I believe that I follow breach notification pretty closely. So I was surprised to learn that I had missed the passage of a law in Japan. Bird & Bird, “Notification of data security breaches,” explains:
In Japan, the Personal Information Protection Act (Law No. 57 of 2003; chapters 1 to 3 effective May 30 2003 and chapters 4 to 6 effective April 1 2005) (the “PIPA”), establishes the basic principle regarding the fair handling of personal information and regulates the handling of Personal Information by business operators (“Information Handlers”).
A presentation by Morrison & Foerster, “Data Security and Incident Notification: The Impact of Foreign Law,” tells us:
You may have obligations under Japanese privacy law if:
- You are affiliated with a Japanese company or institution.
- You use or have access to employee or student information maintained in Japan.
- A Japanese institution with which you are involved, for example, in a study-abroad program, enters into a contract with you, according to which you assume privacy obligations under Japanese law.
To date, I’m aware of breach disclosure laws in 38 US states and Japan. Are there others?