This article was written as of October 2024.

On May 10, 2024, the Diet passed the Act on the Protection and Utilization of Important Economic Security Information (the "CESI Act"). The Act provides for the establishment of a new security clearance system in the economic security sector.

In Japan, the Act on the Protection of Specially Designated Secrets (the "SDS Act") already exists as a law providing for a security clearance system. However, the SDS Act only covers highly sensitive government information (i.e. top-level and general-level designated secrets) and does not protect less sensitive information (i.e. confidential information). For this reason, the CESI Act was established to protect confidential information in the economic security sector, the protection of which has recently become increasingly important.

The CESI Act consists of (1) provisions designating the types of information to be protected, (2) protocols for the provision of information to security clearance holders, and (3) penalties in case of leakage. This is similar to the SDC Act, and the security clearance system under the SDS Act and the CESI Act will operate seamlessly together in the future. The detailed content of the CESI Act will be determined by regulations to be established by the end of 2024.

1. Designation of Information Subject to Be Protected

The range of Information to be protected under the CESI Act (CESI: Critical Economic Security Information) extends to certain information related to critical infrastructure and the supply chain of critical products.

In the Diet deliberations, the government has described the following as examples of CESI:

• threat information related to cyber-attacks on critical infrastructure and the government's response measures
• information on regulatory assessments obtained through the accumulation of reviews in relation to essential infrastructure under the Economic Security Promotion Act※1
• vulnerability information obtained through investigations and analyses of the supply chain of critical products
• information obtained from foreign governments through international joint research on critical products such as semiconductors

※1 In order to prevent critical facilities of essential infrastructures from being misused as a means of disrupting the stable provision of services from outside Japan, the Economic Security Promotion Act states that the government must conduct prior screening and make recommendations or orders related to the installation or the entrustment of maintenance, etc. of critical facilities.

2. Provision of Information to Security Clearance Holders

An administrative agency may disclose CESI to other administrative agencies or to private companies when a certain necessity to disclose CESI is recognized. In doing so, persons handling CESI are required to obtain security clearance, whether they are employees of administrative agencies or of private companies (in the case of private companies, the companies are further required to meet requirements related to the installation of specified facilities and equipment, and to meet other requirements necessary for the protection of CESI). Specifically, a person, with her/his consent, must undergo an investigation conducted by the Cabinet Office, and based on the results of such investigation, the administrative agency disclosing the information must find that there is no risk of CESI being leaked.

3. Penal Provisions for Leakage

If a person who engages in the operation of handling CESI leaks CESI, such an offence is punishable with up to 5 years in prison. If said leakage was committed in relation to the business of a private company, the company itself may also be fined.