the insertion of additional sensitive information requirements);
- New restrictions governing the use of information that has been anonymized using the technique outlined in the Personal Information Protection Commission’s (PPC) guidelines;
- New provisions relating to the traceability of personal data by the individual who is identifiable by it;
- Additional measures relating to criminal sanctions for providing personal information to obtain illegal profits;
- The establishment of the PPC as an authority independent of other administrative organs that will coordinate personal information protection policies in a unified manner.
- The Personal Information Protection Act of Japan has rules regarding foreign transfers of personal information and extraterritorial application.
In addition, due to factors such as an increase in the number of cases of damage caused by the disclosure or wrongful use of credit card numbers, as well as the entry of fintech companies into the service payment business, the amended Installment Sales Act, which was promulgated on December 9, 2016, has become effective, containing new provisions on requiring member stores to take countermeasures against wrongful use, such as: (fintech companies, etc).
METI published its Cybersecurity Management Guidelines on December 28, 2015, which were updated on December 28, 2016, and November 16, 2017 (as version 2.0). The Guidelines are designed for big, small, and medium-sized businesses that supply IT-related systems or services and that, in order to safeguard their businesses from cyberattacks, fundamentally demand the usage of IT in accordance with their management plans. The Guidelines stated that: (i) a company’s management should be aware of three principles; and (ii) ten essential elements that a company’s manager should convey to the officer in charge of implementing information security measures (eg, the chief information security officer in charge of supervising information security within the company). In the succeeding measures, the current version 2.0 offers more specific information about the ‘detection’ and ‘recovery’ procedures.
The nodal authorities for guaranteeing the execution of the laws are government entities that are the competent authorities in the area of cybersecurity, such as by giving interpretations as relevant administrative organs and establishing recommendations (provided, however, that the interpretation of laws by the administrative organs shall not be binding upon judicial organs).
The National Police Agency, the Ministry of Internal Affairs and Communications, and the Ministry of Economy, Trade, and Industry, for example, are the competent authorities in the case of the Unauthorized Computer Access Prohibition Act, and the Ministry of Justice is in charge of the implementation of cybercrime laws, including the Penal Code. The PPC has jurisdiction over the Personal Information Protection Act and, as stated in the Act, has the authority to require personal information-handling business operators to provide reports and materials, as well as enter their premises for inspection purposes (Article 40 of the Act; the power of entry and inspection has been newly included pursuant to the amended Personal Information Protection Act). Furthermore, the PPC offers needed guidance and advice (Article 41 of the Act) or suggestions or instructions to personal information-handling company owners (Article 42 of the Act). If a personal information-handling business operator fails to comply with an order, it will be penalised (Chapter 7 of the Act). Because the PPC is required to ensure the proper handling of personal information in a timely and focused manner, it has the authority to delegate the power to collect reports from, as well as enter and inspect the business premises of, a personal information-handling business operator, to the authority having jurisdiction over the business concerned, whenever the PPC deems it necessary to e. (Article 44, paragraph 1 of the Act).
Principal cyber activities that are criminalised
The Penal Code, the Unauthorized Computer Access Act, and other legislation govern cybercrime, as detailed below.
In the 1987 modification to the Criminal Code, the following forms of behaviour were designated as offences:
- Unauthorized creation of electronic or magnetic records (Article 161-2): the act of producing electronic or magnetic records on rights, duties, or certification of facts, which was formerly covered by the crime of document forgery, is now criminal.
- Obstruction of business by damaging a computer (Article 234-2): A new kind of obstruction of business that is punishable has been added: obstruction of business by destroying a computer.
- Computer fraud (Article 246-2): it is now illegal to commit fraud using a computer; and
- Damage to an electronic or magnetic record (Articles 258 and 259): An act of damaging an electronic or magnetic record in use by a public office or another person’s electronic or magnetic records on rights or duties became criminal.
In the 2001 revision to the Criminal Code, the following categories of behaviour were added as crimes:
- Unauthorized fabrication of payment card electromagnetic records (Article 163-2);
- Possession of payment cards with unauthorised electromagnetic recordings (Article 163-3);
- Preparing for the unlawful production of payment card electromagnetic records (Article 163-4); and
- Attempts to commit the offences listed above (Article 163-5).
Articles 168-2 and 168-3 were added as crimes in the 2011 amendment to the Criminal Code to punish the conduct of creating, providing, obtaining and storing a computer virus.
The Unauthorized Computer Access Act prohibits and punishes criminal conduct such as unauthorised access, promoting any unauthorised computer access (ie, providing another authorised person’s identification code (eg, ID and password) without that person’s permission), wrongfully obtaining another authorised person’s identification code (eg, ID and password), and wrongfully storing another authorised person’s identification code (eg, ID and password) without that person’s permission. Examples of unauthorised access (as defined in article 2(4) of the Computer Access Act) are spoofing (ie, entering another authorised person’s identification code (eg, ID and password) without that person’s permission) and attacking security holes (ie, inputting unique data, avoiding access control features and using computer functions that are restricted by identification codes by utilising computer programmes to engage in cyberattacks).
International cooperation to prevent and investigate cybercrime
Japan is actively engaged in international cooperation to prevent and investigate cybercrime. Firstly, Japan promotes international cooperation, as a party to the Convention on Cybercrime, the only multilateral treaty on the use of cyberspace. Upon concluding the Convention on Cybercrime, Japan criminalized certain acts and established necessary measures for the investigation to effectively address cybercrime. Japan also cooperates with other countries on cybercrime investigations. For example, if an offender of a cross-border cybercrime cannot be identified in an investigation, it will require the cooperation of foreign authorities. In such cases, the NPA effectively combats cross-border cybercrimes utilizing the frameworks for international cooperation in a criminal investigation such as the Convention on Cybercrime, mutual legal assistance treaties and agreements, INTERPOL and the G7 24/7 High Tech Crime Network point of contact.
While Japanese officials and politicians were sluggish to respond to these concerns, the country has been catching up in recent years when it comes to its cyber security policy. The government’s “Society 5.0” goal, as well as the 2020 Tokyo Olympics, gave a major incentive to fortify infrastructure against foreign and internal threats. In 2018, the government amended the Telecommunications Business Act to allow the National Institute of Information and Communication Technology (NICT) to actively survey Internet of Things (IoT) devices as part of its efforts to combat DDoS attacks.
Prime Minister Shinzo Abe understands the significance of cybersecurity in global events. In May 2015, he remarked at a Cybersecurity Strategy Headquarters meeting that cybersecurity is the cornerstone for effective IT use, economic growth, national security, and crisis management, as well as a successful Tokyo 2020. The Cabinet created the Cybersecurity Strategic Headquarters in 2014 with the goal of efficiently and completely advancing cybersecurity policy. The Chief Cabinet Secretary leads the Cybersecurity Strategic Headquarters, which includes his deputy, the Minister-in-Charge of Cybersecurity, the Chairman of the National Public Safety Commission, the Ministers for Internal Affairs and Communications, Foreign Affairs, Economy, Trade and Industry, Defense, and Information Technology Policy, as well as seven experts from academia and business. This group works closely with Japan’s National Security Council, demonstrating the importance of cybersecurity in the country’s broader policy.
The National Centre of Incident Readiness and Strategy for Cybersecurity (NISC) was founded a year later, in 2015, when the National Information Security Centre, which had been established in 2005, was upgraded. The NISC acts as the secretariat of the Cybersecurity Strategy Headquarters, collaborating with the public and commercial sectors on a range of projects to build a “free, fair, and secure cyberspace.” It coordinates intra-government collaboration and promotes collaborations between business, academia, and the public and private sectors.
As cyberspace and physical space become increasingly intertwined and cyberattacks become increasingly sophisticated and complex, it will be vital for all people to have an awareness and understanding of cybersecurity and to undertake basic efforts even during normal times, as public hygiene activities in cyberspace, and to be able to address various risks, as with crime prevention and traffic safety measures in physical space. It will be important for the public and private sectors to work together on raising awareness and providing information to reinforce behaviour that allows the people to acquire literacy and protect themselves from threats using their judgment.