A Comparative Legal Study on Data Breaches in Japan, the U.S., and the U.K.

  • Kaori Ishii
  • Taro Komukai
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 474)


This paper focuses on the liability and duties of data controllers with respect to data leaks and compares the relevant legal schemes of Japan, the U.S., and the U.K. There are three primary approaches to reducing or redressing the damage caused by data leaks: (1) remedies for data leaks; (2) data security obligations; and (3) notification obligations in the event of a data breach. The aim of this article is to compare the measures on data breaches from these three viewpoints and highlight the relevant issues in order to reach an appropriate solution.

Because personal data circulates worldwide, the legal rules addressing data breaches should ideally be common across countries. Nonetheless, the analysis in each chapter reveals distinct national features.

Companies in Japan have thus far eagerly abided by data security obligations, even where those obligations are ineffective for data protection. Conducting privacy impact assessments (PIAs) is another option for preventing security incidents. If data breach notification rules are introduced, the matters to be disclosed must be clearly specified and backed by enforcement actions. Such rules should also contribute to the avoidance of secondary harm.

In the U.S., although compensation for data leaks and security breach notification rules appear to be managed effectively, the serious harm arising from massive data breaches still needs to be reduced. Obliging companies to maintain data traceability might serve this purpose.

In the U.K., the data breach notification rules imposed as part of the General Data Protection Regulation need to be connected with other effective enforcement measures and to contribute to the avoidance of secondary harm, so as not to become meaningless.

These differences must be harmonized, and ongoing efforts are needed to improve the effectiveness of the rules.


Keywords: Data breach notification · Tort liability on data leaks · Data security obligations · ID theft · Criminal uses of leaked data



This work was supported by JSPS KAKENHI (C) Grant Number 15K03237.



Copyright information

© IFIP International Federation for Information Processing 2016

Authors and Affiliations

  1. Faculty of Library, Information and Media Science, University of Tsukuba, Tsukuba, Japan
  2. College of Risk Management, Nihon University, Tokyo, Japan