Japan - European Commission

EUROPEAN COMMISSION
DIRECTORATE-GENERAL JUSTICE, FREEDOM AND SECURITY
COMPARATIVE STUDY ON DIFFERENT APPROACHES TO NEW PRIVACY CHALLENGES, IN PARTICULAR IN THE LIGHT OF TECHNOLOGICAL DEVELOPMENTS
Contract Nr: JLS/2008/C4/011 – 30-CE-0219363/00-28
COUNTRY STUDIES
(Douwe Korff, Editor)
B.5 – JAPAN
BY
Graham Greenleaf
Submitted by:
LRDP KANTOR Ltd (Leader)
In association with
Centre for Public Reform
(Final edit – May 2010)
EUROPEAN COMMISSION – DG JFS
NEW CHALLENGES TO DATA PROTECTION
Country Study B.5 – Japan
JAPAN
By Graham Greenleaf
I. Context of information privacy in Japan
Protection of information privacy in Japan derives primarily from legislation, but case law
developments are also relevant. Informal methods of conflict resolution play a significant
role, as does guidance from Ministries, of varying degrees of formality, on how legislation is
to be interpreted and applied.
1. Political, legal and economic context
Japan is a democracy with a bi-cameral parliament and a constitutional monarchy with an
emperor. It is a unitary state, not a federation. It adopted its current constitution in 1947,
following World War II and Allied occupation. The Diet (parliament) comprises the Upper Diet
(Sangi-In) and Lower Diet (Shuugi-In).
Japanese politics has been relatively stable since the end of the post-war Allied occupation.
The conservative Liberal Democratic Party (LDP) has been in power since 1955, except for a
short period in 1993. The post-war generation has experienced economic prosperity and has
not had to react against authoritarian rule (contrast South Korea or Taiwan).
Japan’s legal system and courts have been influenced substantially by German civil law
models, and to a lesser extent by French civil law. Following the new 1947 constitution there
was substantial influence of the American common law system (particularly in constitutional
law and criminal procedure), so that the system became ‘coloured by a mixture of German
and American models’ (Chiba, 1997) or even a hybrid of civil and common law. The
Japanese legal system is also characterised by a preference for arbitration, mediation or
conciliation as an alternative to judicial settlement of disputes, and by various administrative
practices which provide guidance falling short of formal law (Chiba 1997 and references
cited therein). Both practices are significant in Japan’s data protection system.
Since Japan is a unitary state, its court system is comparatively simple, with its Supreme
Court also being its constitutional court. The Court system is divided into four levels, with
438 Summary Courts, one District Court in each prefecture, eight High Courts (with circuits
of several prefectures) and the Supreme Court. Judicial precedents, though not legally
binding, are of greater significance than in some civil law countries, particularly those of the
Supreme Court.
Japan has the world’s tenth largest population, at about 128 million, and the world's second
largest economy by nominal GDP and the third largest in purchasing power parity.
2. Surveillance context
As in many countries, there is a close relationship between the development of surveillance
systems in Japan and the development of data protection laws. In one commentator’s opinion
‘The immediate catalyst for elevating privacy to a societal interest (deserving of proactive
government regulation), rather than individual interest (to be defended only reactively by
aggrieved individuals in the courts), was the public and political resistance to the enactment
of the Basic Resident Registers Act 1999.’ (Lawson, 2003: 97). This was an attempt to
convert the long-established paper-based system of the Resident Basic Register System
(which tracks people’s movements between residences) into a national electronic network,
Juki-net. The new system combines the resident registration databases of 3,200 municipal
governments, and gives every Japanese citizen an ID number.
Juki-net is restricted by law to only transmitting four pieces of personal data (name, sex, date of birth and address), plus a randomly-generated 11-digit unique number. There is a Juki-net
card that enables easy access to local (and some national) services via the web or ATM-like
machines at local government offices, but acquisition of the card is voluntary although having
a number is not. The card can have a photo if the person wishes, but that is not included in the
Juki-net system[1]. Apparently, take up of the card has been very limited, amounting to less
than 10% of the population. At this point, Juki-net does not seem to be a very extensive
national identification system, and Japan is not at the more intrusive end of the spectrum of
surveillance societies.
3. Juki-net, Keidanren and the development of Japan’s data protection law
The ruling Liberal Democratic Party could not force the Juki-net legislation through the Diet
without an amendment promising a personal data protection law (Lawson, 2003: 97). It set up
a Working Group on Personal Data Protection in 1999, chaired by Prof Horibe, who proposed
a system close to self-regulation (Lawson, 2003: 98), with no penal provisions. The
government decided to include penal provisions, and a new committee was established under
Prof Sonobe to draw up a revised Bill. After considerable political controversy, and the
withdrawal of the original Bill (due to it not including exemptions for the media or for
individuals), a package of legislative measures was passed on May 30, 2003. It came into
force on April 1, 2005, and has therefore been in operation for only four and a half years.
Adams (2009) provides valuable insights into the role of Japan’s business community in the
passage of its private sector data protection law (a public sector law had existed since 1988).
Having promised to introduce private sector data protection in order to pass the Juki-net
legislation, the government was facing pressure from the Japanese media, who were generally
supportive of this expansion (having been reassured by allowances for journalistic use in the
EU Directive), so the government commenced discussions with representatives of the
財界 (zaikai) (the financial world), and in particular with Keidanren, the representative body
for large Japanese commercial and industrial concerns. Adams explains:
Although initially skeptical, after consulting its members, Keidanren perhaps surprisingly
threw its considerable political weight behind the development of such a law, provided of
course that the regulations to be applied would be agreed with industry cooperation.
… the rationale of the members of Keidanren seems to have been that their international
trading operations with European companies were already subject to significant data
protection regulation. With the US having agreed the Safe Harbour agreement with the
EU, a similar regime in Japan should not adversely affect trade with the US, while a
national legislative data protection regime in Japan would put Japanese companies at a
potential competitive advantage in EU trade.
[1] See <http://ubisurv.wordpress.com/2009/07/23/identification-in-japan-part-2-juki-net/> for details.
In September 2000, Keidanren … issued an ‘interim proposal for the enhancement of the
rules on computerised commerce’, which clearly asserts the view that industry self
regulation is the way forward for data protection regulation in Japan, following the US
model. However, a few months later in December 2000, a Japanese Cabinet Office
official had a meeting with Keidanren representatives in which details of comprehensive
(i.e. covering both governmental and commercial sectors) new laws on data protection,
modelled on the EU Directive, were put forward. The minutes of this meeting are
available from Keidanren … The context of the US/EU Safe Harbor agreement,
concluded in July 2000, allowing movement of data between the EEA and industry-regulated US companies needs to be noted here (and is mentioned as one of the early
points [by Keidanren]).
By March 2003, whether persuaded by media pressure, by the experience of the US Safe
Harbor scheme, or by the government's arguments, Keidanren (2003) significantly
changed their public position, issuing a new policy on ‘constructing a secure and safe Net
society’.
International considerations, as well as a domestic ‘trade off’ of data protection for increased
surveillance, both therefore seem to have influenced the development of Japan’s law.
4. Social attitudes to privacy
There is considerable academic argument about the nature and extent of the Japanese sense of
privacy, with recent writers less inclined to claim major differences between Japanese and
western senses of information privacy. Adams, Murata and Orito (2009), after surveying this
debate, hypothesise that ‘the Japanese sense of information privacy is as strong as that in
Western cultures, and has existed for a significant period, but differs as to the placement of
boundaries through which information should not flow, and the types of information that are
blocked by those boundaries’. They give examples from ‘a rich set of social norms
comprising the Japanese sense of information privacy’, such as when people who obtained
knowledge about others by overhearing it would act as if they were unaware of it. They
conclude that ‘the speed with which Japanese society has moved from reliance on social
norms to the development of legal protection for information privacy demonstrates just how
strong the Japanese sense of information privacy is.’ Laws are simply the ‘latest expression’
of this sense of privacy.
5. International obligations in relation to privacy
Japan is a member of the OECD, and its legislation is influenced by the OECD privacy
Guidelines. It is also a member of APEC but its legislation pre-dates the APEC Privacy
Framework. It is participating in some of the APEC ‘Pathfinder’ projects.
In Japan, treaties have immediate effect as law without requiring implementing legislation by
the Diet. Japan is therefore cautious about entry into treaties. It ratified the International
Convention on Civil and Political Rights (ICCPR) in 1979, and so Article 17 concerning
privacy is part of Japanese law, but it has not yet ratified the first or second Optional
Protocols to the ICCPR. Complaints (‘communications’) cannot therefore be made against
Japan to the UN Human Rights Committee.
6. Constitutional protections
Article 13 of the Constitution of Japan (1946) provides that:
"All of the people shall be respected as individuals. The right to life, liberty, and the
pursuit of happiness shall, to the extent that it does not interfere with the public welfare,
be the supreme consideration in legislation and in other governmental affairs."
The Constitutional provisions have had substantive effects relevant to privacy through case
law, such as in Supreme Court decisions limiting wiretapping[2]. However, although decisions
of lower courts held that the Juki-net resident registration network infringed Article 13 in the
absence of the consent of individuals to be included in it, the Supreme Court held
otherwise in 2007[3]. The Court confirmed the basis of the protection of privacy under Article
13:
Article 13 of the Constitution provides that citizens' liberty in private life shall be
protected against the exercise of public authority, and it can be construed that, as one of
individuals' liberties in private life, every individual has the liberty of protecting his/her
own personal information from being disclosed to a third party or made public without
good reason (See 1965 (A) No. 1187, judgment of the Grand Bench of the Supreme Court
of December 24, 1969, Keishu Vol. 23, No. 12, at 1625).
In finding that Juki-net did not infringe this principle, the Court took into account factors
such as: the limited information contained in Juki-net and that it ‘cannot be regarded as
highly confidential information that is related to an individual's inner mind’; it was operated
on the basis of laws and regulations and for justified administrative purposes; there was ‘no
concrete risk’ of unauthorised outside access; and that use by the system operators for non-intended purposes (eg data matching) was prohibited by law. It held, contrary to the lower
court, that the higher protective provisions against change of use found in the legislation
governing Juki-net would apply, not the lower standards which more easily allowed change
of use found in the PPIHAO Act.
There is clearly considerable potential for Article 13 to be used to provide protections for
information privacy, given the factors that the Supreme Court found relevant in the Juki-net
case.
7. Case law protections
“In 1963, the Supreme Court first recognized the substantial right to privacy under Article 13
of the Constitution. Since then, the right of privacy has been established under Article 13 by
the courts' precedents and has been applied to specific cases through the general provisions of
tort law in the Civil Code.” (‘Japan’ Chapter in PHR, 2006: 593). Lawson (2003: 93)
however traces the first appearance of a privacy tort to a Tokyo District Court case the
previous year involving a book by the writer Yukio Mishima which allegedly disclosed
details of the lives of a prominent couple[4]. She regards this transplantation of a concept
derived from US tort law as ‘a roaring success’, with privacy tort actions flourishing for two
decades before the 2003 legislation.
[2] Case of narcotics control act violation, fraud, and attempt of aforementioned actions - 1997 (A) No.636 [1999] JPSC 57 (16 December 1999) at <http://www.asianlii.org/jp/cases/JPSC/1999/57.htm>
[3] Judgment concerning the relationship between the act of an administrative organ to collect, manage or use identification information of inhabitants by way of the Basic Resident Register Network, and Article 13 of the Constitution 2007 (O) No. 403, 2007 (Ju) No. 454; Minshu Vol. 62, No. 3
[4] Tokyo District Court Case #1882 (wa) 1961 known as the “After the Banquet Incident” (Utage no Ato Jiken).
Court decisions have confirmed that the privacy tort can protect such matters as financial
affairs, aspects of personal life such as sickness, magazine subscriptions, pension
entitlements, and criminal records after the sentence has been served. Further examples are
given below in discussion of remedies under Japan’s privacy legislation.
II. Legislation
1. Legislative structure
Japan’s complex legislative structure is based on three main laws related to the protection of
personal information, enacted on May 30, 2003, plus ancillary legislation and administrative
documents, giving at least nine major sources of law. Links to all Acts and other documents
available in English are in the References. In this context, mention should also be made of
the Panel on the Protection of Personal Information under the Quality of Life Policy Council
(or Bureau); this is done at the end of this section.
The three main Acts are:
(1) The Act on the Protection of Personal Information
This is the key legislation setting out basic principles and applying to both the public and
private sectors. This is referred to hereinafter as the ‘PPI Act’ or ‘the Act’.
(2) The Act on the Protection of Personal Information Held by Administrative Organs
This Act (‘PPIHAO Act’) updates and supersedes Japan’s original public sector privacy Act
dating from 1988, which originally governed the use of personal information in computerized
files. The 2003 Act governs paper-based data as well, and also establishes new criminal
provisions for government officials who leak personal information without proper
justification. (‘Japan’ Ch in PHR, 2006: 594).
(3) The Act on the Protection of Personal Information Held by Incorporated Administrative Agencies (‘PPIHIAA Act’)
This Act applies similar principles to incorporated administrative agencies. No English
translation of this Act is available. Basic details are in the Japan APEC IAP (2006).
There are then at least six further elements involved in the whole legislative structure:
(4) Cabinet Order on the Enforcement of the Act on the Protection of Personal Information
The Cabinet Order was revised in May 2008 (no English version available).
(5) Basic Policy on the Protection of Personal Information
The Government is required to establish the Basic Policy by A 7 of the PPI Act, setting out
the ‘basic direction’, and the ‘basic matters’ to be taken by the State, local public bodies,
independent administrative agencies, and ‘entities handling personal information’; this was
revised in April 2008 (no English version available).
(6) Guidelines set by each Ministry (including the METI Guidelines)
As of April 1, 2008, 37 guidelines[5] had been established in 24 fields (Kato, 2008). The fields
cover quite specific industry sub-sectors[6]. ‘Though these guidelines are not binding [on
businesses] … most companies accept and abide by the rules’ (Kato, 2008). Shimpo (2009)
explains the complex process as follows:
Thirty-eight Ministry guidelines have been enacted and reviewed pursuant to the
enforcement of the Act. The grounds of the enactment and review of each ministry’s
guideline are based on article 8 of the Act and article 7 clause 1 of the Basic Policy, and
also on article 6 clause 3 of the Act for particular areas of handling sensitive data. Article
8 is the provision concerning Support to Local Public Entities and Others. It provides that
‘In order to support the measures for the protection of personal information formulated or
implemented by local public entities and the activities performed by people, entities and
others to ensure the proper handling of personal information, the government shall
provide information, formulate guidelines to ensure the appropriate and effective
implementation of measures to be taken by entities and others and take any other
necessary measures’. Based on the article, the government must enact guidelines and
indicate the measurements for determining the effectiveness of the enforcement of the
Act. It is also important to determine the effectiveness of the Act by establishing concrete
indicators for the legal interpretation of a new act and of adherence to the new law where
any legal restrictions did not exist before its enactment. The ‘Basic Policy’ article 7
clause 1, requires the government to provide a basic policy concerning the protection of
personal information and to attempt consistent enforcement of the measure to secure its
protection. The policy further provides that each minister should enact or revise their
guidelines for each business domain. Then the ministries must immediately begin
developing a common minimum requirement for the handling of personal information
based on the law for each business sector, and establish a means for imparting
information and advice on implementing the guideline.
However, the guidelines differ so much in style and wording that in June 2008 the Cabinet
Office established a standardised guideline (decision of the Cabinet Office regarding the
‘Guideline for the standardisation to all business fields and standards’) (not yet available in
English), and each Ministry is now in the process of revising its guidelines in light of this
(Kato, 2008). Ito and Parker (2008) explain the current general review of guidelines as
follows:
In response to criticisms, the Japanese Government has for some time been undertaking a
series of reviews of the Act, including conducting hearings and surveys, and seeking
comments from stakeholders. One result of this is that the Cabinet Office issued a
document entitled “Basic Guidelines in relation to Protection of Personal Information”,
which was partially amended on 25 April 2008, that attempts to set out additional
guidance on the proper scope of the Act. The Government then issued on 25 July 2008 a
“mutual agreement” (mo-shi awase) among the relevant ministries to harmonise the 37
ministerial guidelines currently in place, according to a common policy and form
attached to the “mutual agreement”. There is no stated deadline for this to be completed.
Since then, various ministries have together been undertaking an exercise to attempt to
standardise as much as possible the guidelines which have been issued. There are no
current proposals to conduct a review of the Act itself.
[5] There are in fact 38, but only 37 publicly acknowledged by the Cabinet Office (advice by Prof Shimpo); see list at <http://www5.cao.go.jp/seikatsu/kojin/gaidorainkentou.html> (Japanese only).
[6] eg General industry, Financial industry, Consumer credit, Medical records, Genome R&D, Employee data, Head hunting, Telecommunications, TV Broadcasting/Cable, Education/Students, Welfare recipients, Transportation, Agriculture, Criminal suspects (Case, 2005). A list of 33 current in 2006 is in Japan APEC IAP (2006).
Until those revisions are complete the METI Guidelines of 2007 have been ‘arguably the
most widely applicable of the ministerial guidelines due to METI’s broad administrative
purview’ (Kosinksi, 2007), and they are referred to in the following. The METI guidelines
have now been further revised in light of the ‘mutual agreement’. METI organized a study
committee, the ‘Personal Information Study Group’ in December 2008. A draft amendment
was released on 30 June 2009 (not available in English), open for Public Comment for a
month during which METI received 81 comments. The revised Guidelines were then released
at the end of September 2009 (not yet available in English). Shimpo (2009) states that ‘[t]he
characteristics of the METI guideline that distinguish it from other guidelines are that it
provides (1) a clarification on the wording of the Act, (2) supplemental pragmatic suggestions
for implementation and enforcement and (3) model regulations’. He elaborates on each of
these three points as follows:
(1) Regarding the clarification of the content of the Act, the METI guideline contains
complete practical functions for implementing the Act. The responsibilities of companies
handling personal information described in the Act are minimum requirements for the
protection of personal information; therefore, when companies carry out this obligation,
they may be unable to achieve the minimum standards required by the Act.
(2) Regarding the pragmatic instructions, the METI guideline contains many examples
and cases to support implementation of the Act. Also, the guideline uses plain wording
compared to the technical legal wording in the Law itself. Therefore, the METI guideline
serves to supplement the Act by interpreting it in simple language. Then, the guideline
indicates a strategy for Security Control Measures, which the Act requires of companies
handling personal data. Article 20 of the Act states, ‘Each entity handling personal
information shall take necessary and proper measures for the control of security of the
personal data it handles, including the prevention of leakage, loss, and damage’.
However, there are no practical examples in this provision, so the METI guideline
provides a four-factor practical scheme for information security: ‘Organization’,
‘Person’, ‘Resources’, and ‘Information Technology’.
(3) As a model guideline the METI guideline is used to enact or review other ministry
guidelines. However, there are many differences among the provisions of the various
ministries’ guidelines so the Cabinet Office released a notice for a standardisation across
all guidelines on 25 July 2008.
According to Shimpo (2009) ‘[t]he main purpose of the revision of the METI guideline in
2009 is to achieve its closer correspondence to the intentions of the Act and correct any
misunderstandings. Moreover, the revision responds to myths and overreactions to the Act’.
The main changes in the 2009 METI guidelines are referred to later as they become relevant.
(7) Municipal laws
‘Each municipality (about 1780 local governments) has its ordinance on the protection of
personal information.’ (Kato, 2008). There are 1799 as of May 2009.
(8) The Act authorizing the establishment of Information Disclosure and Personal Information Protection Review Board
‘When a person who has requested the disclosure of an administrative document and
corporate document and personal information appeals against the disclosure decision under
the Administrative Complaint Investigation Law, the Information Disclosure and Personal
Information Protection Review Board carries out a review and submits a report in response to
a query from the head of the government body in question.’[7] It then takes action in
accordance with this Law. No English translation is available.
(9) The Act concerning the Preparation of Related Laws for the Enforcement of the Act concerning the Protection of Personal Information Held by Administrative Organs
This is the last of the 2003 Acts concerning the public sector. No English translation is
available. The Board does not have a website.
The Panel on the Protection of Personal Information (Quality of Life Council) report (2007)
The Panel on the Protection of Personal Information under the Quality of Life Policy Council
(or Bureau) established by the Cabinet Office carried out a review of how the PPI Act was
operating as required by A 7 (Japan, Quality of Life Policy Council, 2007). This is the main
‘official critique’ of the operation of the Japanese law to date, and it is therefore cited in some
detail herein. Case (2007) considers that ‘it reads in part like a response to critics of the
Bureau and [the PPI Act] and a pre-emptive strike on future debate … it also reads like a trial
balloon for future amendments being considered by the Bureau.’ It did not recommend
specific legislative changes.
2. Definitions and Core Concepts
The PPI Act is extensive in its scope, but not fully comprehensive.
‘Personal data/information’ etc
The PPI Act defines ‘personal information’ as ‘information about a living individual which
can identify the specific individual by name, date of birth or other description contained in
such information (including such information as will allow easy reference to other
information and will thereby enable the identification of the specific individual)’ (A 2(1)).
The definition in the PPIHAO Act A 2(2) is the same.
However, ‘personal data’ is restricted to ‘personal information constituting a personal
information database’ (A 2(4)), and is therefore limited to systematically organized
computer-retrievable data and other data allowing retrieval (see below). The size of such a
database also has implications for the applicability of the PPI Act (see below). In the
PPIHAO Act the definition of ‘personal information file’ is of similar effect (A 2(4)).
[7] Cabinet Office website note at <http://www.cao.go.jp/en/disclosure.html>. Links to web pages providing further information are broken.
‘Retained personal data’ is ‘personal data’ over which the data controller has the authority to
disclose, correct, add, delete, discontinue the use of or discontinue the provision to third
parties (essentially all data controlled by an entity), subject to exemptions which may be
specified by a Cabinet order (A 2(5)). The definition in the PPIHAO Act A 2(3) is of similar
effect.
The PPI Act only applies to ‘information about a living individual’ and so does not apply to
legal persons or deceased persons.
‘Processing’, ‘disclosure’ and ‘use’
There is no definition of ‘processing’ in the Acts. ‘Disclosure’ and ‘use’ are not defined in
the Acts. Ministry officials suggest that disclosure occurs when a third party gains access to
the personal data in a way that enables the third party to use the personal data[8].
‘Consent’
‘Consent’ is not defined in the Acts. It is referred to in A 16(1) and A 23(1) of the PPI Act by
words such as ‘without obtaining the prior consent’ which give no indication as to whether
consent must be express or may be implied (including by failure to opt out).
The influential METI Privacy Guidelines provide that ‘consent’ can only be obtained once
the data subject has been given a reasonable opportunity to understand to what he/she is
consenting (METI, 2007: 2-1-10). It is desirable for consent to be evidenced by a positive
action such as an oral or written statement, or checking a box on a website. However,
implied consent might be recognized as valid on a case-by-case basis in view of the
circumstances (METI, 2007a). A minor lacks the capacity to consent, but his or her attorney-in-fact may consent on his/her behalf (METI, 2007: 2-1-10). The FSA guidelines also say
that in principle, consent should be obtained by a written form, not oral (FSA, 2007: A 4).
3. Scope – entities regulated
The overall legislative scheme gives comprehensive coverage to both the public sector
(including local government) and the private sector.
In the PPI Act private sector bodies are referred to as ‘a business operator handling personal
information’ (A 2(3)), which is any ‘business operator using a personal information database,
etc. for its business’, but from the definition of which state and local public bodies and
independent administrative agencies have been excepted (as they are covered by other
legislation).
The PPI Act is therefore largely comprehensive of businesses in the private sector, subject to
the significant exceptions discussed below. However, it will only cover individuals in relation
to those actions where they are acting as a ‘business operator’.
The legislation is primarily aimed at automated data. A ‘personal information database’
requires such information to be ‘systematically arranged in such a way that specific personal
information can be retrieved by an electronic computer’ or designated by Cabinet order even
though it is not subject to electronic retrieval (PPI Act A 2(2)). The Cabinet Order adds ‘a set
of information systematically arranged in such a way that specific personal information can
be easily retrieved by organizing personal information contained therein according to certain
rules, and has a table of contents, an index, or other arrangements that aids in retrieval’
(Cabinet Order, 2003: A 1). Common examples of a personal information database include a
searchable archive of email messages and a rolodex of business cards. In contrast to the
rolodex example, a drawer filled with disorganized business cards would not constitute a
personal information database because it is not organized for searching.
[8] Information provided by White & Case.
The PPIHAO Act defines ‘administrative organ’ broadly in relation to central government
agencies (A 2(1)).
4. Entities exempted from regulation
The ‘small business’ exemption
In the PPI Act, the definition of ‘a business operator handling personal information’
exempts ‘Entities specified by a Cabinet order as having a little likelihood to harm the rights
and interests of individuals considering the volume and the manner of use of personal
information they handle’ (A 2(3)(5)). This has been interpreted to allow a ‘small business
exemption’, and the Cabinet Order exempts businesses whose personal information database
does not identify more than 5,000 individual persons. It is not known what percentage of
Japanese businesses this has the effect of excluding from the operation of the PPI Act. This is
a particular problem for individuals dealing with many Japanese companies because they are
not in a position to know whether the business holds a personal information database of the
requisite size. The number of employees of a company does not indicate whether it will be
covered by the PPI Act, and there is no provision for including companies that trade in
personal information but have a smaller database. On the face of the PPI Act, such ‘exempt
small businesses’ do not retain any minimal privacy obligations such as security or providing
access on request; they are simply in the ‘privacy free zone’.
However, the Quality-of-Life Policy Council reports (2007: 11) that the actual administration
of the PPI Act is more complex:
Of 35 guidelines for the protection of personal information covering 22 business sectors
in total, 14 guidelines obligate small entities to perform certain duties, 17 require that
they make an effort to perform certain duties, and four exclude them from the definition
of a business entity handling personal information (as of May 31, 2007).
(NB: There are now guidelines for 24 business areas.)
They therefore concluded that the current practices were ‘appropriate at present’ (2007: 11).
Third party location information (eg telephone directories or car navigation systems) is not
included in the calculation of 5,000 addresses, and they recommend that ‘widely distributed
name lists’ should also be excluded (2007: 23). These have been excluded by the amendment
of a cabinet order [9].
[9] Order of May 1, 2008: information provided by Prof Shimpo.
Other exemptions
The following categories of organization are also excluded from the PPI Act’s operation (A
50): media/press organizations and professional journalists, for the purpose of journalism;
entities conducting ‘literary work’; educational organizations, for ‘academic studies’;
religious organizations for religious activities; and political organizations for political
purposes. However, despite falling outside the privacy principles in Chapter 4, these entities:
‘must endeavor to take by themselves the necessary and appropriate measures for
controlling the security of personal data, and the necessary measures for the handling of
complaints about the handling of personal information and the other necessary measures
for ensuring the proper handling of personal information, and must also endeavor to
publicly announce the content of those measures concerned’ (A 50(3)).
The word ‘endeavour’ does not create an obligation that can lead to a breach of the Act; it
is not a prescribed duty (Harland, 2004).
‘Overreactions’ and proposed exceptions
There have been concerns about ‘overreactions’ to the legislation, with governments and
businesses perceiving that the provision of information previously provided to the public for
good reasons (or at least by customary practices) cannot now be provided without breaching
the PPI Act. Which of these perceptions are justified, because the legislation is over-broad,
and which are mistaken, is debated. The Quality of Life Council concluded ‘Most cases of
“overreaction” can be resolved if the right principles are correctly disseminated through
guidelines’, and that the number of such ‘overreactions’ was slowing (2007: 4). It
recommended some additional exceptions to the restrictions on disclosure, including where
‘personal information is made public conventionally’ (only in relation to government
entities), where necessary for the protection of a person’s safety, and where necessary in
order to cooperate with government entities if an activity is in the public interest or needed
for the performance of government services or ‘if there is no possibility of infringement of
rights or interests and there is a reasonable reason’ (2007: 6). These proposals have not yet
resulted in legislation.
Case (2005) claims that the ‘overreactions’ result in part from ‘the generality of the [Act] and
its application to all personal information without exception’. He cites a list of distributors of
a product which included the name of the key contact at each distributor as an example of the
type of information which technically was in breach of the PPI Act, and school alumni lists
as an example of information customarily circulated in Japan.
Ito and Parker (2008) consider that ‘no doubt in an attempt to avoid becoming the target of an
increasing stream of embarrassing headlines concerning improper handling or disclosure of
personal information, the response of many, in the face of uncertainty over the scope of their
obligations under the Act, has been to adopt an overly cautious and conservative approach’.
5. Territorial scope [10]
The PPI Act does not apply extraterritorially to entities that do not have a presence in Japan.
Therefore, a Japanese data controller that overcomes the general prohibition of personal
information transfers to third parties (A 23 – see later concerning disclosure restrictions) can
transfer personal information to a foreign recipient which is not obligated to abide by the PPI
Act. However, if a Japanese data controller provides personal information to a foreign entity
and the foreign entity handles the personal information in a manner inconsistent with the PPI
Act, the providing Japanese data controller might be found in violation of the PPI Act under
some circumstances. The data controller might be found to violate Art. 22 (Supervision of
Trustees) if its trustee handles the personal information inconsistently with the PPI Act.
Furthermore, the data controller might be found to violate A 16 (Restriction by the Purpose of
Use), A 18 (Notice of Purpose of Use at Time of Acquisition) and A 20 (Security Control
Measures) if its joint user handles the personal information inconsistently with the PPI Act.
In contrast to the case where the recipient of personal information is a purely foreign entity, if
the recipient of a transfer of personal information has a presence in Japan and otherwise
qualifies as a data controller (A 2(3) definition of data controller (kojin jouhou toriatsukai
jigyousha)), it must comply with the duties the PPI Act places on data controllers with regard
to the personal information received.
In summary, if a recipient of personal information uses the received personal information
inconsistently with the PPI Act, (i) the providing data controller might be subject to
administrative or criminal action under the PPI Act, (ii) a domestic Japanese recipient that
qualifies as a data controller would also be similarly liable under the PPI Act, but (iii) a
purely foreign recipient would not be liable under the PPI Act. Even if the recipient of the
personal information is not subject to the PPI Act, if it mishandled the personal information,
it is arguable that it might be liable to the data controller under contract law and to the data
controller and the aggrieved data subjects under tort law.
An exception to the territorial limitations of the Japanese legislation is that the offences for
disclosing or collecting personal information under the PPIHAO Act Articles 53-55 can be
committed outside Japan (A 56).
6. Data Protection Principles
General considerations
The data protection principles are set out in fifteen Articles (15-29) of Chapter 4 of the PPI
Act, ‘Duties of entities handling personal information, etc.’. However, they are considered to
‘set minimum requirements only [and] the Basic Policy requires that each ministry establish
or revise guidelines depending on actual conditions of each business sector’ (Quality-of-Life
Policy Council, 2007: 12).
[10] White & Case have provided the information of which this section is a paraphrase.
Sectoral guidelines
As noted previously, the 37 guidelines as of 2008 differed so much that in June 2008 the
Cabinet Office established a standardised guideline, and each Ministry is now in the process
of revising its guidelines in light of this template.
Purpose limitation principle – collection, use and disclosure limitations
The law contains somewhat overlapping rules limiting the collection of personal data,
requiring specification of the purposes of personal data collection, and limiting the use and
disclosure of personal data. These rules generally distinguish between the public and the
private sector. They can be summarised as follows:
Collection limitations – private sector
‘A business operator handling personal information shall not acquire personal information by
a deception or other wrongful means’ (PPI Act A 17). There is no explicit limitation of
collection of information to that which is necessary for carrying out the Purpose of
Utilization specified under A 15, but that may possibly be implied by A 16, which limits the
use of information to that which is necessary for the achievement of the A 15 purpose.
The 2009 METI Guidelines set out five examples of where information is acquired
improperly and therefore in breach of A 17 (Shimpo, 2009):
Case 1) When you acquire individual information on the family’s income, etc., of the
parents, not related to the acquisition situation from the child who has parental consent,
and doesn't have sufficient judgment capability
Case 2) When you acquire individual information through the violation of the third party
offer limitation that provides it, according to Article 23 of the Law
Case 3) When individual information is acquired by illegal means, such as it directs other
entrepreneurs and in the above-mentioned Case 1) or, Case 2), so that individual
information is illegally acquired from the entrepreneur
Case 4) When you acquire individual information with full awareness of the violation of
the third party’s offer limitation under Article 23 of the Act or of the fraudulent
procurement (‘on the side’ or more easily than legal means would permit)
Case 5) When you acquire individual information with full awareness of the violation of
the third party’s rights, such as mentioned above in Case 1) or, Case 2), or more easily
than legal means would permit
Shimpo (2009) explains that these examples were ‘added to cover situations where the
individual information concerned is acquired improperly, even though it was possible to
obtain legally, if the acquiring party is aware of the violation of the third party’s offer
limitation or of the fraudulent procurement (‘on the side’) where individual information was
acquired by the illegally or more easily than legal means would permit’.
Collection limitations – public sector
There is no express restriction on collection by wrongful means in the PPIHAO Act, but this
would probably be implied by general administrative law requirements. The PPIHIAA Act
requires ‘proper acquisition’ (A 5).
Public sector bodies may only retain personal information ‘when the retention is necessary
for performing the affairs under its jurisdiction provided by laws and regulations’ (PPIHAO
Act A 3; PPIHIAA Act, A 3). This is, in effect, a limit on collection (Japan, APEC IAP,
2006).
Statements of purpose – private sector
The ‘purpose-limitation principle’ or ‘finality principle’ is stated most generally in relation to
businesses in A 15 ‘Specification of the purpose of utilization’:
(1) When handling personal information, a business operator handling personal
information shall specify the purpose of utilization of personal information (hereinafter
referred to as "Purpose of Utilization") as much as possible.
(2) A business operator handling personal information shall not change the Purpose of
Utilization beyond the scope which is reasonably considered that the Purpose of
Utilization after the change is duly related to that before the change.
Clause (2) in effect allows secondary uses (including disclosures) that are ‘reasonably
considered’ to be ‘duly related to’ the original ‘purpose of utilization’, which must be
specified ‘as much as possible’.
Clause (1), in the opinion of the Quality-of-Life Policy Council ‘asks for detailed
specification of the Purpose of Utilization as far as possible instead of abstract or general
specification thereof’ (2007: 24). They note that ‘The Guideline for the Business and Industry
Sector gives as a model example “the delivery of products, information on new products, and
related after-sales services in the field of XX business”’, and that ‘it is widely accepted that
“XX business” be specified using the term of middle or smaller grouping in the Standard
Industrial Classification for Japan’ (2007: 25). The METI Guidelines also emphasise that
abstract statements of purpose of use are unacceptable (2007: 2-2-1(1)).
Statements of purpose – public sector
When public sector bodies ‘directly acquire’ personal information that is recorded in a
document, they must ‘clearly indicate the purpose of use to the individual concerned in
advance’, with a number of exceptions (PPIHAO Act, A 4; PPIHIAA Act, A 4).
Use restrictions - general
Personal information may not be used beyond the scope necessary for the achievement of the
Purpose of Utilization specified under A 15, without the prior consent of the person
concerned (A 16). This includes secondary uses that are ‘reasonably considered’ to be ‘duly
related to’ the original ‘purpose of utilization’ under A 15(2).
Standard exceptions are provided in A 16(3) for uses (i) based on Japanese laws and
regulations; (ii) where necessary for protection of life, body or property (and consent is
difficult to obtain); (iii) where necessary for public health or children’s interests (and consent
is difficult to obtain); and (iv) where necessary for cooperation with governments or their
representatives carrying out law, and obtaining consent is likely to impede that.
Corresponding exemptions from providing notice are provided in A 18(4).
Disclosure restrictions and exceptions to them – private sector
As a general rule, a data controller must not provide personal information to a third party
without obtaining the prior consent of the data subject (PPI Act, A 23). The same restrictions
and exceptions as apply to use of personal information apply to its disclosure (A 23). This
would seem to include any disclosures ‘reasonably considered’ to be ‘duly related to’ the
original ‘purpose of utilization’ under A 15(2), but it is not clear that reliance is placed on this
to expand the scope of permissible disclosures.
The most significant exception to the disclosure restrictions is A 23(2), which allows
businesses to disclose personal information to third parties despite A 23, provided they
‘notify’ the data subject that they are going to do so, including giving the data subject notice
that he or she can ‘opt-out’ of such disclosure to third parties (‘discontinued at the request of
the person’). The ‘notification’ must be ‘in a readily accessible condition for the [data
subject]’ (such as by posting details on a readily accessible website), and must specify that
the information will be used to provide to a third party, the items of information so provided,
the means of provision, and that discontinuance may be requested (ie an ‘opt out’). No
disclosure of the identity of the third party is required, or their location. No consent to
disclosure is then required. Ito and Parker conclude that ‘the opt-out exemption is, on the
whole, easily satisfied and makes it possible for companies to sell or otherwise transfer
personal data to third parties without consent’ (Ito and Parker, 2008). This will also include
transfers to third parties overseas. Some Ministry Guidelines such as the 2007 METI
Guidelines state that business must not utilise A 23(2) if they have not provided Notice that
they might do so when collecting the information (see Guideline 2-2-4(2)).
Additional exceptions are made for outsourcing, mergers of businesses, and joint ventures (A
23(4)), and have been summarized as being satisfied when any of the following types of
provision of data occurs [11]:
(1) the disclosee qualifies as a delegatee, with whom the discloser executed a proper
agreement satisfying requirements suggested by guidelines (Art. 23(4)(1), A 22, and METI,
2007: 2-2-3-4);
(2) the data is provided due to a merger, etc (A 23(4)(2)); the 2009 METI Guidelines
have ‘established that a contractual agreement constitutes an offer for the legal disclosure of
individual data for the purpose of succession of a business; when data security issues
(purpose of use, operation method, leakage, etc.) interfere with the business succession
process, the safety management measures must be observed in the absence of a contractual
agreement (that is, the person does not agree to disclosure of his/her information)’ (Shimpo,
2009); or
(3) the disclosee qualifies as a joint user (A 23(4)(3)).
[11] Summary provided to the author by White and Case.
Disclosures to joint users must also be notified to data subjects, by readily accessible means,
with details of the scope and purpose of the joint use and who will be responsible for the data,
though the level of detail required is uncertain (Ito and Parker, 2008).
Use and disclosure restrictions and exceptions to them – Public sector
Public bodies cannot use or disclose retained personal information ‘for purposes other than
the purpose of use’ (PPIHAO Act, A 8; PPIHIAA Act, A 8). Four exceptions can then be
used unless the use or disclosure ‘is likely to cause unjust harm to the rights or interests of the
individual concerned or a third party’: consent; necessity for executing affairs under its
jurisdiction provided by laws; similarly for disclosures to other government entities; and for
statistical and research uses ‘obviously beneficial to the individual concerned’ or where other
‘special grounds’ justify disclosure. Other laws and regulations can also justify use or
disclosure. The grounds for other uses are broad, but not more so than in many other
jurisdictions.
An administrative organ may not change the purpose of use ‘beyond the scope in which it is
reasonable to find that the changed purpose of use is appropriately relevant to the original
purpose of use’ (PPIHAO Act A 3(3)). The implication here is that administrative organisations
can change their purposes to include others ‘appropriately relevant’ where this is
‘reasonable’.
Data quality obligations
Article 19 (Maintenance of the Accuracy of Data) provides that ‘an entity handling personal
information must endeavour to maintain personal data accurate and up to date within the
scope necessary for the achievement of the Purpose of Use’ (PPI Act).
Public sector bodies ‘shall endeavour to maintain the retained personal information consistent
with the past or present facts within the scope necessary for the achievement of the purpose
of use’ (PPIHAO Act A 5; PPIHIAA Act, A 6). The wording is different but the meaning
seems to be the same.
Data security obligations
Article 20 (Security Control Measures) provides that ‘an entity handling personal information
must take necessary and proper measures for the prevention of leakage, loss, or damage, and
for other control of security of the personal data’. The Quality of Life Policy Council
discusses various guidelines and benchmarks (2007: 17-19) but gives little concrete
indication of any more specific security practices or policies than the general statement in A
20. The frequency and extent of large scale data leakages in Japan indicates that good
security practices are far less than universal.
The PPI Act requires businesses to exercise appropriate supervision over employees (A 21)
or contractors (A 22 refers to ‘trustees’) who handle personal data. The Basic Policy states it
is important for businesses and contractors to have a service agreement by which the
contractor is required to take security measures. Some members of the Quality of Life Policy
Council are of the opinion that the fact of outsourcing personal information should be made
known to consumers, whereas others were uncertain of the practical difficulties in naming
contractors (2007: 21). The possibility of disclosing the fact of outsourcing but not naming
the contractor was not canvassed.
Ito and Parker (2008) summarise the influential METI guidelines on security as follows:
Guidelines issued by METI, which apply to a wide range of businesses, provide specific
recommendations as to the specific measures to be adopted. The METI guidelines
recommend that businesses implement: (i) organisational security control measures (e.g.
establishment of organisational structures for security control; preparation and operation
of internal rules for the security control of personal data; measures for verifying the use of
personal data by personnel; and evaluation, review and improvement of the security
measures); (ii) personnel-related security control measures (e.g. execution of nondisclosure
agreements at the time of hire or entrustment of services; and education and
training of personnel); (iii) physical security control measures (e.g. security control of
entry and exit to buildings, rooms or sections of the premises, measures for the prevention
of theft and physical protection measures for equipment and facilities); and (iv) technical
security control measures (e.g. identification and certification in accessing personal data;
control/limitation of access to personal data; administration and control of access rights;
maintenance of records (logs) of access to personal data; measures for the protection of
the information systems against harmful software; control measures in transferring or
transmitting personal data; measures in checking the proper operation of the information
systems on which personal data is handled (such as prohibition on using personal data in
test runs and ensuring that security functions are not affected when the systems are
changed or modified); and monitoring of the information systems on which personal data
is handled).
According to a clarification in the 2009 METI Guidelines ‘[i]t is permitted to report to the
competent minister once a month in case of information leaked through wrongful
transmission via facsimiles and mail’ (Shimpo, 2009).
Public sector bodies are required to take ‘necessary measures for the prevention of leakage,
loss or damage and for the proper management of retained personal information’. This
obligation also applies when they entrust an individual or business operator with the
information (PPIHAO Act A 6; PPIHIAA Act, A 7).
‘Openness’ concerning practices
Article 24 (Public Announcement of Matters Concerning Retained Personal Data, etc.)
applies the OECD’s ‘openness’ principle. Businesses must be prepared to advise any person
of the Purpose of Utilization of all retained data (with some exceptions), and the procedures
for accessing it (PPI Act). There is however, no requirement to register details with any
government body.
In contrast, where an administrative organ intends to retain a personal information file, it
must notify the Ministry of Internal Affairs and Communications (MIC) in advance, with
details of the name of the file, purposes of use, routine disclosures, and scope of individuals
covered by it (among other matters) (PPIHAO Act, A 10). These details are required to be
collated by an administrative organ into a Personal Information File Register, and published
(A 11). There are numerous exceptions.
The objective of openness of personal data record-keeping practices is therefore achieved by
different means in the private and public sectors.
Deletion of data
There is no general obligation on businesses to delete data after it has ceased being of use.
However, individuals can request that retained personal data be deleted (PPI Act A 27(1)), as
discussed below.
Public sector bodies may only retain personal information ‘when the retention is necessary’
(as discussed) and the purpose is specified ‘as much as possible’ on retention, and ‘shall not
retain personal information beyond the scope necessary for’ the specified purpose (PPIHAO
Act A 3; PPIHIAA Act, A 3). It is therefore implied that deletion is required when the
purpose is complete.
7. Areas of special concern
Processing of Sensitive Data
Article 6 PPI Act provides that
The Government shall take necessary legal and other measures to ensure that special
measures will be taken for the protection of the personal information whose proper
handling is especially strictly required for the further protection of the rights and interests
of individuals in view of the nature and the method of use of the personal information.
Legislation regulating businesses in particular fields (eg medical care, finance/credit,
telecommunications) has been amended to include stronger confidentiality provisions,
particularly the law concerning money-lenders (Quality of Life Policy Council 2007: 10).
Ministry guidelines also give special treatment to ‘sensitive’ data. The METI (2007) and
FSA (2007) Guidelines have provisions on special treatment of sensitive information. According to
the FSA guidelines, sensitive information means information regarding political views,
religion, union activities, race, family origin and registered domicile, health care, sexual
activities and criminal records.
‘Sensitive Processing’ - automated decisions
Automated decision-making systems could be subject to special regulation under A 6 because
of the ‘method of use’ requiring ‘special measures’ to protect rights.
Interconnection of files (‘Data matching’)
There are no special provisions in the PPI Act concerning data matching. There are no
explicit provisions in the public sector legislation either.
Direct marketing
There are no special provisions in the PPI Act concerning direct marketing. There is separate
legislation concerning spam and telemarketing. Japan does not have a Do-Not-Call list.
Anti-spam legislation
Japan introduced early anti-spam legislation in 2002 (The Law on Regulation of
Transmission of Specified Electronic Mail, known as the Anti-Spam Law) but it was opt-out.
There was a minor amendment in 2005 increasing penalties. However, in 2008 Japan
amended the legislation, switching to an opt-in regime effective from 1 December 2008
(Japan, MIC, 2009). The law is administered by the Ministry of Internal Affairs and
Communication (MIC). The law prohibits common types of fraud and deception, and now
has very few exemptions. Its main weakness is that it appears that opt-in can be implied by a
person providing their email address, with no other expression of consent, and MIC has not
yet provided clarifying guidance on this. It is also unclear if it covers SMS [12].
Credit reporting
There are no special provisions in the PPI Act concerning credit reporting. There are sectoral
Ministry guidelines concerning consumer credit.
A 2007 report by the Political And Economic Research Council entitled “On the Impact of
Credit Payment Reporting on the Financial Sector and Overall Economic Performance in
Japan” ‘compares the differences in economic performance of the fragmented and incomplete
reporting system found in Japan to a more robust one, consisting of complete records
covering various sectors’ [13].
Use of Publicly Accessible Data (‘Public Registers’)
None of the legislation deals explicitly with public registers (publicly accessible registers of
personal information held by government agencies), and whether the rules concerning use,
disclosure, security, deletion etc apply to them.
The PPIHAO Act will exempt information contained in at least some public registers from its
scope. ‘Retained personal information’ is defined (PPIHAO Act, A 2(3)) as limited to
personal information recorded in ‘administrative documents’ as defined in the Act on Access
to Information Held by Administrative Organs A 2(2) which provides inter alia that
‘Administrative Document’ shall mean a document ‘held by the administrative organ
concerned for organizational use by its employees’, but that this shall exclude ‘(i) Items
published for the purpose of selling to many and unspecified persons, such as official
gazettes, white papers, newspapers, magazines, and books’. So a public register where there
is a fee for access is clearly exempt from those parts of the PPIHAO Act applying to ‘retained
personal information’. But where there is free access (or a zero yen fee), will it be exempt?
Whether a public register would have to comply with the requirements of the PPIHAO
therefore depends upon the interpretation of this definition.
However, the obligations in the PPIHAO Act that apply to ‘personal information’ (as
distinct from ‘retained personal information’) such as the obligation to indicate purpose of
collection (A 4), or on employees not to disclose without justification (A 7), will still apply to
information collected for inclusion in a public register. Before the information is published it
will be ‘retained personal information’, and therefore subject to the obligation not to change
the purpose of use or disclosure (A 8), except in compliance with that section. The purpose of
including in a public register may therefore have to exist at the time of collection.
[12] These comments are based on information provided by Chris Connolly.
[13] Press Release – ‘Political And Economic Research Council Releases Japan Credit Reporting Study’ at
<http://www.1888pressrelease.com/political-and-economic-research-council-releases-japan-credi-pr5mw913m4p8.html>
An administrative organ cannot use A 9 to impose conditions of use on a recipient of
information from a public register, because by that stage the information is not ‘retained
personal information’.
8. The Internet
There are no specific provisions dealing with the Internet in any of the Japanese Acts.
Comments concerning the applicability of the Act to some common Internet-related issues
follow here and in the next section.
Social networking site operators
Japanese citizens do use social networking Internet sites where the servers and businesses
that run them are located in other countries (for example, Facebook). The operators of
foreign-operated sites are only likely to be bound to observe Japanese law in relation to the
collection and other processing of information on Japanese residents if they have a business
presence in Japan (see ‘Territorial scope’ earlier). If they do, then the location of their servers
will not matter, they will be bound by the PPI Act.
However, this is likely to be a low-level problem in Japan, compared with some other
countries, because popular Japanese-language sites like Mixi, ni-chaneru and purofare are
operated from Japan and subject to Japanese law.
Individual and small users of Internet publication (including social networking)
The Internet provides individuals and small organisations with the capacity to disseminate
personal information about others to an unprecedented extent. Japanese law currently fails to
address the implications of this in two different ways.
The PPI Act only applies to ‘business operators’ (see ‘Scope – Entities regulated’ above), so
an individual acting in a purely private or social capacity who uploads information about
other individuals onto a social networking site, or onto any other Internet platform (web
pages, blogs, email lists etc) will not be bound for that reason.
If an individual was held to be acting in a business capacity in loading information onto any
Internet platform, they would still be exempt from the PPI Act because of the ‘small
business’ exemption (see ‘Exemptions’ above), unless their ‘personal information database’
identified more than 5,000 persons.
Interaction without identification not regulated
The definition of ‘personal information’ only includes information which can ‘identify the
specific individual’, so information which allows interaction with a person on an individuated
basis, but without identification of which person, is not ‘personal information’.
9. Cross-Border Data Transfers
Japan does not have any specific data export restrictions, and none are planned. Japan relies
on the development of APEC’s cross-border recognition system and the PrivacyMark System
(Miyashita, 2008), as well as the general rules for transfer of personal information to third
parties. See ‘Territorial Scope’ and ‘Disclosure Limitations’ above for the full implications
of these other aspects of Japanese law for data exports.
The position can be summarised as follows:
(1) Disclosures to foreign processors (as with other disclosures) require consent (A 23),
but this can be avoided by the provision of a ‘readily accessible’ Notice allowing data
subjects to opt out of the disclosure (A 23(2)). The Notice need not even say that the disclosure
is an export overseas.
(2) A qualification of this is that where disclosure is to a trustee (agent), the exporter must
‘supervise’ to ensure ‘security control’ of the data. This is only a duty to supervise, not the
imposition of vicarious liability on the exporter.
(3) The Japanese law does not have extra-territorial application to entities that do not
have a presence in Japan (except where the foreign recipient is a trustee of the Japanese
exporter). If the foreign recipient has a presence in Japan, it must comply with Japanese data
protection law.
As a result, if data is validly disclosed (under A 23) to a foreign third party (not a trustee)
with no presence in Japan, neither the Japanese transferor nor the foreign recipient will be
liable.
10. Rights of Data Subjects
Informing of Data Subjects
Business operators have to give an explanation of reasons to the data subject for the decisions
they take in relation to access, correction or cessation of processing (PPI Act, A 28).
Confirmation of processing – private sector
Where a business operator acquires personal information directly from the person, or has
acquired the information pursuant to a contract or other document from the person, they must
‘expressly show the Purpose of Utilization in advance’ (PPI Act, A 18(2)). However, when
they otherwise acquire the information from a third party, they must promptly notify the
person of the Purpose of Utilization (A 18(1)).
Where the business operator changes the Purpose of Utilization they have the choice of
notifying the person of the change, or publicly announcing it (PPI Act, A 18(3)). Public
announcement is only an option if the new purpose of use is reasonably related to the old
purpose of use, in accordance with A 15.
There are exceptions to these three provisions similar to the exceptions to use and disclosure
without consent, but in addition where such notification is likely to harm the legitimate
interests of the business, or where the purpose is clear in the circumstances of acquisition (A
18(4)).
A person can also request notification of the Purpose of Utilization of information held about
them (A 24(2)), and similar exceptions apply.
Access
Requests for disclosure of a person’s retained personal data must be answered by a business
‘without delay’, either in full or with some information redacted (PPI Act, A 25). Charges for
access must be reasonable in consideration of the actual cost of providing access (A 30).
The PPIHAO Act contains very detailed provisions providing a person’s right to access his or
her personal information held by administrative organs and the procedures to be followed
(Chapter 4, Section 1 ‘Disclosure’, Articles 14-26). PPIHIAA Act A 12 is similar.
Correction
Correction, addition to, or deletion of, personal information is required on request and ‘on the
basis of results’ of investigation by the business operator (PPI Act, A 26). There is no
provision for ‘the complainant’s side of the story’ to be added to the file where the business
operator does not accept the complainant’s request.
The PPIHAO Act contains very detailed provisions providing a person’s right to correct his
or her personal information held by administrative organs and the procedures to be followed
(Chapter 4, Section 2 ‘Correction’, Articles 27-35). PPIHIAA Act A 27 is similar.
Notification of disclosures and data breaches
Outsourcing
The Quality of Life Policy Council is of the opinion that the fact of outsourcing personal
information should be made known to consumers (2007: 21). It also considered that the
individual’s right to obtain access to their own data (‘retained personal data’) does not
include details of the party who disclosed that data to the business receiving the request, in
contrast with the EU position (2007: 25). Its members were divided over whether this should
be followed in Japan.
Data breach notification
One of the most important changes in the 2007 METI Guidelines was to require certain
responses in case of a data leak or other breach of the PPI Act (Kosinski, 2007; METI, 2007:
2-2-3-2). The Guidelines refer to making preparations to provide information to persons
affected by a leakage accident, the need to contact the person to prevent secondary damage,
and the desirability of making details public as much as possible (while specifying exceptions
where that is necessary).
Objections to processing
Private sector
There is no general right under the PPI Act to object to processing of personal information by
a business and request it be discontinued or the data erased, but A 27 allows this to be
requested in three cases: (i) where it is being used in violation of the A 16 Purpose of
Utilization; (ii) where it has been acquired by deception or other wrongful means (A 17); or
(iii) where it is being provided to third parties in violation of A 23.
The Quality of Life Policy Council is pessimistic about the effectiveness of this part of the
legislation: ‘Even after the enactment of the PPI Act, the number of spam e-mails, random
telephone sales calls, direct mails, etc. has not decreased in the slightest.’ (2007:17). Spam
and telemarketing are regulated by other legislation, but the data protection Act does not
seem to have deterred use of the lists on which such marketing is based. However, the new
2008 anti-spam legislation may change this in relation to spam.
Public sector
There are similar provisions in the PPIHAO Act whereby a person can request an
administrative organ ‘for suspension of use, deletion, or suspension of provision’, where the
administrative organ (i) has not obtained the information lawfully, (ii) retains the information in
violation of its A 3 obligations to delete it, or (iii) uses it in violation of its A 8 purposes of use (A
36). The Act sets out detailed procedures (Articles 37-40).
Right to object to direct marketing
There is no general right to object to direct marketing arising from A 27. See above.
11. Individual Remedies
The PPI Act does not explicitly provide for individuals to obtain damages in a Court for
breach of its provisions, but it had been considered an open question whether it did impliedly
provide such a cause of action. In what has been described as ‘one of the most important
court cases to interpret’ the PPI Act (Fuse and Kosinski, 2008), the Tokyo District Court held
that the PPI Act did not provide a data subject with a cause of action against a data controller
who withheld the data subject’s personal information (decision of June 27, 2007). The
defendant operated two ophthalmology clinics in Tokyo, and each of the two plaintiffs
(patients of one of the clinics) demanded that the defendant disclose their medical
records to them in accordance with Article 25-1 of [the PPI Act]. As summarised by Fuse and
Kosinski (2008), ‘The plaintiffs requested the court to interpret [the PPI Act] as providing a
private cause of action against the defendant for court-ordered disclosure of the data at issue
and monetary compensation. In response, the defendant asserted that the legislature did not
intend the PPI ACT to provide a private cause of action because the text of [the PPI Act]
provides for extra-judicial conciliation methods (Article 42) and gives a clear grant of
authority to the ministries to enforce the [PPI Act] (Article 34-1).’ The court adopted the
defendant’s view.
Critics of the decision argue that there is evidence from the legislative history of the PPI Act,
though not from the text of the PPI Act itself, that the legislature intended to create a civil
right of action, and that the District Court did not take this into account (Fuse and Kosinski,
2008). The issue is not settled, particularly as courts in Japan’s civil law system are
not strictly bound to follow earlier decisions.
If this decision is followed by subsequent courts, complainants will have to rely on the very
limited administrative remedies under the PPI Act, or extra-judicial mediation (discussed
below) and will have no direct access to the courts to uphold their rights under the PPI Act, at
least unless those rights can be equated to something already protected under other laws. It is
possible to sue the Japanese national government or local government for negligent
application of the law.[14]
In other cases, plaintiffs in cases of non-consensual disclosures have successfully taken
actions under the tort provision of A 709 of the Civil Code to uphold rights similar to those
found in the PPI Act, without attempting to base their case on a positive right arising directly
from the PPI Act. The plaintiffs in this case apparently considered that mere refusal to allow
them to access their record would not constitute a breach of their tortious right of privacy
(Fuse and Kosinski, 2008).
In a case commenced before the PPI Act came into force, the Tokyo High Court upheld on 28
August 2007 a District Court decision holding a beauty salon chain vicariously liable for the
negligence of a subcontractor. The contractor had let customers’ personal information escape
onto the Internet where it was distributed by P2P software. Kosinski (2007) explains that the
significance of the case is that ‘The court looked to OECD privacy guidelines and Japanese
ministry regulations in effect at the time to determine the applicable standard of care. If this
incident were to occur today, the court would instead likely look to the [Act] to determine the
standard of care.’ Although the damages awarded were objectively very small, averaging
only US$265 to 13 of 14 plaintiffs, plus US$45 costs, this was nevertheless record damages
for a data leak case.
In a previous case connected with Yahoo!, the Osaka District Court awarded a small amount
of compensation (5,500 yen per person) to a group of plaintiffs, against Softbank BB Corp
for its violation of its duty of care in preventing improper access to, and leakage of, large
amounts of personal data, because of inadequate security measures (Ponazecki and Horikawa,
2006).
These cases illustrate that, where actions would breach some of the privacy principles
in the PPI Act (eg intentional or negligent disclosures), plaintiffs may have some remedy
under the Civil Code or other legislation, but for other breaches (eg refusal of access or
correction, failure to give notice, excessive collection) tort or other remedies may not be
available. It is doubtful whether these miscellaneous remedies could be an adequate substitute
for direct access to the Courts to enforce rights under the PPI Act.
12. Supervision, Notification and Enforcement
The lack of a data protection Authority
Japan does not have any national data protection authority sufficient to meet the accreditation
standards of the International Conference of Data Protection Commissioners. The Quality of
Life Policy Council (2007) concluded that ‘it is reasonable to maintain the system in which
the relevant minister holds sway’, but that the creation of an independent authority was ‘a
medium or long term task in view of compatibility with international practices’ (Japan,
Quality of Life Policy Council, 2007:31). Enforcement as a result of supervision by
Ministries is discussed below under administrative actions following complaints.
[14] Information provided by White & Case.
No notification and/or permits system
There is no system of notification or registration by businesses under the PPI Act. However,
Ministries may require information to be provided by the entities that come under their
administration, and sometimes do so. The system of notifications to the MCI by
administrative organs has been discussed earlier.
There is no general system of permits for certain categories of personal data to be collected or
used.
Investigation of complaints
Private sector
A complaint about the handling of personal information by a business may be filed with one
of four bodies under the PPI Act:
(1) The business entity concerned: a business operator ‘shall endeavour’ to ‘appropriately
and promptly process complaints’ (A 31).
(2) An authorized personal information protection organization (APIPO): there have been
34 organisations so designated by relevant Ministers under A 37 (as at 31 May 2007),
discussed below under self-regulation.
(3) A local government department: heads of local government have the same authority as
a competent minister in relation to handling complaints (see below concerning
‘Administrative orders’).
(4) The National Consumer Affairs Council of Japan (NCACJ), including through one of
the local Consumer Affairs Centres. The Basic Policy (Japan, 2006) requires the NCACJ to
offer advice, provide training and distribute manuals, to assist ‘grievance organs’ such as
Consumer Affairs Centres.
There are no specific provisions in the PPI Act allowing persons to make complaints to an
APIPO, local government department or NCACJ, or to the ‘competent minister’ (see below
concerning ‘Administrative orders’), nor to require that complaints are first made to the
business concerned.
The NCACJ prepares and distributes a ‘Manual on Complaint Processing for Personal
Information’ and a ‘Summary of Personal Information Protection-related Complaints and
Responses’. No English language versions are available. Both NCACJ and the Cabinet Office
collect complaint examples, and since 2006 have been exchanging them (Japan, Quality of
Life Policy Council, 2007:29).
In financial year 2005, 14,028 complaints were lodged with either local governments or the
NCACJ (Japan, Quality of Life Policy Council, 2007:2). How many were lodged with
authorized personal information protection organizations is not stated.
In financial year 2007, 12,728 complaints were stated to have been lodged with government or
the NCACJ, 85% being received by local consumer centres. The principal causes of complaint
were fraudulent acquisition of personal information, leakage or loss of data and disclosure
beyond the purposes of use (Cabinet Office, 2008). Unfortunately, the figures given add up to
over 17,000 complaints, so the percentages given are unreliable. The outcomes of the 12,728
complaints were ‘guidance and advice’ or ‘other types of information provision’ in 12,094
cases (95%), and 212 (1.7%) successfully mediated, with most of the rest being introductions
to other institutions.
It does not seem that any of these complaints feed into complaints being investigated by a
Ministry, so it is not obvious that any mandatory sanctions arise from so many complaints.
Examples of private sector complaints
The website of the National Consumer Affairs Council of Japan gives summaries of 18
complaints from 2004-07[15], but none since then. Some of them concerned these issues[16]:
• Direct mail sent to a dying son.
• Direct mail offer of a suit for a Coming of Age ceremony sent to a person who had already
died before reaching 20 years of age. The bereaved family asked the company to stop sending direct mail,
but the company replied that the request should be sent by the data subject.
• An internet auction service provider that required a person to disclose his real name
on their website, and warned him of suspension of the service when he refused to
disclose his name on the Net.
• List brokers collecting personal information from high school students who provided
their class directories in exchange for a book token valued at 3,000 yen ($US30).
• Disclosure of a registration postcard registered under another person's name.
• Requirement of a comprehensive consent that compels agreement to utilise personal
information.
• Deletion of individual information after cooling off notification.
• Unsolicited telemarketing.
• Telemarketing involving a threatening telephone call by a real estate company.
Prof Shimpo has translated the first of these complaint summaries as follows:
Title: A direct mail which was sent to a son who has already died
Summary of the case: A direct mail for the advertisement of a suit to wear at a Coming of
Age ceremony reached the son who had already died before 20 years old.
Content of the claim: The bereaved family asked the company to suspend sending direct
mails after this; however, the company replied to them that "We are not able to suspend
sending these direct mails on a claim from a family; we will accept it only when the
request is submitted by the person in question". The bereaved family was disappointed
[15] NCACJ website <http://www.kokusen.go.jp/jirei/j-top_kojinjoho.html>
[16] Information provided by Professor Fumio Shimpo
by the answer from the company and then asked the NCAL center about the interpretation of
the Personal Information Protection Act...
Construction of the Law: The Personal Information Protection Act provides that "In this
law, the term "personal information" means information about a living individual that
contains such name, date of birth, or other description as will enable the identification of
the individual (including such information as will allow easy reference to other
information and will thereby enable the identification of the individual)." (article 2
section 1) So the law applies to the "living individual", not to a dead person, in principle.
(If the personal information is related to the bereaved family, the information is regarded
as personal information concerning the living bereaved family.)
Unfortunately, the summary does not include any information about how (or whether) the
complaint was resolved. It seems that these are only summaries of types of complaints, not
complaint outcomes, and therefore of little use in assessing the effectiveness of the Act.
Public sector – Information Disclosure and Personal Information Protection Review Board
Where decisions by administrative organs concerning access to a person’s own record,
correction, or suspension of use, are appealed against, the head of the administrative organ
who is expected to decide the appeal must consult the Information Disclosure and Personal
Information Protection Review Board (PPIHAO Act, A 42). The result of such consultation
must be made known to all relevant parties, including third parties who have objected to the
disclosure of a personal information file under an access request.
Actions following complaints – private sector: administrative orders
Under the PPI Act, the competent minister (see below) ‘may have’ a business operator ‘make
a report’ on its handling of personal information (A 32), and the minister may then ‘advise’
the business operator (A 33). It is not clear whether the report must be about a specific
complaint, or how an individual brings matters to the attention of a minister.
When a business has violated any of the data protection provisions (Articles 16-27 except A
19, and A 30(2)), the competent Minister may recommend that the business concerned ‘cease
the violation concerned and take other necessary measures to correct the violation’ (A 34(1)).
If the business fails to follow the recommendation, and the minister finds that ‘a serious
infringement on the rights and interests of individuals is imminent’, it may order the business
to take the measures recommended (A 34(2)). Urgent orders may be made under some
circumstances without the Minister waiting to see whether a recommendation will be
followed (A 34(3)). The normal case is therefore a three stage process: a request for a report
by the business; a recommendation; and an order.
The ‘competent minister’ is ‘the minister etc concerned with jurisdiction over the business of
the business operator’ (A 36), except that in the case of personal information relating to
employment management, responsibility is shared with the Minister of Health, Labour and
Welfare. The Prime Minister can also designate competent ministers.
In financial year 2007, Ministers collected reports from the businesses they supervise in 83
cases, but did not make recommendations or orders in any case. In financial year 2006 they
collected reports in 60 cases and made recommendations in four (Cabinet Office, 2008). Ito
and Parker (2008) confirm that there have so far only been a limited number of cases in
which enforcement proceedings have been brought under the Act:
One of the significant enforcement proceedings to date was brought against a regional
bank in 2005, which resulted from the bank's loss of three CD-ROMs containing personal
information about approximately 1.3 million of its customers.[17] It led to a serious rebuke
by the regional Finance Bureau, and the issuing of warnings to individual bank officials.
The FSA has, by far, been the most active of the government ministries. Of a total of 83
reports ordered from personal information handlers between April 2007 and March 2008,
78 were by the FSA (mostly on data security measures and measures against leakages).
However, no recommendations for improvement were issued during this time.
Unless evidence is available that merely requesting a report always results in spontaneous
offers of remedies where appropriate, it does not seem that Ministerial supervision is playing
a significant role in any system of responsive regulation here. Ito and Parker (2008) consider
that the Act may be somewhat effective in terrorem:
As in the E.U., the real effectiveness of the Act is that it creates for businesses a greater
risk of damage to reputation. In fact, the lack of enforcement action may be attributed, in
part, to the nature of Japanese society, with its complex system of business etiquette, in
which reputation still carries a tremendous amount of importance. Reputation is
acknowledged to be particularly important to both individuals and companies (including,
to a lesser extent, foreign companies), as is rigid compliance with administrative rules.
Japanese businesses would argue that data compliance issues, like other compliance
issues, are taken more seriously than in other countries and that even an informal threat of
enforcement will usually be sufficient to jolt a non-compliant business into action. The
nature of enforcement proceedings taken against the regional bank in 2005, including the
summoning of its President to appear before the local Finance Bureau, and the issue of
warnings to individual bank officials, demonstrate at least some willingness on the part of
the authorities to frighten companies, through their officers, into compliance with the Act.
There is not, however, much evidence to support the view that companies in Japan have a
better record of data compliance than companies in other countries. In fact, the ongoing
stream of headlines in the press concerning breaches of the Act is at least anecdotal
evidence to support the view that data compliance issues in Japan are just as prevalent as
they are in the other major economies.
Criminal penalties
A breach of one of the information privacy principles is not enough in itself to attract
criminal penalties under any of the Acts. Under the PPI Act there must also be a breach of a
ministerial order. A violation of a ministerial order under A 34 can result in fines up to
¥30,000 (US$3,000) (and up to 6 months in prison if the data controller is an individual) (A
56 and A 57).
Under the public sector legislation there is no general provision for criminal penalties, but
where employees or former employees wrongly disclose or collect personal information
under certain circumstances, criminal penalties can result (PPIHAO Act, A 53 – A 55), even
when the offence is committed outside Japan (A 56). The Act does not prescribe offences by
recipients of such information.
[17] “Michinoku ordered to secure data” (The Japan Times, May 23, 2005).
13. Self-Regulation and Codes of Conduct
Private dispute resolution bodies
The role of ‘authorized personal information protection organizations’ (APIPO) is set out in
part 4 Section 2 (Promotion of the Protection of Personal Information by Private Institutions).
The Basic Policy says that it expects they will play ‘an extremely important role’ in Japanese
data protection, particularly to assist businesses to voluntarily resolve complaints.
The competent ministry in a sector may authorise as an APIPO a business that involves itself
in the handling of complaints about the personal information practices of other businesses
(called ‘targets’) (A 37). There are some very vague standards with which the applicant must
comply (A 39). Each other business ‘target’ must become a member of the dispute resolution
body, and this must be made public (A 41). APIPOs can receive complaints directly from
individuals, and target entities are required to cooperate in investigations, and not reject the
APIPO’s requests ‘without justifiable reason’ (A 42). Each APIPO is supposed to publish its
own guidelines (A 43). The Minister can require reports from an APIPO (A 46) or order it to
improve its procedures (A 47), or even revoke its authorisation (A 48). There was one case of
a minister requiring a report in 2007 (Cabinet Office, 2008: 4).
The APIPOs have no independent powers. They are not arbitrators in disputes or even
specifically empowered to be mediators. They are presumably supposed to be neutral as
between their members and complainants, but even this is not clear.
Although there have been 34 organisations designated as APIPOs by relevant Ministers under
A 37 (as at 31 May 2007), the number of complaints lodged with them in 2005 is not
disclosed by the Quality of Life Policy Council. Although the Council adheres to the Basic
Policy line that these private dispute resolution bodies are important, it seems to make some
elliptical criticisms of at least some of them. It states that ‘less active authorized personal
information protection organizations are expected to proactively process complaints and
provide information to target entities in the future’, and furthermore
From now on, it will be important to fully publicize the roles of authorized personal
information protection organizations to the public and entities and to make efforts to help
improve confidence in these organizations. In addition, it will be necessary for these
organizations to proactively engage in personal information leakage cases in order to
further enhance their functions.
No evidence of their effectiveness is presented by the Council.
14. Japanese trustmarks
Japan’s PrivacyMark, which has been operating since 1998, is explained by its operators
(PrivacyMark 2009) as follows:
The accreditation of PrivacyMark System requires third-party organizations to objectively
evaluate the compliance of private enterprises with all relevant laws and regulations,
including JIS Q 15001, and is an effective tool that allows private enterprises to
demonstrate that they are in compliance with the law and that they have voluntarily
established a personal information protection management system with a high level of
protection.
The Japan Information Processing Development Corporation (JIPDEC), a joint public-private
agency established by METI, is responsible for managing the PrivacyMark system. It has a
PrivacyMark System Committee which it says ‘is organized with scholars, learned
individuals, representatives from business organizations, representatives of consumers and
legal professionals’ (2009: ‘Implementation Structure’ page), and has three main functions:
(i) establishment and revision of standards and regulations involving the PrivacyMark
system; (ii) designating and revoking the Conformity Assessment Bodies (which accredit
individual businesses as PrivacyMark users); and (iii) revoking PrivacyMark
Accreditation.
‘Conformity Assessment Bodies should be trade associations and other organizations with
rich store of knowledge in personal information protection and ability to implement
PrivacyMark system. (Limited to non-profit organizations and trade associations established
by Japanese law and/or other non-profit organizations admitted by the JIPDEC.)’
(PrivacyMark, 2009: ‘Implementation Structure’ page). There are seventeen such bodies
(JIPDEC, 2008). Accreditation involves having an appointed manager for personal data,
annual training, annual audit, a permanent contact point for consumers, ‘appropriate security
measures’, and measures for protecting information given to contractors etc (JIPDEC, 2008;
PrivacyMark Rules, A 10).
It costs a business somewhere in the range ¥300,000-1,200,000 to obtain a PrivacyMark,
renewable every two years at 60-75% of the initial fee (JIPDEC, 2008). Around 10,000
Japanese companies are stated to use the PrivacyMark System (Miyashita, 2008), with new
holders dropping substantially from 2006 (3,798), to 2007 (2,259) to 2008 (483) (JIPDEC,
2008).
The Rules for Establishment and Operation of the PrivacyMark System (‘PrivacyMark Rules’)
do not seem to contain a procedure for consumers to make complaints about breaches of
the legislative or other standards by businesses that exhibit the PrivacyMark, but
references to the making of complaints do appear in documents explaining PrivacyMark
(JIPDEC, 2008). However, there is a procedure by which accredited businesses are supposed
to self-report any ‘accidents’ concerning personal data to JIPDEC in accordance with
‘Evaluation Criteria for PrivacyMark Disqualification’ (PrivacyMark, 2009: ‘Reporting
Accidents’ page; PrivacyMark Rules, A 20(4)).
The PrivacyMark Rules have provisions for Conformity Assessment Bodies to conduct
fact-finding studies about a business’s ‘protection of personal information and use of the
PrivacyMark’, and for issuing warnings and recommendations, issuing suspensions or
withdrawing accreditation (PrivacyMark Rules, A 20-22). Details of such studies or their results
do not seem to be available from the PrivacyMark site, so it is difficult to assess whether
enforcement by the threat of withdrawal of the mark is credible. Similarly, JIPDEC can
conduct a ‘fact-finding study’ of any of the seventeen Conformity Assessment Bodies, and
request it to take improvement measures, or withdraw accreditation (PrivacyMark Rules, A
31-34). Again, there does not seem to be information about this occurring.
So this is a decentralised system in which numerous trade associations and the like are
supposed to be able to certify that their own members comply with Japan’s legislation,
Cabinet Order, Basic Policy, Guidelines etc. The businesses accredited to use the trustmark
are then supposed to self-report to JIPDEC ‘accidents’ that may lead to their disqualification
from displaying the mark. Consumers are then supposed to rely on this.
III. Summary and conclusions
Overall
There is a divergence of opinion concerning the effectiveness of the enforcement of the PPI
Act. Ponazecki et al (2007) concede that ‘there have not been significant administrative fines
or penalties or court judgments arising from failures to comply with the Law and the related
guidelines’. According to other Japanese practitioners, there have been many instances where
a Ministry warned or ordered a company to fix the problem that led to an improper transfer to
a third party (eg METI warnings to companies to take measures to prevent their employees
from improperly selling credit history information to third parties). In their view the main
risk for a private company that violates the PPI Act is usually the risk of reputational damage
rather than the risk of paying large fines or having to defend class action suits. This is
consistent with the view of Ito and Parker (2008), noted earlier.
Ito and Parker (2008) are uncertain in which direction enforcement is headed:
It is less clear for now whether the ministries are likely to take more active steps to
enforce compliance with the Act. The deterrent effect is not proven and the ongoing
incidents of data leaks and other breaches are proof that more needs to be done by
businesses to ensure compliance. It is possible that, as in the EU, the authorities will over
time become more aggressive in enforcing the Act. However, although the responsible
ministries are actively engaged in ensuring enforcement through a process of consultation
within their respective industry sectors, and the Cabinet Office has issued an annual
report on the enforcement status of the Act, together the ministries and the Cabinet Office
are much less vociferous than their counterparts in the EU, who can be regularly heard
speaking out in public against the failings of businesses to take adequate steps to comply.
It is also difficult to imagine a business ever facing fines, or the directors the threat of
imprisonment, under the Act, except in the case of hopelessly reckless failure, or
aggressive refusal, to comply; businesses are much more likely to co-operate with the
relevant ministries to ensure that they comply with any order to implement corrective
measures.
The Japanese legislation has only been in effect for four years, so anything beyond tentative
assessment of its effectiveness is difficult. Assessment difficulties are compounded by the
propensity of the Japanese legal system to rely on relatively informal means of dispute
resolution, rather than litigation. It can reasonably be said that there is a lack of evidence that
the legislation is effective, which could be remedied somewhat by Ministries gathering and
publishing more detailed data on compliance, enforcement, breaches and remedies.
Position in relation to international standards
Japan’s data protection system may well meet the standards of the OECD Guidelines, and no
doubt would meet the standards of the APEC Privacy Framework, given the weaknesses of
both documents in relation to enforcement. Comparison with the EU privacy Directive is a
more difficult question, beyond the scope of this report. Suffice it to say that it would be an
arguable question in relation to privacy principles, and, in relation to enforcement, one on
which more information about practices is needed.
References
Adams, A (2009) ‘The Development of Japanese Data Protection’, draft article provided to the author
Adams, A, Murata, K and Orito, Y (2009) ‘The Japanese sense of information privacy’ (2009) 24(4) AI & Society
Case, D (2005) ‘How Japan’s New Personal Information Law is Having an Impact on Business’, Privacy Laws & Business Conference, Cambridge, July 2005
Case, D (2007) ‘Japan’s Privacy Law to Be Revised’, Privacy Laws & Business International Newsletter, issue 86, p. 12, 2007
Case, D and Ogiwara, Y (2003) ‘Japan Adopts a Personal Information Protection Law’, Privacy Laws & Business International Newsletter, issue 68, p. 15, 2003
Chiba, M (1997) ‘Japan’, chapter in Tan, P (ed) Asian Legal Systems – Law, Society and Pluralism in East Asia, Butterworths, 1997
Fuse, K and Kosinski, E (2008) ‘Individual Cause of Action Denied in Japanese Privacy Case’, Privacy Laws & Business International Newsletter, issue 94, p. 11, 2008
Harland, J (2004) ‘Japan’s new privacy legislation: Are you ready?’, Computer Law & Security Report, Vol 20 No 3, 2004, pp. 200-202
Ito, O and Parker, N (2008) ‘Data protection law in Japan: a European perspective’, BNA World Data Protection Report, December 2008
Japan Times Online (2008) ‘Top court: Juki Net not against the Constitution’, 7 March 2008, <http://search.japantimes.co.jp/cgi-bin/nn20080307a1.html>
Japan, APEC IAP (2006) Information Privacy Individual Action Plan – Japan (2006), Japanese Government, 2006, on APEC website, <http://www.apec.org/etc/medialib/apec_media_library/downloads/taskforce/ecsg/dp_iaps.Par.0006.File.tmp/Web_IAP_Japan.doc>
Japan, Act for Protection of Computer Processed Personal Data Held by Administrative Organs 1988, <http://www.soumu.go.jp/gyoukan/kanri/b_11e.htm>
Japan, Act on the Protection of Personal Information Held by Administrative Organs – Act No. 58 of 2003, <http://www.asianlii.org/jp/legis/laws/aotpopihbaoan58o2003772/>
Japan, Act on the Protection of Personal Information 2003 (Japan), <http://www5.cao.go.jp/seikatsu/kojin/foreign/act.pdf>
Japan, The Law on Regulation of Transmission of Specified Electronic Mail (known as the Anti-Spam Law) (Law No. 26 of April 17, 2002, as amended by Law No. 87 of July 26, 2005), <http://www.japaneselawtranslation.go.jp/law/detail_main/?id=120&vm=2&re=>
Japan, Basic Policy on the Protection of Personal Information, 2 April 2004, revised 25 April 2008, <http://www5.cao.go.jp/seikatsu/kojin/foreign/basic-policy-tentver.pdf>
Japan, Cabinet Office, Summary Report on the Enforcement Status of Act on the Protection of Personal Information in FY 2007 (Tentative Translation, Excerpt), September 2008, <http://www5.cao.go.jp/seikatsu/kojin/implementation2007.pdf>
Japan, Cabinet Office, Summary Report on the Implementation Status of Act on the Protection of Personal Information in FY 2005 (Tentative Translation), June 2006, <http://www5.cao.go.jp/seikatsu/kojin/implementation2005.pdf>
Japan, Cabinet Office, Summary Report on the Implementation Status of Act on the Protection of Personal Information in FY 2006 (Tentative Translation), September 2007, <http://www5.cao.go.jp/seikatsu/kojin/implementation2006.pdf>
Japan, Cabinet Order for the enforcement of the Act on the Protection of Personal Information, 10 December 2003, <http://www5.cao.go.jp/seikatsu/kojin/foreign/cabinet-order.pdf>
Japan, FSA (2007) Financial Services Agency, Guidelines for Personal Information Protection in the Financial Field, <http://www.fsa.go.jp/frtc/kenkyu/event/20070424_02.pdf>
Japan, METI (2007) Ministry of Economy, Trade and Industry, Guidelines Targeting Economic and Industrial Sectors Pertaining to the Act on the Protection of Personal Information, March 2007, <http://www.meti.go.jp/policy/it_policy/privacy/0708english.pdf>
Japan, METI (2007a) Ministry of Economy, Trade and Industry, METI Privacy Guidelines Q&A, March 2007, <http://www.meti.go.jp/policy/it_policy/privacy/070330guidelineq&a.pdf>
Japan, METI (1998) Ministry of Economy, Trade and Industry, Handbook Concerning Protection Of Personal Data, February 1998, <http://www.meti.go.jp/english/information/downloadfiles/Taro9-eng.pdf>
Japan, METI (2004) Ministry of Economy, Trade and Industry, The Guidelines for the Protection of Personal Information for Business Operations Handling Personal Genetic Information, December 2004, <http://www.jba.or.jp/report/industry/document/pdf/guideline-19-e.pdf>
Japan, Ministry of Internal Affairs and Communications (MIC) (2009) ‘Amendment of Law on Regulation of Transmission of Specified Electronic Mail – Introduction of opt-in method as a countermeasure to SPAM emails’, MIC Communications News, Vol 19 No 20, 23 January 2009, <http://www.soumu.go.jp/main_sosiki/joho_tsusin/eng/Releases/NewsLetter/Vol19/Vol19_20/Vol19_20.html>
Japan, Ministry of Posts and Telecommunications, Guidelines on the Protection of Personal Data in Telecommunications Business, 2 December 1998, <http://www.soumu.go.jp/joho_tsusin/whatsnew/guideline_privacy-e.html>
Japan, New Media Development Association, Guidelines on the Protection of Personal Data in Telecommunications Business, 3 December 1997, <http://www.nmda.or.jp/enc/privacy-rev-english.html>
Japan, Quality-of-Life Policy Council, Summary of Opinions on the Protection of Personal Information, 29 June 2007, <http://www5.cao.go.jp/seikatsu/kojin/opinion.pdf>
JIPDEC (2008) Japan Information Processing Development Corporation, ‘PrivacyMark System’, June 30 2008 (PPTs), on PrivacyMark website
Kato, T (2008) ‘Outline of Japan’s Protection of Personal Information Act and its Enforcement’, Office of Personal Information Protection, Cabinet Office, Japan (PPTs); Privacy Laws & Business Conference, October 14, 2008, Strasbourg
Kosinski, E (2007) ‘Japan Amends Its Official Privacy Rules to Include Data Breaches’, Privacy Laws & Business International Newsletter, issue 90, p. 8, 2007
Kosinski, E (2007a) ‘Japan’s High Court Confirms Record Damages for Data Leak’, Privacy Laws & Business International Newsletter, issue 90, p. 1, 2007
Kosinski, E (2008) ‘Japanese Privacy Guidelines Require Tighter Oversight of Data Processors’, Privacy Laws & Business International Newsletter, issue 92, p. 6, 2008
Lawson, C (2006) ‘Japan’s New Privacy Act In Context’, University of New South Wales Law Journal, vol. 29 no. 2, 2006, <http://www.austlii.edu.au/au/journals/UNSWLJ/2006/17.pdf>
Miyashita, H (2008) ‘The Japanese Act on International Issues’, Office of Personal Information Protection, Cabinet Office, Japan; presentation at Privacy Laws & Business Conference, October 14, 2008
Omori, Y and Kosinski, E (2009) ‘Japan’s FSA Considers Data Leak at Mitsubishi UFJ Securities’, Privacy Laws & Business International Newsletter, issue 98, p. 8, 2009
Ponazecki, J and Horikawa, S (2006) ‘Japanese Court Orders Payment For 6,000 Yen To Each Plaintiff In Connection With The Yahoo!BB Personal Data Leak’, Privacy Information and Law Report, vol 7 issue 6, June 2006, <http://westlegalworks.com/newsletters/samples/Privacy.pdf>
Ponazecki, J, Levison, D and So, T (2007) ‘Japan – Personal information privacy update’, BNA International World Data Protection Report, December 2007
PHR (2006) Electronic Privacy Information Centre (EPIC) (editors), Privacy and Human Rights, 10th edition (2006), <http://epic.org/phr06/>
Shimpo, F (2009) ‘Amendment of the Japanese Guideline Targeting Economic and Industrial Sectors Pertaining to the Act on Protection of Personal Information’, draft article for Privacy Laws & Business International Newsletter, submitted October 2009 (cited with permission)
Westin, A (2007) ‘Japan’s Data Leak: Comparisons With the US’, Privacy Laws & Business International Newsletter, issue 87, p. 22, 2007