-
Description
Japan advocated "Data Free Flow with Trust (DFFT)" in 2019 and took the lead in promoting free data distribution. Japan takes active measures to build a digital society. For example, Japan revises the Personal Information Protection Law and makes continuous efforts to formulate relevant laws and regulations to ensure information security. Alibaba Cloud incorporates the privacy requirements into the development of all its services to protect the privacy of customers and end users. This way, safe, reliable, and state-of-the-art technologies are provided.
-
General regulatory environment
Security:
Japan issued the BAC in 2014, which marks that the nationwide cybersecurity measures have gone into full effect in Japan. The Cybersecurity Strategy Headquarters was established under the Cabinet and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) is coordinating the implementation of the cybersecurity strategy. NISC has issued the Common Standards on Information Security Measures of Government Entities (2018 edition), which is widely used as a guideline for government agencies to take measures to ensure information security. The 2021 edition is under formulation.
In addition, the government of Japan stipulated a Cloud-by-Default Principle for Government Information Systems in June 2018. As a result, the "Information System Security Management and Assessment Program"(ISMAP) was established and carried out in October 2020. ISMAP is a system for registering cloud service providers that meet the security requirements.
Key laws related to security:
The Basic Act on Cybersecurity
Privacy:
The Act on the Protection of Personal Information of Japan was first enacted in 2005 and then revised three times in 2015, 2017, and 2020.Japan enacted a law related to social security numbers or My Number, which is called "My Number Act". In addition, detailed guidelines are provided to process My Numbers. The processing requirements are particularly strict. The Ministry of Economy, Trade and Industry and the Ministry of Internal Affairs and Communications published a guidebook to promote privacy governance in 2020. The Ministry of Economy, Trade and Industry issued JIS X 9251:2021 in January 2021, which is a JIS translation of ISO 29134:2017. ISO 29134:2017 is used as the global standard for privacy impact assessment.
Supervision bureaus:
Personal Information Protection Commission (Scope of application of the Act on the Protection of Personal Information and the My Number Act)
* The Ministry of Economy, Trade and Industry and the Ministry of Internal Affairs and Communications are formulating guidelines for the utilization of personal data outside of these frameworks.
Key laws related to privacy protection:
Act on the Protection of Personal Information, which is a law related to the protection of personal Information
My Number Act, which is a law related to the use of numbers to identify specific individuals in administrative procedures
Act on Regulation of Transmission of Specified Electronic Mail, which is a law related to the proper sending of specified emails
Guidelines related to privacy:
Guidelines related to the Act on the Protection of Personal Information
Guidelines related to the My Number Act
Guidebook on Corporate Governance for Privacy in Digital Transformation (DX) ver.1.0
Requirements for cross-border transfer of personal information:
The transfer of personal information to third parties in other countries is limited. Specifically, one of the following requirements must be met:
The Personal Information Protection Commission stipulates in Article 11(2) of the Enforcement Rules for the Act on the Protection of Personal Information that the person to whom the personal information is transferred must be certified based on the international framework for processing personal information. It also stipulates in Section 4-3 of the Guidelines on the Act on the Protection of Personal Information (Provision to Third Parties Located in Foreign Countries) that a third party to which data is transferred in a foreign country must be certified by the APEC CBPR system.
Alibaba Cloud acquired the CPBR certification in April 2021. Personal information can be transferred from Japan to Alibaba Cloud in a safe and secure manner. -
Financial services sector
Overview:
Similar to many other countries, Japan has formulated regulations dedicated to financial services. The FISC has formulated the Financial Institutions Security Guidelines and Manual as voluntary standards for financial institutions. The Financial Institutions Security Guidelines and Manual is also named the FISC Security Guidelines and Manual. Many financial institutions use the standards as the guidelines for system architecture and operation. The 9th edition of the Safety Guidelines and Manual is the latest edition, which was published in March 2020. In addition, the "Report of the Council of Experts on the Usage of Cloud Computing by Financial Institutions (Trial edition)" was published in May 2021.
Financial institutions have also formulated special regulations to protect personal information. The Personal Information Protection Commission has formulated and issued Financial Sector Guidelines and Practical Guidelines for Security Management Measures.
Alibaba Cloud provides the electronic Know Your Customer (eKYC) API service to verify digital identities.This service confirms to the requirements of Article 6 (1) (e) of the "Enforcement of the Act on Prevention of Transfer of Criminal Proceeds." In addition, Alibaba Cloud made a self-assessment based on the public comments on the "Order for Enforcement of the Act on Prevention of Transfer of Criminal Proceeds" in 2018 to guide customers through the implementation.
Supervision bureaus:
Financial Services Agency
Personal Information Protection Commission (Scope of application of the Act on the Protection of Personal Information and the My Number Act)
Webinar
China Cybersecurity Law and countermeasures
This webinar outlines the Cybersecurity Law of China and discusses what kind of companies were actual regulatory objects. This webinar also uses examples to describe what measures Japanese companies can take to enter Chinese market.
Safety and security initiatives of Alibaba Cloud
This webinar introduces the compliance initiatives of Alibaba Cloud in Japan.
Alibaba Cloud strives to address the concerns of our customers by improving the accountability system.
Featured story
- Examples of certifications acquired by Alibaba Cloud -
Data Protection by Design
The Personal Data Protection Commission of Singapore and Hong Kong Office of the Privacy Commissioner for Personal Data jointly issued the "Guide to Data Protection by Design for ICT Systems" in 2019. In response to this guide, Alibaba Cloud develops all its services based on the principles of this guide.
This guide proposes the following requirements for a system design:
1. Take proactive measures to prevent problems.
2. Set default settings to best protect data.
3. Ensure security from end to end.
4. Minimize the data used.
5. Be user-oriented.
6. Ensure information transparency.
7. Minimize risks.
Notice on the acquisition of APEC CBPR certification
The APEC CBPR System is an international mechanism used to certify whether a business operator complies with the APEC Privacy Framework. Japan was certified by this system in 2014. Alibaba Cloud was certified in April 2021 in Singapore where the global headquarters of Alibaba Cloud resides. Then, personal information in Japan can be transferred to Alibaba Cloud without consent from the individual. For more information about APEC CBPR, click here.
Alibaba Cloud strives to best serve its customers around the world. Alibaba Cloud proactively complies with the industrial standards and best practices, and legal requirements of each country in which the customers of Alibaba Cloud operate.
Notice on the acquisition of APEC PRP certification
The APEC Privacy Recognition for Processors (APEC PRP) system is an international certification system for data processors who process personal information on behalf of data controllers to transfer personal information across borders in compliance with the APEC Privacy Framework. Alibaba Cloud was certified in April 2021 in Singapore where the global headquarters of Alibaba Cloud resides. The cross-border transfer of personal information has become a major topic of debate around the world. Alibaba Cloud strictly complies with the APEC PRP and has established a system that allows users to more seamlessly and freely transfer their data across borders. For more information about APEC PRP, click here.
Alibaba Cloud strives to best serve its customers around the world. Alibaba Cloud proactively complies with the industrial standards and best practices, and legal requirements of each country in which the customers of Alibaba Cloud operate.
M3 company
Coronavirus diagnosis by using AI imaging
DAMO Academy is the advanced technology research center of Alibaba Cloud. It develops an AI algorithm for coronavirus diagnosis.
Data Privacy FAQ
Alibaba Cloud endeavors to resolve data privacy issues
as a cloud service provider by optimizing security measures and the accountability system.
1. Can Alibaba Cloud access the data of our enterprise?
- On the basis of the responsibility sharing model established between Alibaba Cloud and its users, users have full control over their data, and Alibaba Cloud can never access user data without permissions from users.
2. Does Alibaba Cloud ever disclose our data to the government or law enforcement agencies?
- Customers decide whether the access to and use, transfer, and disclosure of their data are allowed. If a government agency wants to access the data of customers, Alibaba Cloud requires the government agency to obtain permissions from the customers before it accesses the data.
3. Is Alibaba Cloud a Chinese company?
- The global headquarters of Alibaba Cloud is located and registered in Singapore. It is operated in compliance with Singapore laws.
4. Do data centers in Japan ever receive data disclosure orders from other countries?
- Alibaba Cloud operates data centers in 30 countries and 89 availability zones around the globe. Each data center operates in accordance with the laws of the country and region where it is deployed.
If the country or region where a data center is deployed has data disclosure legislation or the government agencies in this country or region is authorised to issue binding orders, the data center is subject to the management of the legislation or binding orders. In this case, Alibaba Cloud sends a notice about the claim to customers and allow the customers to take necessary remedial actions to the extent permitted by law.
Proceed with caution when you select an availability zone for your Alibaba Cloud service.
5. What kind of personal information does Alibaba Cloud collect?
- Alibaba Cloud is expanding its business-oriented services as a cloud service provider. Most of the personal information that Alibaba Cloud processes is account registration information from customers, which is necessary for Alibaba Cloud to provide services for its customers. Alibaba Cloud has few service requests from governments.
Blog
Articles related to compliance are posted.
Alibaba Cloud Recieved High Rating for NIST Assessment and NIST CSF
Alibaba Cloud recieved high score from KPMG for the compliance assessment of NIST SP 800-53 and NIST CSF.
Click here for details
Why Alibaba Cloud complies with EU Cloud COC
Alibaba Cloud is a cloud service that is compliant with the EU Cloud COC. The EU Cloud COC is the only code of conduct that the EU supervisory authorities have approved that companies that comply with it are fulfilling the obligations of processors as stipulated in Article 28 of the GDPR.
Click here for details
Alibaba Cloud and data laws: China's Personal Information Protection Law
Alibaba Cloud is well aware of the importance and challenges of security and compliance that multinational companies face when entering or expanding their business in China. In this article, we will introduce you to China's Personal Information Protection Law.
Click here for details
Alibaba Cloud and Data Laws: Cyber Security Law Compliance
Alibaba Cloud understands the importance and challenges of security compliance that international companies face when they enter or expand their business in China. In this article, we will discuss one of the most important requirements in cybersecurity law: Multi-level Protection of Information Security (MLPS 2.0).
Click here for details
Alibaba Cloud and Data Law: Alibaba + Salesforce Solution
Alibaba Cloud is well aware of the importance and challenges of security compliance that international companies face when entering or expanding their business in China. This article introduces an Alibaba Cloud's service that reduces the compliance risk for using Salesforce in China, which we are getting a lot of inquiries about right now.
Click here for details
Privacy by Design and Alibaba Cloud
More people show their concern on data privacy, these days. Alibaba Cloud pays close attention how we can protect our customers’ data security and data privacy when we design and provide services. One of the basic approaches to achieve privacy protection is Privacy by Design. This approach allows business processes, technologies, or organizations to embed privacy as a default setting.
Click here for details
