Japan: Toward International Standards – Except for 'Big Data'
(2015) 135 Privacy Laws & Business International Report, 12-14.
6 Pages Posted: 8 Sep 2015 Last revised: 10 Oct 2015
Date Written: June 19, 2015
The Abe Government introduced into Japan's Diet in March 2015 a Bill for the first significant changes to its data privacy law of 2003, the Personal Information Protection Act (PIPA). The Bill's reforms which will bring Japan’s closer to international standards for privacy principles, plus a new data protection authority which has significant powers, and requirements to act independently. It is a Bill significantly stronger than was indicated by early drafts. 'Big data' provisions concerning use of 'anonymised' data are still included, but there are significant controls on business use of such data. The Bill was passed unchanged by the lower House of Japan's Diet in May 2015.
This article analyses the Bill's proposals, and reaches some conclusions about what will be needed to make them effective. The Bill will created for the first time in Japan a data protection authority (DPA), the Personal Information Protection Commission (PIPC), which will have jurisdiction in relation to the whole private sector, although not the public sector. The extent of likely independence of the PIPC, and the strength of its powers, are assessed.
Japan's current law has the weakest privacy principles of any Asia-Pacific country that has a data privacy law. This Bill takes substantial steps to address such criticisms, and it is shown that these changes, once enacted, will bring the principles in Japan's law to a similar position to most other Asian or Asia-Pacific countries with data privacy laws: stronger than the basic OECD principles, and about mid-way toward the 'European' principles of the EU Directive or the Council of Europe Convention.
The new concept of 'anonymous process information' (API) is explained, and that, although API is not 'personal information', many protective provisions similar to those applied to personal information apply to API. Businesses will therefore need to consider carefully the business case for the creation or use of API, given these obligations.
The overall conclusion is that the effectiveness of the new Act is going to depend a great deal on the chairperson and members of the PIPC, because so much of the content of the legislation will now be found in delegated legislation made by the PIPC.
Keywords: privacy, data protection, Asia, Japan, legislation, big data
Suggested Citation: Suggested Citation