Country Studies – B5 Japan (Information Privacy Protection in Japan)
COMPARATIVE STUDY ON DIFFERENT APPROACHES TO NEW PRIVACY CHALLENGES, IN PARTICULAR IN THE LIGHT OF TECHNOLOGICAL DEVELOPMENTS, EUROPEAN COMMISSION, DIRECTORATE-GENERAL JUSTICE, FREEDOM AND SECURITY, D. Korff, ed., May 2010
34 Pages Posted: 20 Mar 2012
Date Written: October 30, 2010
This Report to the European Commission surveys Japanese protection of information privacy as at October 2009. It commences with the context of information privacy in Japan including the political context, the surveillance context of Juki-net, Keidanren and the development of Japan’s data protection law and social attitudes to privacy. Japan’s international obligations in relation to privacy, and its constitutional and case law protections of privacy are summarised. The main focus of the report is Japan’s complex legislative structure in relation to information privacy, based on three main laws related to the protection of personal information, enacted on May 30, 2003 (particularly the Act on the Protection of Personal Information, the PPI Act), plus ancillary legislation and administrative documents, giving at least nine major sources of law. The overall legislative scheme gives comprehensive coverage to both the public sector (including local government) and the private sector. The complex role played by non-binding Ministry guidelines is discussed.
The report’s analysis of the data protection principles in the Acts finds that, while they cover the basic principles of the OECD Guidelines (but little beyond that), many of them have exceptions leaving them open to abuse. The lack of extra-territorial operation of the PPI Act, and its lack of data export restrictions, are notable weaknesses. In any event, the principles are only intended as general guidance to be supplemented by industry-specific guidelines.
This report finds little available evidence, for any of the avenues of enforcement of the Japanese law, that provides a convincing indication of its enforcement or effectiveness. Japan does not have any national data protection authority. A complaint about the handling of personal information by a business may be filed with one of four types of bodies under the PPI Act, but none publish useful information about how complaints are actually resolved. Ministerial warnings or orders to companies are very rare, and are necessary before criminal penalties can be imposed. The role of the ‘authorized personal information protection organizations’ (APIPO) established by industry organisations is unclear, and there is no evidence of their effectiveness. Japan’s PrivacyMark, which has been operating since 1998, is a decentralised system in which numerous trade associations and the like are supposed to be able to certify that their own members comply with Japan’s legislation, Cabinet Order, Basic Policy, Guidelines etc. It has no complaints mechanism and relies on self-reporting.
There is a divergence of opinion concerning the effectiveness of the enforcement of the PPI Act. The Japanese legislation has only been in effect for four years, so anything beyond tentative assessment of its effectiveness is difficult. Assessment difficulties are compounded by the propensity of the Japanese legal system to rely on relatively informal means of dispute resolution, rather than litigation. It can reasonably be said that there is a lack of evidence that the legislation is effective, which could be remedied somewhat by Ministries gathering and publishing more detailed data on compliance, enforcement, breaches and remedies.
Japan’s data protection system may well meet the standards of the OECD Guidelines. Comparison with the EU privacy Directive is a more difficult question, beyond the scope of this report. It would be an arguable question in relation to privacy principles, and in relation to enforcement one on which more information about practices is needed.
Keywords: Asia, Japan, privacy, data protection, data privacy, surveillance